Security Groups and NACLs are basic controls for VPC traffic but have clear limitations. Security Groups are stateful but perform only simple allow/deny, and NACLs are stateless; both operate at IP, port, and protocol level. Requirements like "allow outbound only to specific domains," "detect intrusions by signature in packet payload (IPS)," and "block domains based on TLS SNI" cannot be met by these tools. AWS Network Firewall (a managed stateful/stateless inspection engine) and Route 53 Resolver DNS Firewall (DNS query filtering) fill this gap.