A security group acts as a virtual firewall for your instances, controlling inbound and outbound traffic through inbound and outbound rules.
Since security groups apply at the instance level, the same security group can be attached to instances in different subnets.
Security groups deny traffic by default and support only allow rules.
All inbound traffic is denied by default in custom groups, while in the default group traffic from other members of the group is allowed by default.
All outbound traffic is allowed by default.
Security groups are stateful: response traffic for an allowed connection is automatically allowed back, without being evaluated against the rules.
Network Access Control Lists (Network ACLs, or NACLs) apply to traffic at the subnet level, as it enters or leaves the subnet. A NACL applies to all instances in its subnet, not to an arbitrary group of EC2 instances spread across different subnets.
NACLs are stateless, so a rule check is applied in both directions of a connection (request and response).
NACLs deny all inbound and outbound traffic by default, but support both allow and deny rules.
NACLs do not apply to traffic between instances within the same subnet.
Pay attention to rule order: rules are evaluated from top to bottom (lowest rule number first), and traffic that does not match a rule is evaluated against the next one; the first matching rule wins. That means that if you have a rule that allows everything followed by a rule that denies, the deny rule will never take effect.
Since security groups cannot block specific IP ranges, NACLs are the preferred option in that scenario.
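As an added illustration (not part of the original notes), the following Python model of NACL evaluation checks the two points above: first-match ordering by rule number, and statelessness requiring a separate outbound rule for the response on the client's ephemeral port. All rule numbers, CIDRs (taken from documentation ranges) and ports below are constructed.

```python
# Added example: a small model of how a NACL evaluates rules. AWS evaluates
# rules in ascending rule-number order, the first match wins, and an implicit
# deny-all ("*") rule sits at the end. All rules and addresses are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    port_lo: int
    port_hi: int
    action: str     # "allow" or "deny"


def evaluate_nacl(rules, ip, port):
    """Return the action of the lowest-numbered rule matching ip/port, else 'deny'."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(r.cidr) and r.port_lo <= port <= r.port_hi:
            return r.action
    return "deny"  # the implicit '*' rule at the bottom of every NACL


# Ordering pitfall from the notes: allow-all numbered before a targeted deny,
# so the deny is never reached.
BAD_ORDER = [Rule(100, "0.0.0.0/0", 0, 65535, "allow"),
             Rule(200, "203.0.113.0/24", 0, 65535, "deny")]
# Corrected: the deny gets the lower number and is evaluated first.
GOOD_ORDER = [Rule(100, "203.0.113.0/24", 0, 65535, "deny"),
              Rule(200, "0.0.0.0/0", 0, 65535, "allow")]

# Statelessness: the request (inbound, to the server port) and the response
# (outbound, to the client's ephemeral port) are each checked separately.
INBOUND_HTTPS = [Rule(100, "0.0.0.0/0", 443, 443, "allow")]
OUTBOUND_NO_EPHEMERAL = [Rule(100, "0.0.0.0/0", 443, 443, "allow")]
OUTBOUND_WITH_EPHEMERAL = [Rule(100, "0.0.0.0/0", 1024, 65535, "allow")]


def stateless_flow_allowed(inbound, outbound, client_ip, client_port, server_port):
    """True only if both the request and the response pass their own rule set."""
    request_ok = evaluate_nacl(inbound, client_ip, server_port) == "allow"
    response_ok = evaluate_nacl(outbound, client_ip, client_port) == "allow"
    return request_ok and response_ok


if __name__ == "__main__":
    print("bad order blocks 203.0.113.7?", evaluate_nacl(BAD_ORDER, "203.0.113.7", 443))
    print("good order blocks 203.0.113.7?", evaluate_nacl(GOOD_ORDER, "203.0.113.7", 443))
    print("flow without ephemeral rule:",
          stateless_flow_allowed(INBOUND_HTTPS, OUTBOUND_NO_EPHEMERAL, "198.51.100.5", 50000, 443))
```

A security group would need only the inbound 443 rule for the same flow, because its stateful tracking lets the response return automatically.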