I was looking for firewall good practices for an EKS cluster. I easily found AWS recommendations about Security Groups (SG) but I had trouble finding some for Network Access Control List (NACLs). I realized it is not so easy to derive NACL configuration from an SG configuration if you do not understand some core concepts. In this article I will try to sum up these concepts by comparing SGs and NACLs. I will then propose some configurations for both resources in case you are hosting an EKS cluster.