Implementing the rule of least privilege

For both security groups and NACLs, you should configure them based on the rule of least privilege. This essentially means that you should be as restrictive as possible about the ports that are allowed and about the source and destination specified within the rules. Try to steer away from using "any" in these fields; for example, if your application only communicates across a single port, then just add that single port number. The more specific and restrictive the rule, the greater the security of your infrastructure; the wider the access scope, the greater the chance of malicious infiltration. The same applies when specifying the source and destination entries: narrow them down to the smallest range possible. Don't open up access to a whole subnet if only a single resource requires the access; instead, add the single IP address.
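The following audit is an added example, not code from the book: it walks a constructed list of ingress rules laid out in the shape of the EC2 `describe-security-groups` `IpPermissions` entries and flags exactly the two shortcuts the paragraph warns against, "any" protocol/port and a source wider than it needs to be. The breadth thresholds (`/24` for IPv4, `/64` for IPv6) are assumptions for the check, not values from the page.

```python
import ipaddress

# Constructed sample: one security group's ingress rules, in the shape of the
# EC2 describe-security-groups IpPermissions structure. Rules 0 and 1 are the
# "any" style the text warns against; rule 2 is the least-privilege form.
SAMPLE_INGRESS = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},   # any port, any source
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,          # all TCP ports
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},                     # from a whole VPC
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,          # single port
     "IpRanges": [{"CidrIp": "10.0.1.25/32"}]},                    # from a single host
]

# Assumed thresholds: a source broader than this prefix length is "too wide".
MAX_BREADTH = {4: 24, 6: 64}


def rule_findings(rule, max_breadth=MAX_BREADTH):
    """Return the least-privilege violations found in one IpPermissions entry."""
    findings = []
    proto = rule.get("IpProtocol")
    if proto == "-1":
        findings.append("all protocols and ports")
    elif proto in ("tcp", "udp"):
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if lo is not None and hi is not None and hi > lo:
            findings.append(f"port range {lo}-{hi} instead of a single port")
    # Check IPv4 and IPv6 sources against the breadth threshold for their family.
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        limit = max_breadth[net.version]
        if net.prefixlen < limit:
            findings.append(f"source {cidr} wider than /{limit}")
    return findings


def audit(rules, max_breadth=MAX_BREADTH):
    """Map rule index -> findings for every rule that violates least privilege."""
    return {i: f for i, r in enumerate(rules) if (f := rule_findings(r, max_breadth))}


if __name__ == "__main__":
    for idx, problems in audit(SAMPLE_INGRESS).items():
        print(f"rule {idx}: " + "; ".join(problems))
```

The same function can be pointed at real output by passing each group's `IpPermissions` list from `boto3`'s `describe_security_groups` response.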
