Components of VPC:
The Internet Gateway is the only way users can enter your infrastructure. All interactions are possible through the internet gateway only, so this is the main area to focus on for security.
Security groups are called the first level of guards. A security group acts as a firewall. You can modify its rules at any time, and the new rules are automatically applied to the instances associated with that security group.
You can't change the security group of an EC2-Classic instance after the launch process has completed. However, you can modify the rules associated with that security group. With a security group, you can only define allow rules.
An Access Control List (ACL) contains the list of restricted and allowed IP addresses defined by you. The network ACL is the second layer of defense after the security groups in the VPC architecture. The major advantage of an ACL is that you can set both allow and deny rules.
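
The practical effect of allow-only security groups versus allow-and-deny network ACLs shows up when one address must be blocked on a port that is otherwise open. The following Python model is an added example, not part of the original page; the function names, rule sets and addresses are constructed, matching is simplified to source address and port, and it assumes the AWS behaviour that network ACL rules are evaluated in ascending rule-number order with the first match deciding.

```python
import ipaddress

def sg_allows(sg_rules, src_ip, port):
    """Security group: allow rules only; anything not matched is dropped."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(cidr) and lo <= port <= hi
               for cidr, lo, hi in sg_rules)

def nacl_allows(nacl_rules, src_ip, port):
    """Network ACL: numbered rules, lowest number first, first match decides."""
    ip = ipaddress.ip_address(src_ip)
    for _num, action, cidr, lo, hi in sorted(nacl_rules):
        if ip in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False  # no rule matched: implicit final deny

def inbound_permitted(sg_rules, nacl_rules, src_ip, port):
    """Traffic reaches the instance only if both layers permit it."""
    return (nacl_allows(nacl_rules, src_ip, port)
            and sg_allows(sg_rules, src_ip, port))

# Constructed sample rules using documentation address ranges.
SG_WEB = [("0.0.0.0/0", 443, 443)]  # HTTPS from anywhere; no way to exclude one IP
NACL_SUBNET = [
    (90,  "deny",  "203.0.113.7/32", 0, 65535),  # block a single address
    (100, "allow", "0.0.0.0/0",      443, 443),  # allow HTTPS for everyone else
]
# Same two rules with the deny numbered after the allow: the deny never fires.
NACL_MISORDERED = [
    (100, "allow", "0.0.0.0/0",      443, 443),
    (110, "deny",  "203.0.113.7/32", 0, 65535),
]

if __name__ == "__main__":
    cases = [("198.51.100.20", 443), ("203.0.113.7", 443), ("198.51.100.20", 22)]
    for src, port in cases:
        print(src, port,
              "sg:", sg_allows(SG_WEB, src, port),
              "nacl:", nacl_allows(NACL_SUBNET, src, port),
              "both:", inbound_permitted(SG_WEB, NACL_SUBNET, src, port))
```

The security group alone admits 203.0.113.7 on port 443 because it has no deny rule to express the exception; only the network ACL deny, numbered lower than the broad allow, blocks it.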