Using and Securing the Network
All Amazon EC2 instances are assigned two IP addresses at launch: a private address, and a public address. The public IP address is directly mapped to the private address via Network Address Translation (NAT). Private addresses are only reachable from within the Amazon EC2 network. Public addresses are reachable from the Internet.
Amazon EC2 also provides an internal DNS name and a public DNS name, which map to the private and public IP addresses respectively. The internal DNS name is only resolvable from within Amazon EC2. The public DNS name resolves to the public IP address from outside of Amazon EC2 and, currently, resolves to the private IP address from within Amazon EC2.
More detail can be found in the section called “Instance Addressing”.
Note: During earlier stages of the Amazon EC2 Beta program, instances used direct addressing. This addressing scheme used the same address for internal and external access. This approach is being deprecated, and the documentation therefore does not discuss this addressing scheme.
The Amazon EC2 service provides the ability to dynamically add and remove instances. However, this flexibility can complicate firewall configuration and maintenance, which traditionally relies on IP addresses, subnet ranges, or DNS host names as the basis for the firewall rules.
The Amazon EC2 firewall allows you to assign your compute resources to user-defined groups and to define firewall rules both for these groups and in terms of them (a rule on one group can name another group as the permitted source). As compute resources are added to or removed from groups, the appropriate rules are enforced. Similarly, if a group's rules are changed, these changes are automatically applied to all members of the affected group.
The section called “Securing the Network” discusses this topic in more detail.
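The following is an added example, not Amazon's own code or API: a small Python model of group-based firewall rules that shows why membership changes need no rule edits. Rules on a destination group name either a source group or a CIDR; a packet is permitted only if some rule on one of the destination's groups matches (default deny). The `GroupFirewall` class, instance names, and addresses are all constructed for the demonstration.

```python
"""Toy model of group-based firewall rules (added example, not AWS code).

Rules are written in terms of named groups rather than IP addresses, so an
instance gains or loses access the moment its group membership changes,
without any rule being edited. Names, addresses and the GroupFirewall API
below are constructed for this demonstration (hypothetical, not AWS's).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """Allow inbound proto/port from either a source group or a CIDR."""
    proto: str
    port: int
    src_group: Optional[str] = None
    src_cidr: Optional[str] = None


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: Set[str] = field(default_factory=set)


class GroupFirewall:
    def __init__(self) -> None:
        self.rules: Dict[str, List[Rule]] = {}      # group name -> its rules
        self.instances: Dict[str, Instance] = {}    # instance name -> record

    def add_instance(self, inst: Instance) -> None:
        self.instances[inst.name] = inst

    def add_rule(self, group: str, rule: Rule) -> None:
        self.rules.setdefault(group, []).append(rule)

    def _source_groups(self, src_ip: str) -> Set[str]:
        """Groups of the instance owning src_ip; empty for hosts outside the fleet.

        Sources are identified by private address only, so an outside host can
        match CIDR rules but never a group rule.
        """
        for inst in self.instances.values():
            if inst.private_ip == src_ip:
                return inst.groups
        return set()

    def allowed(self, dst_name: str, src_ip: str, proto: str, port: int) -> bool:
        """Default deny: permit only if a rule on one of dst's groups matches."""
        dst = self.instances[dst_name]
        src_groups = self._source_groups(src_ip)
        for group in dst.groups:
            for rule in self.rules.get(group, []):
                if rule.proto != proto or rule.port != port:
                    continue
                if rule.src_group is not None and rule.src_group in src_groups:
                    return True
                if rule.src_cidr is not None and ip_address(src_ip) in ip_network(rule.src_cidr):
                    return True
        return False


def build_demo() -> GroupFirewall:
    """Constructed sample fleet: one web server and one database server."""
    fw = GroupFirewall()
    fw.add_instance(Instance("web-1", "10.0.0.11", {"web"}))
    fw.add_instance(Instance("db-1", "10.0.0.21", {"db"}))
    # "web" accepts HTTP from anywhere; "db" accepts 3306 only from the "web" group
    fw.add_rule("web", Rule("tcp", 80, src_cidr="0.0.0.0/0"))
    fw.add_rule("db", Rule("tcp", 3306, src_group="web"))
    return fw


if __name__ == "__main__":
    fw = build_demo()
    print("web-1 <- Internet:80   ", fw.allowed("web-1", "203.0.113.5", "tcp", 80))
    print("db-1  <- web-1:3306    ", fw.allowed("db-1", "10.0.0.11", "tcp", 3306))
    print("db-1  <- Internet:3306 ", fw.allowed("db-1", "203.0.113.5", "tcp", 3306))
    # a new web server joins the "web" group: no rule is touched, yet it may reach db-1
    fw.add_instance(Instance("web-2", "10.0.0.12", {"web"}))
    print("db-1  <- web-2:3306    ", fw.allowed("db-1", "10.0.0.12", "tcp", 3306))
```

Because the database rule names the `web` group rather than `10.0.0.11`, launching `web-2` into that group grants it access immediately, and removing `web-1` from the group revokes its access just as immediately; an address-based rule would have needed an edit in both cases. The model identifies sources by private address only, which is the address instances see each other at inside the EC2 network.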