The Amazon EC2 service allows you to dynamically add and
remove instances. However, this flexibility can complicate
firewall configuration and maintenance, which traditionally rely
on IP addresses, subnet ranges, or DNS host names as the basis for
the firewall rules.

The Amazon EC2 firewall allows you to assign your instances to user-defined
groups and define firewall rules for these groups. As instances are added
to or removed from a group, the appropriate rules are enforced for them.
Similarly, if you change a rule for a group, the change is automatically
applied to all members of the group.

Defining firewall rules in terms of groups is flexible enough
to allow you to implement functionality equivalent to a VLAN.

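The following is an added illustration, not AWS code: a small model of a default-deny ingress firewall whose rules are attached to groups rather than to hosts. It shows the three behaviours described above (a newly launched instance inherits its group's rules, a rule change reaches every member at once, and a rule whose source is another group builds a VLAN-like tier that the public Internet cannot reach). The group names, instance IDs and addresses are constructed for the example.

```python
"""Group-based ingress firewall model (added example, not AWS's implementation)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One ingress rule. `source` is a CIDR ("0.0.0.0/0") or "group:<name>"."""
    protocol: str
    port: int
    source: str


@dataclass
class Group:
    name: str
    rules: set = field(default_factory=set)
    members: set = field(default_factory=set)   # instance ids


class GroupFirewall:
    """Default-deny ingress firewall whose rules belong to groups, not hosts."""

    def __init__(self):
        self.groups = {}       # group name -> Group
        self.addresses = {}    # instance id -> IP string
        self.by_ip = {}        # IP string -> instance id
        self.membership = {}   # instance id -> set of group names

    def create_group(self, name):
        self.groups[name] = Group(name)

    def authorize(self, group, protocol, port, source):
        self.groups[group].rules.add(Rule(protocol, port, source))

    def revoke(self, group, protocol, port, source):
        self.groups[group].rules.discard(Rule(protocol, port, source))

    def launch(self, instance_id, ip, groups):
        # Membership is fixed at launch; the rules themselves can change later.
        self.addresses[instance_id] = ip
        self.by_ip[ip] = instance_id
        self.membership[instance_id] = set(groups)
        for g in groups:
            self.groups[g].members.add(instance_id)

    def terminate(self, instance_id):
        for g in self.membership.pop(instance_id, ()):
            self.groups[g].members.discard(instance_id)
        ip = self.addresses.pop(instance_id, None)
        self.by_ip.pop(ip, None)

    def allows(self, src, dst, protocol, port):
        """src is an instance id or a plain IP string; dst is an instance id."""
        if dst not in self.membership:
            return False
        # Group rules match on the *identity* of the sender, not its address.
        src_id = src if src in self.membership else self.by_ip.get(src)
        try:
            src_ip = ip_address(self.addresses.get(src_id, src))
        except ValueError:
            return False  # neither a known instance nor a parsable address
        for g in self.membership[dst]:
            for rule in self.groups[g].rules:
                if rule.protocol != protocol or rule.port != port:
                    continue
                if rule.source.startswith("group:"):
                    if src_id in self.groups[rule.source[len("group:"):]].members:
                        return True
                elif src_ip in ip_network(rule.source):
                    return True
        return False


def demo():
    """Walk through the behaviours described in the text; returns observations."""
    fw = GroupFirewall()
    fw.create_group("web")
    fw.create_group("app")
    fw.authorize("web", "tcp", 80, "0.0.0.0/0")     # public web tier
    fw.authorize("app", "tcp", 8080, "group:web")   # app tier reachable only from web tier
    fw.launch("web-1", "10.0.0.11", ["web"])
    fw.launch("app-1", "10.0.0.21", ["app"])
    out = {}
    out["internet_to_web"] = fw.allows("203.0.113.5", "web-1", "tcp", 80)
    out["internet_to_app"] = fw.allows("203.0.113.5", "app-1", "tcp", 8080)
    out["web_to_app"] = fw.allows("web-1", "app-1", "tcp", 8080)
    # A new web instance inherits the group's rules with no rule edits at all.
    fw.launch("web-2", "10.0.0.12", ["web"])
    out["new_web_to_app"] = fw.allows("10.0.0.12", "app-1", "tcp", 8080)
    # Changing the group's rule reaches every member at once.
    fw.revoke("web", "tcp", 80, "0.0.0.0/0")
    fw.authorize("web", "tcp", 443, "0.0.0.0/0")
    out["web1_port80_after_change"] = fw.allows("203.0.113.5", "web-1", "tcp", 80)
    out["web2_port443_after_change"] = fw.allows("203.0.113.5", "web-2", "tcp", 443)
    # A terminated instance loses its membership, and with it its reach into the app tier,
    # even if its old address is reused by something else.
    fw.terminate("web-1")
    out["terminated_web_to_app"] = fw.allows("10.0.0.11", "app-1", "tcp", 8080)
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The point of the model is in `allows`: a rule whose source is a group is evaluated against the sender's membership, so nothing in the rule set needs to change when instances or their addresses come and go.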
In addition to the distributed firewall, you can maintain your
own firewall on any of your instances. This can be useful
if you have specific requirements that the Amazon EC2
distributed firewall does not meet.