The Amazon EC2 service provides the ability to dynamically add and removed instances. However, this flexibility can complicate firewall configuration and maintenance which traditionally relies on IP addresses, subnet ranges or DNS host names as the basis for the firewall rules.
The Amazon EC2 firewall allows you to assign your compute resources to user-defined groups and define firewall rules for and in terms of these groups. As compute resources are added to or removed from groups, the appropriate rules are enforced. Similarly, if a group's rules are changed these changes are automatically applied to all members of the affected group.
Defining firewall rules in terms of groups is flexible enough to allow you to implement functionality equivalent to a VLAN.
In addition to the distributed firewall, you can maintain your own firewall on any of your instances. This may be useful if you have specific requirements not catered for by the distributed firewall.
At present, the API calls for authorizing and revoking permissions are still under development. The remainder of this section outlines what you can depend on from this part of our API. The command line API tools expose only the subset of the functionality that is expected to remain unchanged.
Callers may depend on, now and in future, being able to grant permissions to
source address ranges (specified with CIDRs, specific protocol and ports (or ICMP type/code)).
source {user,group} tuples. No additional granularity, such as protocol and port (or ICMP type/code), should be expected.