inbound and outbound firewall for EC2 instances
there are no 'deny' rules (use a NACL for those). all traffic is blocked by default unless a rule specifically allows it.
all inbound traffic is blocked by default
multiple instances across multiple subnets can belong to a Security Group.
An EC2 instance can belong to multiple Security Groups, and rules are permissive
specific IP range
if traffic is allowed inbound, it is also allowed outbound