AWS describes security groups as virtual firewalls. While this analogy helps newcomers to the EC2 platform understand their purpose and function, it's probably more accurate to describe them as a firewall-like method of authorizing traffic. They don't offer all the functionality you'd find in a traditional firewall, but this simplification makes them much easier to use and troubleshoot since they do just a single job and do it reliably.

We're going to go through a basic scenario involving a web server and a load balancer. Load balancers are vital components of a scalable web application as they allow requests to be spread out over a fleet of instances, instead of sending traffic to a single point of failure. We want the load balancer to respond to HTTP requests from everywhere, and we want to isolate the web server from everything except the load balancer. This is a good security practice as it shields instances from direct external connections.