Many organizations consider layered security a best practice for protecting network infrastructure. In the cloud, you can combine Amazon VPC, the implicit firewall rules enforced at the hypervisor layer, network access control lists (NACLs), security groups, host-based firewalls, and IDS/IPS systems into a layered network security solution. Security groups, NACLs, and host-based firewalls meet the needs of many customers, but if you want defense in depth you should also deploy a network-level security control appliance, and you should deploy it inline: traffic is intercepted and analyzed before it is forwarded to its final destination, such as an application server. The placement matters because an appliance fed from a passive tap or mirror can only alert on what it sees, whereas an inline appliance can drop or reset a flow before it reaches the instance.
Examples of inline threat protection technologies include the following:
• Third-party firewall devices installed on Amazon EC2 instances (also known as soft blades)
• Unified threat management (UTM) gateways
• Intrusion prevention systems
• Data loss management gateways
• Anomaly detection gateways
• Advanced persistent threat detection gateways
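As an added example (not code from the AWS whitepaper or from any AWS product), the following Python simulator shows how the layers listed above combine for a single packet: the subnet NACL first, stateless with numbered rules evaluated lowest first and an implicit deny at the end; then an inline appliance, which only sees what the NACL already passed; then the instance security group, which is stateful and allow-only. All CIDRs, ports, rule numbers, and the appliance's payload signature are constructed sample values, and the `inline_appliance` function is a hypothetical stand-in for a real IPS. The `run_flow` helper also exercises the failure mode practitioners hit most often with stateless NACLs: forgetting the outbound allow for the client's ephemeral port, which silently breaks return traffic even though the security group would have let it through.

```python
"""Layered VPC controls for one packet: NACL -> inline appliance -> security group.

Added example, not from the AWS whitepaper. All addresses, ports, rule numbers
and the appliance signature are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str = "tcp"
    payload: bytes = b""

    def reply(self, payload=b""):
        """The response to this packet: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.dst_port, self.src_port, self.proto, payload)


@dataclass(frozen=True)
class NaclRule:
    number: int     # NACL rules are evaluated in ascending rule-number order
    action: str     # "allow" or "deny"
    cidr: str       # peer range: source for inbound rules, destination for outbound
    port_lo: int    # destination-port range the rule covers
    port_hi: int

    def matches(self, pkt, direction):
        peer = pkt.src if direction == "inbound" else pkt.dst
        return (ip_address(peer) in ip_network(self.cidr)
                and self.port_lo <= pkt.dst_port <= self.port_hi)


def nacl_allows(rules, pkt, direction):
    """Stateless: the lowest-numbered matching rule wins; no match hits the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt, direction):
            return rule.action == "allow"
    return False


@dataclass
class SecurityGroup:
    """Stateful and allow-only: rules can only permit, and the return traffic of a
    permitted flow passes without needing a rule in the opposite direction."""
    inbound: list                   # entries are (cidr, port_lo, port_hi)
    outbound: list
    flows: set = field(default_factory=set)

    def allows(self, pkt, direction):
        reverse = (pkt.dst, pkt.src, pkt.dst_port, pkt.src_port)
        if reverse in self.flows:   # reply to a flow we already permitted
            return True
        peer = pkt.src if direction == "inbound" else pkt.dst
        for cidr, lo, hi in (self.inbound if direction == "inbound" else self.outbound):
            if ip_address(peer) in ip_network(cidr) and lo <= pkt.dst_port <= hi:
                self.flows.add((pkt.src, pkt.dst, pkt.src_port, pkt.dst_port))
                return True
        return False


def inline_appliance(pkt):
    """Hypothetical inline IPS: drops packets carrying a constructed SQLi signature."""
    return b"' OR 1=1" not in pkt.payload


def evaluate(pkt, direction, nacl, sg, appliance=inline_appliance):
    """Run the layers in order; return (allowed, stage) naming the denying stage."""
    stages = [("nacl", lambda p: nacl_allows(nacl[direction], p, direction)),
              ("appliance", appliance),
              ("security_group", lambda p: sg.allows(p, direction))]
    for name, check in stages:
        if not check(pkt):
            return False, name
    return True, "delivered"


def run_flow(allow_ephemeral_return, request_payload=b"GET / HTTP/1.1"):
    """Drive one client request and the server's reply through every layer."""
    nacl = {
        "inbound": [NaclRule(100, "allow", "0.0.0.0/0", 443, 443)],
        # A stateless NACL needs an explicit outbound allow covering the client's
        # ephemeral port; allowing only 443 outbound is the classic mistake.
        "outbound": [NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)]
                    if allow_ephemeral_return
                    else [NaclRule(100, "allow", "0.0.0.0/0", 443, 443)],
    }
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])
    request = Packet("203.0.113.10", "10.0.1.20", 51234, 443, payload=request_payload)
    verdict = evaluate(request, "inbound", nacl, sg)
    if not verdict[0]:
        return verdict, None            # nothing to reply to
    return verdict, evaluate(request.reply(b"HTTP/1.1 200 OK"), "outbound", nacl, sg)


if __name__ == "__main__":
    print("correct NACL:       ", run_flow(True))
    print("missing ephemeral:  ", run_flow(False))
    print("injection attempt:  ", run_flow(True, b"id=1' OR 1=1--"))
```

Note that the security group alone would have passed the reply in the misconfigured case, because its connection tracking recognises the return half of the permitted flow; the deny comes entirely from the stateless layer in front of it. When you add an inline appliance in a real VPC the same ordering applies: the appliance must sit in the route-table path, so anything the subnet NACL drops never reaches it, and anything it drops never reaches the security group.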
https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf