Continuing from the previous example, it may not be enough to just group your servers by function. The previous example would work great for general web pages that are accessible to the public, but would not work well if the applications needed to be controlled are on a per-client or per-system basis.

Refer to the following diagram:

This diagram looks very similar to the previous one, except we have simplified it down to a single application with separate front-end instances. The database instance still contains a security group that allows anything in the web interfaces (sg-1 and sg-2) while the web interfaces are bound ...