In my experience, AWS networking sucks. They can't even offer proper edge routing capabilities; instead they offer a bastardised version of it. Every time I think of security in AWS (via ACLs and Security Groups), I want to scream "2002 just called... they'd like their stateful firewalls back".

You can solve this using a 3rd-party firewall VA (Palo Alto, Cisco, Fortigate etc.), but the problem is, the people who have bought into Cloud are DevOps network luddites who think what AWS offers is best-of-breed and that there is no need for deep packet inspection, IPS, IDS etc.; likewise they happily route outbound. Even when you point out that they use these very same technologies on the corporate network, they don't feel the need to do this when it comes to the company's "crown jewels" (i.e. its data in AWS!).
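The "happily route outbound" point can be checked rather than argued about: a security group's egress rules are just a list of protocol/port/CIDR entries, and the default group ships with a single rule allowing all protocols to 0.0.0.0/0. The audit below is an added example, not code from the post above or from AWS; it uses only the Python standard library and takes input in the shape that boto3's `describe_security_groups` returns (`IpPermissionsEgress` with `IpProtocol`, `FromPort`/`ToPort`, `IpRanges`, `Ipv6Ranges`). The three security groups, their IDs and names are constructed for the example.

```python
"""Audit AWS security groups for egress rules that let instances reach anywhere.

Added example (not from the original post). Input follows the shape of the
boto3 EC2 describe_security_groups response; the groups below are constructed
so the check runs offline. Feed it SecurityGroups from a real response to run
it against an account.
"""
from ipaddress import ip_network

# Constructed sample groups in the describe_security_groups response shape.
SAMPLE_GROUPS = [
    {   # Looks like the AWS default group: every protocol, every port, to the world.
        "GroupId": "sg-0example1", "GroupName": "app-default",
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        ],
    },
    {   # Locked down: HTTPS to internal space and to a managed prefix list only.
        "GroupId": "sg-0example2", "GroupName": "app-locked",
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [], "Ipv6Ranges": [],
             "PrefixListIds": [{"PrefixListId": "pl-example"}]},
        ],
    },
    {   # Every TCP port to all of IPv6: easy to miss if you only grep for 0.0.0.0/0.
        "GroupId": "sg-0example3", "GroupName": "app-wide-ipv6",
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def is_world(cidr):
    """True when the CIDR is the whole address space (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def rule_cidrs(rule):
    """All IPv4 and IPv6 destination CIDRs on one egress rule."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def rule_severity(rule):
    """'high' if the rule covers every protocol or every port, else 'medium'."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                     # AWS encodes "all protocols" as -1 (no ports)
        return "high"
    if rule.get("FromPort") == 0 and rule.get("ToPort") == 65535:
        return "high"
    return "medium"


def egress_findings(groups):
    """Return (group_id, severity, description) for each rule reaching the whole internet."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissionsEgress", []):
            for cidr in rule_cidrs(rule):
                if not is_world(cidr):
                    continue
                proto = rule.get("IpProtocol")
                scope = ("all protocols/ports" if proto == "-1"
                         else f"{proto} {rule.get('FromPort')}-{rule.get('ToPort')}")
                findings.append((group["GroupId"], rule_severity(rule),
                                 f"egress to {cidr} on {scope}"))
    return findings


if __name__ == "__main__":
    for group_id, severity, desc in egress_findings(SAMPLE_GROUPS):
        print(f"{severity.upper():6} {group_id}: {desc}")
```

Groups that only reference prefix lists or other security groups produce no finding, which is the point: a rule with no CIDR cannot be "to anywhere", and those are the shapes you want to see once egress has been deliberately restricted.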

