Explanation

Security groups are the correct answer because they provide a virtual firewall at the instance level for Amazon EC2 instances.

Key Differences:

• Security Groups:

  • Operate at the instance level
  • Stateful - return traffic is automatically allowed
  • Support allow rules only (no deny rules)
  • Can be associated with individual EC2 instances
  • Evaluate all rules before deciding whether to allow traffic

• Network ACLs:

  • Operate at the subnet level
  • Stateless - return traffic must be explicitly allowed
  • Support both allow and deny rules
  • Apply to all instances in a subnet
  • Process rules in numerical order

• NAT Gateway:

  • Used to allow instances in private subnets to connect to the internet
  • Not a firewall feature

• Route Tables:

  • Control traffic routing between subnets and to external networks
  • Not a firewall feature

Since the requirement is for a virtual firewall specific to a single EC2 instance, security groups are the appropriate choice as they can be directly associated with individual instances.