I manage several firewalls in AWS and am frustrated by the fact that every one that I've seen still relies on IP/CIDR for filtering (other than DNS).
In a completely dynamic auto scaling AWS environment I'd like to know if there is a firewall out there that is aware of Instance Roles or Security Groups. Seeing as how many new APM tools are aware of these, I am hoping there is a Firewall as well.
I have my SGs tightened down when possible, and I have my firewall with egress rules configured, but I'd like to narrow those egress rules a lot – and maintaining SGs is difficult when dealing with DNS entries. (honestly if AWS SGs could handle DNS-based rules, this would be a moot point).
I've seen some corps using completely separate VPCs to handle different kinds of egress traffic, but this either means more egress firewalls, or certainly a more complicated routing design.
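One workaround for the "SGs can't handle DNS-based rules" problem raised in the question, as an added example that is not part of the original post: resolve the hostnames, diff the answers against the group's existing TCP egress rules, and apply only the delta through boto3. The hostname, group id and sample API response are constructed placeholders; the resolver and EC2 client are injectable so the reconciliation logic runs without AWS access.

```python
"""Reconcile a security group's TCP egress allow-list with current DNS answers.
Added example; hostnames, SG id and the sample API response are constructed."""
import ipaddress
import socket

def resolve_targets(hostnames, resolver=None):
    """Map each resolved IPv4 address (as a /32 CIDR) back to its hostname.
    `resolver(host)` must return an iterable of IP strings; injectable for offline use."""
    if resolver is None:
        resolver = lambda h: {ai[4][0] for ai in socket.getaddrinfo(h, None, socket.AF_INET)}
    return {f"{ipaddress.ip_address(ip)}/32": h for h in hostnames for ip in resolver(h)}

def current_egress_cidrs(sg, port):
    """IPv4 CIDRs already allowed for exactly TCP `port` in one SecurityGroup entry
    as returned by describe_security_groups(). Wider port ranges are left alone."""
    allowed = set()
    for perm in sg.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port == perm.get("ToPort"):
            allowed.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return allowed

def plan_egress_update(current, desired):
    """Return (to_authorize, to_revoke) so the rule set becomes exactly `desired`."""
    current, desired = set(current), set(desired)
    return sorted(desired - current), sorted(current - desired)

def _perm(port, cidr, desc=None):
    rng = {"CidrIp": cidr, **({"Description": desc} if desc else {})}
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": [rng]}

def reconcile(sg_id, hostnames, port=443, ec2=None, resolver=None):
    """Apply the plan; boto3 is imported lazily so the pure functions need no AWS."""
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    desired = resolve_targets(hostnames, resolver)          # cidr -> hostname
    add, remove = plan_egress_update(current_egress_cidrs(sg, port), desired)
    if add:   # description records which hostname justified the rule
        ec2.authorize_security_group_egress(
            GroupId=sg_id, IpPermissions=[_perm(port, c, desired[c]) for c in add])
    if remove:
        ec2.revoke_security_group_egress(
            GroupId=sg_id, IpPermissions=[_perm(port, c) for c in remove])
    return add, remove

# Constructed sample data: one stale /32 (.99) and one answer not yet allowed (.11).
SAMPLE_SG = {"GroupId": "sg-0123placeholder", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}, {"CidrIp": "203.0.113.99/32"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
FAKE_DNS = {"api.example.com": {"203.0.113.10", "203.0.113.11"}}
```

Answers for CDN-fronted hosts change often, so this has to run on a schedule and will churn rules; it narrows the allow-list but does not give the role-aware filtering the question asks for.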