If I block traffic via a security group, I assume I don't have to pay for it.
But if I block traffic via iptables installed on my server then I assume it would be me that pays for any incoming traffic I blocked.
Are there things iptables can do that a security group cannot?
I am asking because I am looking into mitigating DDoS attacks on my web server. Thanks.
One thing is for sure - if you use security groups, the filtered traffic never reaches your server, so it reduces the load the server needs to take to process firewall rules. This is important if you talk about DDoS.
Security groups seem to have just simple filtering rules, while with iptables you can do really fancy things. But do you need them? Personally I would filter as much as possible with security groups and then add a next stage on iptables if you need something more sophisticated than security groups allow. Nothing prevents you from also setting the same filters on both - you would then be doubly protected ;-)
On Amazon EC2, you are not charged for incoming traffic. You are only charged for outgoing traffic. src: http://aws.amazon.com/ec2/pricing/#DataTransfer
One thing to know is that you cannot add a security group to, or remove one from, a running instance. You can however change the rules in the security group you used for that instance.