A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups operate at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups. Network Access Control Lists (NACLs) operate at the subnet level, so they are not the correct answer. Route tables direct network traffic but do not control or filter it the way a firewall does. Subnet CIDRs are used for IP address allocation within a VPC and have no filtering capabilities.