Hennie It's not really necessary but it's logical to take a granular approach and filter unwanted traffic before the edge through network ACL, at the edge through edge firewalling and then locally on each enhance instance. I'm looking forward to when enhance makes it easy to define what services are publicly accessible/visible (mysqld, ftpd, sshd all cause problems with PCI DSS ASV scanning and more creative solutions need to be considered long term on how these are mitigated).
