AWS allows you to create your own virtual private cloud (or VPC). This is an isolated network within which your machines communicate. You control the level of access across your VPC through subnets, Network Access Control Lists (NACLs) and Security Groups.
Network Access Control Lists allow or deny particular traffic inbound and outbound, but they are stateless: allowing traffic in does not automatically allow the matching reply traffic back out. This can cause problems for services that use ephemeral ports (e.g. SSH over port 22: the incoming connection always arrives on port 22, but the replies leave for the ephemeral port the client chose, not port 22, so an outbound rule for port 22 alone is not enough).
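The following is an added example, not code from the original page or from AWS, that simulates the stateless NACL behaviour described above and contrasts it with a stateful security group. It models NACL evaluation the way AWS documents it (rules checked in ascending number, first match wins, implicit deny otherwise) and a security group as an allow-only, connection-tracking filter; the addresses, rule numbers and the 1024-65535 ephemeral range are constructed assumptions for illustration.

```python
"""Stateless (NACL) vs stateful (security group) filtering of an SSH exchange.

Added example; the rule numbers, addresses and ports below are constructed
for illustration and are not taken from any real account.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # assumed ephemeral port range for the outbound NACL rule


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = entering the subnet, "out" = leaving it
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending order; first match wins
    direction: str
    proto: str
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int   # destination port range covered by the rule
    port_to: int
    action: str      # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction or self.proto != pkt.proto:
            return False
        peer = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        if ip_address(peer) not in ip_network(self.cidr):
            return False
        return self.port_from <= pkt.dst_port <= self.port_to


def evaluate_nacl(rules, pkt: Packet) -> str:
    """Stateless: every packet is judged on its own; no match means the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: replies to an allowed flow pass without a rule in the other direction."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # Rule objects with direction "in"
        self.outbound = outbound  # Rule objects with direction "out"
        self.flows = set()        # tracked (proto, src_ip, src_port, dst_ip, dst_port)

    def evaluate(self, pkt: Packet) -> str:
        reply_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reply_key in self.flows:
            return "allow"  # return traffic of a connection that was already allowed
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(r.matches(pkt) for r in rules):  # security groups only allow, never deny
            self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        return "deny"


# Constructed exchange: an admin host (203.0.113.10) opens SSH to an instance (10.0.1.5).
SSH_SYN = Packet("in", "tcp", "203.0.113.10", 51514, "10.0.1.5", 22)
SSH_REPLY = Packet("out", "tcp", "10.0.1.5", 22, "203.0.113.10", 51514)

# NACL that "mirrors" the inbound rule: port 22 allowed in both directions, nothing else.
NACL_PORT_22_ONLY = [
    Rule(100, "in", "tcp", "0.0.0.0/0", 22, 22, "allow"),
    Rule(100, "out", "tcp", "0.0.0.0/0", 22, 22, "allow"),
]
# The same NACL plus an outbound rule covering the client's ephemeral ports.
NACL_WITH_EPHEMERAL = NACL_PORT_22_ONLY + [
    Rule(110, "out", "tcp", "0.0.0.0/0", *EPHEMERAL, "allow"),
]


def nacl_verdicts(rules):
    """Verdicts for the SSH request and its reply under a stateless NACL."""
    return [evaluate_nacl(rules, SSH_SYN), evaluate_nacl(rules, SSH_REPLY)]


def security_group_verdicts():
    """Verdicts for the same exchange under a security group with only an inbound 22 rule."""
    sg = SecurityGroup(inbound=[Rule(0, "in", "tcp", "0.0.0.0/0", 22, 22, "allow")], outbound=[])
    return [sg.evaluate(SSH_SYN), sg.evaluate(SSH_REPLY)]


if __name__ == "__main__":
    print("NACL, outbound 22 only:         ", nacl_verdicts(NACL_PORT_22_ONLY))    # ['allow', 'deny']
    print("NACL, plus ephemeral 1024-65535:", nacl_verdicts(NACL_WITH_EPHEMERAL))  # ['allow', 'allow']
    print("Security group, inbound 22 only:", security_group_verdicts())           # ['allow', 'allow']
```

The first scenario is the trap the text warns about: the inbound SSH packet is allowed, but the reply is addressed to the client's ephemeral port 51514, matches no outbound rule, and hits the implicit deny, so the session never completes. Adding an outbound allow for the ephemeral range fixes it; the security group needs no such rule because it remembers the flow.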