Idea to automatically restrict service access by default to certain IP ranges (e.g. to mitigate DoS attacks):
create a default LB security group in the VPC (this can be done via Seven Seconds)
TODO: find a good name for the security group, e.g. "default-protected-https-lb"
the default LB security group should only allow traffic from "trusted" IP ranges (this needs to include AWS ranges) via port 443
NOTE: AWS IP ranges need to be consolidated into bigger subnets (e.g. 52.95.0.0/16) so as not to hit the 50-rules-per-security-group limit
Senza's ElasticLoadBalancer component automatically assigns this default LB security group (if it exists) to the ELB (in addition to the usual "app-myapp-lb" security group)
senza init needs to be changed to not allow any traffic on the "app-myapp-lb" by default (if the default LB security group exists)
Users can still easily allow any public traffic to their app's LB by adding an inbound rule for "0.0.0.0/0" to "app-myapp-lb".
Changing Senza's ElasticLoadBalancer component to pull in the new restricted security group is "safe" as existing applications with "open" security groups are not affected (only new apps created with senza init).
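The range consolidation from the NOTE above, as an added example (not Senza or Seven Seconds code): it reads a document in the shape of AWS's published ip-ranges.json, collapses duplicate and adjacent prefixes, and, if the result still exceeds the rule limit, widens the remaining prefixes step by step (the way the note suggests coarsening to something like a /16) until they fit. It then builds the port-443-only ingress permissions for the default LB security group, in the dict shape boto3 expects for IpPermissions, without calling AWS. The prefixes and the "trusted" office range are constructed sample values; the function names are my own.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's ip-ranges.json; the prefixes are
# illustrative, not the real published list.
SAMPLE_IP_RANGES_JSON = json.dumps({
    "prefixes": [
        {"ip_prefix": "52.95.110.0/24", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "52.95.111.0/24", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "52.95.112.0/22", "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "54.93.0.0/16",   "region": "eu-central-1", "service": "EC2"},
        # same prefix listed under a second service: must count only once
        {"ip_prefix": "54.93.0.0/16",   "region": "eu-central-1", "service": "AMAZON"},
        {"ip_prefix": "35.156.0.0/14",  "region": "eu-central-1", "service": "EC2"},
        {"ip_prefix": "52.46.0.0/18",   "region": "us-east-1",    "service": "CLOUDFRONT"},
    ]
})

MAX_RULES_PER_SG = 50  # each CidrIp entry counts as one rule


def load_prefixes(ip_ranges_json, regions):
    """Return the IPv4 prefixes published for the given regions."""
    data = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["region"] in regions]


def consolidate(networks, max_rules, min_prefixlen=8):
    """Collapse duplicates/adjacent nets; if still over the limit, widen every
    prefix longer than the current cutoff one bit at a time and collapse again.
    Stops at min_prefixlen so a broken input cannot degrade to 0.0.0.0/0."""
    nets = list(ipaddress.collapse_addresses(networks))
    if not nets:
        return nets
    prefixlen = max(n.prefixlen for n in nets)
    while len(nets) > max_rules and prefixlen > min_prefixlen:
        prefixlen -= 1
        widened = [n.supernet(new_prefix=prefixlen) if n.prefixlen > prefixlen else n
                   for n in nets]
        nets = list(ipaddress.collapse_addresses(widened))
    return nets


def ingress_rules(aws_networks, trusted_cidrs, port=443):
    """Build the IpPermissions list for the default LB security group: TCP on
    `port` only, from the consolidated AWS ranges plus the trusted ranges."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    allowed = list(ipaddress.collapse_addresses(list(aws_networks) + trusted))
    if len(allowed) > MAX_RULES_PER_SG:
        raise ValueError("%d CIDRs exceed the %d-rule limit; consolidate further"
                         % (len(allowed), MAX_RULES_PER_SG))
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": str(n)} for n in allowed],
    }]


if __name__ == "__main__":
    aws = consolidate(load_prefixes(SAMPLE_IP_RANGES_JSON, {"eu-central-1"}), 3)
    # 203.0.113.0/24 is a constructed placeholder for a trusted office range
    print(json.dumps(ingress_rules(aws, ["203.0.113.0/24"]), indent=2))
```

Widening trades precision for rule count: in the sample, a limit of 3 turns 52.95.110.0/23 and 52.95.112.0/22 into a single 52.95.96.0/19, which admits more of AWS's space than strictly needed. That is the same trade the NOTE makes with 52.95.0.0/16, and the generated permission list is worth reviewing before it is applied to the group.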