Hi Vasil,
Thanks for the feedback, and great to hear it "just worked" for you; yay!
To answer your questions:
1) Yes, you should be able to deny any new incoming TCP connections, as long as outbound / established connections are allowed. And yes, you should be able to drop incoming connections to port 22, or even shut down your OpenSSH server.
2) Yes, that is a common use case. For this, we have the Border0 Connector. See docs and examples here:
https://docs.border0.com/docs/using-the-mysocket-connector
This allows you to declare exactly what you intend to make available through the connector. The connector needs outbound network access only, and it can manage the connections for the rest of your VPC. For example, this allows you to make RDS, SSH, or HTTP services available, either defined statically or based on EC2 tags; it also supports integrations with SSM.
An example can be found here: https://docs.border0.com/docs/config-template
Give it a try when you can! We'd love your feedback and can help you where needed.
Cheers!
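For point 1 above, here is what that host firewall policy looks like as an nftables ruleset. This is an added example, not part of the original thread and not Border0's own configuration: it assumes a Linux host running nftables, that the connector only ever opens outbound connections, and that port 22 is the only inbound service you still had exposed (interface names and ports are assumptions).

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original thread or Border0):
# keep outbound and already-established traffic, refuse all new inbound TCP,
# and explicitly drop new SSH once connector-based access is confirmed working.
# Assumes a Linux host with nftables; "lo" and port 22 are assumptions.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback, plus return traffic for connections this host initiated
        # (this is what keeps the connector's outbound sessions working).
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # ICMP/ICMPv6 stay open for path MTU discovery and neighbour discovery.
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # Explicitly drop new SSH: remote access goes through the connector now.
        tcp dport 22 ct state new drop

        # Any other new inbound TCP/UDP falls through to the drop policy.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound is allowed; the connector needs nothing more than this.
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`. The practical check before applying the port 22 rule: open a session through the connector first and keep one existing SSH session alive while you load the ruleset, since `established,related` keeps that session usable even after new SSH connections are dropped. Note that the rules use `drop` rather than `reject`; scans then see a filtered port instead of a closed one, at the cost of slower failure for legitimate misconfigured clients.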