The only things exposed on our VPC are an Amazon ELB and a well-secured SSH bastion host (keys only, EC2 instances have password login disabled by default) for getting into the private cloud.

No reason you can't run stuff like mod_security, but that's not strictly a firewall, just Apache setup.