What is the best practice for setting up security groups?

Every VM has to have a security group associated with it but there is no requirement that they all share the same one. Each VM can have a different security group or share a common security group. Also, VMs can have more than one security group so you can design a complicated and sophisticated security model if so required.

Best practice is to open access to the outside world to the absolute minimum required. For example, web servers may need several ports exposed externally but other servers in the deployment may only need to have only one (eg., TCP 22) exposed for management purposes. In cases such as that, one security group could be shared by all VMs opening port 22 to the management address while the web servers could have a second security group exposing the web ports to all addresses.

Another best practice is to expose ports only to those addresses requiring access to them.  For example, you need to open TCP 22 for management purposes.  However, you only want to access the VM from a specific address or network (e.g., 101.102.103.104).  Such a custom rule would look like this:

Cidr

For more information on how to setup and manage security groups, go HERE