Security group to lock down a client / net

Any advice for setting up an SG that blocks anything but internet access for a client?
Example: its network (or this box) should be able to speak to nothing else but the upstream gateway, and NOT to any neighbour.

Doing this right within Security Groups might be a lot more maintainable than doing it all on switch or firewall level.

hmm, in that case it will be better to create separate virtual networks with VLANs