US 11,985,065 B2
Enabling isolated virtual network configuration options for network function accelerators
Upendra Bhalchandra Shevade, Washington, DC (US); Ximeng Simon Yang, San Francisco, CA (US); Benjamin Wojtowicz, San Francisco, CA (US); and Diwakar Gupta, Seattle, WA (US)
Assigned to Amazon Technologies, Inc., Seattle, WA (US)
Filed by Amazon Technologies, Inc., Seattle, WA (US)
Filed on Jun. 16, 2022, as Appl. No. 17/807,344.
Prior Publication US 2023/0412507 A1, Dec. 21, 2023
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 45/76 (2022.01); G06F 9/54 (2006.01); H04L 9/40 (2022.01); H04L 12/46 (2006.01); H04L 47/12 (2022.01)
CPC H04L 45/76 (2022.05) [G06F 9/547 (2013.01); H04L 12/4641 (2013.01); H04L 47/12 (2013.01); H04L 63/126 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system, comprising:
a control plane server of a virtualized computing service of a cloud provider network; and
a virtualization server which includes a network function accelerator for radio-based applications;
wherein the control plane server is configured to:
establish an isolated virtual network on behalf of a client of the virtualized computing service;
store, within a repository of metadata of the isolated virtual network in response to a first request submitted via a programmatic interface of the virtualized computing service by the client, a representation of a first security group associated with a compute instance launched at the virtualization server, wherein the compute instance is assigned a network address within the isolated virtual network, wherein the first security group includes a first restriction on sources of inbound traffic directed to the compute instance, and wherein the compute instance executes a first network function of a radio-based application;
store, within the repository in response to a second request submitted via the programmatic interface by the client, a representation of a second security group associated with the network function accelerator, wherein the second security group includes a second restriction on destinations of outbound traffic from the network function accelerator, and wherein the network function accelerator executes a second network function of the radio-based application;
cause a verification, prior to delivery of a first network message of the radio-based application to the compute instance using the network address as a destination address, that the first network message is compliant with the first restriction, wherein the first network message results at least in part in an execution of the first network function; and
cause a verification, prior to transmission of a second network message of the radio-based application to a destination from the network function accelerator, that the second network message is compliant with the second restriction, wherein output of an execution of the first network function results at least in part in an execution of the second network function.
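As an added illustration, not the patent holder's implementation, the following Python model walks through the two checks claim 1 describes: an inbound source restriction verified before a message reaches the compute instance, and an outbound destination restriction verified before the network function accelerator transmits. Resource ids, CIDRs, and the payload transformations standing in for the two network functions are all constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class SecurityGroup:
    """Allow-list rules held in the IVN metadata repository (default deny)."""
    name: str
    inbound_sources: list = field(default_factory=list)        # CIDRs allowed to send to the resource
    outbound_destinations: list = field(default_factory=list)  # CIDRs the resource may send to

    def allows_inbound(self, src: str) -> bool:
        return any(ip_address(src) in ip_network(c) for c in self.inbound_sources)

    def allows_outbound(self, dst: str) -> bool:
        return any(ip_address(dst) in ip_network(c) for c in self.outbound_destinations)


class IsolatedVirtualNetwork:
    """Minimal stand-in for the control plane's per-IVN metadata repository."""
    def __init__(self) -> None:
        self.groups: dict = {}  # resource id -> SecurityGroup

    def associate(self, resource_id: str, group: SecurityGroup) -> None:
        self.groups[resource_id] = group  # the client's first / second programmatic request


def deliver_to_instance(ivn, instance_id, src, payload):
    """Verify the first restriction, then run network function 1 (constructed: upper-case)."""
    if not ivn.groups[instance_id].allows_inbound(src):
        return None  # dropped before delivery to the compute instance
    return {"from_nf1": payload.upper()}


def transmit_from_nfa(ivn, nfa_id, dst, nf1_output):
    """Run network function 2 on the NFA (constructed), verify the second restriction before sending."""
    frame = nf1_output["from_nf1"] + "|encoded"
    if not ivn.groups[nfa_id].allows_outbound(dst):
        return None  # blocked before transmission from the accelerator
    return frame


def build_example_ivn():
    ivn = IsolatedVirtualNetwork()  # constructed ids and CIDRs
    ivn.associate("instance-1", SecurityGroup("sg-instance", inbound_sources=["10.0.1.0/24"]))
    ivn.associate("nfa-1", SecurityGroup("sg-nfa", outbound_destinations=["192.0.2.0/24"]))
    return ivn


def run_pipeline(ivn, src, nfa_dst, payload):
    """Message 1 -> instance (NF1) -> NFA (NF2) -> message 2; report each verification."""
    nf1_out = deliver_to_instance(ivn, "instance-1", src, payload)
    if nf1_out is None:
        return {"inbound_ok": False, "outbound_ok": None, "sent": None}
    sent = transmit_from_nfa(ivn, "nfa-1", nfa_dst, nf1_out)
    return {"inbound_ok": True, "outbound_ok": sent is not None, "sent": sent}
```

Because the NFA's outbound check runs on the output of the instance's network function, a message that fails the first restriction never reaches the accelerator at all.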