Network Security Controls
Your cloud resources communicate over networks. Databases talk to application servers. Application servers talk to users. Services talk to each other. Without network security controls, any path in the network is a potential attack path. Network security controls decide who can talk to whom, on which ports, and under what conditions.
The Neighborhood Watch Analogy
Imagine a neighborhood with roads connecting every house. Without controls, anyone can drive on any road to any house at any time. With controls, certain roads have checkpoints, some roads are closed to outsiders, and residents can call for help if a strange car appears. Cloud network security works the same way — it puts checkpoints on your traffic and blocks unauthorized routes entirely.
Firewalls
A firewall is a rule-based filter for network traffic. It examines every connection attempt — incoming and outgoing — and allows or blocks it based on your rules. Cloud firewalls are software-defined, meaning you configure them through a control panel rather than installing physical hardware.
Firewall Rule Example: ------------------------------------------------- Rule 1: ALLOW → Port 443 (HTTPS) → From: Internet → To: Web Server Rule 2: ALLOW → Port 5432 (DB) → From: App Server → To: Database Rule 3: DENY → All other ports → From: Internet → To: Database ------------------------------------------------- The database never directly receives internet traffic. Only the app server can reach it.
Security Groups
Cloud providers use security groups as virtual firewalls for individual resources. A security group contains inbound and outbound rules. You assign a security group to each virtual machine, database, or other resource. This means you control network access at the resource level — not just at the perimeter.
Example: Your web server's security group allows traffic on port 80 and 443 from anywhere. Your database's security group only allows traffic on port 5432 from the web server's IP address.
Network ACLs (Access Control Lists)
A Network ACL is a firewall for an entire subnet — a group of resources sharing the same network segment. While security groups protect individual resources, Network ACLs protect the subnet boundary. They add a second layer of traffic control. Rules are evaluated in numeric order, and the first matching rule wins.
Layers of Network Defense:
-------------------------------------------------
Internet
|
[ Network ACL ] ← Subnet-level firewall
|
[ Security Group ] ← Resource-level firewall
|
[ Your Cloud Server ]
-------------------------------------------------
Two checkpoints before traffic reaches your server.
Web Application Firewalls (WAF)
A WAF sits in front of your web application and inspects HTTP/HTTPS traffic specifically. It looks for attack patterns — SQL injection, cross-site scripting (XSS), bot traffic, and other web-specific threats. A regular firewall checks ports and IP addresses. A WAF checks the actual content of web requests.
Example: A WAF rule blocks any request that contains OR 1=1 in a URL parameter — a classic SQL injection attempt. Your web server never sees that request.
DDoS Protection
Cloud providers offer built-in DDoS protection that absorbs and filters large volumes of malicious traffic before it reaches your resources. AWS Shield, Azure DDoS Protection, and Google Cloud Armor all automatically detect and mitigate large-scale volumetric attacks. Enhanced tiers offer more protection against sophisticated application-layer attacks.
Network Segmentation
Network segmentation divides your cloud environment into zones with limited communication between them. Instead of one flat network where every service can talk to every other service, you create separate segments. A breach in one zone cannot easily spread to another.
| Zone | Contains | Access From |
|---|---|---|
| Public Zone | Web servers, load balancers | Internet and App Zone |
| Application Zone | App servers, APIs | Public Zone and Data Zone |
| Data Zone | Databases, storage | Application Zone only |
| Management Zone | Admin tools, logging | VPN / trusted IPs only |
Key Terms to Know
- Security Group: A virtual firewall that controls inbound and outbound traffic for an individual cloud resource.
- ACL: Access Control List — rules applied at a subnet or resource level to allow or deny traffic.
- WAF: Web Application Firewall — a firewall that inspects HTTP traffic for application-layer attacks.
- Subnet: A defined segment of an IP network.
- DDoS: Distributed Denial of Service — a flood of traffic from many sources intended to overwhelm a system.
What You Learned
Network security controls include firewalls, security groups, network ACLs, WAFs, DDoS protection, and network segmentation. Firewalls and security groups control which traffic reaches your resources. WAFs inspect web application traffic for attack patterns. DDoS protection absorbs large-scale traffic floods. Network segmentation limits how far a breach can spread by dividing your environment into zones with tightly controlled communication between them.
