This content is part of the Essential Guide: Combat the latest cloud security challenges and risks

How do I establish network security groups for public cloud?

Network security groups control the lines of communication between network traffic and cloud instances. How do I set them up in AWS or Azure?

Network security groups allow organizations to shield parts of their public cloud from direct outside access -- similar to a firewall. At the same time, these groups ensure the data flowing between cloud instances is contained only within relevant instances. While some organizations will require additional public cloud security tools, network security groups are a good start.

Network security groups help cloud admins establish access controls for networks in a public cloud configuration. For instance, admins can set up a subnet of instances as a demilitarized zone (DMZ) with Internet access, while ensuring tiers of back-end cloud instances only talk to each other, and to specific ports or instances, within the DMZ.

Network security groups help cloud admins establish access controls for networks in a public cloud configuration.

The process for setting up network security groups differs between clouds. With Microsoft Azure, for example, admins create network security groups either through the Azure Resource Manager portal, which has a GUI setup, or through scripts. Cloud admins for Amazon Web Services (AWS) can use AWS' Virtual Private Cloud console.

All cloud instances need to belong to network security groups, and there is a default group in both that blocks inbound traffic from the Internet. However, it's generally bad practice to rely only on defaults. Cloud services need to communicate with other applications and services, but some instances, such as databases, should never be accessed directly by the Internet.

To address this, cloud admins can create a three-tier cloud security model that consists of:

  1. A top tier that is Internet-aware for Web servers.
  2. A middle tier that acts as an application layer and talks to the top tier and the bottom tier.
  3. A bottom tier that supports the database. Because only the middle layer can communicate with the bottom tier, the database has greater isolation.

There are other similarities and differences between network security groups for public cloud security in Azure and AWS. Both are rules-based systems and admins can apply these rules to cloud instances, as well as subnets. In AWS, rules have no priority over each other; this makes it easier for admins to write them, since exceptions to a prior rule don't need to be stated. Azure maintains a priority system, which more closely resembles traditional firewall setups, and can increase complexity.

Google takes a more traditional approach to public cloud security. Google Cloud Platform uses features such as firewalls and routing that are more familiar to network admins with a background in on-premises operations. While experienced admins may feel more comfortable with Google's cloud security approach, it could also create more work, since there are more elements to manage.

Next Steps

Perform security tests in public cloud

Protect data with cloud access security brokers

Explore the evolution of network security

Dig Deeper on Cloud computing security