Cloud environments abandon physical VLANs in favor of Virtual Private Clouds (VPCs) and software-defined micro-perimeters. Security Groups (AWS) and Network Security Groups (NSGs, Azure) act as stateful, distributed firewalls attached directly to the cloud instance's virtual NIC.
Security Groups (SGs) are stateful and operate at the instance level. Network ACLs (NACLs) are stateless and operate at the subnet level. SGs are the primary defense mechanism, allowing you to define 'allow' rules based on logical references (such as another security group) rather than IP addresses.
💡 Pro-tip: Use Security Group referencing. Instead of allowing IP 10.0.1.5, allow 'sg-web-tier'. This makes your architecture elastic; as auto-scaling adds new instances, they inherit the correct access automatically.
This command allows MySQL access ONLY from instances belonging to the sg-web-tier security group, regardless of their dynamic IP addresses.
Azure NSGs function similarly but can be applied to both subnets and individual NICs. They can also use Application Security Groups (ASGs) to group VMs by application role, simplifying complex east-west rule management.
⚠️ Cloud firewalls default to 'implicit deny' for inbound, but 'implicit allow' for outbound. Always create explicit outbound rules to prevent compromised instances from initiating C2 connections or exfiltrating data.
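To make the two points above concrete (the MySQL rule that references sg-web-tier instead of an IP, and why explicit egress matters), here is an added Python model of stateful security-group evaluation; it is not cloud-provider code, and the group ids sg-web-tier, sg-db-tier and sg-other, the IPs and the ports are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed model of security-group evaluation (an added example, not provider code).
# Group ids, IPs and ports are illustrative.
@dataclass
class Rule:
    proto: str   # "tcp" or "any"
    port: int    # 0 = any port
    peer: str    # CIDR ("0.0.0.0/0") or a group reference ("sg-db-tier")

@dataclass
class SecurityGroup:
    ingress: list = field(default_factory=list)                                  # implicit deny inbound
    egress: list = field(default_factory=lambda: [Rule("any", 0, "0.0.0.0/0")])  # implicit allow outbound

class Vpc:
    def __init__(self):
        self.groups: dict[str, SecurityGroup] = {}
        self.members: dict[str, set[str]] = {}   # group id -> IPs of the instances attached to it

    def attach(self, sg: str, ip: str) -> None:
        self.members.setdefault(sg, set()).add(ip)

    def _match(self, rules, proto, port, ip) -> bool:
        for r in rules:
            if r.proto not in ("any", proto) or r.port not in (0, port):
                continue
            # A group reference resolves to the group's CURRENT members, so new auto-scaled instances are covered.
            if r.peer.startswith("sg-"):
                if ip in self.members.get(r.peer, set()):
                    return True
            elif ip_address(ip) in ip_network(r.peer):
                return True
        return False

    def allowed(self, src_sg, src_ip, dst_ip, proto, port, dst_sg=None) -> bool:
        """Stateful new-connection check: source egress and (in-VPC) destination ingress must both allow it; replies need no rule."""
        if not self._match(self.groups[src_sg].egress, proto, port, dst_ip):
            return False
        return dst_sg is None or self._match(self.groups[dst_sg].ingress, proto, port, src_ip)

def build_demo(explicit_egress: bool) -> Vpc:
    vpc = Vpc()
    vpc.groups["sg-db-tier"] = SecurityGroup(ingress=[Rule("tcp", 3306, "sg-web-tier")])
    vpc.groups["sg-web-tier"], vpc.groups["sg-other"] = SecurityGroup(), SecurityGroup()
    if explicit_egress:   # replace the allow-all default with only what the web tier needs
        vpc.groups["sg-web-tier"].egress = [Rule("tcp", 3306, "sg-db-tier")]
    for sg, ip in [("sg-web-tier", "10.0.1.5"), ("sg-db-tier", "10.0.2.9"), ("sg-other", "10.0.3.3")]:
        vpc.attach(sg, ip)
    return vpc
```

With `explicit_egress=False` the web tier keeps the default allow-all outbound and can reach any internet host on any port; with `True` only MySQL to the database tier passes, while a newly attached web instance still reaches the database with no rule change.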
| Cloud | Instance FW | Subnet FW |
|---|---|---|
| AWS | Security Group (Stateful) | NACL (Stateless) |
| Azure | NSG on NIC | NSG on Subnet |
| GCP | VPC Firewall Rules | VPC Firewall Rules |