Cloud computing has fundamentally changed network security architecture. The traditional perimeter dissolves when applications, data, and users are distributed across multiple cloud providers, on-premises data centres, and remote locations. Cloud network security requires adapting architectural principles to environments where you no longer control the physical infrastructure.
| Traditional | Cloud |
|---|---|
| Physical firewalls at the perimeter | Virtual firewalls and security groups |
| Hardware load balancers | Cloud-native load balancers |
| Physical network segmentation | Virtual networks and subnets |
| On-premises IDS/IPS | Cloud-native threat detection services |
| MPLS for site-to-site connectivity | VPN and SD-WAN over the internet |
| Capital expenditure (buy hardware) | Operational expenditure (pay as you go) |
Cloud security follows a shared responsibility model: the provider is responsible for security *of* the cloud (the physical and virtualisation layers), the customer for security *in* the cloud (what they deploy on it). Where the line sits depends on the service model, and data protection and identity stay with the customer in every model:
| Responsibility | IaaS | PaaS | SaaS |
|---|---|---|---|
| Physical infrastructure | Provider | Provider | Provider |
| Network infrastructure | Provider | Provider | Provider |
| Virtualisation layer | Provider | Provider | Provider |
| Operating system | Customer | Provider | Provider |
| Network controls (security groups, NACLs) | Customer | Shared | Provider |
| Application security | Customer | Customer | Provider |
| Data protection | Customer | Customer | Customer |
| Identity and access | Customer | Customer | Customer |
A VPC (virtual private cloud) is an isolated virtual network within a cloud provider, equivalent to a physical network in a data centre. The usual layout splits it into public subnets, which have a route to an internet gateway and host the components that must be reachable from outside, and private subnets, which have no such route and host the application and data tiers that should only be reachable from inside the VPC:

```text
┌──────────────────────────────────────────────┐
│ VPC                                          │
│ (10.0.0.0/16)                                │
│                                              │
│  ┌────────────────┐      ┌────────────────┐  │
│  │ Public Subnet  │      │ Public Subnet  │  │
│  │ 10.0.1.0/24    │      │ 10.0.2.0/24    │  │
│  │ [Web Servers]  │      │ [Load Balancer]│  │
│  └───────┬────────┘      └───────┬────────┘  │
│          │                       │           │
│  ┌───────▼────────┐      ┌───────▼────────┐  │
│  │ Private Subnet │      │ Private Subnet │  │
│  │ 10.0.3.0/24    │      │ 10.0.4.0/24    │  │
│  │ [App Servers]  │      │ [Databases]    │  │
│  └────────────────┘      └────────────────┘  │
│                                              │
└──────────────────────────────────────────────┘
```
The same controls go by different names on each provider:

| Control | AWS | Azure | GCP |
|---|---|---|---|
| Virtual firewall | Security Groups | Network Security Groups (NSG) | VPC Firewall Rules |
| Subnet ACLs | NACLs | NSG at subnet level | Hierarchical firewall policies (no subnet-level ACL) |
| Web application firewall | AWS WAF | Azure WAF | Cloud Armor |
| DDoS protection | AWS Shield | Azure DDoS Protection | Cloud Armor |
| Private connectivity | PrivateLink | Private Link | Private Service Connect |
| VPN | Site-to-Site VPN | VPN Gateway | Cloud VPN |
| Network monitoring | VPC Flow Logs | NSG Flow Logs | VPC Flow Logs |
| DNS security | Route 53 Resolver DNS Firewall | Azure DNS Private Zones | Cloud DNS |
| Threat detection | GuardDuty | Microsoft Defender for Cloud | Security Command Center |
Security groups (the AWS term; the properties below are the AWS semantics) are the first-line virtual firewall:

| Security group feature | Description |
|---|---|
| Operates at | Instance level (attached to virtual machines / ENIs), not to the subnet |
| Stateful | Return traffic for an allowed connection is automatically allowed in the other direction |
| Default | A new security group has no inbound rules (deny all inbound) and allows all outbound |
| Rules | Allow rules only (no explicit deny); anything not matched by an allow rule is dropped |

Azure NSGs and GCP firewall rules differ on the last point: both support explicit deny rules with a priority order, so the "allow only" property is specific to AWS security groups. Subnet-level NACLs on AWS are also stateless, so a return-traffic rule for the ephemeral port range must be written explicitly.
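To make the instance-level, stateful, allow-only semantics concrete, the following added example (written for this lesson, not taken from any provider SDK) models the app and database tiers from the VPC diagram above with AWS-style security groups, and contrasts them with a stateless, ordered NACL on the database subnet. The subnet ranges come from the diagram; the instance addresses, ports, rule numbers and the `Rule`/`SecurityGroup` names are assumptions made for the example.

```python
"""Security groups versus network ACLs, modelled on the tiered VPC above.

Example code added for this lesson; it is not from any provider SDK. The
subnet ranges come from the diagram; the addresses, ports and rule numbers
are assumptions. Security groups are modelled with AWS semantics (instance
level, stateful, allow rules only); NACLs are stateless, subnet level and
evaluated in rule-number order with explicit allow or deny.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PRIVATE_APP = ip_network("10.0.3.0/24")   # [App Servers] in the diagram
PRIVATE_DB = ip_network("10.0.4.0/24")    # [Databases] in the diagram
EPHEMERAL = (1024, 65535)                 # client-side source port range


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str              # remote side: source for inbound, destination for outbound
    action: str = "allow"  # NACLs may use "deny"; security groups never do
    number: int = 0        # NACL evaluation order, lowest first

    def matches(self, proto, port, remote):
        return (self.proto in ("all", proto)
                and self.port_from <= port <= self.port_to
                and ip_address(remote) in ip_network(self.cidr))


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)  # default: no inbound rules = deny all
    outbound: list = field(default_factory=lambda: [Rule("all", 0, 65535, "0.0.0.0/0")])
    # Connection tracking: flows whose replies are allowed without a matching rule.
    _reply_in: set = field(default_factory=set)
    _reply_out: set = field(default_factory=set)

    def __post_init__(self):
        for r in self.inbound + self.outbound:
            if r.action != "allow":
                raise ValueError("security groups have no deny rules")

    def allow_inbound(self, proto, src, src_port, dst_port):
        if (proto, src, src_port, dst_port) in self._reply_in:
            return True  # stateful: reply to a connection this instance opened
        if any(r.matches(proto, dst_port, src) for r in self.inbound):
            self._reply_out.add((proto, src, src_port, dst_port))
            return True
        return False

    def allow_outbound(self, proto, dst, dst_port, src_port):
        if (proto, dst, dst_port, src_port) in self._reply_out:
            return True  # stateful: reply to a connection accepted inbound
        if any(r.matches(proto, dst_port, dst) for r in self.outbound):
            self._reply_in.add((proto, dst, dst_port, src_port))
            return True
        return False


def nacl_allows(rules, proto, port, remote):
    """Stateless NACL evaluation: the lowest-numbered matching rule wins, and
    the implicit final rule denies anything that matched nothing."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(proto, port, remote):
            return r.action == "allow"
    return False


def demo():
    app, db, web = "10.0.3.10", "10.0.4.10", "10.0.1.10"   # assumed addresses
    # App tier may only open outbound connections to Postgres in the DB subnet.
    app_sg = SecurityGroup("app", outbound=[Rule("tcp", 5432, 5432, str(PRIVATE_DB))])
    # DB tier accepts Postgres from the app subnet only.
    db_sg = SecurityGroup("db", inbound=[Rule("tcp", 5432, 5432, str(PRIVATE_APP))])
    r = {}
    r["app_opens_db"] = app_sg.allow_outbound("tcp", db, 5432, 51000)
    r["db_accepts_app"] = db_sg.allow_inbound("tcp", app, 51000, 5432)
    r["db_rejects_web"] = not db_sg.allow_inbound("tcp", web, 51001, 5432)
    # Stateful: the reply reaches the app instance although app_sg has no inbound rule.
    r["app_gets_reply"] = app_sg.allow_inbound("tcp", db, 5432, 51000)
    # A new, unrelated inbound connection to the app instance is still denied.
    r["app_denies_new"] = not app_sg.allow_inbound("tcp", db, 5432, 51001)
    # Stateless NACL on the DB subnet: without an outbound ephemeral-port rule
    # the Postgres reply back to the app subnet is dropped.
    nacl_in = [Rule("tcp", 5432, 5432, str(PRIVATE_APP), number=100)]
    nacl_out_bad = [Rule("tcp", 5432, 5432, str(PRIVATE_APP), number=100)]
    nacl_out_ok = [Rule("tcp", *EPHEMERAL, str(PRIVATE_APP), number=100)]
    r["nacl_accepts_app"] = nacl_allows(nacl_in, "tcp", 5432, app)
    r["nacl_reply_dropped"] = not nacl_allows(nacl_out_bad, "tcp", 51000, app)
    r["nacl_reply_ok"] = nacl_allows(nacl_out_ok, "tcp", 51000, app)
    # Explicit deny wins when it carries the lower number (e.g. blocking one host).
    nacl_deny_first = [Rule("tcp", 5432, 5432, "10.0.3.10/32", "deny", 50)] + nacl_in
    r["nacl_explicit_deny"] = not nacl_allows(nacl_deny_first, "tcp", 5432, app)
    return r


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'ok' if ok else 'FAIL'}")
```

The `app_gets_reply` and `nacl_reply_dropped` checks are the pair worth remembering: the same database reply that a security group passes on connection state alone is silently dropped by a NACL until an outbound rule for the ephemeral port range is added, which is the most common cause of "the security group looks right but nothing connects" in a tiered VPC.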