This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.

Cloud Network Security

Cloud Network Security

Cloud Network Security

Cloud Network Security

Cloud Network Security

Cloud Network Security

Cloud Network Security

Cloud Network Security

Cloud Network Security

Cloud Network Security Layers

Cloud networks require defense in depth: VPC isolation, subnet segmentation, security groups, network ACLs, and traffic inspection.

Security Groups vs NACLs

Security groups are stateful instance-level firewalls. NACLs are stateless subnet-level filters:

Security Group (stateful)

resource "aws_security_group" "web_sg" {

name = "web-tier"

description = "Security group for web instances"

vpc_id = var.vpc_id

ingress {

description = "HTTPS from anywhere"

from_port = 443

to_port = 443

protocol = "tcp"

cidr_blocks = ["0.0.0.0/0"]

}

ingress {

description = "SSH from bastion only"

from_port = 22

to_port = 22

protocol = "tcp"

security_groups = [aws_security_group.bastion.id]

}

egress {

from_port = 0

to_port = 0

protocol = "-1"

cidr_blocks = ["0.0.0.0/0"]

}

}

NACL (stateless - must allow both directions)

resource "aws_network_acl" "public_subnet_acl" {

vpc_id = var.vpc_id

ingress {

rule_no = 100

protocol = "tcp"

from_port = 443

to_port = 443

cidr_block = "0.0.0.0/0"

action = "allow"

}

egress {

rule_no = 100

protocol = "tcp"

from_port = 1024

to_port = 65535

cidr_block = "0.0.0.0/0"

action = "allow"

}

---

Read the full article on AI Study Room for complete code examples, comparison tables, and related resources.

Found this useful? Check out more developer guides and tool comparisons on AI Study Room.