3. Virtual Networks & Security Groups
Cloud networking is the backbone of secure cloud architectures. In traditional on-premises environments, network boundaries were well-defined: firewalls, VLANs, physical routers, and datacenter segmentation. In cloud environments, however, these concepts transition into virtualized abstractions: Virtual Private Clouds (VPCs), Virtual Networks (VNets), subnets, security groups, network access control lists, route tables, proxies, and gateways. The shift from hardware-based perimeter controls to software-defined networking (SDN) models represents a fundamental paradigm change: the network becomes programmable, ephemeral, and deeply integrated with identity and automation.
This virtualization significantly amplifies both opportunities and risks. Cloud platforms offer granular segmentation, micro-segmented firewalls, and isolation mechanisms far more flexible than on-premises equivalents. Yet misconfigurations, overly permissive security groups, exposed endpoints, and inappropriate peerings remain among the leading causes of cloud breaches. In fact, the threat analyses found in The Web Application Hacker’s Handbook highlight that network exposure often becomes the initial entry point for attacks, especially when external services are reachable from the internet.
As we explore Virtual Networks and Security Groups across AWS, Azure, and GCP, we will analyze these architectures in depth, focusing on their design principles, configuration models, and their role in enforcing Zero Trust through segmentation, least privilege, and network-based access control.
Core Cloud Networking Concepts
Before diving into each cloud provider, it is essential to understand the abstractions common to cloud networking. Across all major platforms, we see the following shared components:
Virtualized Private Networks (VPCs/VNets)
A logically isolated virtual network where resources are deployed. These networks behave similarly to traditional TCP/IP networks but are fully controlled via APIs and policy engines.
Subnets
Logical subdivisions of virtual networks. Subnets may be designated as public or private depending on their routing configurations. Subnet design impacts security posture, resource accessibility, and future scalability.
Routing Systems
Route tables or network routing policies define how traffic flows within and outside the cloud. Misconfigured routing can unintentionally expose internal services.
Firewalls and Access Control Systems
These include:
- Security Groups (instance-level firewalls)
- Network ACLs (subnet-level)
- Cloud firewalls (managed firewall services)
- Application firewalls (WAFs)
Security groups are the primary focus of this chapter.
Connectivity and Isolation Controls
Such as:
- Peering
- VPN tunnels
- Interconnects / ExpressRoute / Direct Connect
- NAT gateways
- Load balancers
- Private endpoints
Understanding these components is essential for secure network architecture design.
AWS Virtual Networks & Security Groups
AWS uses the Virtual Private Cloud (VPC) architecture, one of the most widely adopted cloud networking models in industry.
AWS VPC Architecture
An AWS VPC is a logically isolated virtual network in which users define:
- CIDR Blocks
- Public and private subnets
- Route tables
- NAT gateways
- Internet gateways
- VPC endpoints for private service access
Each VPC is fully customizable, offering granular control over traffic.
Security Groups (SGs) in AWS
Security Groups are stateful, instance-level firewalls that control inbound and outbound traffic.
Key characteristics:
- Stateful: Return traffic is automatically permitted.
- Attached per-resource: EC2 instances, RDS, Lambda in VPC mode, ENIs.
- Allow rules only: No deny rules; security groups define permitted traffic only.
- Dynamic updates: Changes apply instantly without restarts.
Structure of Security Group Rules
Each rule includes:
- Protocol (TCP, UDP, ICMP, etc.)
- Port or port ranges
- Source/destination (CIDR, SG reference, prefix list)
Referencing other security groups is a powerful micro-segmentation technique.
Network ACLs (NACLs)
Where security groups are stateful and instance-level, NACLs are stateless firewall rules applied at the subnet level.
They include both allow and deny rules.
NACLs provide coarse-grained control at the subnet boundary; SGs provide fine-grained control per resource.
Use cases:
- Blocking known malicious IP ranges
- Differentiating traffic between public/private subnets
- Complementing SGs for compliance requirements
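The stateful/stateless distinction above is the one that most often surprises people in practice: an SG rule that admits port 443 silently admits the replies, while a NACL that mirrors the same rule drops them unless an ephemeral-port egress rule exists. The following Python model is an added example written for this chapter, not AWS code; the addresses, port numbers and rule numbers are constructed, and the connection-tracking table is a simplification of what the SG actually does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class SGRule:
    proto: str
    from_port: int
    to_port: int
    cidr: str          # source CIDR (inbound) or destination CIDR (outbound)


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluated in ascending number order, first match wins
    proto: str
    from_port: int
    to_port: int
    cidr: str
    action: str        # "allow" or "deny"


def _matches(rule, peer_ip, proto, port):
    return (rule.proto == proto
            and rule.from_port <= port <= rule.to_port
            and ip_address(peer_ip) in ip_network(rule.cidr))


class SecurityGroup:
    """Stateful, allow-only: once a flow is permitted, its reply packets pass
    without matching any rule, because the SG tracks the connection."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()   # connection table: (src, sport, dst, dport)

    def allows(self, pkt, direction):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return True       # reply half of a tracked flow
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        if any(_matches(r, peer, pkt.proto, pkt.dport) for r in rules):
            self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False          # there are no deny rules; unmatched traffic is dropped


class NetworkAcl:
    """Stateless: every packet, replies included, is checked on its own against
    the numbered rules for its direction; the implicit final rule denies."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        for r in rules:
            if _matches(r, peer, pkt.proto, pkt.dport):
                return r.action == "allow"
        return False


def demo():
    # Constructed addresses: an internet client talking HTTPS to a private web server.
    client, server = "203.0.113.10", "10.0.1.5"
    request = Packet(client, server, "tcp", sport=51000, dport=443)
    reply = Packet(server, client, "tcp", sport=443, dport=51000)

    sg = SecurityGroup(inbound=[SGRule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    sg_result = (sg.allows(request, "in"), sg.allows(reply, "out"))

    # A NACL that mirrors the SG rule in both directions drops the reply: its
    # destination port is the client's ephemeral port, not 443.
    naive = NetworkAcl(inbound=[NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
                       outbound=[NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")])
    naive_result = (naive.allows(request, "in"), naive.allows(reply, "out"))

    # Corrected NACL: ephemeral-port egress plus a low-numbered deny for a known bad range.
    fixed = NetworkAcl(
        inbound=[NaclRule(90, "tcp", 0, 65535, "198.51.100.0/24", "deny"),
                 NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
        outbound=[NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")])
    fixed_result = (fixed.allows(request, "in"), fixed.allows(reply, "out"))
    blocked = fixed.allows(Packet("198.51.100.7", server, "tcp", 40000, 443), "in")

    return {"sg": sg_result, "nacl_naive": naive_result,
            "nacl_fixed": fixed_result, "nacl_fixed_blocked_range": blocked}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the block prints the four outcomes: the SG admits both halves of the session, the naive NACL admits the request but drops the reply, and the corrected NACL admits both while the rule-90 deny stops the blocked range before the allow at rule 100 is reached. This is exactly why a deny for a malicious range belongs in a NACL, and why a NACL is never a drop-in replacement for a security group.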
Common AWS Network Misconfigurations
- Security groups open to the world (0.0.0.0/0)
Especially SSH (22) or RDP (3389).
- Unrestricted outbound access
Malicious exfiltration is possible via compromised instances.
- Public subnets used for critical workloads
- Direct database exposure without SG restrictions
- Improper VPC peering trust relationships
Overly permissive routing between VPCs.
- Lack of private endpoints for AWS APIs
Forces traffic over the public internet.
These illustrate the operational risks of poor network governance.
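Several of the misconfigurations above (world-open SSH/RDP, exposed database ports, unrestricted outbound) can be found mechanically from the output of the EC2 describe_security_groups API. The audit below is an added example, not code from the chapter or from AWS; the group ids and rules in SAMPLE_GROUPS are constructed, and the shape of the input is the documented boto3 response shape.

```python
from typing import Dict, List, Tuple

# Ports whose exposure to 0.0.0.0/0 is almost never intended.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   1433: "MSSQL", 6379: "Redis", 27017: "MongoDB"}
WORLD = {"0.0.0.0/0", "::/0"}


def _world_reachable(perm: Dict) -> bool:
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD for c in cidrs)


def _port_range(perm: Dict) -> Tuple[int, int]:
    if perm.get("IpProtocol") == "-1":        # "-1" means all protocols and all ports
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(groups: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (group id, severity, description) findings for a list shaped like
    boto3's describe_security_groups()['SecurityGroups']."""
    findings = []
    for sg in groups:
        gid = sg["GroupId"]
        for perm in sg.get("IpPermissions", []):          # ingress rules
            if not _world_reachable(perm):
                continue                                   # CIDR-scoped or SG-referenced: fine
            if perm.get("IpProtocol") == "-1":
                findings.append((gid, "HIGH", "all traffic allowed in from the world"))
                continue
            lo, hi = _port_range(perm)
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append((gid, "HIGH", f"{name} ({port}) open to the world"))
        for perm in sg.get("IpPermissionsEgress", []):    # egress rules
            if perm.get("IpProtocol") == "-1" and _world_reachable(perm):
                findings.append((gid, "MEDIUM", "unrestricted egress to the world"))
    return findings


# Constructed sample in the describe_security_groups() shape; the ids are made up.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0000bastion", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0000db", "GroupName": "database",
     # Ingress only from the application tier's security group: the SG-reference pattern.
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "UserIdGroupPairs": [{"GroupId": "sg-0000app"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    {"GroupId": "sg-0000legacy", "GroupName": "legacy",
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
     "IpPermissionsEgress": []},
]


if __name__ == "__main__":
    # Against a real account, feed it boto3.client("ec2").describe_security_groups()["SecurityGroups"].
    for gid, severity, text in audit_security_groups(SAMPLE_GROUPS):
        print(f"{severity:6} {gid}: {text}")
```

The database group produces no findings because its only ingress rule references another security group rather than a CIDR, which is the micro-segmentation pattern the chapter recommends; the bastion and legacy groups surface the world-open SSH, unrestricted egress, and all-traffic ingress cases.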
Azure Virtual Networks & Security Groups
Azure uses the Virtual Network (VNet) model, similar to AWS but integrated closely with Microsoft identity services.
Azure VNets
Azure VNets support:
- CIDR configuration
- Subnets (each optionally associated with a Network Security Group)
- Routing via system or user-defined routes
- Peering (regional or global)
- Private link for service isolation
Azure heavily emphasizes private, managed connectivity for PaaS services.
Network Security Groups (NSGs)
NSGs serve as Azure’s primary network-level filtering mechanism.
Like AWS SGs, they contain inbound and outbound rules, but unlike SGs, Azure NSGs support both allow and deny rules.
NSG features:
- Applicable at subnet and VM NIC levels
- Rules evaluated by priority (100–4096)
- Support for service tags (e.g., "Internet", "AzureCloud")
- Application Security Groups (ASGs) for grouping workloads
Azure NSGs offer a strong balance between simplicity and granular segmentation.
Application Security Groups (ASGs)
ASGs solve the challenge of IP-based rule maintenance.
For example, instead of writing rules for a list of VM IP addresses, you can assign VMs to an ASG and reference the ASG in NSG rules.
This is crucial for enterprise scalability.
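To make the priority, service-tag and ASG mechanics concrete, here is an added Python model of inbound NSG evaluation (written for this chapter, not Azure code). The VNet range, the two ASG memberships and all addresses are constructed; service-tag resolution is simplified ("Internet" is treated as anything outside the VNet, whereas Azure publishes real prefix lists), and the three default inbound rules are modelled with their real priorities.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed environment: VNet address space and two Application Security Groups.
VNET = ip_network("10.1.0.0/16")
ASGS = {"asg-web": {"10.1.1.10", "10.1.1.11"}, "asg-db": {"10.1.2.20"}}
# Simplified service-tag resolution (Azure resolves these from published prefix lists).
SERVICE_TAGS = {
    "VirtualNetwork": lambda ip: ip in VNET,
    "Internet": lambda ip: ip not in VNET,
    "AzureLoadBalancer": lambda ip: ip == ip_address("168.63.129.16"),
}


@dataclass(frozen=True)
class NsgRule:
    name: str
    priority: int       # custom rules 100..4096; the lowest number is evaluated first
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # CIDR, service tag, ASG name or "*"
    destination: str
    dest_ports: str     # "*", "443", "8000-8080" or a comma-separated list


# Azure's default inbound rules are always present, below every custom rule.
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Allow", "*", "AzureLoadBalancer", "*", "*"),
    NsgRule("DenyAllInBound", 65500, "Deny", "*", "*", "*", "*"),
]


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _addr_match(spec: str, ip) -> bool:
    if spec == "*":
        return True
    if spec in ASGS:
        return str(ip) in ASGS[spec]
    if spec in SERVICE_TAGS:
        return SERVICE_TAGS[spec](ip)
    return ip in ip_network(spec)


def validate(rules: List[NsgRule]) -> None:
    for r in rules:
        if not 100 <= r.priority <= 4096:
            raise ValueError(f"{r.name}: priority {r.priority} outside 100-4096")
    if len({r.priority for r in rules}) != len(rules):
        raise ValueError("priorities within an NSG must be unique")


def evaluate_inbound(rules, src_ip, dst_ip, protocol, dst_port) -> Tuple[bool, Optional[str]]:
    """The first matching rule in ascending priority decides; defaults come last."""
    validate(rules)
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in sorted(rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if r.protocol not in ("*", protocol):
            continue
        if (_addr_match(r.source, src) and _addr_match(r.destination, dst)
                and _port_match(r.dest_ports, dst_port)):
            return r.access == "Allow", r.name
    return False, None


WEB_TIER = [
    NsgRule("allow-https-from-internet", 100, "Allow", "Tcp", "Internet", "asg-web", "443"),
    NsgRule("allow-web-to-db", 200, "Allow", "Tcp", "asg-web", "asg-db", "5432"),
]
# Without this explicit deny, AllowVnetInBound (65000) lets any VNet host reach the DB tier.
HARDENED = WEB_TIER + [NsgRule("deny-other-to-db", 300, "Deny", "*", "*", "asg-db", "*")]


if __name__ == "__main__":
    print(evaluate_inbound(HARDENED, "198.51.100.7", "10.1.1.10", "Tcp", 443))
    print(evaluate_inbound(HARDENED, "198.51.100.7", "10.1.1.10", "Tcp", 22))
    print(evaluate_inbound(WEB_TIER, "10.1.3.99", "10.1.2.20", "Tcp", 5432))
    print(evaluate_inbound(HARDENED, "10.1.3.99", "10.1.2.20", "Tcp", 5432))
```

The third and fourth calls show the point that matters for segmentation: with only allow rules, an unrelated VNet host reaches the database through the default AllowVnetInBound rule, and only the priority-300 deny closes that path. The ASG names also mean the rules never change when a VM is added to the web tier; only the ASG membership does.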
Azure Firewall & Private Endpoints
Azure Firewall extends protection with deep inspection.
Private Endpoints direct traffic to Azure PaaS services through private IPs, reducing public exposure of:
- Storage
- SQL
- Key Vault
- App Services
This aligns with Zero Trust principles of minimizing externally accessible surfaces from the start.
Common Azure Network Misconfigurations
- NSGs missing on critical subnets
- Overly open service tags such as "Internet" allowed inbound
- Public IPs assigned unnecessarily to VMs or PaaS services
- Failure to restrict outbound traffic
- Improper VNet peering leading to flat networks
- Lack of private endpoints for Azure SQL/Storage
These are frequently exploited in insecure cloud deployments.
Google Cloud Virtual Networks & Firewall Rules
GCP employs a different architectural model for networking: VPC networks are global, not region-bound like AWS and Azure.
GCP VPC Architecture
Key distinctive features:
- Global VPCs: Spanning regions for simplified management
- Subnets are regional
- Auto-mode and custom-mode VPCs
- Cloud Router and Cloud NAT for routing and egress
- Firewall rules operate at the VPC level
This makes GCP's networking system highly flexible but also prone to configuration drift.
GCP Firewall Rules
Google's firewall rules resemble security groups, but with differences:
- Rules are VPC-wide
- Apply to VM instances based on tags or service accounts
- Support allow and deny rules
- Priority-based evaluation (lower number = higher priority)
- Equivalent of AWS SG referencing: target service accounts
Using service accounts as firewall selectors is a unique strength that supports identity-based micro-segmentation.
VPC Service Controls
One of GCP's strongest data protection mechanisms:
- Provides a security perimeter around cloud services
- Defends against data exfiltration
- Particularly important for sensitive PII or compliance workloads
Common GCP Network Misconfigurations
- Firewall rule "allow 0.0.0.0/0" on SSH
- Incorrect priority ordering leading to unintended access
- Lack of VPC service controls for sensitive data
- Flat network segmentation with no tag-based rules
- Overly permissive VPC peering
These mistakes often contribute to unauthorized access paths and lateral movement.
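The GCP misconfigurations listed above, including the less obvious "incorrect priority ordering", can be detected from the JSON that gcloud emits for firewall rules. The audit below is an added example, not code from the chapter or from Google; SAMPLE_RULES is constructed in the shape of `gcloud compute firewall-rules list --format=json` with only the fields used here, and the service-account address contains a PROJECT_ID placeholder. Shadowing is reported when an allow rule with a numerically lower priority covers the same network, overlapping sources, overlapping targets (an untargeted rule applies to every instance) and overlapping protocol/port entries as a deny rule.

```python
from ipaddress import ip_network
from typing import Dict, List, Tuple

WORLD = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def _port_ranges(entry: Dict) -> List[Tuple[int, int]]:
    """entry is one allowed/denied item, e.g. {"IPProtocol": "tcp", "ports": ["22", "8000-9000"]}."""
    if not entry.get("ports"):                 # no ports listed means every port
        return [(0, 65535)]
    ranges = []
    for spec in entry["ports"]:
        lo, _, hi = spec.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def _covers(entries: List[Dict], proto: str, port: int) -> bool:
    return any(e["IPProtocol"] in ("all", proto)
               and any(lo <= port <= hi for lo, hi in _port_ranges(e))
               for e in entries)


def _entries_overlap(a: List[Dict], b: List[Dict]) -> bool:
    for ea in a:
        for eb in b:
            protos = (ea["IPProtocol"], eb["IPProtocol"])
            if "all" not in protos and protos[0] != protos[1]:
                continue
            for lo1, hi1 in _port_ranges(ea):
                if any(lo1 <= hi2 and lo2 <= hi1 for lo2, hi2 in _port_ranges(eb)):
                    return True
    return False


def _targets(rule: Dict) -> set:
    return set(rule.get("targetTags", [])) | set(rule.get("targetServiceAccounts", []))


def _targets_overlap(a: Dict, b: Dict) -> bool:
    ta, tb = _targets(a), _targets(b)
    return not ta or not tb or bool(ta & tb)   # an untargeted rule applies to all instances


def _sources_overlap(a: Dict, b: Dict) -> bool:
    return any(ip_network(x).overlaps(ip_network(y))
               for x in a.get("sourceRanges", []) for y in b.get("sourceRanges", []))


def audit_firewall_rules(rules: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, description) findings for enabled ingress rules."""
    findings = []
    live = [r for r in rules
            if not r.get("disabled") and r.get("direction", "INGRESS") == "INGRESS"]
    for r in live:
        if "allowed" not in r:
            continue
        world = any(s in WORLD for s in r.get("sourceRanges", []))
        for port, name in ADMIN_PORTS.items():
            if world and _covers(r["allowed"], "tcp", port):
                findings.append((r["name"], "HIGH", f"{name} allowed from 0.0.0.0/0"))
        if not _targets(r):
            findings.append((r["name"], "MEDIUM",
                             "no target tag or service account: applies to every instance"))
    # Priority shadowing: a numerically lower allow wins over a deny on the same traffic.
    for deny in live:
        if "denied" not in deny:
            continue
        for allow in live:
            if ("allowed" in allow and allow["network"] == deny["network"]
                    and allow.get("priority", 1000) < deny.get("priority", 1000)
                    and _sources_overlap(allow, deny) and _targets_overlap(allow, deny)
                    and _entries_overlap(allow["allowed"], deny["denied"])):
                findings.append((deny["name"], "MEDIUM",
                                 f"shadowed by {allow['name']} (priority {allow.get('priority', 1000)})"))
    return findings


# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`,
# trimmed to the fields used here; PROJECT_ID is a placeholder.
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "network": "default", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-https-web", "network": "default", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
     "targetServiceAccounts": ["web-sa@PROJECT_ID.iam.gserviceaccount.com"]},
    {"name": "allow-internal-all", "network": "default", "direction": "INGRESS",
     "priority": 500, "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-db-port", "network": "default", "direction": "INGRESS",
     "priority": 1000, "sourceRanges": ["10.0.0.0/8"],
     "denied": [{"IPProtocol": "tcp", "ports": ["5432"]}], "targetTags": ["db"]},
]


if __name__ == "__main__":
    for name, severity, text in audit_firewall_rules(SAMPLE_RULES):
        print(f"{severity:6} {name}: {text}")
```

In the sample, allow-https-web is clean because it is scoped to a service account, which is the identity-based selector the chapter singles out; allow-internal-all is the flat-network case, and because it sits at priority 500 it also makes the priority-1000 deny-db-port rule unreachable for 10.0.0.0/8 traffic.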
Cross-Cloud Network Security Best Practices
These best practices apply universally across AWS, Azure, and GCP:
- Enforce Network Segmentation
- Use separate subnets for application tiers
- Apply firewalls at subnet and resource levels
- Prevent unnecessary lateral movement
- Adopt micro-segmentation principles
This aligns with Zero Trust architectures and principles found in NIST SP 800-153.
- Use Private Endpoints for Cloud Services
Force API calls, databases, and storage traffic to remain internal.
This drastically reduces the attack surface.
- Deny Public Access by Default
No public IPs unless explicitly required.
No security group ingress from 0.0.0.0/0 for sensitive ports.
- Implement Egress Controls
Outbound rules are often overlooked.
Restricting outbound traffic prevents:
- Command-and-control callback traffic
- Data exfiltration
- Abuse via compromised instances
- Use Cloud-Native Firewall Logs
Logging sources include:
- AWS VPC Flow Logs
- Azure NSG Flow Logs
- GCP VPC Flow Logs
Continuous monitoring is essential for detecting suspicious access patterns.
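Flow logs are only useful if something reads them. The detector below is an added example (not code from the chapter or from AWS) that parses records in the AWS VPC Flow Logs default version-2 format and flags three of the patterns this chapter is concerned with: accepted SSH/RDP from outside, large egress volume from one internal host to one external host, and a burst of rejected flows from a single external source. The records in SAMPLE_LINES are constructed; the account id and ENI ids are placeholders, and RFC 1918 membership stands in for "inside the VPC".

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Field order of the AWS VPC Flow Logs default (version 2) record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
TCP = 6


def parse_record(line: str) -> Optional[Dict]:
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":          # NODATA / SKIPDATA records carry '-' fields
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL)


def detect(lines: List[str], egress_threshold: int = 10_000_000,
           reject_threshold: int = 5) -> List[Tuple[str, str, str]]:
    """Return (alert type, source address, detail) tuples."""
    alerts = []
    egress_bytes = defaultdict(int)        # (internal src, external dst) -> bytes
    rejects = Counter()                    # external src -> rejected flow count
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        src_int, dst_int = is_internal(rec["srcaddr"]), is_internal(rec["dstaddr"])
        if rec["action"] == "ACCEPT":
            if (not src_int and dst_int and rec["protocol"] == TCP
                    and rec["dstport"] in ADMIN_PORTS):
                alerts.append(("admin-port-from-internet", rec["srcaddr"],
                               f"{ADMIN_PORTS[rec['dstport']]} accepted on {rec['interface_id']}"))
            if src_int and not dst_int:
                egress_bytes[(rec["srcaddr"], rec["dstaddr"])] += rec["bytes"]
        elif rec["action"] == "REJECT" and not src_int:
            rejects[rec["srcaddr"]] += 1
    for (src, dst), total in egress_bytes.items():
        if total >= egress_threshold:
            alerts.append(("large-egress", src, f"{total} bytes sent to {dst}"))
    for src, count in rejects.items():
        if count >= reject_threshold:
            alerts.append(("reject-burst", src, f"{count} rejected flows"))
    return alerts


# Constructed flow records; the account id and ENI ids are placeholders.
SAMPLE_LINES = [
    "2 111111111111 eni-0aaa 203.0.113.45 10.0.1.5 51822 22 6 12 1860 1700000000 1700000060 ACCEPT OK",
    "2 111111111111 eni-0aaa 10.0.1.5 198.51.100.9 44310 443 6 9000 6000000 1700000000 1700000060 ACCEPT OK",
    "2 111111111111 eni-0aaa 10.0.1.5 198.51.100.9 44311 443 6 7500 5000000 1700000060 1700000120 ACCEPT OK",
    "2 111111111111 eni-0bbb 10.0.2.7 10.0.1.5 38000 5432 6 40 5200 1700000000 1700000060 ACCEPT OK",
    "2 111111111111 eni-0bbb 192.0.2.77 10.0.2.7 40001 21 6 1 44 1700000000 1700000060 REJECT OK",
    "2 111111111111 eni-0bbb 192.0.2.77 10.0.2.7 40002 23 6 1 44 1700000000 1700000060 REJECT OK",
    "2 111111111111 eni-0bbb 192.0.2.77 10.0.2.7 40003 445 6 1 44 1700000000 1700000060 REJECT OK",
    "2 111111111111 eni-0bbb 192.0.2.77 10.0.2.7 40004 3306 6 1 44 1700000000 1700000060 REJECT OK",
    "2 111111111111 eni-0bbb 192.0.2.77 10.0.2.7 40005 8080 6 1 44 1700000000 1700000060 REJECT OK",
    "2 111111111111 eni-0bbb - - - - - - - 1700000000 1700000060 - NODATA",
]


if __name__ == "__main__":
    for kind, src, detail in detect(SAMPLE_LINES):
        print(f"{kind:26} {src:15} {detail}")
```

The thresholds are deliberately parameters: what counts as "large" egress or a "burst" of rejects depends on the workload, and the internal-to-internal PostgreSQL flow in the sample is correctly ignored. Azure NSG flow logs and GCP VPC Flow Logs carry the same five-tuple plus byte and action information, so the same logic transfers once the parser is swapped.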
- Automate Security Group Reviews
Use IaC (Infrastructure as Code) to maintain consistency and prevent drift:
- Terraform
- AWS CloudFormation
- Azure Bicep
- Google Deployment Manager
Automation reduces human error, which is critical given that network misconfigurations are a leading cause of cloud breaches.
The Role of Cryptography in Cloud Network Security
Although networks often appear decoupled from cryptography, encrypted communications are fundamental to the integrity and confidentiality of cloud traffic.
As Applied Cryptography emphasizes, cryptography must be correctly implemented and enforced to avoid attack vectors such as:
- Protocol downgrade attacks
- Man-in-the-middle (MitM) attacks
- Session hijacking (notably explored in The Web Application Hacker’s Handbook)
- Weak cipher suite selection
- TLS misconfiguration on load balancers
Cloud networking security must ensure:
- TLS enforcement on all public endpoints
- Use of strong, modern cipher suites
- Certificate rotation and automation
- Encryption for VPC/VNet flow across regions
- VPN and Direct Connect encryption
Secure networking is inseparable from strong cryptographic governance.
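The TLS requirements listed above (no downgrade below TLS 1.2, forward-secret AEAD suites, certificate verification) can be expressed and audited in code. The following is an added example using Python's standard ssl module, not code from the chapter or from any cloud provider: it builds a hardened client context and an audit function that reports downgrade exposure, missing peer verification, and any weak or non-AEAD suite the context would still offer. The exact suite list printed depends on the OpenSSL build the interpreter links against.

```python
import ssl
from typing import List

# Name fragments of suites that no public endpoint should still offer.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def hardened_client_context() -> ssl.SSLContext:
    """Refuse protocol downgrade below TLS 1.2 and, for TLS 1.2, offer only
    forward-secret AEAD suites. TLS 1.3 suites are managed separately by
    OpenSSL and are all AEAD with ephemeral key exchange."""
    ctx = ssl.create_default_context()              # certificate and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # no TLS 1.0/1.1 fallback
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # ECDHE key exchange, AEAD bulk ciphers only
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the problems found in a context's negotiable configuration."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version permits TLS below 1.2 (downgrade exposure)")
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        problems.append("peer certificate or hostname is not verified (MitM exposure)")
    for suite in ctx.get_ciphers():                 # one dict per suite OpenSSL would offer
        name = suite["name"]
        # OpenSSL >= 1.1 reports 'aead' directly; fall back to a name heuristic otherwise.
        is_aead = suite.get("aead", any(tag in name for tag in ("GCM", "CHACHA20", "CCM")))
        if any(marker in name for marker in WEAK_MARKERS) or not is_aead:
            problems.append(f"weak or non-AEAD suite offered: {name}")
    return problems


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    # For contrast, inspect what this interpreter's OpenSSL considers its DEFAULT list.
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    loose.set_ciphers("DEFAULT")
    for problem in audit_context(loose):
        print("default list:", problem)
```

The same three checks map directly onto a cloud load balancer's TLS policy: the minimum protocol version, the cipher suite policy, and whether the listener actually presents and validates certificates. Certificate rotation is then a matter of automating renewal on the load balancer rather than anything the client context can enforce.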
Virtual Networks and Security Groups form the foundational fabric of secure cloud deployments. Whether using AWS VPCs, Azure VNets, or GCP VPCs, the principles remain consistent: isolate resources, restrict traffic minimally, enforce strong access policies, and minimize public exposure. These controls directly reinforce Zero Trust designs where trust is never implicit, and verification is continuous.
Mastering these networking constructs empowers security practitioners to design architectures resistant to intrusion, aligned with regulatory expectations, and prepared for modern cloud-native threats. As cloud environments grow in complexity, the ability to design, evaluate, and secure virtual networks becomes a core competency for all cybersecurity professionals.