Cloud Enablement

Cloud Consulting

Cloud Migration Services

Cloud Migration Strategies

Cloud Security Posture

Cloud Monitoring

Cloud Cost Optimization

AWS

GCP

Azure

Private Cloud

App Engine

Data & AI

Overview

Data Science

Data Engineering

Big Data Processing

Data Storage

Data Management

Data Visualization

Machine Learning

Video Analytics

Artificial Intelligence

Robotic Process Automation

Digitalization

Cloud-Native Apps

Mobility

Web Development

Web Frontends

Blockchain

Internet of Things

RTLS

eCommerce Sites

eLearning Portals

Chatbots

ECM

End-to-End

Microservice Architecture

UX/UI Design

DevOps

QA Automation

Cybersecurity

Performance Monitoring

Digital Marketing

SaaS

Salesforce

SharePoint

Oracle HCM

ServiceNow

G Suite

Microsoft Solutions

View All

Healthcare

Retail

Manufacturing

Education

Engineering

Financial Services

Renewables

Insurance

View All

Digital Queue Management

Notification Builder

Delivery Scheduling App

IIoT Solution

Security Testing Tool

Car Dealer Chatbot

Recommendation Engine

Data Intelligence Platform

Project Management Tool

Salesforce Widget

Server Monitoring Tool

Gaming Framework

Opensource Works

View All

Case Studies

Featured Projects

White Papers

Videos

View All

Services
  • Cloud Enablement Data & AI Digitalization End-to-End SaaS
Industries
Company
Approach
Careers
Blog
Cloud Enablement Cloud Consulting Cloud Migration Services Cloud Migration Strategies Cloud Security Posture Cloud Monitoring Cloud Cost Optimization AWS GCP Azure Private Cloud App Engine
Data & AI Overview Data Science Data Engineering Big Data Processing Data Storage Data Management Data Visualization Machine Learning Video Analytics Artificial Intelligence Robotic Process Automation
Digitalization Cloud-Native Apps Mobility Web Development Web Frontends Blockchain Internet of Things RTLS eCommerce Sites eLearning Portals Chatbots ECM
End-to-End Microservice Architecture UX/UI Design DevOps QA Automation Cybersecurity Performance Monitoring Digital Marketing
SaaS Salesforce SharePoint Oracle HCM ServiceNow G Suite Microsoft Solutions
Inquiry icon

START A CONVERSATION

Share your requirements and we'll get back to you with how we can help.

Thank you for submitting your request.
We will get back to you shortly.

Build Resilient Networks on the Cloud

Networks that help connect a multitude of computing resources also offer the means to build a resilient infrastructure. In order to put up a solid defense, you have to understand the various networking features and security functionalities provided by different cloud service providers and adopt those that meet your security goals. By securing your network, you can create a ring of defense around your vital resources, including data, applications, and systems in the cloud.

VPC⁠—Your Safe Space on the Cloud

Exposing your infrastructure to the wild west of computing invites huge risks. Reducing the number of services that need to be exposed is one way of reducing the risk. Virtual Private Cloud (VPC) allows you to distribute your computing and selectively connect your resources to the Internet. While being similar to traditional network security techniques, VPC provides a new set of tools and strategies to secure your infrastructure while taking advantage of the scalability and flexibility of the cloud.

By applying both the traditional networking concepts such as subnets and firewalls as well as the new set of security management tools, your computing infrastructure can be managed in a fine-grained manner, enhancing overall security.

Logical Isolation

Logical Isolation Through Subnets

VPC can be partitioned into different subnets with a range of IP addresses defined for each subnet, providing logical isolation for resources. Communication within and across subnets can be controlled differentially. Geographical organization of subnets into zones enables further isolation and helps meet differential scalability requirements. Separating subnets into private and public reduces the attack surface. Subnets can be further layered with restricted access so as to provide defense in depth.

Access Control

Access Control Between Subnets

While subnets, both private and public, enable logical separation between computing infrastructures, they do not provide security by themselves. The defense mechanism is established through security groups and network access control lists (ACL). These are like firewalls—they allow you to define the various forms of communication between machines and the directions in which the communication must flow. The rules of communications are implemented based on the principle of least privilege.

When a computing resource is created, it is assigned to a security group along with a subnet. Security groups define firewall rules controlling inbound (ingress) and outbound (egress) traffic of an instance of a computing resource in that group. Multiple security groups can be defined based on your needs. A default security group can also be created with minimal access.

Network ACLs provide firewall-like protection at the subnet-level, acting as an additional security mechanism. Combining logical isolation at subnets, access control between subnets, and restrictions at the instance-level, you can achieve a higher level of resilience.

Active Defense

Active Defense Through Real-Time Monitoring

Flow logs enable near real-time capture of communications on VPC. This data can be generated at VPC, subnet, or individual interface-level. Capturing this data into other cloud resources like Amazon CloudWatch Logs or Google BigQuery permits continuous monitoring and post-event investigation. The flow log can be processed in real time or in batches. The resulting insights can be used to fine-tune the security group and network ACL rules.

Amazon’s generic log monitoring service, CloudWatch, enables users to establish Security Operation Centers with necessary dashboards. The recently introduced CloudWatch Anomaly Detection monitors and alerts when unusual activities are observed in the log. Specialized tools for monitoring network security, such as intrusion detection systems, also make use of flow logs and provide an active defense.

Distributed Denial of Service (DDoS) attacks is another area that requires an active defense. Google Cloud Armor’s web application firewall functionality checks against other common attacks like Cross-site Scripting (XSS) and SQL Injection (SQLi). Amazon WAF supports web application firewall creation and AWS Shield protects against DDoS. The challenge is to deploy the right services for your specific needs.

Logical Isolation Through Subnets

VPC can be partitioned into different subnets with a range of IP addresses defined for each subnet, providing logical isolation for resources. Communication within and across subnets can be controlled differentially. Geographical organization of subnets into zones enables further isolation and helps meet differential scalability requirements. Separating subnets into private and public reduces the attack surface. Subnets can be further layered with restricted access so as to provide defense in depth.

Access Control Between Subnets

While subnets, both private and public, enable logical separation between computing infrastructures, they do not provide security by themselves. The defense mechanism is established through security groups and network access control lists (ACL). These are like firewalls—they allow you to define the various forms of communication between machines and the directions in which the communication must flow. The rules of communications are implemented based on the principle of least privilege.

When a computing resource is created, it is assigned to a security group along with a subnet. Security groups define firewall rules controlling inbound (ingress) and outbound (egress) traffic of an instance of a computing resource in that group. Multiple security groups can be defined based on your needs. A default security group can also be created with minimal access.

Network ACLs provide firewall-like protection at the subnet-level, acting as an additional security mechanism. Combining logical isolation at subnets, access control between subnets, and restrictions at the instance-level, you can achieve a higher level of resilience.

Active Defense Through Real-Time Monitoring

Flow logs enable near real-time capture of communications on VPC. This data can be generated at VPC, subnet, or individual interface-level. Capturing this data into other cloud resources like Amazon CloudWatch Logs or Google BigQuery permits continuous monitoring and post-event investigation. The flow log can be processed in real time or in batches. The resulting insights can be used to fine-tune the security group and network ACL rules.

Amazon’s generic log monitoring service, CloudWatch, enables users to establish Security Operation Centers with necessary dashboards. The recently introduced CloudWatch Anomaly Detection monitors and alerts when unusual activities are observed in the log. Specialized tools for monitoring network security, such as intrusion detection systems, also make use of flow logs and provide an active defense.

Distributed Denial of Service (DDoS) attacks is another area that requires an active defense. Google Cloud Armor’s web application firewall functionality checks against other common attacks like Cross-site Scripting (XSS) and SQL Injection (SQLi). Amazon WAF supports web application firewall creation and AWS Shield protects against DDoS. The challenge is to deploy the right services for your specific needs.

QBurst to Your Defense

QBurst has expertise in a wide range of tools and frameworks that provide comprehensive protection for your mission-critical cloud infrastructure. Our layered defense-in-depth approach to security ensures that any attack is delayed and the damage is contained, minimizing downtime and disruption to business. While designing the network architecture in VPC, we take into consideration your security and scalability requirements as well as the geographical differences in usage. If you are using deprecated network models of cloud, like Amazon EC2 Classic or Google’s legacy network, we can help you migrate to a more flexible and secure VPC architecture.

Secure your cloud-based networks