Build Resilient Networks on the Cloud

Networks that connect a multitude of computing resources also offer the means to build a resilient infrastructure. To put up a solid defense, you have to understand the networking features and security functionality provided by the different cloud service providers and adopt those that meet your security goals. By securing your network, you create a ring of defense around your vital cloud resources: data, applications, and systems.

VPC—Your Safe Space on the Cloud

Exposing your infrastructure to the wild west of computing invites huge risks. Reducing the number of services that need to be exposed is one way of reducing that risk. A Virtual Private Cloud (VPC) lets you partition your computing resources and selectively connect them to the Internet. While it resembles traditional network security techniques, VPC provides a new set of tools and strategies to secure your infrastructure while taking advantage of the scalability and flexibility of the cloud.

By applying traditional networking concepts such as subnets and firewalls together with the newer security management tools, you can manage your computing infrastructure in a fine-grained manner and enhance overall security.

Logical Isolation Through Subnets

A VPC can be partitioned into subnets, each with its own range of IP addresses, providing logical isolation for resources. Communication within and across subnets can be controlled differentially. Geographical organization of subnets into zones enables further isolation and helps meet differing scalability requirements. Separating subnets into private and public reduces the attack surface. Subnets can be further layered with restricted access so as to provide defense in depth.

Access Control Between Subnets

While subnets, both private and public, enable logical separation between computing infrastructures, they do not provide security by themselves. The defense mechanism is established through security groups and network access control lists (ACLs). These are like firewalls—they allow you to define the forms of communication permitted between machines and the directions in which that communication may flow. Communication rules are defined on the principle of least privilege.

When a computing resource is created, it is assigned to a security group along with a subnet. Security groups define firewall rules controlling inbound (ingress) and outbound (egress) traffic for every instance in that group. Multiple security groups can be defined based on your needs. A default security group can also be created with minimal access.

Network ACLs provide firewall-like protection at the subnet level, acting as an additional security mechanism. Combining logical isolation at the subnet level, access control between subnets, and restrictions at the instance level, you can achieve a higher level of resilience.
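The two filtering layers described above, as an added example (not the page's own code, and not a live cloud configuration): a toy model that follows AWS semantics, where the subnet's network ACL is stateless (numbered rules, first match wins, allow or deny, implicit deny, consulted separately per direction) and the instance's security group is a stateful allow-list with no deny rules. All rules and addresses are constructed.

```python
# Added example, not the page's own code: toy model of a VPC network ACL
# (stateless, ordered allow/deny rules) in front of a security group (stateful
# allow-list). Rules and addresses below are constructed for illustration.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    cidr: str
    port_lo: int
    port_hi: int
    action: str = "allow"  # only network ACL rules may be "deny"

    def matches(self, addr, port):
        return (ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr)
                and self.port_lo <= port <= self.port_hi)

def nacl_decision(rules, addr, port):
    """Evaluate numbered rules lowest number first; first match decides, else deny."""
    for _num, rule in sorted(rules.items()):
        if rule.matches(addr, port):
            return rule.action
    return "deny"

def sg_decision(rules, addr, port):
    """Allow only if some rule matches; there is no ordering and no deny rule."""
    return "allow" if any(r.matches(addr, port) for r in rules) else "deny"

def inbound_allowed(nacl_in, sg_in, src, dst_port):
    """A new inbound connection must pass the subnet ACL and then the instance SG."""
    return (nacl_decision(nacl_in, src, dst_port) == "allow"
            and sg_decision(sg_in, src, dst_port) == "allow")

def reply_allowed(nacl_out, client, client_port):
    """The SG tracks state and admits the reply; only ACL egress rules can block it."""
    return nacl_decision(nacl_out, client, client_port) == "allow"

# Constructed public-subnet ACL: deny one abusive range before the general HTTPS
# allow, permit admin SSH, and allow ephemeral-port egress so replies can leave.
NACL_IN = {100: Rule("203.0.113.0/24", 443, 443, "deny"),
           110: Rule("0.0.0.0/0", 443, 443),
           120: Rule("10.0.2.0/24", 22, 22)}
NACL_OUT = {100: Rule("0.0.0.0/0", 1024, 65535)}
# Least-privilege SG on the web instance: HTTPS from anywhere, SSH from admins only.
SG_IN = [Rule("0.0.0.0/0", 443, 443), Rule("10.0.2.0/24", 22, 22)]

if __name__ == "__main__":
    print(inbound_allowed(NACL_IN, SG_IN, "198.51.100.4", 443))  # True
    print(inbound_allowed(NACL_IN, SG_IN, "203.0.113.7", 443))   # False: ACL deny
    print(reply_allowed({}, "198.51.100.4", 40000))             # False: no egress rule
```

Because the ACL is stateless, an empty `NACL_OUT` silently breaks every accepted session even though the security group would have admitted the reply.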

Active Defense Through Real-Time Monitoring

Flow logs enable near-real-time capture of traffic in a VPC. This data can be generated at the VPC, subnet, or individual network interface level. Delivering it to other cloud resources such as Amazon CloudWatch Logs or Google BigQuery permits continuous monitoring and post-event investigation. Flow logs can be processed in real time or in batches, and the resulting insights can be used to fine-tune security group and network ACL rules.
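As an added example of the batch processing described above (not the page's own code), the following script analyses constructed AWS VPC flow log records in the default version 2 field order, counting rejected inbound attempts per interface and port and flagging accepted inbound flows on ports outside an expected allow-list, which are the two signals a practitioner feeds back into security group and network ACL tuning. The interface ID, account ID, addresses, and the local subnet `10.0.1.0/24` are all constructed.

```python
# Added example, not the page's own code: batch analysis of constructed AWS VPC
# flow log records (default version 2 field order) to guide SG/NACL tuning.
import ipaddress
from collections import Counter
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: an SSH/RDP probe rejected by the firewall, an accepted HTTPS
# session and its reply, an accepted flow on an unexpected port, and a NODATA line.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51000 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51001 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.20 44321 3389 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.4 10.0.1.20 40000 443 6 30 15000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.4 443 40000 6 25 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.5 10.0.1.20 40001 8080 6 10 5000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_records(text):
    """Yield one dict per usable record; NODATA/SKIPDATA lines carry no flow data."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec

def summarize(text, local_net, allowed_ports):
    """Count REJECTed inbound attempts per (interface, dstport) and list ACCEPTed
    inbound flows on ports outside allowed_ports; inbound = dstaddr in local_net."""
    net = ipaddress.ip_network(local_net)
    rejects, unexpected = Counter(), []
    for rec in parse_records(text):
        if ipaddress.ip_address(rec["dstaddr"]) not in net:
            continue  # outbound or reply traffic: not a rule-tuning signal here
        if rec["action"] == "REJECT":
            rejects[(rec["interface_id"], rec["dstport"])] += 1
        elif rec["dstport"] not in allowed_ports:
            unexpected.append((rec["srcaddr"], rec["dstport"]))
    return rejects, unexpected

if __name__ == "__main__":
    rej, unexp = summarize(SAMPLE_LOG, "10.0.1.0/24", allowed_ports={443})
    for (eni, port), n in rej.most_common():
        print(f"{eni}: {n} rejected inbound attempt(s) on port {port}")
    for src, port in unexp:
        print(f"review security group: accepted inbound from {src} on port {port}")
```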

Amazon’s generic log monitoring service, CloudWatch, enables users to establish Security Operations Centers with the necessary dashboards. The recently introduced CloudWatch Anomaly Detection monitors the logs and alerts when unusual activity is observed. Specialized tools for monitoring network security, such as intrusion detection systems, also make use of flow logs and provide an active defense.

Distributed Denial of Service (DDoS) attacks are another area that requires an active defense. Google Cloud Armor’s web application firewall functionality also checks for other common attacks such as Cross-site Scripting (XSS) and SQL Injection (SQLi). Amazon WAF supports web application firewall creation, and AWS Shield protects against DDoS. The challenge is to deploy the right services for your specific needs.

QBurst to Your Defense

QBurst has expertise in a wide range of tools and frameworks that provide comprehensive protection for your mission-critical cloud infrastructure. Our layered defense-in-depth approach to security ensures that any attack is delayed and the damage contained, minimizing downtime and disruption to business. While designing the network architecture in VPC, we take into consideration your security and scalability requirements as well as geographical differences in usage. If you are using deprecated cloud network models, such as Amazon EC2 Classic or Google’s legacy network, we can help you migrate to a more flexible and secure VPC architecture.