The Importance of a Cloud Firewall in the Public Cloud
Public cloud is an ever-changing world with hundreds or even thousands of VPCs, accounts, and elastic application workloads. Most enterprises may take several weeks to proactively enforce security and depend on manual efforts to adapt to changes.
This article covers cloud firewalls for AWS, Azure, GCP, and OCI, why they are essential, how they work, architectural considerations, their benefits, and their use cases. Keep reading to learn more.
Defining Public Cloud Firewalls
What Are Cloud Firewalls (AWS, Azure, GCP, OCI)?
According to the definition from Gartner, “Cloud network firewalls offer bi-directional, stateful traffic inspection (both egress and ingress) for securing (applications) in different types of public clouds. They can be deployed as cloud-native from the cloud infrastructure vendor, as a separate virtual instance, or in containers. Container firewalls can also secure interconnections between containers.”
Most critically, cloud firewalls are not the same as virtual appliance network firewalls lifted to the cloud, which require significant work to automate and insert into the network traffic path. Cloud firewalls leverage native cloud constructs to automate the underlying infrastructure and networking stack to enable traffic inspection for each desired use case and the ability to tie workload identity to cloud-native constructs like tags or VPC identity.
Cloud Firewalls are an essential building block of public cloud security. Given the variety of threats, variations in the underlying app infrastructure (containers, serverless, VMs), concerns around vulnerabilities in the software supply chain, and the ever-growing attack surface, the network is the only place to provide consistent security across every app workload. Cloud Firewalls enable cloud network security that goes beyond basic threat visibility – providing prevention, deep visibility, and comprehensive incident response.
How Cloud Firewalls Work
Whether they are CSP (AWS, Azure, GCP, OCI) based or a third-party solution, Cloud Firewalls follow similar architectural principles that are important for buyers to understand. Often named differently, every Cloud Firewall has a “Gateway” (or Firewall Endpoint) and a “Controller” (Manager).
Cloud Firewall Gateway
A Cloud Firewall Gateway must adapt flexibly to different architectural choices, whether security is centralized or distributed. It must also work seamlessly with other cloud-native networking capabilities such as AWS Transit Gateways, Gateway Load Balancers, VPC/VNet Peering, Service VPCs, etc. The Cloud Firewall Gateway is often referred to as the dataplane, since this is where the traffic flows, threats are detected, and alerts are aggregated. Cloud Firewall Gateways differ from virtual appliances in that they are managed as a Platform as a Service (PaaS).
Many basic Cloud Firewalls like AWS Firewall or GCP Firewall might only provide visibility and protection for unencrypted traffic through the Gateway. Enterprise Cloud Firewall solutions will also provide integrated TLS Decryption for advanced threat detection and traffic filtering. Since most traffic in a cloud environment is encrypted, TLS Decryption is really a requirement for most organizations to use the network for effective detection and protection. Best-in-class Cloud Firewall solutions also take advantage of cloud-native architecture to optimize traffic inspection with a single-pass pipeline.
[Figure: Cloud Firewall Architecture]
Cloud Firewall Controller
A Cloud Firewall Controller is responsible for centralizing visibility, control as well as providing gateway management and policy administration. Cloud Firewall Controllers are the brains of a distributed security system – they manage not only the enforcement points (provisioning, operations, decommissioning) but everything about policy, apps, and infrastructure.
This is different from a device or policy manager (e.g., PANW Panorama) – a much “thinner” layer passing configuration files to devices designed as stand-alone. A controller manages the state of the entire system – policy, apps, connectivity of both apps and enforcement points, load and health of enforcement points, etc. Compare that to a manager, which pushes an admin’s configuration files to otherwise autonomous devices, and sometimes monitors their uptime.
A good analogy is self-driving vs. cruise control. Self-driving replicates everything a driver does: environmental awareness, route finding, rapid decision-making, speed control, etc. Cruise control maintains a set speed, and that's it. The requirements are very different: visibility of a dynamic external environment vs. visibility of a single internal metric, and the processing capability to automate with agility vs. simple logic to maintain the status quo. A controller is closer to self-driving, whereas a device manager is more like cruise control.
Benefits of Cloud Firewalls
Cloud Firewalls are no longer a “nice to have” in the cloud. They are an essential part of a defense in-depth strategy that leverages network security to provide a baseline for visibility and control, regardless of the underlying cloud or application infrastructure.
In the past, the purpose of network security was to secure the network itself, and applications simply inherited that security. But, as recent events have demonstrated, you need to approach cloud architecture differently — and protect the applications regardless of the underlying infrastructure.
That’s where network-based controls come in, providing the additional layer of security for your cloud workloads. This is also required for meeting common compliance and regulatory frameworks such as ISO, SOC, and PCI DSS.
A comprehensive approach to cloud security requires defense in-depth, along with a combination of passive and active defenses. But to keep up with the cloud’s dynamic environment, the controls must be automated while constantly learning from, and adapting to, the environment.
Here are the main benefits of cloud firewalls for public cloud.
Organizations move to the public cloud to take advantage of elastic scale. A cloud firewall must enable cloud scale and not become a bottleneck on performance or compute.
Whether required by regulation or as part of a defense in-depth strategy, organizations need advanced network security in the cloud as well. The purpose of network security changes in the cloud: it is no longer about protecting the network itself, which after all belongs to the cloud provider. Instead, network security is critical for protecting the application workloads running in the cloud.
Lifting and shifting legacy virtual appliances to the cloud requires significant effort to deploy properly and ongoing maintenance. A cloud firewall provides the benefits of enabling deployment and ongoing operational simplicity.
| Network Security Function | Ingress | Egress | East-West |
|---|---|---|---|
| Web Application Firewall (WAF) | ✓ | – | – |
| Intrusion Detection/Prevention (IDS/IPS) | ✓ | ✓ | ✓ |
| URL/FQDN Filtering (includes explicit and category-based profiles) | – | ✓ | ✓ |
| Data Loss Prevention (DLP) | – | ✓ | ✓ |
| Malicious IP Blocking | ✓ | ✓ | – |
| Threat Packet Captures | ✓ | ✓ | ✓ |
Cloud Firewalls vs. Other Network Security Approaches
How do cloud firewalls compare to other network security approaches? See how they compare to virtual firewall appliances, IP-based network security policies, and security groups.
Virtual Firewall Appliances
Many organizations lean toward extending their data center appliances into the cloud (e.g., Palo Alto Networks VM-Series, Check Point, Fortinet, etc.). Compared to cloud firewalls, this model works poorly because the appliances were never designed for a dynamic cloud environment. The disadvantages include:
- Lack of native autoscaling, high-availability and fault tolerance, creating operational complexity due to unsupported scripts and resulting in excessive costs to correctly customize and maintain
- Lack of integration into cloud networking constructs such as AWS transit gateways, Gateway Load Balancers, VPC/VNet peering, making it harder to scale security to tens and hundreds of VPCs, and breaking the cloud network architectures
- Lack of cloud-native workload identity, resulting in poor security coverage due to manual association of application IDs with cloud workloads
- Lack of cloud scale, resulting in reduced agility due to manual management
- Lack of a single dashboard for centralized policy enforcement, along with fragmented visibility across multiple clouds
IP-Based Network Security Policy
In the data center, you can set network security policies based on IP addresses to govern the behavior of network devices and users. Since IP-based policies are relatively static, they don't scale to the cloud, where IP addresses change dynamically — for example, when an instance is shut down or when an auto-scaling event expands or contracts the compute workload.
Security Groups
Security groups provide basic security segmentation and help reduce your attack surface by restricting network port access. But they give you a false sense of security. Cloud applications require certain network ports to be accessible in order to function, and security groups cannot stop attacks that are deep inside the application traffic that target these open ports.
Security groups also offer limited visibility due to the lack of logging and contextual metadata needed when responding to incidents. Additionally, since they only allow you to create a small set of rules, security groups don’t scale well across dozens of applications.
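To make the IP-vs-identity point above concrete, here is an added example (not Valtix code, and not any cloud provider's API) that evaluates a "prod web tier may reach the database" rule two ways: as a static source-IP allow-list and as a match on workload tags. The inventory, addresses, tag names and the scale-out and address-reuse scenarios are all constructed for the illustration.

```python
# Constructed inventory: workload identity is expressed as cloud tags; "ip" is the
# address the instance currently holds (assumed field names, not a real CSP API).
INVENTORY = [
    {"id": "i-web-1", "ip": "10.0.1.10", "tags": {"app": "web", "env": "prod"}},
    {"id": "i-db-1",  "ip": "10.0.2.20", "tags": {"app": "db",  "env": "prod"}},
]
DB_ALLOWED_IPS = {"10.0.1.10"}                    # static rule, written when only i-web-1 existed
DB_ALLOWED_TAGS = {"app": "web", "env": "prod"}  # identity rule: "prod web tier may reach the DB"

def ip_policy_allows(allowed_ips, src_ip):
    """Data-center style rule: match the source address against a static allow-list."""
    return src_ip in allowed_ips

def tag_policy_allows(inventory, required_tags, src_ip):
    """Cloud-firewall style rule: resolve the address to a workload, then match its tags."""
    for wl in inventory:
        if wl["ip"] == src_ip:
            return all(wl["tags"].get(k) == v for k, v in required_tags.items())
    return False  # address maps to no known workload: no identity, so deny

def scale_out(inventory, new_ip):
    """Auto-scaling event: a second web instance appears with a fresh address."""
    return inventory + [{"id": "i-web-2", "ip": new_ip, "tags": {"app": "web", "env": "prod"}}]

def recycle_address(inventory, old_id, new_id, new_tags):
    """old_id is terminated and its address is later handed to an unrelated workload."""
    return [{**wl, "id": new_id, "tags": new_tags} if wl["id"] == old_id else wl
            for wl in inventory]

def evaluate_scenarios():
    """Returns {scenario: (ip_rule_allows, tag_rule_allows)} for a source reaching the DB."""
    scaled = scale_out(INVENTORY, "10.0.1.57")
    recycled = recycle_address(INVENTORY, "i-web-1", "i-batch-9", {"app": "batch", "env": "dev"})
    return {
        # The IP rule is stale and blocks the legitimate new instance (an outage)...
        "new web instance after scale-out": (
            ip_policy_allows(DB_ALLOWED_IPS, "10.0.1.57"),
            tag_policy_allows(scaled, DB_ALLOWED_TAGS, "10.0.1.57")),
        # ...and still admits whatever later inherits the old address (an exposure).
        "address reused by unrelated workload": (
            ip_policy_allows(DB_ALLOWED_IPS, "10.0.1.10"),
            tag_policy_allows(recycled, DB_ALLOWED_TAGS, "10.0.1.10")),
    }
```

The first scenario is the availability failure the text describes; the second is the quieter security failure, where a stale IP entry keeps granting access to whichever workload inherits the address.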
Cloud Firewall Use Cases
To stop malicious activity across your cloud infrastructure, applications, and services, you need to secure both the perimeter (ingress and egress, or north-south traffic) and lateral traffic (east-west). Cloud firewalls are used to secure ingress, egress, and east-west traffic to detect and stop malicious or prohibited activity across every account.
Ingress covers traffic initiated by a client to your cloud workloads. Examples include general public access to a website or application and partner access to an API gateway. The direction is inbound and client-initiated. Securing ingress protects your cloud applications from internet-facing attacks and unauthorized external access; it also prevents further lateral movement to the rest of your cloud deployment.
Egress covers workloads initiating traffic to somewhere else or what your cloud deployment needs to access to perform an operation or function. Examples of access include external payment gateways, API-based services, SaaS services, software updates, and external URLs. The direction is outbound and initiated on the application side. Securing egress protects applications from threats such as malware (by preventing command-and-control or C2 action) and data exfiltration.
East-west covers workload-to-workload traffic within the cloud environment or on-premises (hybrid). Examples include communications such as inter-region, endpoint services, private links, or PaaS constructs. These can be either client- or server-initiated. Securing east-west traffic prevents lateral movements of threats within your cloud deployment.
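As an added example tying the three use cases to the function table earlier on the page (this is illustrative code, not Valtix's product logic), the following classifies a connection as ingress, egress or east-west from who initiated it and whether each end lies inside the deployment, then lists the inspection functions the table marks for that direction. The CIDR ranges, flow record shape and sample flows are constructed assumptions.

```python
import ipaddress

# Constructed: address ranges that belong to this deployment, including an
# on-premises range reachable over hybrid connectivity (assumed values).
DEPLOYMENT_CIDRS = [ipaddress.ip_network(c) for c in
                    ("10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/16")]

# Functions per direction, transcribed from the page's table.
FUNCTIONS_BY_DIRECTION = {
    "ingress":   {"WAF", "IDS/IPS", "Malicious IP Blocking", "Threat Packet Captures"},
    "egress":    {"IDS/IPS", "URL/FQDN Filtering", "DLP", "Malicious IP Blocking",
                  "Threat Packet Captures"},
    "east-west": {"IDS/IPS", "URL/FQDN Filtering", "DLP", "Threat Packet Captures"},
}

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DEPLOYMENT_CIDRS)

def classify_flow(flow):
    """Direction is judged by the initiating side and where both ends live.
    flow: {"initiator": ip, "responder": ip}  (constructed record shape)."""
    src_in, dst_in = is_internal(flow["initiator"]), is_internal(flow["responder"])
    if src_in and dst_in:
        return "east-west"   # workload-to-workload, cloud or hybrid
    if dst_in:
        return "ingress"     # external client reaching a workload
    if src_in:
        return "egress"      # workload reaching out (APIs, SaaS, updates)
    return "transit"         # neither end is ours: not this deployment's traffic

def inspection_plan(flow):
    """Returns (direction, sorted list of functions that should inspect this flow)."""
    direction = classify_flow(flow)
    return direction, sorted(FUNCTIONS_BY_DIRECTION.get(direction, set()))

SAMPLE_FLOWS = [  # constructed
    {"initiator": "203.0.113.5", "responder": "10.0.1.10"},    # public client -> web tier
    {"initiator": "10.0.1.10", "responder": "198.51.100.7"},   # web tier -> payment API
    {"initiator": "10.0.1.10", "responder": "10.1.2.20"},      # web tier -> DB, peered VPC
    {"initiator": "192.168.5.4", "responder": "10.0.1.10"},    # on-prem host -> web tier
]
```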
Examples of Cloud Firewalls
- Valtix Multi-Cloud Security Platform – The first and only multi-cloud network security platform delivered as a service. Provides full-featured, consistent security visibility and control across AWS, Azure, GCP, and OCI. Sign up in minutes for Free or Paid plans on Valtix.com or the AWS and Azure marketplaces.
- AWS Firewall – AWS Network Firewall is a managed service that provides basic building blocks to deploy essential network protections. TLS Decryption is not supported out of the box. Enterprise features such as built-in decryption and URL Filtering are also missing. WAF must be purchased separately. AWS Firewall is, by definition, only applicable to AWS.
- Azure Firewall, Azure Firewall Premium – Azure Firewall Premium provides a stronger set of features, including TLS Decryption, but is weak on multi-subscription management and tag-based micro-segmentation. It also comes at a premium price tag and is not multi-cloud.
- GCP Firewall – GCP provides only a few basic building blocks. GCP Firewall is like a security group, with only foundational firewall features: no content inspection or prevention, only port- and IP-based egress control, and segmentation too weak to meet enterprise needs. Single cloud only.
- PAN Cloud NGFW – Palo Alto Cloud NGFW is an AWS-only offering. There is no support for Azure, and GCP has a separate IDS-only version that cannot inspect encrypted traffic. There’s yet another experience in OCI. With multiple products, the PAN solution fragments your security posture across multiple and hybrid cloud environments.