I designed least-privilege cloud micro-perimeters using Azure Network Security Groups and AWS security groups, scoping each rule to specific source CIDRs and ports. The result removed every any-to-any rule and enforced tier isolation between web, app, and data subnets.

Objective & Context

Cloud NSGs and security groups are stateful, software-defined firewalls applied at the subnet or interface level. This lab builds a three-tier segmentation model where each tier only accepts traffic from the tier above, mapping to NIST SP 800-53 SC-7 and CIS cloud benchmarks.

  • T1190 Exploit Public-Facing Application – only the web tier exposes 443 to the internet.
  • T1210 Exploitation of Remote Services – the data tier rejects all but app-tier sources.

Environment & Prerequisites

  • Azure subscription (Reader + Network Contributor) and AWS account.
  • Azure CLI 2.5x and AWS CLI v2 configured.
  • Three subnets per cloud representing web, app, and data tiers.

Step-by-Step Execution

1. Create an Azure NSG rule allowing only HTTPS inbound

az network nsg rule create -g rg --nsg-name web-nsg -n allow-https --priority 100 --destination-port-ranges 443 --access Allow --protocol Tcp

2. Scope the data tier to the app subnet only

az network nsg rule create -g rg --nsg-name db-nsg -n allow-app --priority 100 --source-address-prefixes 10.0.2.0/24 --destination-port-ranges 5432 --access Allow

3. Equivalent AWS security-group ingress

aws ec2 authorize-security-group-ingress --group-id sg-db --protocol tcp --port 5432 --source-group sg-app
{"Return": true, "SecurityGroupRules": [{"IpProtocol": "tcp", "FromPort": 5432}]}

Validation & Testing

From the web tier attempt a direct connection to the data tier; it must time out. Use Azure NSG flow logs and AWS VPC Flow Logs to confirm the DENY verdict. Pass criteria: only adjacent-tier traffic is permitted and no rule allows 0.0.0.0/0 except web 443.

Advanced: Troubleshooting
  • Rule has no effect: NSGs evaluate by priority; a lower number wins – check rule ordering.
  • Unexpected allow: a subnet and NIC NSG both apply; review effective rules with az network nic list-effective-nsg.
  • AWS asymmetric block: security groups are stateful; NACLs are not – verify which layer drops.

Key Results

  • Eliminated 100% of any-to-any rules across 6 NSGs/security groups.
  • Reduced internet-exposed ports to a single 443 entry point.
  • Enforced 3-tier isolation validated by flow-log DENY verdicts.
  • Cut the data-tier reachable source set from the whole VPC to 1 app subnet.