Cloud Network Security Groups with Azure NSG and AWS SG
I designed least-privilege cloud micro-perimeters using Azure Network Security Groups and AWS security groups, scoping each rule to specific source CIDRs and ports. The result removed every any-to-any rule and enforced tier isolation between web, app, and data subnets.
Objective & Context
Cloud NSGs and security groups are stateful, software-defined firewalls applied at the subnet or interface level. This lab builds a three-tier segmentation model where each tier only accepts traffic from the tier above, mapping to NIST SP 800-53 SC-7 and CIS cloud benchmarks.
- T1190 Exploit Public-Facing Application – only the web tier exposes 443 to the internet.
- T1210 Exploitation of Remote Services – the data tier rejects all but app-tier sources.
Environment & Prerequisites
- Azure subscription (Reader + Network Contributor) and AWS account.
- Azure CLI 2.5x and AWS CLI v2 configured.
- Three subnets per cloud representing web, app, and data tiers.
Step-by-Step Execution
1. Create an Azure NSG rule allowing only HTTPS inbound
az network nsg rule create -g rg --nsg-name web-nsg -n allow-https --priority 100 --destination-port-ranges 443 --access Allow --protocol Tcp2. Scope the data tier to the app subnet only
az network nsg rule create -g rg --nsg-name db-nsg -n allow-app --priority 100 --source-address-prefixes 10.0.2.0/24 --destination-port-ranges 5432 --access Allow3. Equivalent AWS security-group ingress
aws ec2 authorize-security-group-ingress --group-id sg-db --protocol tcp --port 5432 --source-group sg-app{"Return": true, "SecurityGroupRules": [{"IpProtocol": "tcp", "FromPort": 5432}]}
Validation & Testing
From the web tier attempt a direct connection to the data tier; it must time out. Use Azure NSG flow logs and AWS VPC Flow Logs to confirm the DENY verdict. Pass criteria: only adjacent-tier traffic is permitted and no rule allows 0.0.0.0/0 except web 443.
Advanced: Troubleshooting
- Rule has no effect: NSGs evaluate by priority; a lower number wins – check rule ordering.
- Unexpected allow: a subnet and NIC NSG both apply; review effective rules with
az network nic list-effective-nsg. - AWS asymmetric block: security groups are stateful; NACLs are not – verify which layer drops.
Key Results
- Eliminated 100% of any-to-any rules across 6 NSGs/security groups.
- Reduced internet-exposed ports to a single 443 entry point.
- Enforced 3-tier isolation validated by flow-log DENY verdicts.
- Cut the data-tier reachable source set from the whole VPC to 1 app subnet.