What does it take to be a cloud security architect?

Amit Cohen
6 min readDec 1, 2022


In this short post, I will cover the foundations of cloud network security. If you want to take your first steps in cloud security, network security is an essential part, and this post is a good start. I will cover cloud network isolation, load balancers, securing traffic flow, and example architectures. Let's begin with cloud network isolation and some related concepts. Network isolation is logical in nature: it isolates different portions of your cloud environment's network from each other.

On AWS, this is called the Virtual Private Cloud (VPC). On Azure, it is known as a Virtual Network, or VNet for short. And on GCP, it is also called a Virtual Private Cloud. With this cloud network isolation, we can place our various cloud resources into different VPCs or VNets so that, by default, they can only talk to other resources within the same isolated portion of the network.
AWS resources that are in the same VPC can communicate with other resources within that same VPC. We also have the concept of security groups, which provide stateful traffic filtering, that is, filtering of inbound and outbound communication that keeps track of connection state. If we allow SSH inbound on TCP port 22, the reply traffic of that SSH session is allowed outbound automatically; that is what stateful means. Security groups operate at the resource level. If you have a compute instance, that stateful traffic filtering happens on that compute instance, not on the network as a whole. On AWS, we have security groups. On Azure, they are known as network security groups, or NSGs. On GCP, there are no security groups, but you can use GCP Cloud Firewall rules at the network level to perform stateful traffic filtering for GCP virtual private clouds.
Peering provides a connection for communication between resources in different network isolation groups. If you have resources in one AWS VPC and resources in another VPC, you would use VPC peering to enable communication between them. On Azure, this is known as VNet peering, and on GCP, it is known as VPC Network Peering.

Let's take an example. Assume a company has secrets it considers so valuable that it doesn't want to route this information over the public internet. We can take advantage of private connections so that certain traffic is only routed over the CSP's own network, providing an extra layer of security and privacy. On AWS, this is done through AWS PrivateLink. On Azure, we have Azure Private Link. And on GCP, we would use Private Service Connect for similar private communication.
Cloud load balancers help us protect the availability of our cloud resources, ensuring that the authorized parties who need to access them are able to do so when needed. Availability is part of the CIA triad that we seek to support in security. We want to leverage load balancers so that our resources aren't overwhelmed, and these load balancers are part of the cloud service providers' recommended cloud architectures. On AWS, we have the Network Load Balancer. On Azure, we can use Azure Load Balancer. On GCP, we have the Cloud Load Balancing service.

Let's take another example. A company is concerned with securing the traffic flow within its cloud environments. AWS differs slightly from Azure and GCP here: Azure and GCP use firewalls to filter network traffic within their cloud platforms, whereas AWS also offers network access control lists (NACLs) in addition to firewalls for filtering traffic.
Flow logs provide logging of network traffic and can be enabled on the network isolation groups, like VPC Flow Logs on AWS, so that we can see how traffic is flowing inbound and outbound within our cloud network.
Subnets allow us to segment portions of network isolation groups by IP address range. Similar to on-premises subnets, we can segment our cloud network into subnets with different IP ranges, and subnets fit within a VPC or virtual network. NACLs, specifically on AWS, provide traffic filtering that is stateless. This means that if we use network access control lists, we have to explicitly allow traffic in both directions, inbound and outbound, because reply traffic is not tracked.
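As an added example that is not part of the original post, here is a small Python parser for AWS VPC Flow Logs in the default version 2 format, showing what the inbound/outbound visibility described above looks like in practice; the log lines and the subnet 10.0.1.0/24 used to decide direction are constructed for illustration.

```python
# Added example (constructed sample data, not from the post): summarising AWS VPC
# Flow Log records in the default version 2 space-separated format.
import ipaddress
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
SUBNET = ipaddress.ip_network("10.0.1.0/24")  # assumed subnet of the monitored interface

# Constructed records: two rejected admin-port probes, one accepted HTTPS flow
# in each direction, and one NODATA record for an interval with no traffic.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 50322 22 6 3 180 1670000000 1670000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 50323 3389 6 2 120 1670000000 1670000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 41000 443 6 40 24000 1670000000 1670000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.7 443 41000 6 38 91000 1670000000 1670000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1670000000 1670000060 - NODATA
"""

def parse_flow_log(text):
    """Yield one dict per record, skipping NODATA/SKIPDATA lines that carry no flow."""
    for line in text.splitlines():
        rec = dict(zip(FIELDS, line.split()))
        if rec.get("log_status") != "OK":
            continue
        inbound = ipaddress.ip_address(rec["dstaddr"]) in SUBNET
        rec["direction"] = "inbound" if inbound else "outbound"
        yield rec

def rejected_inbound_by_port(text):
    """Packets per destination port that a NACL or security group REJECTed inbound."""
    counts = Counter()
    for rec in parse_flow_log(text):
        if rec["direction"] == "inbound" and rec["action"] == "REJECT":
            counts[int(rec["dstport"])] += int(rec["packets"])
    return dict(counts)

def accepted_bytes_by_direction(text):
    """Bytes moved inbound and outbound over ACCEPTed flows."""
    totals = Counter()
    for rec in parse_flow_log(text):
        if rec["action"] == "ACCEPT":
            totals[rec["direction"]] += int(rec["bytes"])
    return dict(totals)
```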

Cloud firewalls provide security to cloud networks by not only filtering traffic but also offering packet inspection, intrusion detection, and intrusion prevention services for identifying and mitigating malicious activity.

In this example architecture, we have an internet gateway sending VPC traffic out onto the internet, with both public and private subnets associated with the VPC. We can also use a NACL for the public subnet that blocks inbound SSH or Remote Desktop Protocol traffic, since we do not want that sort of traffic flowing in from the public internet, and the cloud security admin can configure a second NACL for the private subnet that allows such traffic for resources within that private subnet.
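As an added example that is not part of the original post, the following Python model contrasts a stateful security group with stateless NACLs for the public and private subnets just described; the rule numbers, ports, and simplified rule evaluation are constructed for teaching and are not AWS's actual engine.

```python
# Added teaching model (constructed, not AWS code): stateful security group vs stateless NACL.
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" (to the instance) or "outbound" (from it)
    proto: str
    src_port: int
    dst_port: int

@dataclass
class SecurityGroup:
    """Stateful: the reply to an allowed inbound connection is allowed automatically."""
    inbound_allow: set                         # {(proto, port)}
    tracked: set = field(default_factory=set)  # (proto, local port, remote port)
    def allows(self, p: Packet) -> bool:
        if p.direction == "inbound" and (p.proto, p.dst_port) in self.inbound_allow:
            self.tracked.add((p.proto, p.dst_port, p.src_port))
            return True
        # An outbound packet passes only if it reverses a tracked connection.
        return p.direction == "outbound" and (p.proto, p.src_port, p.dst_port) in self.tracked

@dataclass
class NetworkAcl:
    """Stateless: rules are checked lowest number first; there is no connection tracking."""
    rules: list  # (number, direction, proto, first_port, last_port, action)
    def allows(self, p: Packet) -> bool:
        for _, direction, proto, lo, hi, action in sorted(self.rules):
            if direction == p.direction and proto == p.proto and lo <= p.dst_port <= hi:
                return action == "allow"
        return False  # the implicit "*" deny-all rule at the end of every NACL

EPHEMERAL = (1024, 65535)  # client-side ports that replies are sent back to
# Public subnet (constructed rule numbers): block SSH/RDP from the internet, allow HTTPS.
public_nacl = NetworkAcl([
    (90, "inbound", "tcp", 22, 22, "deny"),
    (91, "inbound", "tcp", 3389, 3389, "deny"),
    (100, "inbound", "tcp", 443, 443, "allow"),
    (100, "outbound", "tcp", *EPHEMERAL, "allow"),  # replies back to clients
])
# Private subnet: SSH allowed, but the reply direction must still be allowed explicitly.
private_nacl = NetworkAcl([
    (100, "inbound", "tcp", 22, 22, "allow"),
    (100, "outbound", "tcp", *EPHEMERAL, "allow"),
])
private_nacl_no_egress = NetworkAcl([(100, "inbound", "tcp", 22, 22, "allow")])
web_sg = SecurityGroup(inbound_allow={("tcp", 443)})  # no outbound rule needed for replies
def check(filt, port, client_port=50000):
    """Return (request allowed, reply allowed) for a TCP connection from a client to `port`."""
    req = Packet("inbound", "tcp", client_port, port)
    rep = Packet("outbound", "tcp", port, client_port)
    return filt.allows(req), filt.allows(rep)
```

Running `check(private_nacl_no_egress, 22)` shows the stateless failure mode: the SSH request is admitted but the reply is dropped until an outbound ephemeral-port rule is added.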

Another architecture shows Azure, and how the cloud security admin can leverage Azure Firewall to filter and inspect traffic before it reaches the load balancer associated with a VNet, which then distributes traffic to a virtual machine instance protected by a network security group.

On GCP, the Super Secret Company can leverage the Cloud Load Balancing service to load balance web traffic, whether plain HTTP or encrypted HTTPS, to web frontend services within the virtual private cloud. You can add a second load balancer for layer 4 TCP and UDP traffic to a Cloud Engine instance: one load balancer facing the outside world for web traffic, and an internal transport-layer load balancer handling TCP/UDP traffic to the Cloud Engine instance.

To summarize network security: network isolation logically isolates networks within our cloud environment. This is known as a virtual private cloud, or VPC, on AWS and GCP, and as a virtual network on Azure. Security groups provide stateful traffic filtering at the resource level. Peering, like VPC peering, allows communication between resources in different VPCs, and private connections route traffic over the cloud service provider's own network. Cloud load balancers, Network Load Balancers on AWS, Azure Load Balancers on Azure, and Cloud Load Balancing on GCP, all support the availability of cloud resources by distributing load so that these resources do not become overwhelmed and inaccessible to those who need them. On securing traffic flow, we covered how important flow logs are for visibility of traffic, subnets for segmenting network isolation groups, network access control lists, which offer stateless traffic filtering, and firewalls, which provide network-layer security by also offering packet inspection, intrusion detection, and intrusion prevention.

If you plan to take a security certification from any cloud vendor, understanding and knowing these topics and architectures by heart is essential. Getting hands-on experience designing a cloud network is a foundation for becoming a successful cloud security architect.
