1. OSI Networking Model
- A reference model of the network stack (a conceptual layering, not a real implementation)
- Defines how data communication is split into layers, from physical signalling (Layer 1) up to the application (Layer 7)
- In cloud environments, packet filtering (firewall) rules match on IP addresses (Layer 3, Network) and on protocol and port (Layer 4, Transport); they do not inspect application payloads (Layer 7)
- This is the level at which tools like Security Groups and Network ACLs work

2. Security Groups & Network ACLs in AWS

Key Differences
| Feature | Security Group | Network ACL |
|---|---|---|
| Operates at | Interface (ENI) level | Subnet level |
| Rule types | Allow only | Allow + Deny |
| State tracking | Stateful: return traffic of an allowed connection passes automatically | Stateless: return traffic needs its own rule (e.g. outbound to ephemeral ports 1024-65535) |
| Conflict resolution | None needed: rules are a union of allows; no match = implicit deny | Rule number (lower number evaluated first, first match wins; the trailing `*` rule denies everything else) |
| Default behavior | New custom SG: all outbound allowed, all inbound blocked (the VPC's default SG additionally allows inbound from members of the same group) | Default NACL allows all traffic; a custom NACL denies all traffic until rules are added |
Common Rule Attributes (both SG and NACL)
Each rule evaluates:
- IP – a CIDR block: the source for inbound rules, the destination for outbound rules (a Security Group rule may instead reference another Security Group or a prefix list)
- Protocol – tcp, udp, icmp, or all protocols
- Port – a specific port or a port range
Traffic Directions
Both Security Groups and NACLs support:
- Ingress (Inbound) – incoming traffic rules
- Egress (Outbound) – outgoing traffic rules
Scope
- Both Security Groups and Network ACLs are scoped to a VPC
3. Network Security Groups (NSG) in Azure
- In Azure, NSG can be applied at both interface level and subnet level (unlike AWS where these are separate constructs)
- NSG supports both allow and deny rules, so priority is required to resolve conflicts
- Best practice: Avoid sequential priority numbers (e.g., 100, 110) – leave gaps to allow future rule insertions
- An NSG is a standalone regional resource: create it once and associate it with multiple subnets or NICs in the same region, including subnets in different VNets
Quick Comparison: AWS vs Azure Network Security
| Concept | AWS | Azure |
|---|---|---|
| Interface-level firewall | Security Group | NSG |
| Subnet-level firewall | Network ACL (NACL) | NSG |
| Allow-only rules | Security Group | – |
| Allow + Deny rules | NACL | NSG |
| Priority-based evaluation | NACL (lower rule number = evaluated first) | NSG (lower priority number = evaluated first, range 100-4096) |
| Stateful | Security Group: yes; NACL: no | NSG: yes |
| Scope | VPC | Region (one NSG can be associated with subnets/NICs across VNets in that region) |
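The evaluation semantics described in sections 2 and 3 (union-of-allows stateful Security Group versus ordered, first-match, stateless NACL and priority-ordered NSG) are easy to misapply: a deny numbered above a broad allow never fires, and a stateless filter silently drops the reply half of a flow. The model below is an added, constructed example (not AWS or Azure code, and it makes no API calls) that encodes those rules on sample packets; the rule sets and the RFC 5737 documentation addresses are made up for illustration.

```python
"""Rule-evaluation model for cloud packet filters (constructed example).

Models three behaviours:
  * Security Group: unordered allow-only rules, stateful.
  * NACL / NSG: rules evaluated in ascending number or priority, first match
    wins, allow or deny, with an implicit trailing deny.
  * NACL is stateless, so the reply of a flow is judged on its own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "-1"  # AWS writes "all protocols" as -1 (Azure uses "*")


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny" (security groups only ever use "allow")
    protocol: str     # "tcp", "udp", "icmp" or ANY
    cidr: str         # source CIDR for ingress rules, destination CIDR for egress
    port_from: int
    port_to: int
    number: int = 0   # NACL rule number / NSG priority; ignored for security groups

    def matches(self, proto: str, ip: str, port: int) -> bool:
        return (self.protocol in (ANY, proto)
                and ip_address(ip) in ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


def security_group_allows(rules, proto: str, ip: str, port: int) -> bool:
    """Security group: any matching allow rule permits; no match is an implicit deny."""
    return any(r.matches(proto, ip, port) for r in rules)


def ordered_acl_decision(rules, proto: str, ip: str, port: int) -> str:
    """NACL / NSG: evaluate in ascending number, first match decides; the implicit
    trailing rule (AWS '*', Azure DenyAllInBound at 65500) denies everything else."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(proto, ip, port):
            return r.action
    return "deny"


def nacl_flow_allowed(ingress, egress, proto, client_ip, client_port, server_port) -> bool:
    """Stateless: the request (ingress, to server_port) and the reply (egress, to
    the client's ephemeral port) must each be allowed by their own rule."""
    return (ordered_acl_decision(ingress, proto, client_ip, server_port) == "allow"
            and ordered_acl_decision(egress, proto, client_ip, client_port) == "allow")


def sg_flow_allowed(inbound, proto, client_ip, client_port, server_port) -> bool:
    """Stateful: an allowed request implies the reply is allowed, whatever the
    outbound rules say."""
    return security_group_allows(inbound, proto, client_ip, server_port)


# Constructed sample rule sets.
SG_INBOUND = [Rule("allow", "tcp", "0.0.0.0/0", 443, 443)]

NACL_INGRESS = [
    Rule("deny", "tcp", "203.0.113.0/24", 443, 443, number=90),   # blocked network
    Rule("allow", "tcp", "0.0.0.0/0", 443, 443, number=100),      # HTTPS from anywhere
]
NACL_EGRESS_GOOD = [Rule("allow", "tcp", "0.0.0.0/0", 1024, 65535, number=100)]  # replies
NACL_EGRESS_NONE: list = []   # ephemeral-port egress rule forgotten

# Azure NSG with the same ordered semantics. Priorities 100 and 200 left a gap,
# but the deny inserted at 150 is shadowed by the broad allow at 100.
NSG_INBOUND = [
    Rule("allow", "tcp", "0.0.0.0/0", 22, 22, number=100),
    Rule("deny", "tcp", "198.51.100.0/24", 22, 22, number=150),
]
# The deny only takes effect when it sorts before the allow.
NSG_INBOUND_FIXED = [
    Rule("deny", "tcp", "198.51.100.0/24", 22, 22, number=50),
    Rule("allow", "tcp", "0.0.0.0/0", 22, 22, number=100),
]

if __name__ == "__main__":
    print(sg_flow_allowed(SG_INBOUND, "tcp", "198.51.100.7", 51234, 443))
    print(nacl_flow_allowed(NACL_INGRESS, NACL_EGRESS_GOOD, "tcp", "198.51.100.7", 51234, 443))
    print(nacl_flow_allowed(NACL_INGRESS, NACL_EGRESS_NONE, "tcp", "198.51.100.7", 51234, 443))
    print(nacl_flow_allowed(NACL_INGRESS, NACL_EGRESS_GOOD, "tcp", "203.0.113.9", 51234, 443))
    print(ordered_acl_decision(NSG_INBOUND, "tcp", "198.51.100.7", 22))
    print(ordered_acl_decision(NSG_INBOUND_FIXED, "tcp", "198.51.100.7", 22))
```

Running it shows the two traps: the NACL with no egress rule for ports 1024-65535 drops every HTTPS reply even though inbound 443 is allowed, and the NSG deny at priority 150 never fires until it is renumbered below the allow at 100. Leaving gaps between priorities is what makes that renumbering possible without rewriting the whole rule set.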
