Network security in cloud environments layers multiple controls: Security Groups (stateful, instance-level firewall in AWS/GCP), Network ACLs (stateless, subnet-level), WAF (L7 HTTP filtering), and IDS/IPS (intrusion detection/prevention). DDoS mitigation relies on volumetric scrubbing (AWS Shield, Cloudflare Magic Transit), protocol filtering (SYN cookie defense), and anycast absorption. Defense-in-depth applies multiple independent layers — an attacker bypassing one control still faces the next.

Key Points

  • Security Groups are stateful: allowing inbound port 443 automatically allows the return traffic — no need to explicitly allow outbound for established connections.
  • NACLs are stateless: must explicitly allow both inbound (port 443) and outbound (ephemeral ports 1024–65535 for return traffic) — forgetting the outbound ephemeral rule is a common misconfiguration.
  • Principle of least-network-access: Security Groups should allow only the minimum ports from the minimum source ranges — `0.0.0.0/0` on port 22 (SSH) or 3389 (RDP) is a critical finding in any cloud security audit.
  • AWS VPC Flow Logs capture 5-tuple (src IP, dst IP, src port, dst port, protocol) with action (ACCEPT/REJECT) — feed to CloudWatch Insights or Athena for threat hunting; log sampling rate is 100% by default.
  • DDoS mitigation layers: DNS-based (Route 53 health-based routing), Anycast absorption (Cloudflare), volumetric scrubbing (AWS Shield Advanced DRT), SYN cookies (kernel-level TCP protection), rate limiting (WAF).
  • SYN flood attack: attacker sends SYN packets with spoofed source IPs; server allocates half-open connection state per SYN, exhausting memory — SYN cookies encode state in the ISN (Initial Sequence Number) without allocating memory until ACK is received.
  • AWS Network Firewall (managed stateful IDS/IPS): Suricata-compatible rule groups for domain filtering, port scanning detection, and protocol anomaly detection — deployed in a dedicated inspection VPC.
  • East-west traffic (service-to-service within a cluster or VPC) is often unencrypted and unmonitored — use service mesh mTLS (Istio, Linkerd) or eBPF-based network policies (Cilium) to secure lateral traffic.
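The stateful-versus-stateless distinction in the first two points, and the least-network-access audit in the third, as an added example (not part of the original notes or any AWS tooling). It models one HTTPS exchange through a simplified Security Group and a simplified NACL, shows the reply packet being dropped when the NACL lacks the outbound ephemeral rule, and flags SSH/RDP exposed to `0.0.0.0/0`. Rule tuples, the `Packet` shape and the addresses are constructed for the illustration and are not the AWS API's own structures.

```python
"""Stateful Security Group vs stateless NACL, modelled on one HTTPS exchange, plus a
least-network-access audit. Rule shapes here are a simplified illustration, not the
AWS API's own structures; addresses are constructed documentation ranges."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" (toward the instance/subnet) or "out"


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass
class SecurityGroup:
    """Stateful: once a flow is allowed by a rule, its reply packets are allowed
    with no rule in the other direction. Rules are (cidr, from_port, to_port)."""
    inbound: list
    outbound: list
    _tracked: set = field(default_factory=set)

    def allows(self, p):
        # Reply to a tracked flow? Allowed regardless of rules (connection tracking).
        if (p.dst, p.dport, p.src, p.sport) in self._tracked:
            return True
        remote = p.src if p.direction == "in" else p.dst
        rules = self.inbound if p.direction == "in" else self.outbound
        for cidr, lo, hi in rules:
            if _in_cidr(remote, cidr) and lo <= p.dport <= hi:
                self._tracked.add((p.src, p.sport, p.dst, p.dport))
                return True
        return False


@dataclass
class NetworkAcl:
    """Stateless: every packet, replies included, must match an explicit rule.
    Rules are (rule_no, cidr, from_port, to_port, action); lowest rule_no wins."""
    inbound: list
    outbound: list

    def allows(self, p):
        remote = p.src if p.direction == "in" else p.dst
        rules = sorted(self.inbound if p.direction == "in" else self.outbound)
        for _, cidr, lo, hi, action in rules:
            if _in_cidr(remote, cidr) and lo <= p.dport <= hi:
                return action == "allow"
        return False  # the implicit final deny ("*") rule


def https_round_trip(control):
    """(request_allowed, reply_allowed) for client:51234 -> instance:443 and back."""
    request = Packet("203.0.113.10", "10.0.1.5", 51234, 443, "in")
    reply = Packet("10.0.1.5", "203.0.113.10", 443, 51234, "out")
    return control.allows(request), control.allows(reply)


def audit_security_group(sg):
    """Flag inbound rules that expose SSH (22) or RDP (3389) to the whole internet."""
    findings = []
    for cidr, lo, hi in sg.inbound:
        if cidr not in ("0.0.0.0/0", "::/0"):
            continue
        for port, name in ((22, "SSH"), (3389, "RDP")):
            if lo <= port <= hi:
                findings.append(f"CRITICAL: {name} ({port}) open to {cidr}")
    return findings


# Constructed configurations exercising the three cases.
SG_HTTPS = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])
NACL_MISSING_EPHEMERAL = NetworkAcl(inbound=[(100, "0.0.0.0/0", 443, 443, "allow")], outbound=[])
NACL_CORRECT = NetworkAcl(inbound=[(100, "0.0.0.0/0", 443, 443, "allow")],
                          outbound=[(100, "0.0.0.0/0", 1024, 65535, "allow")])
SG_OVERLY_OPEN = SecurityGroup(inbound=[("0.0.0.0/0", 22, 22), ("10.0.0.0/8", 3389, 3389),
                                        ("0.0.0.0/0", 0, 65535)], outbound=[])

if __name__ == "__main__":
    print("security group:", https_round_trip(SG_HTTPS))                   # (True, True)
    print("NACL w/o ephemeral:", https_round_trip(NACL_MISSING_EPHEMERAL))  # (True, False)
    print("NACL correct:", https_round_trip(NACL_CORRECT))                  # (True, True)
    print(*audit_security_group(SG_OVERLY_OPEN), sep="\n")
```

The NACL case is the one worth staring at: the inbound 443 rule lets the request in, but the reply leaves on a source port of 443 toward the client's ephemeral destination port, so without the outbound 1024–65535 allow it hits the implicit deny. The audit deliberately counts a wide "all ports" rule as exposing both SSH and RDP, which is how a scanner should treat it.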

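The VPC Flow Logs threat-hunting point above, as an added example that is not part of the original notes: a parser for the default version-2 record format (the 14 space-separated fields AWS documents, with NODATA/SKIPDATA lines skipped) and a simple detection that flags a source whose rejected flows touched many distinct destination ports inside a short window, the signature of a port scan bouncing off a Security Group or NACL. The log lines, account id and ENI id are constructed sample data.

```python
"""Parse AWS VPC Flow Log records (default version-2 format) and hunt for port-scan
behaviour: one source hitting many distinct destination ports that were REJECTed.
Sample records below are constructed; account and ENI ids are placeholders."""
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


@dataclass(frozen=True)
class FlowRecord:
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str
    start: int


def parse_flow_log(text):
    """Return FlowRecords for each well-formed data line. NODATA/SKIPDATA lines carry
    '-' in the traffic fields and would break int(), so they are skipped explicitly."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or a custom-format line; not silently mis-parsed
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        records.append(FlowRecord(rec["srcaddr"], rec["dstaddr"], int(rec["srcport"]),
                                  int(rec["dstport"]), int(rec["protocol"]),
                                  rec["action"], int(rec["start"])))
    return records


def find_port_scanners(records, min_ports=10, window_s=600):
    """Return {srcaddr: sorted distinct rejected dst ports} for sources whose REJECTed
    flows reached at least `min_ports` distinct ports within any `window_s` window."""
    rejected = defaultdict(list)
    for r in records:
        if r.action == "REJECT":
            rejected[r.srcaddr].append((r.start, r.dstport))
    scanners = {}
    for src, hits in rejected.items():
        hits.sort()  # by start time, then port
        for i, (t0, _) in enumerate(hits):
            window = {port for t, port in hits[i:] if t - t0 <= window_s}
            if len(window) >= min_ports:
                scanners[src] = sorted(window)
                break
    return scanners


def _rec(src, dst, sport, dport, action, start, status="OK"):
    # Constructed record in the default format; protocol 6 = TCP.
    return (f"2 123456789012 eni-0abc1234 {src} {dst} {sport} {dport} 6 1 60 "
            f"{start} {start + 60} {action} {status}")


SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
SAMPLE_LOG = "\n".join(
    [_rec("198.51.100.7", "10.0.1.5", 40000 + i, p, "REJECT", 1_600_000_000 + 5 * i)
     for i, p in enumerate(SCAN_PORTS)]
    + [_rec("203.0.113.10", "10.0.1.5", 51234, 443, "ACCEPT", 1_600_000_100),
       _rec("203.0.113.10", "10.0.1.5", 51235, 22, "REJECT", 1_600_000_120),
       # Interface saw no traffic in the interval: traffic fields are '-'.
       "2 123456789012 eni-0abc1234 - - - - - - - 1600000200 1600000260 - NODATA"])

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for src, ports in find_port_scanners(recs).items():
        print(f"port scan from {src}: {len(ports)} rejected ports {ports}")
```

The single REJECT from the legitimate client stays below the threshold, so only the sweeping source is reported. Thresholds are tuning knobs: a lower `min_ports` catches slow scans at the cost of noise from misconfigured clients. At scale the same hunt runs where the page points, CloudWatch Logs Insights (`filter action = "REJECT" | stats count_distinct(dstPort) as ports by srcAddr | filter ports >= 10`) or Athena over the S3 export; the Python version is for reasoning about the logic offline.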
Real-World Example

AWS Shield Advanced protected a major gaming company from a 2.3 Tbps UDP reflection/amplification DDoS attack in 2020 — the largest ever recorded at the time — absorbing it across the AWS anycast network without impacting game server availability.
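The SYN-cookie mechanism from the key points above, as an added example that is not part of the original notes and not the Linux kernel's exact encoding: a simplified 32-bit cookie with a coarse timestamp, an MSS index and a keyed MAC over the 4-tuple, so the server's initial sequence number carries the half-open state instead of a backlog entry. The `CookieListener`, its secret, the MSS table and the addresses are constructed for the illustration; it is IPv4-only.

```python
"""Simplified SYN-cookie scheme showing how a listener rides out a SYN flood without
per-SYN state: the server ISN *is* the state. Cookie layout used here (an illustration,
not Linux's exact encoding):
    bits 31..27  coarse timestamp tick (5 bits, so cookies expire)
    bits 26..24  index into a small MSS table
    bits 23..0   keyed MAC over the 4-tuple and the tick
Secret, MSS table and endpoints below are constructed for the example."""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-secret-rotate-me"   # a real stack rotates this periodically
MSS_TABLE = (536, 1220, 1440, 1460)        # encodable MSS values (2 of the 3 bits used)
TIME_STEP = 64                             # seconds per tick; coarse on purpose


def _mac24(saddr, sport, daddr, dport, t):
    """24-bit keyed MAC binding the cookie to the connection 4-tuple and tick t."""
    msg = struct.pack("!4sH4sHI", ipaddress.ip_address(saddr).packed, sport,
                      ipaddress.ip_address(daddr).packed, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, client_isn, mss, t):
    """Server ISN for the SYN-ACK. Nothing is stored server-side."""
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= max(mss, MSS_TABLE[0]))
    cookie = ((t & 0x1F) << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, t)
    return (client_isn + cookie) & 0xFFFFFFFF


def check_syn_cookie(saddr, sport, daddr, dport, client_seq, ack_seq, now_t):
    """Validate the handshake's final ACK (its SEQ and ACK fields) and recover the MSS.
    Returns the negotiated MSS, or None if the cookie is forged or expired."""
    client_isn = (client_seq - 1) & 0xFFFFFFFF
    server_isn = (ack_seq - 1) & 0xFFFFFFFF
    cookie = (server_isn - client_isn) & 0xFFFFFFFF
    age = (now_t - (cookie >> 27)) & 0x1F
    if age > 1:                            # only the current or previous tick is accepted
        return None
    t = now_t - age                        # reconstruct the full tick the cookie was minted in
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    if (cookie & 0xFFFFFF) != _mac24(saddr, sport, daddr, dport, t):
        return None
    return MSS_TABLE[mss_idx]


class CookieListener:
    """Toy listener: SYNs cost no memory; only a valid final ACK creates a connection."""

    def __init__(self, addr, port):
        self.addr, self.port = addr, port
        self.established = {}

    def on_syn(self, saddr, sport, client_isn, mss, now_s):
        return make_syn_cookie(saddr, sport, self.addr, self.port, client_isn, mss,
                               now_s // TIME_STEP)

    def on_ack(self, saddr, sport, seq, ack, now_s):
        mss = check_syn_cookie(saddr, sport, self.addr, self.port, seq, ack,
                               now_s // TIME_STEP)
        if mss is not None:
            self.established[(saddr, sport)] = mss
        return mss is not None


def demo():
    """A burst of SYNs leaves no state; a real handshake completes; a forged ACK fails."""
    srv = CookieListener("10.0.1.5", 443)
    for i in range(10_000):  # many half-open attempts that never ACK: zero memory held
        srv.on_syn(f"198.51.100.{i % 250 + 1}", 1024 + i, 0xABCD0000 + i, 1460, 1_600_000_000)
    isn_c = 0x11223344
    isn_s = srv.on_syn("203.0.113.10", 51234, isn_c, 1460, 1_600_000_000)
    ok = srv.on_ack("203.0.113.10", 51234, isn_c + 1, isn_s + 1, 1_600_000_010)
    forged = srv.on_ack("203.0.113.11", 51234, isn_c + 1, isn_s + 1, 1_600_000_010)
    return ok, forged, len(srv.established), srv.established.get(("203.0.113.10", 51234))


if __name__ == "__main__":
    print(demo())  # (True, False, 1, 1460)
```

The trade-offs the encoding forces are the same ones the real mechanism pays: only a few MSS values survive the round trip, TCP options that are not encoded are lost, and the 5-bit tick means a legitimately slow ACK is rejected. That is why kernels enable cookies only once the backlog fills rather than for every connection.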