Network Security Groups

Table of Contents

• Overview
• When to Use
• Quick Start
• Reference Guides
• Best Practices

Overview

Implement network security groups and firewall rules to enforce least privilege access, segment networks, and protect infrastructure from unauthorized access.

When to Use

• Inbound traffic control
• Outbound traffic filtering
• Network segmentation
• Zero-trust networking
• DDoS mitigation
• Database access restriction
• VPN access control
• Multi-tier application security

Quick Start

Minimal working example:

# aws-security-groups.yaml
Resources:
  # VPC Security Group
  VPCSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: VPC security group
      VpcId: vpc-12345678
      SecurityGroupIngress:
        # Allow HTTP from anywhere
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: 0.0.0.0/0
          Description: "HTTP from anywhere"

        # Allow HTTPS from anywhere
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
          Description: "HTTPS from anywhere"

        # Allow SSH from admin network only
        - IpProtocol: tcp
// ... (see reference guides for full implementation)

Reference Guides

Detailed implementations in the references/ directory:

Guide	Contents
AWS Security Groups	AWS Security Groups
Kubernetes Network Policies	Kubernetes Network Policies
GCP Firewall Rules	GCP Firewall Rules
Security Group Management Script	Security Group Management Script

Best Practices

✅ DO

• Implement least privilege access
• Use security groups for segmentation
• Document rule purposes
• Regularly audit rules
• Separate inbound and outbound rules
• Use security group references
• Monitor rule changes
• Test access before enabling

❌ DON'T

• Allow 0.0.0.0/0 for databases
• Open all ports unnecessarily
• Mix environments in single SG
• Ignore egress rules
• Allow all protocols
• Forget to document rules
• Use single catch-all rule
• Deploy without firewall