SEC05-BP02: Control traffic flow within your network layers

When designing your network topology, you should apply multiple controls with a defense-in-depth approach to both inbound and outbound traffic, including security groups, network ACLs, subnets, and firewalls. Within AWS, you can choose from multiple firewall options for controlling traffic flow, including AWS WAF for applications, AWS Network Firewall for VPCs, and AWS Shield for DDoS protection.

Implementation guidance

Controlling traffic flow within network layers is essential for implementing a robust security posture. By applying multiple layers of traffic controls, you can ensure that only authorized traffic flows between network segments while blocking malicious or unauthorized communications.

Key steps for implementing this best practice:

  1. Implement layered traffic controls:
    • Deploy multiple security controls at different network layers
    • Use security groups for instance-level traffic filtering
    • Configure Network ACLs for subnet-level access control
    • Implement network firewalls for advanced traffic inspection
    • Apply web application firewalls for application-layer protection
  2. Configure inbound traffic controls:
    • Restrict inbound traffic to only necessary ports and protocols
    • Implement source-based access controls using IP ranges or security groups
    • Configure load balancers with appropriate security settings
    • Use AWS WAF to protect web applications from common attacks
    • Enable DDoS protection with AWS Shield
  3. Manage outbound traffic controls:
    • Control outbound internet access through NAT gateways or instances
    • Implement egress filtering to prevent data exfiltration
    • Use VPC endpoints to keep AWS service traffic within the AWS network
    • Configure proxy servers for controlled internet access
    • Monitor and log all outbound connections
  4. Implement micro-segmentation:
    • Create granular security groups for specific application components
    • Use security group references to control inter-service communication
    • Implement network policies for container environments
    • Apply zero-trust networking principles
    • Segment traffic based on application tiers and data sensitivity
  5. Configure advanced traffic inspection:
    • Deploy AWS Network Firewall for deep packet inspection
    • Implement intrusion detection and prevention systems
    • Use traffic mirroring for security analysis
    • Configure SSL/TLS inspection where appropriate
    • Integrate with threat intelligence feeds
  6. Monitor and analyze traffic flows:
    • Enable VPC Flow Logs for comprehensive traffic visibility
    • Implement real-time traffic monitoring and alerting
    • Use network analytics tools for traffic pattern analysis
    • Set up automated responses to suspicious traffic patterns
    • Regularly review and optimize traffic control rules
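Steps 3 and 6 above (egress filtering, monitoring and logging outbound connections, reviewing flow logs) can be exercised offline. The following is an added example, not code from the Well-Architected page: it parses VPC Flow Log records in the default 14-field format and flags outbound flows that were accepted to destinations outside an approved list, as well as rejected egress attempts. The log lines, account id, interface id, addresses and the approved egress networks are constructed placeholders, and the review logic is an assumption about what a defender would want surfaced.

```python
"""Review outbound flows in VPC Flow Logs (default record format) for unapproved egress.

Constructed example: the log lines, account id, interface id and addresses below are
placeholders, and the approved egress list is an assumption about what the workload
should reach; nothing here queries AWS. The default flow log format has these 14 fields,
and records with log-status NODATA or SKIPDATA carry '-' in the address fields.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed sample: an app instance at 10.0.2.15 talks to internal tiers, an approved
# external endpoint, one unapproved external host, one blocked outbound port, and receives
# one blocked inbound SSH attempt; the last record is a NODATA interval.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 10.0.1.20 48231 8080 6 12 3400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 10.0.3.40 48232 5432 6 20 9000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 198.51.100.9 48233 443 6 6 1200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 192.0.2.77 48234 443 6 5 900 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 198.51.100.9 48235 4444 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.2.15 51000 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line: str):
    """Split one default-format record into a dict, or return None if the field count is off."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def review_flows(log_text: str, vpc_cidr: str, approved_egress):
    """Return (findings, counts).

    Findings list accepted egress to destinations outside the approved networks and
    rejected egress attempts; counts tallies log-status values, inbound rejects and
    malformed lines.
    """
    vpc = ip_network(vpc_cidr)
    approved = [ip_network(c) for c in approved_egress]
    findings, counts = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            counts["malformed"] += 1
            continue
        counts[rec["log_status"]] += 1
        if rec["log_status"] != "OK":      # NODATA / SKIPDATA: no addresses to evaluate
            continue
        src, dst = ip_address(rec["srcaddr"]), ip_address(rec["dstaddr"])
        if src in vpc and dst not in vpc:                       # outbound from the VPC
            if rec["action"] == "ACCEPT" and not any(dst in n for n in approved):
                findings.append(f"unapproved egress {src}->{dst}:{rec['dstport']} ({rec['bytes']} bytes)")
            elif rec["action"] == "REJECT":
                findings.append(f"blocked egress {src}->{dst}:{rec['dstport']}")
        elif dst in vpc and src not in vpc and rec["action"] == "REJECT":
            counts["inbound_rejects"] += 1
    return findings, counts


if __name__ == "__main__":
    found, tally = review_flows(SAMPLE_LOG, "10.0.0.0/16", ["198.51.100.0/24"])
    for f in found:
        print(f)
    print(dict(tally))
```

The accepted flow to 192.0.2.77 is the interesting one: it passed every control, so either the approved list is incomplete or the instance is reaching somewhere it should not, and that is exactly the review step 6 calls for. In production the same logic would run over records delivered to CloudWatch Logs or S3 rather than an inline string.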

Implementation examples

Example 1: Layered security group configuration
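As an added illustration, not code from the AWS page, the following models a three-tier layout (load balancer, application, database) in which each tier's security group admits traffic only from the group one tier up, using group references rather than addresses. The group ids, tiers and ports are placeholders, and the evaluator reproduces security group behaviour (stateful, deny by default, source may be a CIDR or another group) offline so a proposed layout can be checked before it is applied; the lint rules encode an assumed policy for which tiers may talk to which.

```python
"""Three-tier security group layout with group references, plus an offline evaluator.

Constructed example: the group ids (sg-alb, sg-app, sg-db) and ports are placeholders,
and the evaluator mirrors how security groups behave (stateful, deny by default,
source may be a CIDR or another group) without calling AWS.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp" or "-1" for all protocols and ports
    from_port: int
    to_port: int
    source: str      # a CIDR such as "0.0.0.0/0" or a referenced group id such as "sg-alb"


@dataclass
class SecurityGroup:
    group_id: str
    tier: str                       # "edge", "app" or "data"
    inbound: list = field(default_factory=list)


# Internet -> load balancer (edge) -> application -> database.
GROUPS = {
    "sg-alb": SecurityGroup("sg-alb", "edge", [Rule("tcp", 443, 443, "0.0.0.0/0")]),
    "sg-app": SecurityGroup("sg-app", "app", [Rule("tcp", 8080, 8080, "sg-alb")]),
    "sg-db": SecurityGroup("sg-db", "data", [Rule("tcp", 5432, 5432, "sg-app")]),
}

# Assumed policy: which tiers may originate traffic into each tier.
# The edge tier is internet-facing by design, so it is exempt from the internet check.
ALLOWED_SOURCE_TIERS = {"edge": {"internet"}, "app": {"edge"}, "data": {"app"}}


def is_allowed(groups, src, dst_group_id, protocol, port):
    """True if inbound traffic from `src` (a group id or an IP address) to `dst_group_id` is permitted.

    Only inbound rules are consulted: security groups are stateful, so the reply path needs no rule.
    """
    for rule in groups[dst_group_id].inbound:
        if rule.protocol != "-1":
            if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
                continue
        if rule.source.startswith("sg-"):
            if src == rule.source:           # group reference: membership, not the instance's address
                return True
        elif not src.startswith("sg-") and ip_address(src) in ip_network(rule.source):
            return True
    return False


def lint(groups):
    """Findings that break the layering: internet-wide rules off the edge tier,
    group references from an unexpected tier, and any-protocol rules."""
    findings = []
    for sg in groups.values():
        for rule in sg.inbound:
            if rule.source.startswith("sg-"):
                src_tier = groups[rule.source].tier
            else:
                src_tier = "internet" if ip_network(rule.source).prefixlen == 0 else "cidr"
            if src_tier == "internet" and sg.tier != "edge":
                findings.append(f"{sg.group_id}: open to the internet on port {rule.from_port}")
            elif src_tier in ALLOWED_SOURCE_TIERS and src_tier not in ALLOWED_SOURCE_TIERS[sg.tier]:
                findings.append(f"{sg.group_id}: unexpected source tier {src_tier} on port {rule.from_port}")
            if rule.protocol == "-1":
                findings.append(f"{sg.group_id}: all protocols and ports open from {rule.source}")
    return findings


if __name__ == "__main__":
    print(is_allowed(GROUPS, "203.0.113.7", "sg-alb", "tcp", 443))   # True
    print(is_allowed(GROUPS, "203.0.113.7", "sg-app", "tcp", 8080))  # False
    print(is_allowed(GROUPS, "sg-alb", "sg-db", "tcp", 5432))        # False
    print(lint(GROUPS))                                              # []
```

The point of the group references is that membership, not an address, grants access: an instance launched into sg-app can reach the database port, while an instance in the same subnet with only sg-alb cannot, and scaling the app tier never requires editing the database rules.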

Example 2: AWS Network Firewall configuration
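The following is an added example rather than the AWS page's own, showing an egress domain allowlist for AWS Network Firewall (step 3, egress filtering) together with an offline matcher. The rule group dict uses the documented CreateRuleGroup shape for a domain list (RulesSourceList with Targets, TargetTypes and GeneratedRulesType); the rule group name, capacity and the listed domains are placeholders. The matcher reproduces the documented domain list semantics (a leading dot covers the domain and its subdomains, otherwise the host must match exactly) and is my emulation for checking a proposed list, not the service's code; it also handles the DENYLIST case, which goes beyond the allowlist the heading names.

```python
"""Egress domain allowlist for AWS Network Firewall, with an offline matcher.

Constructed example: the rule group definition below is the shape passed to the
Network Firewall CreateRuleGroup API for a domain list rule; the name, capacity and
domains are placeholders. The matcher is an emulation of the documented domain list
semantics so the policy can be reasoned about without deploying it.
"""

EGRESS_ALLOWLIST = {
    "RuleGroupName": "egress-domain-allowlist",   # placeholder
    "Type": "STATEFUL",
    "Capacity": 100,                              # placeholder sizing
    "RuleGroup": {
        "RulesSource": {
            "RulesSourceList": {
                "Targets": [
                    ".amazonaws.com",        # the domain and every subdomain
                    "updates.example.com",   # this host only
                ],
                "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                "GeneratedRulesType": "ALLOWLIST",
            }
        }
    },
}


def domain_matches(target: str, host: str) -> bool:
    """Domain list matching: '.example.com' matches example.com and *.example.com,
    'example.com' matches only example.com. Case-insensitive; a trailing dot is ignored."""
    host = host.lower().rstrip(".")
    target = target.lower()
    if target.startswith("."):
        base = target[1:]
        return host == base or host.endswith("." + base)
    return host == target


def egress_decision(rule_group: dict, host: str) -> str:
    """Return 'PASS' or 'DROP' for an HTTP Host or TLS SNI value under the rule group.

    Domain lists apply to the HTTP and TLS flows named in TargetTypes; other protocols
    fall through to the rest of the firewall policy, which this emulation does not model.
    """
    src = rule_group["RuleGroup"]["RulesSource"]["RulesSourceList"]
    matched = any(domain_matches(t, host) for t in src["Targets"])
    if src["GeneratedRulesType"] == "ALLOWLIST":
        return "PASS" if matched else "DROP"
    return "DROP" if matched else "PASS"   # DENYLIST: listed domains are blocked, the rest pass


def review(rule_group: dict, hosts) -> dict:
    """Decision per host, for checking a proposed list against known legitimate destinations."""
    return {h: egress_decision(rule_group, h) for h in hosts}


if __name__ == "__main__":
    candidates = ["s3.us-east-1.amazonaws.com", "updates.example.com",
                  "cdn.updates.example.com", "notamazonaws.com"]
    for host, decision in review(EGRESS_ALLOWLIST, candidates).items():
        print(f"{decision:5} {host}")
```

Two details are worth checking before such a list goes live: a bare host entry does not cover its subdomains (cdn.updates.example.com is dropped above), and a dotted entry never matches look-alike registrations such as notamazonaws.com, which is the behaviour you want from an allowlist.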

Example 3: AWS WAF configuration for application layer protection
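As an added example, not the AWS page's own code, here is a rate-based rule as it would appear in a web ACL's rule list, alongside an offline emulation of its per-IP counting. The rule uses the real web ACL fields (RateBasedStatement, Limit, AggregateKeyType, Action, VisibilityConfig) with a placeholder name and limit; the request sample is constructed. The emulation is an approximation of WAF's trailing-window count, meant for sanity-checking a limit against expected traffic before it is applied: the service evaluates counts periodically, so live enforcement lags the moment the limit is crossed.

```python
"""Rate-based rule in an AWS WAF web ACL, with an offline emulation of the counting.

Constructed example: the rule below uses the web ACL rule fields (RateBasedStatement,
Limit, AggregateKeyType) with a placeholder name and limit; the request sample is made up.
The emulation approximates WAF's trailing-window count so a limit can be sanity-checked
against expected traffic; the service itself evaluates counts periodically.
"""
from collections import defaultdict, deque

RATE_LIMIT_RULE = {
    "Name": "rate-limit-per-ip",          # placeholder
    "Priority": 0,
    "Statement": {
        "RateBasedStatement": {
            "Limit": 100,                  # requests per source IP in the evaluation window
            "AggregateKeyType": "IP",
        }
    },
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "rate-limit-per-ip",
    },
}


def build_sample_requests():
    """Constructed traffic: one source sends 150 requests within a minute, another sends 50."""
    noisy = [(1700000000 + i % 60, "203.0.113.10") for i in range(150)]
    quiet = [(1700000000 + i, "198.51.100.4") for i in range(50)]
    return noisy + quiet


def evaluate_rate_rule(rule, requests, window_sec=300):
    """Return the set of source IPs whose request count in any trailing window exceeds Limit.

    `requests` is an iterable of (unix_timestamp, source_ip); the default window is the
    five minutes a rate-based rule counts over.
    """
    limit = rule["Statement"]["RateBasedStatement"]["Limit"]
    recent = defaultdict(deque)
    over_limit = set()
    for ts, ip in sorted(requests):
        window = recent[ip]
        window.append(ts)
        while window and window[0] <= ts - window_sec:   # drop requests older than the window
            window.popleft()
        if len(window) > limit:
            over_limit.add(ip)
    return over_limit


if __name__ == "__main__":
    print(evaluate_rate_rule(RATE_LIMIT_RULE, build_sample_requests()))   # {'203.0.113.10'}
```

Running the emulation over a day of real access logs before deploying the rule shows which legitimate sources (shared NAT addresses, monitoring probes) would trip the limit, which is the usual reason to start a rate-based rule in Count action rather than Block.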

Example 4: VPC endpoints for controlled AWS service access

AWS services to consider

AWS Security Groups

Acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic. Provides stateful packet filtering and supports security group references for micro-segmentation.

AWS Network ACLs

Provides an additional layer of security for your VPC that acts as a firewall for controlling traffic in and out of subnets. Offers stateless packet filtering with explicit allow and deny rules.

AWS Network Firewall

A managed service that makes it easy to deploy essential network protections for all of your Amazon VPCs. Provides fine-grained control over network traffic with stateful inspection.

AWS WAF (Web Application Firewall)

Helps protect your web applications or APIs against common web exploits and bots. Provides application-layer protection with customizable rules and managed rule sets.

AWS Shield

Provides managed DDoS protection that safeguards applications running on AWS. Shield Standard is automatically included, while Shield Advanced provides enhanced protections.

VPC Endpoints

Enables you to privately connect your VPC to supported AWS services without requiring an internet gateway. Helps control and secure traffic to AWS services.

Benefits of controlling traffic flow within network layers

  • Enhanced security posture: Multiple layers of controls provide comprehensive protection against various attack vectors
  • Reduced attack surface: Granular traffic controls limit potential entry points for attackers
  • Improved compliance: Supports regulatory requirements for network security and data protection
  • Better incident containment: Traffic controls help limit the spread of security incidents
  • Enhanced visibility: Detailed traffic controls provide better monitoring and analysis capabilities
  • Flexible security policies: Layered approach allows for different security policies at different network levels
  • Scalable protection: Controls can be applied consistently across large and complex network architectures