Networking & DNS

Firewall Configuration

Permissive firewall rules are the most common infrastructure vulnerability. We configure firewalls at every layer — cloud security groups, network ACLs, and host-level iptables/nftables — with least-privilege rules managed as code. Every rule has a documented purpose, and unused rules get removed.


Cloud Security Groups & NACLs

Security groups get restructured around service roles — web servers, application servers, databases each have dedicated groups with minimal inbound rules. We reference security group IDs instead of CIDR ranges so rules stay valid across infrastructure changes. Network ACLs add subnet-level stateless filtering for broad traffic controls. All rules are Terraform-managed with PR-based change reviews.

Host-Level Firewalls

nftables (or iptables on older systems) provides host-level defense as a second layer behind cloud firewalls. Default policy: drop. Explicit rules allow only required inbound ports from expected sources. Outbound rules restrict egress to known destinations, preventing data exfiltration and C2 communication. Connection tracking admits return traffic only for established connections and rejects packets in an invalid state.

Kubernetes Network Policies

NetworkPolicies enforce pod-to-pod communication rules at the container level. Default deny-all ingress per namespace, then explicit allow rules for required service-to-service paths. Cilium or Calico handles enforcement with L3/L4 or L7 filtering. We test policies in audit mode before enforcement to avoid breaking existing communication patterns.

Audit & Compliance

We generate a firewall rule inventory documenting every rule: source, destination, port, protocol, and business justification. Unused rules get identified via flow log analysis and removed. Periodic rule reviews (quarterly recommended) catch drift. Compliance reports map rules to security frameworks (SOC 2, ISO 27001) for audit readiness. You get firewall rules you actually understand.
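The inventory-versus-flow-log check described above, as an added example that is not part of this page or of any tooling the page describes. It takes a rule inventory in the shape listed here (source, destination, port, protocol, business justification) and a batch of flow-log records, and reports which rules never matched accepted traffic (removal candidates), which rules lack a justification, and which accepted flows no documented rule explains (a sign of drift between the inventory and what is actually deployed). The rule IDs, CIDR ranges and log lines are constructed for illustration; the five-field log layout is a simplification of VPC-flow-log style records.

```python
"""Firewall rule inventory audit: cross-check documented rules against flow logs.

Added example, not the page's own code. Rule schema, log format and all
sample data below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed rule inventory: source, destination, port, protocol, justification.
RULES = [
    {"id": "sg-web-443", "source": "0.0.0.0/0", "destination": "10.0.1.0/24",
     "port": 443, "protocol": "tcp", "justification": "Public HTTPS to web tier"},
    {"id": "sg-app-8080", "source": "10.0.1.0/24", "destination": "10.0.2.0/24",
     "port": 8080, "protocol": "tcp", "justification": "Web tier to app tier"},
    {"id": "sg-db-5432", "source": "10.0.2.0/24", "destination": "10.0.3.0/24",
     "port": 5432, "protocol": "tcp", "justification": "App tier to Postgres"},
    {"id": "sg-legacy-3306", "source": "10.0.0.0/16", "destination": "10.0.3.0/24",
     "port": 3306, "protocol": "tcp", "justification": ""},  # no justification recorded
    {"id": "sg-ops-22", "source": "10.0.9.0/24", "destination": "10.0.0.0/16",
     "port": 22, "protocol": "tcp", "justification": "Bastion SSH"},
]

# Constructed flow-log lines: srcaddr dstaddr dstport protocol action
FLOW_LOG = """\
203.0.113.7 10.0.1.10 443 tcp ACCEPT
203.0.113.9 10.0.1.11 443 tcp ACCEPT
10.0.1.10 10.0.2.20 8080 tcp ACCEPT
10.0.2.20 10.0.3.30 5432 tcp ACCEPT
10.0.2.21 10.0.3.30 5432 tcp ACCEPT
10.0.9.5 10.0.2.20 22 tcp ACCEPT
198.51.100.4 10.0.1.10 22 tcp REJECT
10.0.2.20 10.0.3.30 6379 tcp ACCEPT
"""

# Real flow logs usually carry IANA protocol numbers; accept both forms.
PROTO_NUM = {"6": "tcp", "17": "udp"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    proto: str
    action: str


def parse_flow_log(text):
    """Parse whitespace-separated flow records, skipping malformed lines rather than aborting."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        src, dst, port, proto, action = fields
        try:
            flows.append(Flow(src, dst, int(port), PROTO_NUM.get(proto, proto.lower()), action.upper()))
        except ValueError:
            continue
    return flows


def rule_matches(rule, flow):
    """A rule covers a flow when source CIDR, destination CIDR, port and protocol all agree."""
    return (ip_address(flow.src) in ip_network(rule["source"])
            and ip_address(flow.dst) in ip_network(rule["destination"])
            and flow.port == rule["port"]
            and flow.proto == rule["protocol"])


def audit(rules, flows, min_hits=1):
    """Return per-rule hit counts, unused rules, undocumented rules, and accepted flows no rule explains."""
    hits = Counter({r["id"]: 0 for r in rules})
    unexplained = []
    for flow in flows:
        if flow.action != "ACCEPT":
            continue  # rejected traffic says nothing about which allow rule is still needed
        matched = [r["id"] for r in rules if rule_matches(r, flow)]
        if matched:
            for rid in matched:
                hits[rid] += 1
        else:
            unexplained.append(flow)  # accepted, but not covered by the inventory: drift
    unused = sorted(rid for rid, n in hits.items() if n < min_hits)
    undocumented = sorted(r["id"] for r in rules if not r["justification"].strip())
    return {"hits": dict(hits), "unused": unused,
            "undocumented": undocumented, "unexplained": unexplained}


if __name__ == "__main__":
    report = audit(RULES, parse_flow_log(FLOW_LOG))
    print("unused rules:", report["unused"])
    print("undocumented rules:", report["undocumented"])
    for flow in report["unexplained"]:
        print(f"unexplained ACCEPT: {flow.src} -> {flow.dst}:{flow.port}/{flow.proto}")
```

On the sample data the legacy MySQL rule is flagged on both counts (no hits, no justification), and the accepted Redis flow on port 6379 shows up as unexplained: something allowed it that the inventory does not record. In practice the `min_hits` threshold should be judged against a review window long enough to cover infrequent but legitimate traffic (backups, quarterly jobs) before a zero-hit rule is treated as removable.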

Why Anubiz Engineering

100% async — no calls, no meetings
Delivered in days, not weeks
Full documentation included
Production-grade from day one
Security-first approach
Post-delivery support included

Ready to get started?

Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.