Firewall policy and ACLs
1) Goals and principles
A firewall/ACL controls the data plane: who talks to what, when, and over which protocol. Core principles:
- Least privilege: allow only what is needed (explicit allow, implicit deny).
- Segmentation: isolation of environments (prod/stage/dev), tenants, and critical zones (PCI/KMS/DB).
- Egress control: outbound traffic is limited to FQDN/IP lists and private endpoints.
- Identity-aware (L7): decisions are based on verified identity (SPIFFE/OIDC), not only on IP.
- Infrastructure as Code: rules live in code, go through review/CI/CD, and every change is verified.
2) Taxonomy: where and what we filter
2.1 Layers and state
L3/L4 stateless: classic ACLs (CIDR, protocol, port).
L3/L4 stateful: security groups/NSGs with connection tracking.
L7-aware: proxy/WAF/mesh RBAC (methods, paths, JWT claims, SNI).
Inline vs out-of-band: an inline firewall sits on the traffic path and enforces; out-of-band only analyzes and alerts.
2.2 Zones
Perimeter: edge/WAF/anti-DDoS.
Core: transit hub / inter-VPC/VNet.
Workload: SG/NSG on the VM/ENI/Pod.
App-level: Envoy/Istio/NGINX policy, service-to-service mTLS.
3) Cloud models
AWS
Security Group (SG): stateful, attached to ENI/instance/LB.
Network ACL (NACL): stateless at the subnet level; rules are ordered and entries are needed in both directions.
AWS Network Firewall/GWLB: L7 inspection/IDS.
Tip: "SG is the primary control; NACL is a coarse-grained wall/deny-list".
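To make the SG-versus-NACL distinction concrete, here is an added example (not code from the original page) that simulates one TCP session through a stateful security group and a stateless, ordered NACL. The rule sets, addresses and the `Rule`/`Flow` types are constructed for illustration; the point it shows is that the SG needs only the forward rule, while the NACL also needs an outbound entry for the client's ephemeral port range or the SYN/ACK never leaves the subnet.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny" (Security Groups only ever carry "allow")
    cidr: str        # remote address range the rule matches
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int

    def matches(self, remote_ip: str, proto: str, port: int) -> bool:
        return (self.proto in ("all", proto)
                and self.port_from <= port <= self.port_to
                and ip_address(remote_ip) in ip_network(self.cidr))


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int       # service port on the destination
    sport: int       # ephemeral source port chosen by the client


def sg_allows(inbound: list[Rule], flow: Flow) -> bool:
    """Security Group: stateful, allow-only, implicit deny. Only the forward
    packet is checked; the reply is admitted by connection tracking."""
    return any(r.matches(flow.src, flow.proto, flow.dport) for r in inbound)


def nacl_decides(rules: list[Rule], remote_ip: str, proto: str, port: int) -> str:
    """Network ACL: stateless, evaluated in order, first match wins, implicit deny."""
    for r in rules:
        if r.matches(remote_ip, proto, port):
            return r.action
    return "deny"


def tcp_session_ok(sg_inbound: list[Rule], nacl_inbound: list[Rule],
                   nacl_outbound: list[Rule], flow: Flow) -> bool:
    """The session works only if the SYN gets in AND the SYN/ACK gets back out.
    The reply is addressed to the client's ephemeral port, so the outbound NACL
    needs an entry for that range; a stateful SG handles this by itself."""
    if not sg_allows(sg_inbound, flow):
        return False
    if nacl_decides(nacl_inbound, flow.src, flow.proto, flow.dport) != "allow":
        return False
    return nacl_decides(nacl_outbound, flow.src, flow.proto, flow.sport) == "allow"


# Constructed rule sets: an API subnet (10.0.1.0/24) reaching Postgres in 10.0.2.0/24.
SG_DB_INBOUND = [Rule("allow", "10.0.1.0/24", "tcp", 5432, 5432)]
NACL_DB_INBOUND = [Rule("allow", "10.0.1.0/24", "tcp", 5432, 5432)]
NACL_DB_OUTBOUND_FORWARD_ONLY = [Rule("allow", "10.0.1.0/24", "tcp", 5432, 5432)]
NACL_DB_OUTBOUND_WITH_EPHEMERAL = NACL_DB_OUTBOUND_FORWARD_ONLY + [
    Rule("allow", "10.0.1.0/24", "tcp", 1024, 65535)]
FLOW = Flow(src="10.0.1.25", dst="10.0.2.10", proto="tcp", dport=5432, sport=49152)


def demo() -> dict[str, bool]:
    return {
        "sg_forward_rule_enough": sg_allows(SG_DB_INBOUND, FLOW),
        "nacl_without_ephemeral_reply": tcp_session_ok(
            SG_DB_INBOUND, NACL_DB_INBOUND, NACL_DB_OUTBOUND_FORWARD_ONLY, FLOW),
        "nacl_with_ephemeral_reply": tcp_session_ok(
            SG_DB_INBOUND, NACL_DB_INBOUND, NACL_DB_OUTBOUND_WITH_EPHEMERAL, FLOW),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The ordering rule of NACLs falls out of `nacl_decides`: a narrow deny placed before a broad allow wins for the addresses it covers, which is why the page treats NACLs as a coarse deny-list rather than the primary control.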
Azure
NSG (stateful), ASG (application groups by tag), Azure Firewall for L7/IDS, Private Endpoints.
Tip: NSG on both subnet and NIC; group services via ASG.
GCP
VPC Firewall Rules (stateful), Hierarchical Firewall (organization/folders), Cloud Armor (L7), Private Service Connect.
Tip: org-level guardrails plus project-level allows.
4) Rule design: patterns
4.1 Baseline sets
Deny all egress → allow by FQDN/IP: package repositories, artifact registries, external APIs (through private/fixed egress points).
Minimal east-west: services talk only to the dependencies they need.
Admin access: through bastion/JIT with MFA, with session recording.
4.2 Labels and groups
Use labels/tags instead of IPs: 'env', 'service', 'tier', 'tenant', 'pci=true'.
When a label changes, the policy follows automatically, without hand-editing IP ranges.
4.3 Lifecycle
Propose → Evaluate (staging) → Enforce (prod), with dry-run/hit logs.
Aging: a TTL and owner on every rule; unused rules are detected automatically.
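The label-based matching of 4.2 and the propose/evaluate/enforce lifecycle of 4.3 can be shown in one small evaluator. This is an added example, not code from the original page: the `LabelRule` type, the rule set and the workload labels are constructed, and "evaluate" mode here means a dry-run rule that only writes hit logs until it is promoted to "enforce".

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class LabelRule:
    name: str
    src: dict[str, str]      # label selector the source workload must satisfy
    dst: dict[str, str]      # label selector the destination must satisfy
    ports: frozenset[int]
    mode: str = "enforce"    # "evaluate" = dry-run (log only), "enforce" = admits traffic


def selector_matches(selector: dict[str, str], labels: dict[str, str]) -> bool:
    """Every key/value in the selector must be present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(rules: list[LabelRule], src_labels: dict[str, str],
             dst_labels: dict[str, str], port: int, hit_log: list[str]) -> str:
    """Explicit allow, implicit deny. Rules in 'evaluate' mode log the decision
    they would make but never admit traffic, so a rule can be proposed and
    watched in staging before it is promoted to 'enforce'."""
    for r in rules:
        if not (selector_matches(r.src, src_labels)
                and selector_matches(r.dst, dst_labels) and port in r.ports):
            continue
        if r.mode == "enforce":
            hit_log.append(f"hit rule={r.name} port={port} decision=allow")
            return "allow"
        hit_log.append(f"dry-run rule={r.name} port={port} would-allow")
    hit_log.append(f"no match port={port} decision=deny (implicit)")
    return "deny"


def promote(rules: list[LabelRule], name: str) -> list[LabelRule]:
    """Promote a proposed rule from evaluate to enforce once its dry-run log looks right."""
    return [LabelRule(r.name, r.src, r.dst, r.ports, "enforce") if r.name == name else r
            for r in rules]


# Constructed rule set and workloads.
RULES = [
    LabelRule("api-to-db", {"env": "prod", "service": "api"},
              {"env": "prod", "tier": "db"}, frozenset({5432})),
    LabelRule("api-to-cache", {"env": "prod", "service": "api"},
              {"env": "prod", "tier": "cache"}, frozenset({6379}), mode="evaluate"),
]
API = {"env": "prod", "service": "api", "tier": "app"}
DB = {"env": "prod", "service": "postgres", "tier": "db"}
CACHE = {"env": "prod", "service": "redis", "tier": "cache"}


def demo() -> tuple[dict[str, str], list[str]]:
    log: list[str] = []
    decisions = {
        "api->db:5432": evaluate(RULES, API, DB, 5432, log),
        "api->db:22": evaluate(RULES, API, DB, 22, log),
        "api->cache:6379": evaluate(RULES, API, CACHE, 6379, log),
        # Relabel the same workload as 'stage': no CIDR is touched, the prod rule stops matching.
        "stage-api->db:5432": evaluate(RULES, {**API, "env": "stage"}, DB, 5432, log),
    }
    return decisions, log


if __name__ == "__main__":
    decisions, log = demo()
    print(decisions)
    print("\n".join(log))
```

The dry-run entries in `log` are what you review in staging before calling `promote`; a rule that never logs a hit over its evaluation window is a candidate for the "unused rules" report rather than for enforcement.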
5) Kubernetes and service mesh
5.1 NetworkPolicy (L3/L4)
The minimum: "deny everything except what is required".
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: deny-all, namespace: core }
spec:
  podSelector: {}                      # selects every pod in the namespace
  policyTypes: ["Ingress", "Egress"]   # no rules listed, so both directions are denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: api-egress, namespace: core }
spec:
  podSelector: { matchLabels: { app: api } }
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector: { matchLabels: { ns: db } }
      ports: [{ protocol: TCP, port: 5432 }]
    - to:
        - ipBlock: { cidr: 10.100.0.0/16 }   # private endpoints
      ports: [{ protocol: TCP, port: 443 }]
    # Note: with deny-all egress in place, DNS to the cluster resolver (UDP/TCP 53)
    # also needs an explicit egress rule or name resolution from these pods fails.
```
5.2 L7 RBAC in the mesh (Istio/Envoy)
mTLS plus JWT claims/scopes/paths.
```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: { name: api-rbac }
spec:
  selector: { matchLabels: { app: api } }
  rules:
    - from:
        - source:
            principals: ["spiffe://svc.payments"]
      to:
        - operation: { methods: ["POST"], paths: ["/v1/payouts"] }
      when:
        - key: request.headers[x-tenant]
          values: ["eu-1", "eu-2"]
```
6) Egress control and private perimeters
Prefer PrivateLink/Private Service Connect for PaaS, registries and storage.
Route the remaining egress through NAT/proxy with an FQDN allowlist and fixed IPs (so partners can allowlist you in turn).
Block direct internet access from pods/VMs; exceptions go only through the egress gateway.
7) DNS and SNI-aware rules
Split-horizon: internal zones are not resolvable from outside.
Use a firewall/proxy with FQDN/SNI support for outbound HTTPS (SNI allowlist).
Pin to providers' exact domains; monitor their IP changes.
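An added example (not from the original page) of the egress-proxy decision section 7 describes: the TLS SNI is matched against pinned provider FQDNs by exact name only, and a resolved address outside the last-known range is surfaced as a monitoring event instead of silently widening an IP allowlist. The `PINNED` table, names and address ranges are constructed.

```python
from __future__ import annotations

from ipaddress import ip_address, ip_network

# Constructed: exact provider FQDNs pinned with their last-known address ranges.
PINNED: dict[str, list] = {
    "api.psp.example": [ip_network("198.51.100.0/26")],
    "kyc.vendor.example": [ip_network("203.0.113.16/28")],
}


def normalize(name: str) -> str:
    # SNI is case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()


def decide(sni: str | None, resolved_ip: str) -> tuple[str, str]:
    """Egress-proxy decision for one outbound TLS connection.
    Exact-name pinning: no wildcard or suffix match, so a subdomain nobody
    pinned, or a different registrable domain, is denied."""
    if not sni:
        return "deny", "no SNI: FQDN policy cannot be applied"
    name = normalize(sni)
    if name not in PINNED:
        return "deny", f"{name} is not a pinned provider FQDN"
    if not any(ip_address(resolved_ip) in net for net in PINNED[name]):
        # IP drift is common (CDN, failover): treat it as an alert and a prompt
        # to refresh the pinned ranges, not as a reason to open a wider CIDR.
        return "allow+alert", f"{name} resolved to {resolved_ip}, outside known ranges"
    return "allow", f"{name} pinned, address in known range"


if __name__ == "__main__":
    for sni, ip in [("api.psp.example", "198.51.100.5"), ("API.PSP.EXAMPLE.", "198.51.100.70"),
                    ("static.api.psp.example", "198.51.100.5"), (None, "198.51.100.5")]:
        print(sni, ip, "->", decide(sni, ip))
```

The "allow+alert" branch is the hook for the IP-change monitoring the page asks for: the connection is to a name you explicitly trust, so it proceeds, but the address drift is logged for review and for updating the pinned ranges.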
8) Logging, audit, observability
Enable flow logs (VPC/VNet/NSG/NACL) and ship them to the SIEM.
Correlate with application logs through a 'trace_id'.
Metrics: rule hit/miss counts, top talkers, drop rates, traffic asymmetry, "egress leakage".
Reports: "unused rules", "broadest rules".
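To show what the metrics in section 8 look like when computed, here is an added example (not code from the page) that parses a few constructed lines in the AWS VPC Flow Logs v2 default field order and derives top talkers, the drop rate, per-port rule hits, and an "egress leakage" list: accepted flows from internal addresses to public destinations that are not on the egress allowlist. The sample lines, the `INTERNAL` range and the `EGRESS_ALLOWLIST` are constructed.

```python
from __future__ import annotations

import collections
from ipaddress import ip_address, ip_network

# Constructed sample in the VPC Flow Logs v2 default field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0a1 10.0.1.25 10.0.2.10 49152 5432 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.25 10.0.2.10 49153 5432 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.25 10.0.2.10 49154 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1 10.0.1.25 198.51.100.7 49155 443 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.25 203.0.113.9 49156 443 6 15 120000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2 10.0.1.30 10.0.2.10 49157 5432 6 1 60 1700000000 1700000060 REJECT OK
"""

INTERNAL = [ip_network("10.0.0.0/8")]
EGRESS_ALLOWLIST = [ip_network("198.51.100.0/24")]   # constructed: fixed IPs of an approved partner


def parse(text: str) -> list[dict]:
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2" or f[13] != "OK":   # skip NODATA/SKIPDATA lines
            continue
        records.append({"src": f[3], "dst": f[4], "dport": int(f[6]),
                        "bytes": int(f[9]), "action": f[12]})
    return records


def top_talkers(records: list[dict], n: int = 3) -> list:
    """(src, dst) pairs ranked by bytes, rejected flows included."""
    by_pair = collections.Counter()
    for r in records:
        by_pair[(r["src"], r["dst"])] += r["bytes"]
    return by_pair.most_common(n)


def drop_rate(records: list[dict]) -> float:
    return sum(r["action"] == "REJECT" for r in records) / len(records) if records else 0.0


def _in_any(ip: str, nets) -> bool:
    return any(ip_address(ip) in n for n in nets)


def egress_leaks(records: list[dict]) -> list[dict]:
    """ACCEPTed flows from internal sources to public destinations that are not
    on the egress allowlist: the 'egress leakage' signal worth an alert."""
    return [r for r in records
            if r["action"] == "ACCEPT" and _in_any(r["src"], INTERNAL)
            and not _in_any(r["dst"], INTERNAL) and not _in_any(r["dst"], EGRESS_ALLOWLIST)]


def rule_hits(records: list[dict]) -> dict:
    """Hit/miss per destination port; allowed ports that never appear here over
    a long window feed the 'unused rules' report."""
    return dict(collections.Counter((r["dport"], r["action"]) for r in records))


if __name__ == "__main__":
    recs = parse(FLOW_LOGS)
    print("top talkers:", top_talkers(recs))
    print("drop rate:", round(drop_rate(recs), 3))
    print("egress leaks:", [(r["src"], r["dst"], r["bytes"]) for r in egress_leaks(recs)])
    print("rule hits:", rule_hits(recs))
```

On the sample data the largest talker is also the only leak (an accepted 443 flow to 203.0.113.9, which is neither internal nor allowlisted), which is exactly the combination an "egress leakage" alert should fire on.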
9) Management as code (IaC) and verification
Terraform/CloudFormation with modular policies built from templates.
Policy as Code (OPA/Gatekeeper/Conftest): forbid '0.0.0.0/0', require 'description/owner/ttl', keep prod and dev apart.
CI: lint, static analysis, reachability simulators (reachability analyzer), plan preview, mandatory peer review.
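The policy-as-code checks listed above, written out as an added example (not the page's code, and plain Python rather than Rego) over a list of rule records as they might be exported from Terraform state or a cloud API. The record shape (`cidrs`, `direction`, `role`, `env`, `peer_env`, `ttl`) and the sample rules are constructed; the only place an open CIDR is tolerated here is inbound on a rule marked `role: public-edge`.

```python
from __future__ import annotations

from datetime import date

REQUIRED_FIELDS = ("description", "owner", "ttl")
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def lint_rule(rule: dict, today: date) -> list[str]:
    findings: list[str] = []
    for name in REQUIRED_FIELDS:
        if not rule.get(name):
            findings.append(f"missing {name}")
    if OPEN_CIDRS & set(rule.get("cidrs", [])):
        # Open CIDRs are tolerated only inbound on the public edge (ALB/WAF listeners).
        if not (rule.get("direction") == "ingress" and rule.get("role") == "public-edge"):
            findings.append("open CIDR (0.0.0.0/0 or ::/0) outside the public edge")
    ttl = rule.get("ttl")
    if ttl:
        try:
            if date.fromisoformat(ttl) < today:
                findings.append(f"expired ttl {ttl}")
        except ValueError:
            findings.append(f"malformed ttl {ttl!r}")
    env, peer = rule.get("env"), rule.get("peer_env")
    if env and peer and env != peer:
        findings.append(f"cross-environment rule {env} -> {peer}")
    return findings


def lint_all(rules: list[dict], today: date) -> dict[str, list[str]]:
    """Name -> findings, only for rules with at least one finding; CI fails if non-empty."""
    report: dict[str, list[str]] = {}
    for r in rules:
        findings = lint_rule(r, today)
        if findings:
            report[r["name"]] = findings
    return report


# Constructed rules: one clean, one 'temporary' SSH hole, one legitimate edge listener,
# and one prod-to-dev crossing.
RULES = [
    {"name": "api-from-alb", "direction": "ingress", "cidrs": [], "groups": ["sg-alb"],
     "ports": "8080", "description": "ALB to API", "owner": "team-api",
     "ttl": "2030-01-01", "env": "prod", "peer_env": "prod"},
    {"name": "tmp-ssh", "direction": "ingress", "cidrs": ["0.0.0.0/0"], "ports": "22",
     "description": "temporary", "owner": "", "ttl": "2024-01-01",
     "env": "prod", "peer_env": "prod"},
    {"name": "edge-https", "direction": "ingress", "cidrs": ["0.0.0.0/0"], "ports": "443",
     "role": "public-edge", "description": "public ALB listener", "owner": "team-edge",
     "ttl": "2030-01-01", "env": "prod", "peer_env": "prod"},
    {"name": "dev-db", "direction": "egress", "cidrs": [], "groups": ["sg-db-dev"],
     "ports": "5432", "description": "prod api to dev db", "owner": "team-api",
     "ttl": "2030-01-01", "env": "prod", "peer_env": "dev"},
]


if __name__ == "__main__":
    report = lint_all(RULES, date.today())
    for name, findings in report.items():
        print(name, "->", "; ".join(findings))
    raise SystemExit(1 if report else 0)
```

Run in CI, the non-zero exit blocks the merge; the `tmp-ssh` rule trips three checks at once, which is the "temporary 0.0.0.0/0 that stays forever" antipattern caught before it reaches prod.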
10) Reachability and chaos testing
Synthetic probes from different subnets/AZs/regions: TCP/443 and the specific ports of databases/brokers.
Temporary denies to exercise DR paths: cut a dependency → retries/circuit breakers/fallbacks must work.
MTU/MSS: make sure there is no fragmentation at the perimeters (especially IPsec/NAT-T).
11) Performance and reliability
Avoid a centralized bottleneck: inline firewalls behind GWLB/scale sets.
ECMP/AS-path/BGP for spreading load across hubs.
TLS inspection profiles: apply selectively (it is expensive), keep keys separately, stay within compliance.
12) Convention examples (abridged snippets)
12.1 AWS SG: API → Postgres + S3 PrivateLink
```hcl
resource "aws_security_group" "api" {
  name        = "sg-api"
  description = "Ingress from ALB, egress to DB and PrivateLink"
  vpc_id      = var.vpc_id

  # Only the ALB's security group may reach the API port.
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  # Egress is limited to the DB security group ...
  egress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.db.id]
  }

  # ... and to S3 through the VPC endpoint's prefix list; no 0.0.0.0/0 egress.
  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id]
  }

  tags = { owner = "team-api", env = var.env, ttl = "2026-01-01" }
}
```
12.2 Azure NSG: deny-by-default + allow bastion
```bash
# The NSG's built-in DenyAllInBound rule (priority 65500) provides the deny-by-default;
# this adds the single explicit allow from the bastion host.
az network nsg rule create -g rg -n allow-bastion --nsg-name nsg-app \
  --priority 100 --direction Inbound --access Allow --protocol Tcp \
  --source-address-prefixes 10.0.0.10 --source-port-ranges "*" \
  --destination-port-ranges 22 --destination-address-prefixes 10.1.0.0/16
```
12.3 GCP hierarchical firewall: org guardrail
```yaml
direction: INGRESS
priority: 1000
action: deny
enableLogging: true
match:
  layer4Configs: [{ ipProtocol: "all" }]
  srcIpRanges: ["0.0.0.0/0"]
targetResources: ["organizations/123456"]
```
12.4 Envoy RBAC (L7 allow)
```yaml
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    rules:
      action: ALLOW
      policies:
        payments-post:
          permissions: [{ url_path: { path: { exact: "/v1/payouts", ignore_case: true } } }]
          principals: [{ authenticated: { principal_name: { exact: "spiffe://svc.payments" } } }]
```
13) Antipatterns
'0.0.0.0/0' in ingress/egress added "temporarily" → it stays forever.
"Snowflakes" (manual fixes in the console) with no code and no review.
A shared SG/NSG across prod/stage/dev; critical and non-critical subnets mixed together.
No egress control and no private endpoints → keys/secrets leak out.
Ignoring DNS/SNI: a provider's IP was allowed; tomorrow it changed and an entire range got opened.
No flow logs and no runbook → forensics is impossible.
14) iGaming/finance specifics (PCI/regulatory)
PCI CDE in its own VRF/segment with no internet; access to PSPs/logs only through private connectivity/proxy with mTLS and HMAC.
Data residency: PII/payment events stay within the country/region; only aggregates/anonymized data cross regions.
KMS/Vault/HSM: dedicated subnets/SGs, mTLS clients only, with short-lived certificates.
WORM audit: firewall/flow logs in immutable storage (Object Lock), retention ≥ the regulatory minimum.
Partners (PSP/KYC): FQDN allowlist, static egress IPs, SLA monitoring per provider.
15) Production-readiness checklist
- A single segmentation model (hub-and-spoke, VRF) with non-overlapping CIDRs.
- Deny-by-default on egress; private endpoints for PaaS/storage.
- Stateful SG/NSG on workloads; NACLs/route filters on subnets/hubs.
- K8s: "deny-all" NetworkPolicy, mesh mTLS + L7 RBAC.
- Labels/groups instead of IPs; owner/TTL/description on every rule.
- IaC + Policy-as-Code; CI reachability simulation; mandatory peer review.
- Flow logs enabled; dashboards for top talkers and drop rates; alerts on "egress leakage".
- Bastion/JIT for admin access; MFA; session recording.
- Runbooks: how to add/remove a rule, how to act during an incident; regular sweeps for "dead" rules.
- PCI/finance: CDE isolation, WORM audit, FQDN allowlist for PSP/KYC, static egress IPs.
16) TL;DR
Build protection in layers: stateful SG/NSG on workloads, NACLs/route filters on subnets, L7 RBAC in the mesh/proxy, WAF/edge at the perimeter. The default is deny-by-default, with egress only through control points or private endpoints. Describe rules as code, verify them with policy checkers and reachability simulators, and collect flow logs. For iGaming/finance, add PCI segmentation, WORM audit, and a strict FQDN allowlist for PSP/KYC partners.