Firewall policies and ACLs
1) Goals and principles
Firewall/ACL is data-plane control: who may go where, when, and on which protocol. Basic principles:
- Least privilege: allow only what is necessary (explicit allow, implicit deny).
- Segmentation: isolation of environments (prod/stage/dev), tenants, critical contours (PCI/KMS/DB).
- Egress control: outbound traffic is limited to FQDN/IP lists and private endpoints.
- Identity-aware (L7): Decisions are made by authenticated entity (SPIFFE/OIDC), not just IP.
- Infrastructure as Code: rules as code, review/CI/CD, audit changes.
2) Taxonomy: where and what we filter
2.1 Layers and state
L3/L4 stateless: classic ACLs (CIDR, protocol, port).
L3/L4 stateful: security groups/NSG, monitor connections.
L7-aware: proxy/WAF/mesh RBAC (methods, paths, JWT-claims, SNI).
Inline vs out-of-band: an inline firewall sits in the traffic path and enforces; out-of-band only analyzes and alerts.
2.2 Contours
Perimeter: edge/WAF/Anti-DDoS.
Core: transit hub / inter-VPC/VNet.
Workload: SG/NSG on VM/ENI/Pod.
App-level: Envoy/Istio/NGINX policy, service-to-service mTLS.
3) Cloud models
AWS
Security Group (SG): stateful, attached to ENI/instance/LB.
Network ACL (NACL): stateless on subnets, evaluated in rule-number order, needs explicit entries in both directions (return traffic on ephemeral ports included).
AWS Network Firewall/GWLB: L7 Inspection/IDS.
Recommendation: "SG - basic control, NACL - coarse-grained fencing/deny-list."
Azure
NSG (stateful), ASG (application groups by tag), Azure FW for L7/IDS, Private Endpoints.
Recommendation: NSG on subnet + NIC, service tags via ASG.
GCP
VPC Firewall Rules (stateful), Hierarchical FW (organizational/folder), Cloud Armor (L7), Private Service Connect.
Recommendation: org-level guardrails + project allow.
4) Rule Design: Patterns
4.1 Basic sets
Deny all egress → allow only via FQDN/IP to package repositories, artifact registries, and third-party APIs (through private endpoints or fixed egress IPs).
East-West minimum: services communicate only with the necessary dependencies.
Admin access: via bastion/JIT with MFA, recording sessions.
4.2 Tags and groups
Use labels/tags instead of IP: 'env', 'service', 'tier', 'tenant', 'pci=true'.
Policy updates automatically when a tag changes; no manual editing of IP lists.
4.3 Life cycle
Propose → Evaluate (staging) → Enforce (prod), with dry-run/hit logs.
Aging: TTL and owner for each rule; automated checks for unused rules.
5) Kubernetes and service mesh
5.1 NetworkPolicy (L3/L4)
The minimum is "ban everything except what is needed."
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: deny-all, namespace: core }
spec:
  podSelector: {}                      # every pod in the namespace
  policyTypes: ["Ingress", "Egress"]   # no rules listed = nothing allowed
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: { name: api-egress, namespace: core }
spec:
  podSelector: { matchLabels: { app: api } }
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector: { matchLabels: { ns: db } }
      ports: [{ protocol: TCP, port: 5432 }]
    - to:
        - ipBlock: { cidr: 10.100.0.0/16 }   # private endpoints
      ports: [{ protocol: TCP, port: 443 }]
    # DNS must be allowed explicitly as well (UDP/TCP 53 to the cluster DNS pods),
    # otherwise the api pods cannot resolve the names they are permitted to reach.
```
5.2 L7 RBAC in the mesh (Istio/Envoy)
mTLS identity + JWT authorization by claims, scopes and paths.
```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata: { name: api-rbac }
spec:
  selector: { matchLabels: { app: api } }
  action: ALLOW   # once an ALLOW policy applies to the workload, unmatched requests are denied
  rules:
    - from:
        - source:
            # Istio writes peer identities as <trust-domain>/ns/<ns>/sa/<sa>; this is the page's shorthand
            principals: ["spiffe://svc.payments"]
      to:
        - operation: { methods: ["POST"], paths: ["/v1/payouts"] }
      when:
        - key: request.headers[x-tenant]
          values: ["eu-1", "eu-2"]
```
6) Egress control and private perimeters
Prefer PrivateLink/Private Service Connect for PaaS, registries and repositories.
Route the remaining egress through NAT/proxy with an FQDN allowlist and a fixed source IP (so third parties can allowlist it).
Block direct access of pods/VM to the Internet; exceptions only through the egress gateway.
7) DNS and SNI-aware rules
Split-horizon: Inner zones do not resolve from the outside.
FW/Proxy with FQDN/SNI support for outgoing HTTPS (SNI allow).
Pin rules to specific vendor domains rather than their IPs; monitor changes to those IPs.
8) Logs, audit, observability
Enable flow logs (VPC/VNet/NSG/NACL), send to SIEM.
Correlate with application logs via 'trace_id'.
Metrics: hit/miss rules, top-talkers, drop-rates, traffic asymmetry, egress leaks.
Reports: "unused rules," "widest permissions."
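An added example (not code from the page) of the triage this section describes, run over constructed VPC flow-log lines in the default AWS v2 format: rule hit counts to surface unused rules, top talkers by bytes, and egress leaks (accepted flows to public addresses that bypass the egress gateway). The rule table, the egress-gateway ENI name and the log lines are all constructed assumptions.

```python
"""Flow-log triage: rule hit counts (unused rules), top talkers, egress leaks.
Added example, not from the page. Assumes AWS VPC flow logs in the default v2
format; the rule table, egress-gateway ENI and log lines are constructed."""
import ipaddress
from collections import Counter

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_GW_ENI = "eni-egressgw"  # constructed: the only ENI allowed to reach the Internet

# Constructed allowlist: rule name -> (destination network, port)
RULES = {
    "db-5432": (ipaddress.ip_network("10.20.0.0/16"), 5432),
    "pl-443": (ipaddress.ip_network("10.100.0.0/16"), 443),
    "legacy-smtp": (ipaddress.ip_network("10.30.0.0/16"), 25),  # suspected dead rule
}

def parse(line):
    """v2 fields: version account eni src dst sport dport proto packets bytes start end action status"""
    f = line.split()
    return {"eni": f[2], "src": ipaddress.ip_address(f[3]), "dst": ipaddress.ip_address(f[4]),
            "dport": int(f[6]), "bytes": int(f[9]), "action": f[12]}

def is_private(ip):
    return any(ip in n for n in PRIVATE)

def triage(lines):
    hits, talkers, leaks = Counter(), Counter(), []
    for rec in map(parse, lines):
        if rec["action"] != "ACCEPT":  # REJECTs feed drop-rate metrics, not rule hits
            continue
        talkers[str(rec["src"])] += rec["bytes"]
        for name, (net, port) in RULES.items():
            if rec["dst"] in net and rec["dport"] == port:
                hits[name] += 1
        # Egress leak: an accepted flow to a public address from any ENI other than the gateway
        if not is_private(rec["dst"]) and rec["eni"] != EGRESS_GW_ENI:
            leaks.append((rec["eni"], str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return {"hits": dict(hits), "unused": sorted(set(RULES) - set(hits)),
            "top_talkers": talkers.most_common(3), "leaks": leaks}

SAMPLE_LOGS = [  # constructed lines
    "2 123456789012 eni-api1 10.10.1.5 10.20.3.7 51000 5432 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-api1 10.10.1.5 10.100.8.9 51001 443 6 10 2000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-api2 10.10.1.6 203.0.113.20 51002 443 6 15 90000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-egressgw 10.10.9.1 198.51.100.4 40000 443 6 30 7000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-api1 10.10.1.5 203.0.113.21 51003 22 6 1 60 1700000000 1700000060 REJECT OK",
]

def run_sample():
    return triage(SAMPLE_LOGS)
```

Flow logs are aggregated per capture window, so a single "hit" here is a flow record, not a packet; the unused-rule report should be run over the full retention period before a rule is retired.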
9) Management as code (IaC) and checks
Terraform/CloudFormation + modular policies by templates.
Policy as Code (OPA/Gatekeeper/Conftest): no '0.0.0.0/0', required 'description/owner/ttl', no mixing of prod/dev.
CI: lint, static analysis, reachability analyzer, plan view, mandatory peer review.
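An added example (not the page's or any project's code) of the policy-as-code checks listed above and of the tag/TTL lifecycle from section 4, written as a Python CI step over the resource list of a Terraform plan (`terraform show -json`) rather than in Rego: it flags world-open rules, missing description/owner/ttl, expired TTLs, and rules that reference a security group tagged with another environment. The plan fragment is constructed sample data.

```python
"""Policy-as-code checks on aws_security_group resources in a Terraform plan.
Added example, not from the page. Input is planned_values.root_module.resources
from `terraform show -json`, reduced to the fields the checks need."""
from datetime import date

WORLD = {"0.0.0.0/0", "::/0"}

def _cidrs(rule):
    return set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])

def check_security_groups(resources, today):
    """Return [(severity, message)] for every violation across all security groups."""
    sgs = [r for r in resources if r["type"] == "aws_security_group"]
    env_of = {r["values"].get("id"): (r["values"].get("tags") or {}).get("env") for r in sgs}
    findings = []
    for r in sgs:
        v, name, tags = r["values"], r["address"], r["values"].get("tags") or {}
        if not v.get("description"):
            findings.append(("MEDIUM", f"{name}: missing description"))
        for t in ("owner", "ttl"):
            if t not in tags:
                findings.append(("MEDIUM", f"{name}: missing tag '{t}'"))
        if "ttl" in tags and date.fromisoformat(tags["ttl"]) < today:
            findings.append(("MEDIUM", f"{name}: ttl {tags['ttl']} expired; renew or remove"))
        for direction in ("ingress", "egress"):
            for rule in v.get(direction) or []:
                ports = f"{rule.get('from_port')}-{rule.get('to_port')}/{rule.get('protocol')}"
                if _cidrs(rule) & WORLD:
                    findings.append(("HIGH", f"{name}: {direction} {ports} open to the world"))
                # env mixing: a rule that references a security group tagged with another env
                for ref in rule.get("security_groups") or []:
                    if tags.get("env") and env_of.get(ref) and env_of[ref] != tags["env"]:
                        findings.append(("HIGH", f"{name}: {direction} {ports} crosses env {tags['env']} -> {env_of[ref]}"))
    return findings

# Constructed plan fragment (not real infrastructure); ids are known because the SGs already exist.
SAMPLE = [
    {"type": "aws_security_group", "address": "aws_security_group.api", "values": {
        "id": "sg-api", "description": "API tier", "tags": {"owner": "team-api", "env": "prod", "ttl": "2026-01-01"},
        "ingress": [{"from_port": 8080, "to_port": 8080, "protocol": "tcp", "security_groups": ["sg-alb"]}],
        "egress": [{"from_port": 5432, "to_port": 5432, "protocol": "tcp", "security_groups": ["sg-db-dev"]}]}},
    {"type": "aws_security_group", "address": "aws_security_group.alb", "values": {
        "id": "sg-alb", "description": "", "tags": {"env": "prod"}, "ingress": [],
        "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_security_group", "address": "aws_security_group.db_dev", "values": {
        "id": "sg-db-dev", "description": "Dev DB", "tags": {"owner": "team-db", "env": "dev", "ttl": "2024-01-01"},
        "ingress": [], "egress": []}},
]

def run_sample():
    return check_security_groups(SAMPLE, date(2025, 6, 1))
```

In a real plan, ids of resources being created are "known after apply", so the env-mixing check should also resolve references by Terraform address (aws_security_group.db.id) from the plan's configuration section; here the constructed plan uses existing ids for brevity.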
10) Reachability testing and chaos
Synthetic probes from different subnets/AZs/regions: TCP/443 and the specific ports of databases/brokers.
Temporary deny rules to exercise DR paths: cut a dependency and confirm the caller retries, opens its circuit breaker, or falls back.
MTU/MSS: Make sure there is no fragmentation on perimeters (especially IPsec/NAT-T).
11) Performance and reliability
Avoid a centralized bottleneck: Scale inline-FW (GWLB/scale sets).
ECMP/AS-path/BGP for distribution between hubs.
TLS inspection profiles: enable them selectively (inspection is expensive), keep key material and fingerprints in separate storage, and stay within compliance constraints.
12) Examples of configs (references, shortened)
12.1 AWS SG: API → Postgres + S3 PrivateLink
```hcl
resource "aws_security_group" "api" {
  name        = "sg-api"
  description = "Ingress from ALB, egress to DB and PrivateLink"
  vpc_id      = var.vpc_id

  # Ingress only from the ALB's security group, never from a CIDR.
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
  egress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.db.id]
  }
  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id]
  }
  tags = { owner = "team-api", env = var.env, ttl = "2026-01-01" }
}
```
12.2 Azure NSG: deny-by-default + allow bastion
```bash
az network nsg rule create -g rg -n allow-bastion --nsg-name nsg-app \
  --priority 100 --direction Inbound --access Allow --protocol Tcp \
  --source-address-prefixes 10.0.0.10 --source-port-ranges '*' \
  --destination-port-ranges 22 --destination-address-prefixes 10.1.0.0/16
```
12.3 GCP hierarchical firewall: org-guardrail
```yaml
direction: INGRESS
priority: 1000   # org rules run before project rules; exceptions need a lower number here or a goto_next rule
action: deny
enableLogging: true
match:
  layer4Configs: [{ ipProtocol: "all" }]
  srcIpRanges: ["0.0.0.0/0"]
targetResources: ["organizations/123456"]
```
12.4 Envoy RBAC (L7 allow)
```yaml
# Under http_connection_manager.http_filters, ahead of the router filter.
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    rules:
      action: ALLOW          # anything not matched by a policy is denied
      policies:
        payments-post:
          permissions:
            - url_path: { path: { exact: "/v1/payouts", ignore_case: true } }
          principals:
            - authenticated: { principal_name: { exact: "spiffe://svc.payments" } }
```
13) Antipatterns
'0.0.0.0/0' in ingress/egress added "temporarily" → stays forever.
"Snowflakes" (manual edits in the console) without code and revision.
Common SG/NSG for prod/stage/dev; mixing critical and non-critical subnets.
Lack of egress control and private endpoints → leaking keys/secrets out.
Ignoring DNS/SNI: a vendor's IP was allowed; tomorrow it changes and the whole range is open.
No flow logs and runbooks → incident investigation is impossible.
14) Specifics of iGaming/Finance (PCI/Regulatory)
PCI CDE in a separate VRF/segment, no internet; access to PSP/logs - via private connectivity/proxy with mTLS and HMAC.
Data residency: PII/payment events - within the country/region; interregionally - only aggregates/anonymous.
KMS/Vault/HSM: dedicated subnets/SG, only mTLS clients with short-lived certificates.
WORM audit: FW/flow logs in unchanging storage (Object Lock), retention ≥ regulatory minimum.
Partners (PSP/KYC): FQDN allowlist, static egress IP, SLA monitoring by provider.
15) Prod Readiness Checklist
- Unified segmentation model (hub-and-spoke, VRF), CIDR without intersections.
- Deny-by-default on egress; private endpoints to PaaS/storage.
- SG/NSG stateful for workload, NACL/route-filters - on subnets/hubs.
- K8s: NetworkPolicy "deny-all", mesh mTLS + L7 RBAC.
- Tags/groups instead of IP; owner/TTL/description for each rule.
- IaC + Policy-as-Code; CI with reachability simulation; mandatory peer review.
- Flow logs enabled; dashboards top-talkers, drop-rates; alerts to "egress leakage."
- Bastion/JIT for admin access; MFA; logging sessions.
- Runbooks: how to add/remove a rule, how to operate during an incident; regular reviews of "dead" rules.
- For PCI/Finance: CDE isolation, WORM audit, FQDN-allow for PSP/KYC, static egress IP.
16) TL;DR
Build protection in layers: SG/NSG stateful on workloads, NACL/route-filters on subnets, L7 RBAC in mesh/proxy, WAF/edge on the perimeter. Deny by default; egress only through controlled points or private endpoints. Describe the rules as code, check them with policies and reachability simulators, and collect flow logs. For iGaming/Finance, add PCI segmentation, WORM auditing, and strict FQDN-allow to PSP/KYC.