Aviatrix Blog

The Rabbit Hole of Cloud Network Security

Explore the options that Azure and AWS Cloud offer for cloud network security, including firewalls, rule groups, and traffic inspection, and how they compare to the Aviatrix Cloud Firewall.


In a recent webinar on cloud network security, Aviatrix and our partner, CloudNation, dived into the complexities and challenges of cloud network security. Joost Wolfsen, Cloud Consultant at CloudNation, Mark Noorman, Team Manager/Cloud Architect at CloudNation, Dan Sheldon, Director of Solutions Engineering EMEA, and I tackled some of the most common issues when it comes to security:

  • The necessity of cloud network security: The group discussed how the evolution of cloud computing and the increasing deployment of mission-critical applications in cloud environments have created new security challenges and requirements.
  • Available security options: Mark and Joost explored cloud-native networking security solutions in major platforms like Azure and AWS, along with a candid discussion of potential drawbacks associated with various approaches.
  • Aviatrix’s Cloud Networking Security solution: I offered a detailed look at how Aviatrix’s platform addresses common security challenges in multicloud environments.
  • Comparative analysis: How different security solutions stack up against each other.

The Necessity of Cloud Network Security

Why do we need network security in the cloud? Joost, Mark, and I covered some of the threats to enterprise networks:

  • Bad actors trying to disturb your public services – As Mark explained, the public cloud is publicly accessible by default. It is supposed to bring your workloads and applications close to your customers and partners. Unfortunately, that also makes them accessible by default to bad actors and other threats to your workloads.
  • Malicious ransomware traffic and data exfiltration – If someone wants to disturb your services, they can attack your network with malicious ransomware or try to extract data.
  • Once compromised, contain systems – If you’ve been compromised, you want to contain the attack as much as possible.
  • Visibility on and control over traffic patterns – To detect and contain threats, you want full visibility over your network’s traffic.
  • Foundational part of cloud security – Public cloud providers have developed a lot of services to enable you to take those security measures. The network firewall is at the heart of those measures. It’s a foundational feature that you always want to enable and take advantage of.

Public Cloud Security Options

The public cloud service providers each offer a native option for network security: Azure Firewall, AWS Network Firewall, and Google Cloud firewall rules. Each has a different feature set, and each comes with its own characteristics and limits.

Mark and Joost reviewed each cloud provider’s native security options.

The Azure Approach

Mark reviewed the deployment options, advantages, cost considerations, architecture implications, and security features of Azure in detail. He highlighted a few major benefits of Azure’s solution:

  • Simplicity through automation – Azure Virtual WAN handles most routing to and from the firewall and spokes automatically.
  • Streamlined routing – Azure Firewall uses a single private IP, simplifying routing configuration for traffic inspection.
  • Sizing and pricing flexibility – Azure offers different sizing options as well as Basic, Standard, and Premium plans that customers can select from depending on their needs.
  • Security intelligence – Azure uses over 70,000 threat intelligence signatures, with Microsoft continually expanding this capability.

Mark also outlined some considerations for Azure:

  • Public IPs can create access issues – In Azure Virtual WAN, you can only choose the total number of public IPs. Changing this number replaces existing IPs, which can be problematic if those IPs are whitelisted by external partners.
  • Cost is tied to traffic volume – Traffic volume significantly impacts overall costs.
  • Centralized role requires design planning – Since Azure Firewall acts as a central checkpoint for all traffic between spoke VNets, regions, external providers, and on-premises connections, network design requires careful capacity planning.
  • Security customization is limited – Premium SKU includes intrusion detection/prevention, but with limited customization (only on/off toggle).

Next, Joost turned to AWS’s solution.

The AWS Solution

Benefits of the AWS solution include:

  • The AWS Network Firewall offers comprehensive filtering – AWS Network Firewall filters egress traffic and non-HTTPS ingress traffic. For HTTPS ingress traffic, AWS recommends its WAF (Web Application Firewall) service instead.
  • IDPS (Intrusion Detection and Prevention System) functionality strengthens security – An IDPS helps AWS users alert and block possible and active threats.
  • Architecture models provide customization – For network architecture, you can choose between a north-south traffic model, east-west traffic model, and combined model with varying inspection and egress methods.
  • Rule groups organize firewall rules – AWS rule groups make rules more readable and easier to update. Stateful rules are written in Suricata-compatible syntax, and AWS offers managed rule groups based on the Suricata open-source project. Admins can add or remove rule groups selectively, based on the threats they need to mitigate.
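
As an added example (not code from the webinar, CloudNation or AWS) covering the egress filtering and rule group points above, here is a Terraform definition of a stateful rule group written in Suricata syntax, attached to a firewall policy, a firewall endpoint and alert logging. The workload CIDR, the VPC and subnet variables, the resource names and the allow-listed domain suffix are assumptions; the VPC and Transit Gateway route tables that steer traffic through the endpoint are not shown.

```hcl
# Added example, not code from the webinar, CloudNation or AWS.
# A stateful rule group in Suricata syntax that allow-lists TLS egress by SNI,
# attached to a firewall policy and a firewall. CIDR, names, variables and the
# allowed domain suffix are assumptions.

variable "inspection_vpc_id" { type = string }  # assumed: the VPC holding the firewall endpoint
variable "firewall_subnet_id" { type = string } # assumed: one dedicated firewall subnet per AZ

resource "aws_networkfirewall_rule_group" "egress" {
  name     = "egress-allowlist"
  type     = "STATEFUL"
  capacity = 100 # fixed at creation, so leave headroom for new rules

  rule_group {
    # $HOME_NET in the rules below resolves to the workload VPC range
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = ["10.1.0.0/16"]
        }
      }
    }

    rules_source {
      rules_string = <<-EOT
        # Allow TLS only to hostnames ending in .amazonaws.com, matched on the SNI
        pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazonaws.com"; endswith; msg:"allow AWS API egress"; flow:to_server, established; sid:1000001; rev:1;)
        # Default action order evaluates pass before drop, so this catches all other TLS
        drop tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"drop non-allowlisted TLS egress"; flow:to_server, established; sid:1000002; rev:1;)
        # Plain-text HTTP never leaves the VPC
        drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"drop HTTP egress"; flow:to_server, established; sid:1000003; rev:1;)
      EOT
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "egress" {
  name = "egress-policy"

  firewall_policy {
    # The stateless engine hands every packet to the stateful (Suricata) engine
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.egress.arn
    }
  }
}

resource "aws_networkfirewall_firewall" "egress" {
  name                = "egress-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.egress.arn
  vpc_id              = var.inspection_vpc_id

  # One endpoint per subnet_mapping; each is billed by the hour, which is the
  # cost consideration discussed below
  subnet_mapping {
    subnet_id = var.firewall_subnet_id
  }
}

# Drops above are logged as alerts; without this block they are silent
resource "aws_cloudwatch_log_group" "alerts" {
  name              = "/aws/network-firewall/egress-alerts"
  retention_in_days = 90
}

resource "aws_networkfirewall_logging_configuration" "egress" {
  firewall_arn = aws_networkfirewall_firewall.egress.arn

  logging_configuration {
    log_destination_config {
      log_destination_type = "CLOUDWATCH_LOGS"
      log_type             = "ALERT"
      log_destination = {
        logGroup = aws_cloudwatch_log_group.alerts.name
      }
    }
  }
}
```

The allow-list keys on the TLS SNI rather than on destination IPs, which is what makes it survive the constantly changing address ranges behind cloud APIs; the trade-off is that a client that sends no SNI, or a client that spoofs it, is not identified by hostname, so the catch-all drop rule is what actually holds the line. Adding an AWS managed rule group to the same policy is another `stateful_rule_group_reference` pointing at the managed group's ARN.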

Some security and design considerations with AWS include:

  • Cost optimization is necessary – Firewall endpoints are billed per hour and per GB of traffic processed, so deploying too many endpoints drives up network charges.
  • Complexity causes challenges – Implementing an AWS solution requires complex user-defined routing configurations, and troubleshooting becomes difficult, especially in multi-account AWS environments. Once set up properly, it is relatively stable as long as it is not changed frequently.

Mark explained that both Azure and AWS are actively developing their solutions to strengthen security and become increasingly more user-friendly.

Next, the discussion turned to the Aviatrix solution.

Aviatrix’s Cloud Networking Security Solution

I examined cloud-native architectures across AWS, Azure, and GCP, highlighting their hub-based designs, and explained some of the limitations of cloud provider native firewalls, including:

  • Cost structure issues – Cloud provider native firewalls (Azure Firewall, AWS Network Firewall) charge per GB of traffic processed. This creates unpredictable pricing, as costs scale with traffic volume.
  • Multicloud challenges – Cloud-native firewalls are inherently not multicloud solutions, so organizations using multiple cloud providers must use different firewalls (Azure Firewall for Azure, AWS Network Firewall for AWS). This creates inconsistency across environments.
  • Architectural flexibility issues – Azure Firewall represents a single choke point – if a major rule is accidentally deleted, it affects all traffic. Port exhaustion on public IPs for egress traffic affects all workloads. In contrast, AWS Network Firewall can use multiple firewall endpoints, each with its own route table, creating some isolation.

Considering the limitations of native cloud firewalls, I demonstrated the benefits of the Aviatrix Cloud Firewall:

  • Consistent multicloud experience – The Aviatrix Cloud Firewall provides identical architecture across any hyperscaler. It offers consistent features, support, and pricing across cloud providers.
  • Predictable pricing – Uses a licensing model rather than data processing charges, which creates more predictable costs not tied to traffic volume. Aviatrix can often help reduce costs compared to cloud-native solutions.
  • Cloud integration – The Aviatrix Cloud Firewall uses a control plane that integrates with cloud provider APIs and understands that it is operating in a cloud environment.

The panel suggested that organizations currently using Azure Firewall or AWS Network Firewall should consider evaluating Aviatrix as a simplified, multicloud, cloud-native security solution. Schedule a demo to explore how this solution could simplify and secure your network.

Watch the full webinar on-demand.