Like traditional firewalls, cloud firewalls are security products that filter out potentially malicious network traffic. The difference is that cloud firewalls are hosted in the cloud and provided as a service by security vendors.
Cloud-based firewalls can be used to create virtual barriers around cloud platforms, infrastructure, and applications. A cloud firewall can also protect on-premises infrastructure, but this requires traffic to be routed between the cloud and on-premises environments.
Like on-premises firewalls, firewalls running in a cloud identify and control applications, grant access through user-based policies, and prevent known and unknown threats from entering the network perimeter.
Cloud firewalls are deployed as virtual appliances in a cloud environment. They can inspect and filter traffic between virtual machines (VMs), containers, and other cloud resources, and between those resources and the public Internet. Firewalls inspect traffic at the network layer, protecting the cloud environment against threats such as malware, data leaks, and denial of service (DoS).
Cloud firewalls provide visibility into network and application traffic across multi-cloud environments. Advanced solutions offer automation and centralized management, enabling developers to build security into the cloud development lifecycle. Many cloud firewalls are aligned with a modern continuous integration and continuous delivery (CI/CD) process.
Another key capability of cloud firewalls is network segmentation and microsegmentation policies. These can help isolate sensitive applications and data into secure segments, blocking lateral movement of threats and simplifying compliance.
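The segmentation behaviour described above can be made concrete with a small default-deny policy evaluator. This is an added illustration written for this article, not Calico's policy engine or any vendor code: the workloads, labels, rule names and ports are all constructed, and the label-selector style only mirrors the general shape of Kubernetes-style network policies. It shows why an explicit allow-list between tiers blocks a workload from reaching a segment it was never approved to talk to.

```python
from dataclasses import dataclass

# All workloads, labels and rules below are constructed for this example.
# The label-selector style resembles Kubernetes/Calico policies, but this is
# a standalone illustration, not the Calico engine.

@dataclass(frozen=True)
class Workload:
    name: str
    labels: tuple  # tuple of (key, value) pairs so the instance stays hashable

    def label(self, key):
        return dict(self.labels).get(key)

@dataclass(frozen=True)
class AllowRule:
    """Permit traffic from workloads matching src_selector to workloads
    matching dst_selector on the listed destination ports."""
    name: str
    src_selector: tuple
    dst_selector: tuple
    ports: frozenset

def selector_matches(selector, workload):
    """Every (key, value) pair in the selector must be present on the workload."""
    return all(workload.label(k) == v for k, v in selector)

def evaluate_flow(src, dst, port, rules):
    """Default-deny evaluation: return the name of the first allow rule that
    matches, or None when no rule explicitly permits the flow."""
    for rule in rules:
        if (selector_matches(rule.src_selector, src)
                and selector_matches(rule.dst_selector, dst)
                and port in rule.ports):
            return rule.name
    return None

def is_allowed(src, dst, port, rules):
    return evaluate_flow(src, dst, port, rules) is not None

# Constructed three-tier application plus an unrelated batch job
WEB = Workload("web-1", (("tier", "web"), ("app", "shop")))
API = Workload("api-1", (("tier", "api"), ("app", "shop")))
DB = Workload("db-1", (("tier", "db"), ("app", "shop")))
BATCH = Workload("batch-1", (("tier", "batch"), ("app", "reports")))

# Only the two hops the application design needs are allowed
RULES = [
    AllowRule("web-to-api", (("tier", "web"),), (("tier", "api"),), frozenset({8080})),
    AllowRule("api-to-db",
              (("tier", "api"), ("app", "shop")),
              (("tier", "db"), ("app", "shop")),
              frozenset({5432})),
]

def audit_flows(flows, rules):
    """Evaluate a list of (src, dst, port) flows. Denied flows are exactly what a
    segmentation policy should surface as possible lateral-movement attempts."""
    report = {}
    for src, dst, port in flows:
        rule = evaluate_flow(src, dst, port, rules)
        key = f"{src.name}->{dst.name}:{port}"
        report[key] = ("allow", rule) if rule else ("deny", None)
    return report

SAMPLE_FLOWS = [
    (WEB, API, 8080),   # designed path: allowed
    (API, DB, 5432),    # designed path: allowed
    (WEB, DB, 5432),    # web tier skipping the API tier: denied
    (BATCH, DB, 5432),  # a different application reaching the database: denied
    (WEB, API, 22),     # right tiers, unapproved port: denied
]

if __name__ == "__main__":
    for flow, (verdict, rule) in audit_flows(SAMPLE_FLOWS, RULES).items():
        print(f"{flow:22s} {verdict}" + (f" ({rule})" if rule else ""))
```

Because the evaluator has no implicit allow, adding a new workload to the environment gives it no reach until a rule names it, which is the property that stops a compromised web instance from reaching the database directly and keeps the audit log of denied flows small enough to be useful.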
A public cloud firewall is a virtual network security appliance deployed in a public cloud, such as Amazon Web Services (AWS) or Azure. In general, public cloud firewalls tend to provide similar functionality to hardware firewalls. However, in hybrid cloud deployments, public cloud firewalls offer significant advantages over on-premises appliances in terms of scalability and availability.
Firewall as a Service (FWaaS) is a cloud-based security solution based on next generation firewall (NGFW) technology, which typically includes deep packet filtering, URL filtering, advanced threat prevention, intrusion prevention system (IPS), and DNS security.
FWaaS enables organizations to eliminate firewall appliances, simplify IT infrastructure, and improve overall network security. FWaaS is centrally managed from a single console, allowing organizations to overcome the challenges associated with NGFW appliances.
With no physical appliances to maintain, there is no change management, patch management, or outage coordination. It becomes much simpler to set and enforce consistent policies across the organization.
The key difference between cloud firewall and firewall as a service is that in FWaaS, a managed service provider or cloud provider controls firewall rules, security policies, threat intelligence, and the underlying firewall infrastructure.
Software-as-a-Service (SaaS) firewalls are designed to protect an organization’s network by filtering incoming traffic and appropriately identifying threats. A SaaS firewall is designed and deployed in a cloud data center to protect an organization’s network and users. It flags unauthorized traffic and helps block malicious intruders from entering the network.
There are two other variants of SaaS firewalls:
A web application firewall (WAF) is a security solution, commonly deployed as a cloud-based service, that is designed to protect web applications from a variety of cyber threats, such as cross-site scripting (XSS), SQL injection, and other types of attacks that can compromise the security of web-based systems.
In addition to protecting against cyber threats, WAFs can also be used to enforce security policies and ensure compliance with industry regulations and standards.
WAFs operate by analyzing incoming traffic to a web application and blocking requests that are deemed to be malicious or suspicious. This is done by comparing the requests against a set of predefined rules that define what is considered acceptable traffic and what is not.
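The rule-matching approach just described, as an added example that is not code from the original article or from any WAF vendor: a minimal signature engine that URL-decodes each request field and checks it against a constructed set of patterns for the SQL injection, cross-site scripting and path-traversal categories mentioned above. The rule ids, patterns and sample requests are all constructed for illustration; the double-decoding step shows why a WAF has to compare traffic in the form the application will eventually see, not in its raw encoded form.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed signature set; rule ids and patterns are illustrative, not a
# vendor ruleset. Each entry: (rule id, category, compiled pattern).
RULES = [
    ("R-SQLI-1", "sql-injection",
     re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+|\bunion\b\s+\bselect\b|--\s*$|/\*.*?\*/",
                re.IGNORECASE)),
    ("R-XSS-1", "xss",
     re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)),
    ("R-TRAV-1", "path-traversal",
     re.compile(r"(^|/)\.\.(/|$)")),
]

def normalize(value):
    """Decode percent-encoding twice so a double-encoded value is compared in
    the same form the application behind the WAF would eventually see."""
    return unquote_plus(unquote_plus(value))

def request_fields(url, headers, body=""):
    """Split a request into (location, value) pairs: path, query arguments,
    headers and form-encoded body fields. parse_qsl decodes once already."""
    parts = urlsplit(url)
    fields = [("path", parts.path)]
    fields += [("arg:" + k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    fields += [("header:" + k.lower(), v) for k, v in headers.items()]
    if body:
        fields += [("body:" + k, v) for k, v in parse_qsl(body, keep_blank_values=True)]
    return fields

def inspect_request(url, headers=None, body=""):
    """Return a block decision for the first rule that matches any field,
    otherwise an allow decision. Location tells the analyst where it hit."""
    for location, raw in request_fields(url, headers or {}, body):
        value = normalize(raw)
        for rule_id, category, pattern in RULES:
            if pattern.search(value):
                return {"action": "block", "rule": rule_id,
                        "category": category, "location": location}
    return {"action": "allow", "rule": None, "category": None, "location": None}

# Constructed sample traffic: one benign request and four that should be blocked
SAMPLE_REQUESTS = [
    ("benign search", "/search?q=running+shoes&page=2", {"Cookie": "session=abc123"}, ""),
    ("sqli in query", "/search?q=%27+OR+1%3D1--", {}, ""),
    ("double-encoded sqli", "/search?q=%2527%2520OR%25201%253D1", {}, ""),
    ("xss in query", "/profile?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E", {}, ""),
    ("traversal in form body", "/download", {}, "file=..%2F..%2Fetc%2Fpasswd"),
]

def run_samples():
    return {label: inspect_request(url, headers, body)
            for label, url, headers, body in SAMPLE_REQUESTS}

if __name__ == "__main__":
    for label, result in run_samples().items():
        print(f"{label:24s} {result['action']:5s} {result['category'] or '-':15s} {result['location'] or '-'}")
```

Two details matter in practice. First, the benign request carries a cookie named `session=...`, which the event-handler pattern would flag if it lacked the leading word boundary; signature rules are only as good as the false-positive tuning around them. Second, the double-encoded request is caught only because decoding runs before matching, which is why decoding order and depth are explicit settings in real WAF products rather than an afterthought.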
One of the main advantages of cloud firewalls is that they usually have lower upfront costs because you don’t need to purchase any equipment. Overhead is also reduced when there is no need to host hardware in the data center.
For example, FWaaS is managed, configured, and updated by third-party vendors, which offloads the administrative burden from companies. These vendor-managed services often include ongoing maintenance, such as firmware updates, and can usually be deployed much faster than an in-house appliance. In addition to cost and resource benefits, cloud firewalls have several additional intangible benefits:
Calico Enterprise and Calico Cloud offer a universal firewall integration, plus granular workload-based security controls, including IDS/IPS, DDoS protection, DPI, and WAF. Calico delivers the following security controls to support cloud firewalls: