Cloud Firewall

4 Types of Cloud Firewalls and Why You Need Them

What Is a Cloud Firewall?

Like traditional firewalls, cloud firewalls are security products that filter out potentially malicious network traffic. The difference is that cloud firewalls are hosted in the cloud and provided as a service by security vendors.

Cloud-based firewalls can be used to create virtual barriers around cloud platforms, infrastructure, and applications. A cloud firewall can also protect on-premises infrastructure, but this requires routing of traffic between cloud and on-premise environments.

This is part of a series of articles about cloud security.

How Cloud Firewalls Work

Like on-premises firewalls, firewalls running in a cloud identify and control application traffic, grant access through user- and identity-based policies, and block threats at the network perimeter: known ones by signature, and unknown ones, with varying success, by behavioral and anomaly detection.

Cloud firewalls are deployed as virtual appliances or as a provider-managed service in a cloud environment. They inspect and filter traffic between virtual machines (VMs), containers, and other cloud resources, and between those resources and the public Internet. Inspection happens at the network and transport layers (IP addresses, protocols, and ports) and, in next-generation products, at the application layer as well, protecting the cloud environment against threats such as malware delivery, data exfiltration, and denial of service (DoS).

Cloud firewalls provide visibility into network and application traffic across multi-cloud environments. Advanced solutions offer automation and centralized management, enabling developers to build security into the cloud development lifecycle. Many expose their policy as code through APIs, infrastructure-as-code providers, or Kubernetes resources, so firewall rules can be versioned, reviewed, and deployed through a continuous integration and continuous delivery (CI/CD) pipeline like any other change.

Another key capability of cloud firewalls is network segmentation and microsegmentation policy. Sensitive applications and data are isolated into segments with default-deny boundaries, so that a compromised workload cannot freely reach its neighbors (lateral movement) and the scope of compliance audits is reduced to the segment that holds the regulated data.
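As an added example (not code from the original article or from Calico), the following Python script models how a label-based microsegmentation policy is evaluated: rules select source and destination workloads by label, the first matching rule wins, and anything not explicitly allowed is denied. A flat allow-all policy is evaluated beside the segmented one to show what an attacker on a compromised web workload could reach under each. All workload names, labels, ports, and rules are constructed for the illustration.

```python
"""Added example, not Calico's or any vendor's code: a minimal model of how
label-based microsegmentation policy is evaluated for a connection attempt.
Workloads, labels and rules below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Workload:
    name: str
    labels: Dict[str, str]


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    src: Dict[str, str]                  # labels the source must carry; {} matches any source
    dst: Dict[str, str]                  # labels the destination must carry; {} matches any
    ports: FrozenSet[int] = frozenset()  # destination TCP ports; empty = any port


def selector_matches(selector: Dict[str, str], labels: Dict[str, str]) -> bool:
    """A selector matches when every key/value it names is present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate(rules: List[Rule], src: Workload, dst: Workload, port: int,
             default: str = "deny") -> str:
    """First matching rule wins. Anything no rule covers gets the default,
    and a default of deny is what makes segmentation stop lateral movement."""
    for rule in rules:
        if (selector_matches(rule.src, src.labels)
                and selector_matches(rule.dst, dst.labels)
                and (not rule.ports or port in rule.ports)):
            return rule.action
    return default


# Constructed workloads (hypothetical three-tier application plus a batch job)
WEB = Workload("web-1", {"tier": "web", "zone": "dmz"})
API = Workload("api-1", {"tier": "api", "zone": "internal"})
DB = Workload("db-1", {"tier": "db", "zone": "restricted"})
BATCH = Workload("batch-1", {"tier": "batch", "zone": "internal"})

# Weak policy: a flat network where anything inside can talk to anything.
FLAT = [Rule("allow", {}, {})]

# Segmented policy: an explicit deny from the DMZ into the restricted zone is
# listed first so no later, broader allow can override it; then only the
# intended paths are opened, on their specific ports.
SEGMENTED = [
    Rule("deny", {"zone": "dmz"}, {"zone": "restricted"}),
    Rule("allow", {"tier": "web"}, {"tier": "api"}, frozenset({8080})),
    Rule("allow", {"tier": "api"}, {"tier": "db"}, frozenset({5432})),
]


def lateral_movement_probe(rules: List[Rule], compromised: Workload,
                           targets: List[Workload], ports: List[int]) -> List[Tuple[str, int, str]]:
    """Every (target, port, verdict) an attacker on `compromised` would see."""
    return [(t.name, p, evaluate(rules, compromised, t, p)) for t in targets for p in ports]


def reachable(rules: List[Rule], compromised: Workload,
              targets: List[Workload], ports: List[int]) -> List[Tuple[str, int]]:
    """Only the (target, port) pairs the policy lets the compromised workload reach."""
    return [(t, p) for t, p, v in lateral_movement_probe(rules, compromised, targets, ports)
            if v == "allow"]


if __name__ == "__main__":
    targets, ports = [API, DB, BATCH], [22, 5432, 8080]
    print("flat network, web-1 compromised:", reachable(FLAT, WEB, targets, ports))
    print("segmented,    web-1 compromised:", reachable(SEGMENTED, WEB, targets, ports))
```

Under the flat policy a compromised web-1 can open every probed port on every neighbor, including the database; under the segmented policy it reaches only api-1 on 8080, and a direct attempt at db-1:5432 is refused by the DMZ-to-restricted deny before any allow is consulted. Real policy engines (Kubernetes NetworkPolicy, Calico, cloud security groups) add direction, namespaces, and protocol matching, but the evaluation order and the default-deny fallback are the parts that matter for containing lateral movement.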

Learn more in our blog post: Microsegmentation in the Cloud Native World

Types of Cloud Firewalls

Public Cloud Firewall

A public cloud firewall is a virtual network security appliance deployed in a public cloud such as Amazon Web Services (AWS) or Azure, either as a vendor NGFW image from the cloud marketplace or as the provider's own managed firewall service. In general, public cloud firewalls provide functionality similar to hardware firewalls. In hybrid cloud deployments, however, they offer significant advantages over on-premises appliances in scalability and availability, because capacity can be added on demand and instances can be placed in several availability zones.

Firewall as a Service

Firewall as a Service (FWaaS) is a cloud-based security solution built on next-generation firewall (NGFW) technology, which typically includes deep packet inspection (DPI), URL filtering, advanced threat prevention, an intrusion prevention system (IPS), and DNS security.

FWaaS enables organizations to eliminate firewall appliances, simplify IT infrastructure, and improve overall network security. FWaaS is centrally managed from a single console, which avoids the per-site configuration drift and capacity planning that come with a fleet of NGFW appliances.

With no physical appliances to maintain, the provider handles appliance patching, capacity, and maintenance windows. What remains for the customer is policy change management, which is much simpler to keep consistent across the organization when every site enforces the same centrally defined rule set.

The key difference between a cloud firewall and firewall as a service is who operates the firewall. In FWaaS, a managed service provider or cloud provider runs the underlying firewall infrastructure and supplies the threat intelligence and signature updates; the customer still defines its own firewall rules and security policies, but through the provider's console rather than on equipment it owns. A firewall deployed as a virtual appliance in your own cloud account, by contrast, leaves patching, scaling, and availability of the appliance to you.

SaaS Firewall

Software-as-a-Service (SaaS) firewalls protect an organization's network by filtering incoming traffic and identifying threats. The firewall runs in the vendor's cloud data center, and the organization's traffic is routed through it; it flags unauthorized traffic and blocks malicious connections before they reach the network and its users.

Two related terms are often used alongside SaaS firewalls:

  • Security as a Service (SECaaS) — The broader category of cloud-delivered security services priced on a subscription basis, of which a hosted firewall is one offering.
  • Firewall as a Service (FWaaS) — FWaaS solutions (described above) are also sometimes considered a SaaS firewall. These solutions scale elastically to meet the size, needs, and unique requirements of the network.

Web Application Firewall (WAF)

A web application firewall (WAF) is a security solution, commonly deployed as a cloud-based service, that is designed to protect web applications from a variety of cyber threats, such as cross-site scripting (XSS), SQL injection, and other types of attacks that can compromise the security of web-based systems.

In addition to protecting against cyber threats, WAFs can also be used to enforce security policies and ensure compliance with industry regulations and standards.

WAFs operate by analyzing incoming HTTP requests to a web application and blocking those deemed malicious or suspicious. Each part of a request (path, query string, headers, body) is decoded and normalized, then compared against a set of predefined rules that define what is and is not acceptable traffic; many WAFs also score requests so that several weak indicators together trigger a block while a single one does not. Because the rules are pattern-based, they need tuning: overly broad patterns block legitimate traffic, while encoding tricks and payload fragmentation can slip past overly narrow ones. A WAF therefore complements fixing the vulnerable code rather than replacing it.
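As an added example, not code from the original article or from any WAF product, here is a small Python model of the request inspection just described: each part of the request is percent-decoded (repeatedly, so double-encoded payloads are not missed) and matched against weighted signature rules, and the request is blocked once its anomaly score reaches a threshold. The rules, weights, threshold, and sample requests are constructed for the illustration and are far smaller than a real rule set such as the OWASP Core Rule Set.

```python
"""Added example, not from the original article or any WAF product: a
signature-based HTTP request check with decoding and anomaly scoring.
Rules, weights, threshold and sample requests are constructed for illustration."""
import re
from typing import List, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# (rule id, description, pattern, weight). Weights let several weak
# indicators add up to a block while one weak indicator alone does not.
RULES = [
    ("SQLI-001", "quoted tautology such as ' OR '1'='1",
     re.compile(r"\b(?:or|and)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I), 5),
    ("SQLI-002", "UNION ... SELECT",
     re.compile(r"\bunion\b[\s\S]*?\bselect\b", re.I), 5),
    ("SQLI-003", "lone SQL keyword (low confidence on its own)",
     re.compile(r"\b(?:select|insert|update|delete|drop|sleep|benchmark)\b", re.I), 2),
    ("XSS-001", "script tag, event handler or javascript: URL",
     re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript:", re.I), 5),
    ("LFI-001", "directory traversal",
     re.compile(r"\.\.[\\/]"), 5),
]
BLOCK_THRESHOLD = 5


def normalize(value: str) -> str:
    """Percent-decode until the value stops changing (bounded to three rounds),
    so that %2527-style double encoding cannot hide a quote from the rules."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str, body: str = "") -> Tuple[str, int, List[str]]:
    """Return (verdict, score, matched rule ids) for one request.
    `target` is the request-target from the request line, e.g. "/a?b=c"."""
    parts = urlsplit(target)
    fields = [("path", parts.path)]
    # parse_qsl decodes one layer; normalize() strips any further layers.
    fields += [(f"query:{k}", v) for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    if body:
        fields.append(("body", body))
    score, matched = 0, []
    for location, raw in fields:
        value = normalize(raw)
        for rule_id, _desc, pattern, weight in RULES:
            if pattern.search(value):
                score += weight
                matched.append(f"{rule_id}@{location}")
    verdict = "block" if score >= BLOCK_THRESHOLD else "allow"
    return verdict, score, matched


# Constructed sample traffic (not captured from any real system)
SAMPLES = [
    "/products?id=42",
    "/products?id=42%27%20OR%20%271%27%3D%271",              # ' OR '1'='1
    "/products?id=42%2527%2520OR%2520%25271%2527%253D%25271",  # same payload, double-encoded
    "/search?q=select+a+good+laptop",                          # benign use of a SQL keyword
    "/items?id=1+union+select+password+from+users",
    "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "/files?name=../../etc/passwd",
]

if __name__ == "__main__":
    for target in SAMPLES:
        verdict, score, matched = inspect_request(target)
        print(f"{verdict:5} score={score:<2} GET {target} {matched}")
```

Two behaviours are worth noticing when running it. The double-encoded tautology is caught only because normalize() decodes a second time; a single-pass decoder would match nothing. And the search for "select a good laptop" trips the low-confidence keyword rule but scores 2, under the threshold, whereas the UNION SELECT probe accumulates 7 from two rules, which is the anomaly-scoring idea that lets real WAFs keep single weak signatures from causing false positives.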

Related content: Read our Kubernetes firewall guide

Why Do You Need a Cloud Firewall?

One of the main advantages of cloud firewalls is that they usually have lower upfront costs because you don’t need to purchase any equipment. Overhead is also reduced when there is no need to host hardware in the data center.

For example, FWaaS is managed, configured, and updated by the vendor, which offloads the administrative burden from the customer. These vendor-managed services include ongoing maintenance such as software and signature updates, and they can usually be brought into service much faster than an in-house appliance rollout. In addition to cost and resource benefits, cloud firewalls have several operational benefits:

  • Scalability – Easier deployment allows organizations to scale their security solutions to support more locations or higher bandwidth requirements. As bandwidth needs grow, the provider scales the firewall's capacity, so traffic surges such as DDoS attacks can be absorbed and filtered without the firewall itself becoming the bottleneck, within the limits of the contracted capacity.
  • Availability – Cloud firewall providers run on redundant infrastructure across multiple sites, giving a level of resiliency that is hard to match with a single on-site appliance pair. Providers can also roll out updates and patches quickly and uniformly.
  • Ability to filter traffic from numerous sources – Including public networks, traffic between tenants, virtual networks, and virtual data centers. By securing the connections between physical data centers and the cloud, businesses are better able to move to cloud-based infrastructure.

Enhancing workload security with Calico’s firewall-centric controls

Calico Enterprise and Calico Cloud offer a universal firewall integration, plus granular workload-based security controls, including IDS/IPS, DDoS, DPI, and WAF. Calico delivers the following security controls to support cloud firewalls:

  • Intrusion detection and prevention – Calico's IDS/IPS solution ingests threat feeds from AlienVault and custom sources to pinpoint the source of malicious activity. It identifies zero-day threats, actively creates a security moat around critical workloads to mitigate risk, deploys honeypods to detect and divert attacks, and automatically quarantines potentially malicious workloads.
  • Deep packet inspection – Calico's DPI inspects network data in detail and performs signature-based detection of potential threats. It further enriches IP-based packet information with container and Kubernetes metadata to identify the source and destination workloads of packets.
  • Application-level security and WAF – Calico provides application-level visibility and enforces security controls for application protection on all east-west traffic. It provides a workload-centric WAF that leverages ModSecurity, a popular open source WAF engine, with the OWASP Core Rule Set (CRS) covering the most common web application risks, and also lets operators bring their own rule sets or use subscription-based rules.
  • Universal firewall integration – The Calico Egress Gateway provides universal firewall integration, enabling Kubernetes resources to securely access endpoints behind a firewall. This allows you to extend your existing firewall manager and zone-based architecture to Kubernetes for cloud-native architecture.
