RedTalk: Network ACLs Behave Differently Amongst Public Cloud Providers

Gaurav Kumar

06.07.18 6:00 AM

The Issue: Network ACLs Behave Differently Amongst Public Cloud Providers

Not all firewalls are created equal. Some are generous, some are not, and the native firewall controls of the public cloud providers do not all behave the same way.

Every cloud service provider - AWS, Microsoft Azure, and Google Cloud Platform (GCP) - provides native firewall capabilities. When a firewall ACL is modified, what happens to the connections that are already established?

RedLock’s CSI Team observed that rule updates made to AWS ACLs are dynamically applied to both new and existing connections. In Azure and GCP, however, rule updates made to the ACLs are not dynamically applied to existing connections. This means that if an ACL rule, whether through malice or mistake, allows an unintended connection, any connections established while that rule was in force will not be terminated when the corrected rules are applied; they stay open until something else closes them.

The Mitigation: How to Enforce Updated ACLs in Azure and GCP

To mitigate this issue, we recommend that administrators explicitly terminate the existing connections affected by the bad ACL rules, for example by restarting the affected service or application, rather than relying on the corrected rule alone.
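Before restarting anything, an administrator needs to know which established connections the corrected rule would now block. The following script is an added example, not code from the post or from RedLock: it parses constructed `ss -tn` output from a Linux VM and matches each established connection against a hypothetical list of deny rules (source CIDR plus local port range), reporting the stale connections that an Azure NSG or GCP firewall change will leave in place.

```python
import ipaddress
import re

# Constructed sample of `ss -tn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB  0      0      10.0.1.5:22          203.0.113.40:51234
ESTAB  0      0      10.0.1.5:443         198.51.100.7:40022
ESTAB  0      0      10.0.1.5:22          10.0.1.9:50111
TIME-WAIT 0   0      10.0.1.5:80          203.0.113.41:60000
"""

# Hypothetical deny rules as they look after the ACL has been corrected:
# each rule is (source CIDR, inclusive local port range).
DENY_RULES = [
    ("203.0.113.0/24", (22, 22)),   # close the accidental SSH exposure
    ("0.0.0.0/0", (3389, 3389)),
]

LINE_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")

def parse_established(ss_output):
    """Return (local_ip, local_port, peer_ip, peer_port) for ESTAB rows only."""
    conns = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(1) != "ESTAB":
            continue
        conns.append((m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return conns

def stale_connections(ss_output, deny_rules):
    """Established connections that the updated deny rules would now block.
    Azure NSG and GCP firewall changes do not tear these down, so these are
    the connections the administrator must terminate by hand."""
    nets = [(ipaddress.ip_network(cidr), lo, hi) for cidr, (lo, hi) in deny_rules]
    hits = []
    for local_ip, local_port, peer_ip, peer_port in parse_established(ss_output):
        peer = ipaddress.ip_address(peer_ip)
        for net, lo, hi in nets:
            if peer in net and lo <= local_port <= hi:
                hits.append((peer_ip, peer_port, local_port))
                break
    return hits

if __name__ == "__main__":
    for peer_ip, peer_port, local_port in stale_connections(SAMPLE_SS_OUTPUT, DENY_RULES):
        print(f"stale: {peer_ip}:{peer_port} -> local port {local_port}")
```

On a live host, feed it the real `ss -tn` output and the deny rules you just pushed; an empty result after the restart confirms the mitigation took effect.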
