1.3 Summarize cloud concepts and connectivity options
📘CompTIA Network+ (N10-009)
What are Network Security Lists?
A Network Security List (NSL) is a cloud-based security feature used to control network traffic in and out of cloud resources, such as virtual machines (VMs) or subnets. NSLs act like rulesets that decide which traffic is allowed or blocked.
Think of an NSL as a filter for network packets. It examines traffic based on protocol, IP address, or port and allows or denies it.
Key Concepts
- Rules
  - NSLs are made up of security rules.
  - Each rule specifies:
    - Direction: Whether the rule applies to incoming (ingress) or outgoing (egress) traffic.
    - Source IP or Range: Where the traffic is coming from.
    - Destination IP or Range: Where the traffic is going.
    - Protocol: TCP, UDP, ICMP, etc.
    - Port or Port Range: Specific ports the rule applies to (like port 80 for HTTP or 443 for HTTPS).
    - Action: Whether the traffic is allowed or denied.
- Stateless vs Stateful
  - NSLs are stateless, which means:
    - Each rule is independent.
    - If you allow incoming traffic on a port, the outgoing traffic does not automatically get allowed.
    - You must create a separate rule for outbound traffic if needed.
  - Contrast with Security Groups: Security Groups are often stateful, automatically allowing response traffic back out.
- Priority
  - Rules are evaluated based on their priority number.
  - Lower numbers have higher priority.
  - Example:
    - Rule 100 allows port 80 (HTTP).
    - Rule 200 blocks all other traffic.
    - Traffic for port 80 is allowed because rule 100 has higher priority (lower number).
- Default Rules
  - Most cloud providers (such as Oracle Cloud, or the AWS equivalent) create default NSLs for new subnets or VMs.
  - Default rules often allow all outbound traffic but block most inbound traffic.
  - You can modify these to fit your security needs.
How NSLs Work in an IT Environment
Imagine you have a web server VM in a cloud subnet. To protect it:
- You create a Network Security List attached to the subnet.
- You add rules such as:
  - Allow inbound traffic on TCP port 80 (HTTP) and 443 (HTTPS) from the internet.
  - Deny all other inbound traffic.
  - Allow outbound traffic to any IP so the server can fetch updates.
The NSL acts as a gatekeeper, filtering traffic at the network level before it reaches the VM.
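As an added illustration (not part of the original study notes), here is a small stateless rule evaluator in Python that models the web-server NSL above: priority ordering, first-match-wins, implicit deny, and the need for a separate egress rule so the server's replies can leave. The rule numbers, subnet and addresses are constructed example values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    priority: int             # lower number is evaluated first
    direction: str            # "ingress" or "egress"
    source: str               # CIDR the traffic comes from
    destination: str          # CIDR the traffic goes to
    protocol: str             # "tcp", "udp", "icmp" or "any"
    ports: Optional[tuple]    # (low, high) destination-port range, None = all
    action: str               # "allow" or "deny"

    def matches(self, direction, src, dst, proto, port):
        return (self.direction == direction
                and ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination)
                and self.protocol in ("any", proto)
                and (self.ports is None or self.ports[0] <= port <= self.ports[1]))

def evaluate(rules, direction, src, dst, proto, port):
    """Stateless check of one packet: the first match in ascending priority
    order decides; no match means an implicit deny. Nothing is remembered
    between calls, so reply traffic needs its own egress rule."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(direction, src, dst, proto, port):
            return rule.action, rule.priority
    return "deny", None

# Constructed NSL for a web-server subnet (addresses are example values)
WEB_SUBNET = "10.0.1.0/24"
NSL = [
    Rule(100, "ingress", "0.0.0.0/0", WEB_SUBNET, "tcp", (80, 80), "allow"),
    Rule(110, "ingress", "0.0.0.0/0", WEB_SUBNET, "tcp", (443, 443), "allow"),
    Rule(200, "ingress", "0.0.0.0/0", WEB_SUBNET, "any", None, "deny"),
    Rule(300, "egress", WEB_SUBNET, "0.0.0.0/0", "any", None, "allow"),
]
# Same list with the egress rule left out: shows why statelessness matters
INGRESS_ONLY = [r for r in NSL if r.direction == "ingress"]

if __name__ == "__main__":
    # Client 203.0.113.5 reaches the server on port 80: rule 100 wins over 200
    print(evaluate(NSL, "ingress", "203.0.113.5", "10.0.1.10", "tcp", 80))
    # SSH is caught by the catch-all deny at priority 200
    print(evaluate(NSL, "ingress", "203.0.113.5", "10.0.1.10", "tcp", 22))
    # The HTTP reply to the client's ephemeral port is only allowed because
    # rule 300 exists; without it the reply is implicitly denied
    print(evaluate(NSL, "egress", "10.0.1.10", "203.0.113.5", "tcp", 51234))
    print(evaluate(INGRESS_ONLY, "egress", "10.0.1.10", "203.0.113.5", "tcp", 51234))
```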
Why NSLs Are Important for the Exam
- Traffic Filtering: NSLs help enforce security policies at the network boundary of your cloud environment.
- Granular Control: You can control traffic at the subnet or instance level.
- Stateless Nature: Remember, NSLs are stateless, unlike Security Groups. This is a common exam question.
- Complementary to Security Groups: NSLs are network-level controls, while Security Groups are instance-level controls. Often, they work together.
Exam Tips
- Know the difference between NSLs (stateless) and Security Groups (stateful).
- Remember NSLs use: IP addresses, protocols, ports, direction, action, and priority.
- Understand default rules exist in most cloud environments and can be modified.
- Know that priority numbers determine which rule applies first.
Quick Table for Easy Recall
| Feature | NSL | Security Group |
|---|---|---|
| Stateful? | No (stateless) | Yes (stateful) |
| Level | Subnet / Network | Instance / VM |
| Default action | Usually block inbound, allow outbound | Usually allow all outbound, block inbound |
| Priority | Rules have numbers, lower = higher priority | Not needed, evaluates automatically |
| Use case | Control traffic for subnets or groups of VMs | Control traffic for individual VMs |
✅ Summary:
Network Security Lists are stateless filters applied to cloud networks or subnets. They allow you to define which traffic can come in or go out, using rules based on IP, port, protocol, and priority. Unlike Security Groups, they do not automatically allow return traffic. Knowing NSLs and how they compare to Security Groups is essential for the CompTIA Network+ exam.
