Network Security & Firewalls

Updated: Oct 24, 2025 · ~8 min read · Networking, Security

Overview

CloudNexus provides a multi-layered network security framework designed to protect cloud infrastructure against modern threats. Our firewall and security stack operates at Layers 3, 4, and 7 of the OSI model, delivering stateful packet inspection, deep packet analysis, and automated threat response across all global regions.

Note: All firewall rules are evaluated in priority order, and the higher-priority rule takes precedence (priority 1 is the highest; see the field table below). The default action for inbound traffic is DENY.

Architecture

Our security plane is distributed across edge proxies, regional gateways, and compute nodes. Traffic flows through a zero-trust validation mesh before reaching workloads.

🌐 Internet → 🛡️ WAF / DDoS Shield → 🔐 Regional Gateway → 🔍 IDS/IPS Engine → 🧱 Stateful Firewall → ⚡ VPC / Workloads

Each node in the chain logs metadata to the Security Audit Pipeline. Packet inspection happens in hardware-accelerated NICs to maintain < 2ms latency overhead.

Firewall Rules & Policies

Define granular access controls using our declarative rule engine. Rules support CIDR ranges, port groups, protocol filters, and geolocation restrictions.

Field          Type      Description
priority       integer   Evaluation order (1 = highest). Range: 1-65535
action         enum      ALLOW, DENY, LOG, RATE_LIMIT
protocol       string    TCP, UDP, ICMP, or ANY
source_cidr    string    IPv4/IPv6 CIDR notation
ports          array     Single ports or ranges (e.g., 80, 443, 8000-9000)

    # Example: Allow HTTPS from trusted office IP
    resource "cnx_firewall_rule" "office_access" {
      priority    = 10
      action      = "ALLOW"
      protocol    = "TCP"
      ports       = [443]
      source_cidr = "203.0.113.0/24"
      description = "Corporate VPN gateway"
    }
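To sanity-check a policy set offline before applying it, the following added example (not CloudNexus code) evaluates a packet against rules with the fields from the table above. It assumes priority 1 is evaluated first, first match wins, and unmatched inbound traffic falls through to the default DENY; the sample rules and addresses are constructed, and the third packet shows how a broad higher-priority ALLOW shadows a narrower DENY.

```python
# Added example, not CloudNexus code. Assumes priority 1 runs first,
# first match wins, and unmatched inbound traffic is denied by default.
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    priority: int           # 1 = highest, per the field table
    action: str             # ALLOW, DENY, LOG, RATE_LIMIT
    protocol: str           # TCP, UDP, ICMP or ANY
    source_cidr: str        # IPv4/IPv6 CIDR notation
    ports: list = field(default_factory=list)  # 443 or "8000-9000"; empty = any port
    description: str = ""

def port_matches(spec, port):
    """Match a port against entries like 80, 443 or "8000-9000" (inclusive)."""
    if not spec:
        return True
    for entry in spec:
        lo, _, hi = str(entry).partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate(rules, src_ip, protocol, port=None):
    """Return (action, matched_rule) for one inbound packet; first match wins."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("ANY", protocol):
            continue
        # 'in' is False when the address and network are different IP versions
        if src not in ipaddress.ip_network(rule.source_cidr, strict=False):
            continue
        if protocol != "ICMP" and not port_matches(rule.ports, port):
            continue
        return rule.action, rule
    return "DENY", None  # default action for inbound traffic

# Constructed sample policy (documentation-range addresses only).
SAMPLE_RULES = [
    Rule(10, "ALLOW", "TCP", "203.0.113.0/24", [443], "Corporate VPN gateway"),
    Rule(20, "DENY", "ANY", "203.0.113.66/32", [], "Block one misbehaving host"),
    Rule(30, "ALLOW", "TCP", "0.0.0.0/0", ["8000-9000"], "Public API port range"),
]

if __name__ == "__main__":
    # Rule 10 shadows rule 20 for 203.0.113.66 on port 443: reorder to fix.
    for pkt in [("203.0.113.7", "TCP", 443), ("203.0.113.66", "TCP", 443)]:
        action, rule = evaluate(SAMPLE_RULES, *pkt)
        print(pkt, "->", action, rule.description if rule else "(default)")
```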

DDoS Mitigation

CloudNexus automatically filters volumetric, protocol, and application-layer attacks. Mitigation thresholds are adjustable per network interface:

  • Volumetric: SYN floods, UDP reflection, amplification attacks
  • Protocol: Fragmented packets, malformed headers, ACK floods
  • Application: HTTP floods, slowloris, API abuse

When traffic exceeds baseline + 2σ for 3 consecutive seconds, scrubbing centers activate within 800ms. Legitimate traffic is prioritized via TLS fingerprint validation and CAPTCHA challenges at Layer 7.

IDS/IPS Integration

Inline Intrusion Prevention System rules are synced daily with CVE databases, MITRE ATT&CK framework updates, and industry threat intelligence feeds. Custom signatures can be deployed via the API.

Warning: Aggressive IPS signatures may impact stateful connections. Enable dry_run mode for 24 hours before production deployment.

Detection logs are forwarded to CloudNexus SIEM endpoints in JSON format. Fields include src_ip, dst_port, threat_id, severity, and mitre_tactic.

Network Segmentation

Isolate workloads using Virtual Private Clouds (VPCs) and security groups. Cross-VPC traffic requires explicit peering or Transit Gateway routing.

  • Private Subnets: No public IP assignment, NAT gateway required for outbound
  • Security Groups: Stateful, instance-level firewalls
  • Network ACLs: Stateless, subnet-level controls

Microsegmentation is enforced via eBPF-based policies at the kernel level, enabling L7 application awareness without proxy overhead.

Infrastructure as Code

Manage firewall rules, DDoS policies, and network segments declaratively. Supported providers include Terraform, Pulumi, and CloudFormation-compatible templates.

    // Terraform: Enable DDoS scrubbing on VPC
    resource "cnx_network_policy" "production_ddos" {
      vpc_id          = cnx_vpc.main.id
      ddos_protection = true
      scrubbing_tier  = "enterprise"
      alert_thresholds = {
        pps  = 100000
        bps  = 5000000000
        icmp = true
      }
    }

Compliance & Auditing

All network security configurations are logged to an immutable audit trail. CloudNexus maintains the following certifications applicable to network infrastructure:

  • ISO 27001:2022 (Information Security Management)
  • SOC 2 Type II (Security, Availability, Confidentiality)
  • PCI DSS v4.0 (Network Segmentation & Firewall Requirements)
  • FedRAMP Moderate (for government tenants)

Audit exports support CSV, JSON, and STIX/TAXII formats. Retention defaults to 365 days; extended retention up to 7 years is available via compliance add-on.

Frequently Asked Questions

How fast are firewall rule updates applied?

Rule changes propagate globally within 150ms. Stateful connections established before the change remain unaffected until timeout or reset.

Can I import existing iptables/nftables rules?

Yes. Our CLI tool cnx migrate-firewall parses standard iptables/nftables formats and converts them to CloudNexus declarative policies.

Is there a free tier for security features?

Basic stateful firewall and DDoS protection are included in all plans. Advanced IPS signatures, SIEM streaming, and compliance reporting require the Security+ tier.