Cloud Firewall Management: AWS, Azure, and GCP Security Groups in One Dashboard
Your Palo Alto policies live in Panorama. Your FortiGate rules are in FortiManager. Your AWS Security Groups are scattered across 14 accounts. Your Azure NSGs were created by a developer who left six months ago. And your auditor wants a unified view of all of it by Friday. Welcome to cloud firewall management in 2026.
This is not a theoretical problem. Every organization running hybrid infrastructure — and that is most organizations — faces the same challenge: cloud security groups and on-premises firewalls serve the same function (controlling network access) but use completely different models, APIs, and terminology. Managing them separately creates blind spots. Managing them together requires normalization.
The Three Cloud Firewall Models
Before talking about unified management, you need to understand what makes each cloud provider's firewall model different. They all control traffic. They all use rules. But the abstractions, defaults, and evaluation logic vary in ways that break assumptions from on-premises firewall management.
AWS Security Groups and NACLs
AWS uses a two-layer model. Security Groups are stateful firewalls attached to ENIs (Elastic Network Interfaces) at the instance level. Network ACLs (NACLs) are stateless firewalls at the subnet level. Most teams rely primarily on Security Groups.
AWS Security Group Characteristics
- Stateful: Return traffic is automatically allowed. No need for explicit outbound rules matching inbound sessions.
- Default deny inbound: No inbound traffic allowed unless explicitly permitted. Default allow outbound.
- No deny rules: Security Groups can only allow traffic. You cannot create an explicit deny. This is fundamentally different from traditional firewalls.
- Reference other SGs: Rules can reference other Security Group IDs instead of IP ranges, enabling dynamic, identity-based access control.
- Multi-attach: A single instance can have up to 5 Security Groups. Rules are evaluated as a union (if any SG allows it, traffic flows).
The "no deny rules" behavior is the biggest conceptual gap for teams coming from traditional firewalls. On a Palo Alto or FortiGate, you build rules with explicit allow and deny actions, ordered by priority. In AWS, the only way to block specific traffic is to not allow it — or use NACLs, which add complexity and are frequently misconfigured.
Azure Network Security Groups (NSGs)
Azure NSGs sit closer to the traditional firewall model. They support both allow and deny rules with explicit priority ordering. NSGs can be attached to subnets or individual NICs, and Azure evaluates rules by priority number (lowest number wins).
Azure NSG Characteristics
- Allow and deny: Both rule actions supported. Priority-based evaluation (100-4096).
- Default rules: Azure creates default rules (priority 65000+) that allow VNet traffic, load balancer traffic, and deny all other inbound. You cannot delete defaults, only override with higher-priority rules.
- Application Security Groups: ASGs provide logical grouping of VMs — similar to AWS SG references but with an extra abstraction layer.
- Augmented rules: A single rule can specify multiple IPs, ports, and service tags. Service tags like "Internet" or "AzureLoadBalancer" map to Microsoft-managed IP ranges.
- Flow logs: NSG Flow Logs provide traffic visibility but require separate enablement and storage configuration per NSG.
Azure also offers Azure Firewall as a managed, centralized firewall service — closer to a traditional NGFW with threat intelligence, FQDN filtering, and centralized logging. Many enterprises run both NSGs (microsegmentation) and Azure Firewall (perimeter control), adding another layer to manage.
GCP VPC Firewall Rules and Policies
Google Cloud takes yet another approach. VPC Firewall Rules are defined at the VPC network level and apply to instances based on target tags or service accounts. In 2023, Google introduced Hierarchical Firewall Policies at the organization and folder level, adding top-down policy inheritance.
GCP Firewall Characteristics
- Tag-based targeting: Rules target instances via network tags or service accounts, not IP addresses. This is powerful but creates visibility challenges — you need to know which instances carry which tags.
- Priority-based: Rules have numeric priority (0-65535, lower wins). Both allow and deny actions supported.
- Implied rules: GCP has two implied rules: deny all ingress (priority 65535) and allow all egress (priority 65535). These cannot be deleted.
- Hierarchical policies: Organization-level and folder-level policies are evaluated before VPC rules. A "goto_next" action delegates evaluation to the next level.
- Logging per-rule: Firewall Rules Logging is toggled per rule, not per resource. Costs scale with traffic volume.
GCP's hierarchical model is the most flexible of the three but also the most complex to audit. A rule that appears to allow traffic at the VPC level might be overridden by an organization-level deny policy — and determining that requires checking multiple policy layers.
The Normalization Challenge
Here is the core problem. A Palo Alto firewall rule has a source zone, destination zone, source address, destination address, application, service, and action. An AWS Security Group rule has a protocol, port range, and source (IP or SG reference). An Azure NSG rule has a priority, direction, access action, protocol, source, and destination. A GCP firewall rule has a direction, action, priority, target tags, and IP ranges.
Same intent — control network access. Five completely different data models. Unified management means normalizing these into a common schema without losing the provider-specific semantics that matter for implementation.
| Concept | Traditional FW | AWS SG | Azure NSG | GCP FW Rule |
|---|---|---|---|---|
| Rule action | Allow / Deny / Drop | Allow only | Allow / Deny | Allow / Deny |
| Rule ordering | Sequential (top-down) | Unordered (union) | Priority number | Priority number |
| Statefulness | Configurable | Stateful (SG) / Stateless (NACL) | Stateful | Stateful |
| Target scope | Zone / Interface | ENI / Instance | Subnet / NIC | Tag / Service Account |
| Identity references | Address objects | SG IDs, Prefix Lists | ASGs, Service Tags | Tags, Service Accounts |
| Default egress | Deny all | Allow all | Allow all (default rule) | Allow all (implied rule) |
A proper normalization layer translates each provider's native rules into a common policy model — source, destination, service, action, and metadata — while preserving the original representation for implementation. This is what separates a real unified management platform from a dashboard that just shows rules side by side.
Compliance in Hybrid Environments
Compliance frameworks do not care which cloud provider you use. PCI DSS Requirement 1 requires you to "install and maintain network security controls" — whether those controls are Palo Alto policies, AWS Security Groups, or Azure NSGs. ISO 27001 Annex A.13 requires network segmentation controls. SOC 2 CC6.1 requires logical access controls. The auditor asks one question: "Show me your controls and prove they work."
Compliance Requirements That Span Cloud and On-Prem
- PCI DSS 4.0 (Req 1.2): Network security controls must be configured and maintained. Applies to any system component in the cardholder data environment — including cloud workloads.
- ISO 27001:2022 (A.8.22): Networks shall be segregated based on business requirements. Cloud VPCs, subnets, and security groups are in scope.
- SOC 2 (CC6.1, CC6.6): Logical access controls and boundary protection. Auditors expect evidence of rule review, change approval, and periodic recertification across all environments.
- KRITIS / BAIT / VAIT: German critical infrastructure and financial regulations require documented change processes for all network security controls, with no exemption for cloud-hosted services.
The challenge is evidence. On-premises firewalls have configuration exports and syslog. AWS has CloudTrail and VPC Flow Logs. Azure has Activity Log and NSG Flow Logs. GCP has Audit Logs and Firewall Rules Logging. Each generates evidence in different formats, stored in different locations, with different retention policies.
A unified cloud firewall management platform consolidates this evidence into a single audit trail. Every rule change — whether it was a Security Group modification in us-east-1, an NSG update in West Europe, or a Palo Alto commit in your data center — appears in one timeline with who changed what, when, why, and who approved it.
What Unified Cloud Firewall Management Looks Like
"Unified" does not mean identical. Each provider's firewall model has legitimate differences that exist for good reasons. Unified management means three things:
Single Pane of Glass
All firewall rules, security groups, and NSGs visible in one interface. Filter by provider, region, compliance framework, or risk level. No context switching between AWS Console, Azure Portal, and GCP Console.
Normalized Policy View
Cross-provider rules translated into a common schema. Identify equivalent rules, conflicting policies, and gaps across environments. "This AWS SG allows 0.0.0.0/0 on port 22" and "this PAN rule allows any-to-any SSH" are the same risk.
Consistent Change Process
Same request-review-approve-implement workflow regardless of whether the change targets an on-prem firewall or a cloud security group. One audit trail. One approval chain. One compliance report.
Common Cloud Firewall Risks
Cloud security groups are easy to create and even easier to misconfigure. Unlike on-premises firewalls where changes typically go through a network team, cloud security groups are often modified by developers, DevOps engineers, or automation pipelines with minimal oversight. These are the patterns we see most frequently:
Open 0.0.0.0/0 Rules
The most common cloud security finding. SSH (22), RDP (3389), or database ports open to the entire internet. Often created during debugging and never reverted.
Stale Security Groups
Security Groups attached to terminated instances or unused ENIs. They accumulate over time and obscure the actual security posture. AWS does not automatically clean them up.
Cross-Account Blind Spots
Organizations with multiple AWS accounts or Azure subscriptions often have no centralized view of security group rules. Each account is managed independently — if at all.
Terraform Drift
Infrastructure-as-code defines the intended state. Console changes create drift. Without continuous monitoring, the actual security group configuration diverges from what Terraform thinks it is.
Building a Hybrid Firewall Management Strategy
If you are managing both on-premises firewalls and cloud security groups, here is a practical approach to unification:
Step 1: Inventory Everything
You cannot manage what you cannot see. Start by building a complete inventory: every firewall, every security group, every NSG, every GCP firewall rule. Include the owner, the last modification date, and the associated workload. Most teams discover 30-40% more security groups than they expected.
Step 2: Define a Common Policy Standard
Establish a normalized rule format that works across providers. At minimum: source, destination, service/port, action, business justification, owner, and review date. Map each provider's native fields to this standard. This becomes your single source of truth for compliance reporting.
Step 3: Unify Change Control
Every security group change should go through the same workflow as an on-premises firewall change: request, risk assessment, approval, implementation, verification. The implementation method differs (API call vs. CLI command), but the governance process is identical. This is what auditors care about.
Step 4: Automate Drift Detection
Cloud environments change faster than on-premises networks. Continuous monitoring catches unauthorized changes, Terraform drift, and policy violations in near real-time. Alert on deviations from your approved baseline — especially 0.0.0.0/0 rules and changes to production security groups.
Step 5: Consolidate Reporting
Generate compliance reports that span all environments. When your PCI QSA asks about network segmentation controls, the answer should not be "let me check three different consoles." A single report covering all firewalls and security groups — with change history, approval records, and current rule analysis — is what separates teams that pass audits from teams that survive them.
Getting Started
Managing cloud security groups alongside traditional firewalls is not optional anymore — it is the baseline expectation for any compliance framework published after 2020. The tools and approaches exist. The challenge is execution.
FwChange provides unified visibility across on-premises firewalls and cloud security groups from AWS, Azure, and GCP. Multi-vendor policy normalization, structured change workflows, and automated compliance mapping — in a single dashboard that deploys in hours, not months.
Start with a free firewall audit to see how your current on-premises and cloud security posture maps to compliance frameworks. No sales call, no commitment — just clarity on where your gaps are.
See How Your Firewall Rules Score
Upload your config and get a free compliance report with shadow rule detection, conflict analysis, and optimization recommendations.
Stay Updated
Get firewall management tips, compliance guides, and product updates.
No spam. Unsubscribe anytime.