Enhanced Traffic Control: Define Custom IPv4 Protocols for VPC Security and ACL Rules
NACLs are like a country’s immigration control deciding who can enter or leave the country (subnet), while Security Groups are like state-level checkpoints controlling who can access specific areas or facilities (instances) within it.
Organizations aim to enhance their network security posture by implementing fine-grained traffic control across VPC resources that host and run critical workloads on the cloud. Achieving effective traffic management requires a layered approach, providing multiple checkpoints for traffic inspection and control across subnet-level and instance-level resources within the cloud environment.
A strong cloud security posture enables the implementation of security controls which help prevent unauthorized access and ensure secure communication across VPC resources.
Introducing foundational firewall security controls within IBM Cloud network VPC through Security groups and Network Access control layers
Security Groups and Network ACLs are crucial components of a robust VPC security strategy, designed to regulate and protect network traffic. This feature enhancement introduces the capability to define all IPv4 protocols within VPC Network ACLs and Security Group rules, enabling more granular control over resource connectivity across multi-cloud and hybrid infrastructures. By doing so, organizations can strengthen security, support seamless workload integration, and scale their enterprise growth through enhanced scalability and pervasive connectivity use cases.
Complexities of fine-grained traffic control
Organizations seek to establish strong security by implementing effective traffic control mechanisms within their VPC environments. There are several ways to achieve this, such as configuring Security Groups, Network ACLs, or selectively disabling anti-spoofing for specific network functions that require advanced traffic handling.
Challenges of disabling anti-spoofing
Anti-spoofing validates the source IP address of incoming packets and prevents malicious actors from sending packets with forged (spoofed) IP addresses. Disabling it can introduce multiple issues and operational challenges within a VPC environment.
- Increases the risk of spoofed traffic, lateral attacks, and traceability issues — so it should only be disabled for trusted, controlled workloads.
- This added complexity not only heightens security risks but also makes network troubleshooting, auditing, and compliance enforcement more difficult, especially in large-scale or hybrid cloud environments.
Security Groups and NACLs control inbound and outbound traffic to and from network resources based on protocol, port, and IP address — essentially acting as a secure firewall.
Security Groups and Network ACLs offer broader and more flexible protection compared to anti-spoofing mechanisms alone. While anti-spoofing primarily validates the authenticity of source IP addresses, SGs and NACLs provide fine-grained, policy-based traffic control at both the instance and subnet levels. They enable organizations to define precise inbound and outbound rules based on IP ranges, ports, and protocols, ensuring controlled and authorized communication across workloads. Additionally, these controls are easier to manage and audit, support scalable configurations across hybrid and multi-cloud environments, and enhance defence-in-depth by complementing anti-spoofing with stateful and stateless filtering capabilities.
Security Groups and Network ACLs together form the foundational firewall security controls within a VPC. They enable organizations to define and enforce granular traffic rules that protect workloads at both the subnet and instance levels. While Network ACLs act as stateless, subnet-level filters managing inbound and outbound traffic at the network boundary, Security Groups serve as stateful, instance-level firewalls that control access to individual resources. This layered approach strengthens the overall security posture by providing multiple checkpoints for traffic inspection and control.
Enterprise workflows are designed to support and configure complex network topologies, facilitating the deployment of IPv4 protocols across a multi-cloud hybrid infrastructure, with a strong emphasis on security across on-premises environments and other cloud providers.
The enhanced traffic control feature introduces support for all IPv4 protocols, enabling the creation of comprehensive VPC Network ACL and Security Group rule policies for improved network security management.
Fig 2: IBM Cloud fine-grained security control via SG and NACL for all IPv4 protocols
Benefits of Enhanced Traffic Control: Define Custom IPv4 Protocols for VPC Security Group and ACL Rules
Enabling Security Groups and Network ACLs to support all IPv4 protocols enhances flexibility, control, and security across cloud environments. It allows administrators to define traffic rules for a wider range of applications and services that use custom or non-standard protocols beyond TCP, UDP, and ICMP. This comprehensive support ensures consistent enforcement of security policies across diverse workloads, simplifies policy management for hybrid and multi-cloud deployments, and reduces the risk of misconfigurations or exposure from unsupported protocols. Ultimately, it improves network visibility, compliance, and the overall security posture of VPC environments.
Use Cases: When to use Security Group and ACL Rules
- Custom Application Protocols (GRE, ESP, AH): Secure and manage workloads using tunnelling or encryption protocols such as GRE (47), ESP (50), and AH (51) for VPN and custom network services.
- Network Appliances (IP-in-IP, ICMP, IGMP): Support virtual appliances such as firewalls, load balancers, and NAT gateways that rely on IP-in-IP (4), ICMP (1), or IGMP (2).
Enhance user experience through secure network configuration using SG and NACL in IBM Cloud
To ensure a secure and compliant cloud environment, a Virtual Private Cloud (VPC) will be provisioned on IBM Cloud with well-defined Security Group (SG) and Network Access Control List (NACL) rules. These configurations will provide layered network protection by controlling inbound and outbound traffic at both the instance and subnet levels, enhancing overall application security and network isolation. The approach ensures that workloads within the VPC adhere to best practices for access control, minimizing exposure and strengthening the security posture of the deployment.
The following snapshot illustrates enhanced IPv4 protocol support, which can be secured through SG and NACL configurations supporting all protocols defined by IANA.
Fig 3: The interface for selecting protocols—by name or number—when configuring IPv4 Security Group and ACL rules.
The figure illustrates a user interface designed to help configure network protocols when creating IPv4 Security Group (SG) and Access Control List (ACL) rules. It provides options to select protocols either by their commonly known names or by their corresponding numeric values, giving users flexibility based on their preference or requirement. This interface aims to simplify the rule-creation process by making protocol identification more intuitive. Users can easily browse the available protocol types and choose the one that aligns with their security or traffic-control needs. By supporting both numeric and named protocol representations, the interface ensures compatibility with various networking standards (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). It also helps reduce configuration errors by clearly displaying protocol options. The interface is particularly useful for administrators who manage complex network environments. It allows them to precisely define how traffic is filtered or allowed. Overall, the figure highlights a streamlined method for selecting the right protocol while setting up SG or ACL configurations.
Fig 4: Preview the rules that are created based on the protocols chosen.
The interface provides a preview of the rules that are generated based on the selected protocols. This helps users verify whether the configurations match their intended network policies. It ensures accuracy before the rules are finalized and applied.
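The following is an added example, not IBM Cloud code or its API: a small model of the workflow the page describes, resolving a protocol by IANA name or number (as in Fig 3), rendering a rule preview (as in Fig 4), and evaluating sample traffic first through a stateless subnet-level NACL and then through a stateful instance-level Security Group. The protocol table is a constructed subset of the IANA registry covering the page's use cases (ICMP 1, IGMP 2, IP-in-IP 4, GRE 47, ESP 50, AH 51); the function and class names are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subset of the IANA protocol-number registry (constructed); numbers match the page's use cases.
PROTOCOLS = {"icmp": 1, "igmp": 2, "ipip": 4, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}
BY_NUMBER = {num: name for name, num in PROTOCOLS.items()}

def resolve_protocol(spec):
    """Accept a protocol by name ('gre') or number ('47'/47) and return (name, number).
    Unknown names and numbers outside 0-255 are rejected instead of silently accepted."""
    text = str(spec).strip().lower()
    if text in PROTOCOLS:
        return text, PROTOCOLS[text]
    if text.isdigit() and int(text) <= 255:
        return BY_NUMBER.get(int(text), f"proto-{int(text)}"), int(text)
    raise ValueError(f"unknown IPv4 protocol: {spec!r}")

@dataclass(frozen=True)
class Rule:
    direction: str         # "inbound" or "outbound"
    protocol: int          # IANA protocol number
    remote: str            # CIDR of the remote side
    action: str = "allow"  # NACL rules may also "deny"; Security Group rules only allow

def make_rule(direction, proto_spec, remote, action="allow"):
    return Rule(direction, resolve_protocol(proto_spec)[1], str(ip_network(remote)), action)

def preview(rules):
    """Render rules the way a review pane would, e.g. 'inbound allow gre(47) from 10.0.0.0/8'."""
    return [f"{r.direction} {r.action} {BY_NUMBER.get(r.protocol, 'proto')}({r.protocol}) "
            f"{'from' if r.direction == 'inbound' else 'to'} {r.remote}" for r in rules]

def _matches(rule, direction, protocol, remote_ip):
    return (rule.direction == direction and rule.protocol == protocol
            and ip_address(remote_ip) in ip_network(rule.remote))

def nacl_permits(rules, direction, protocol, remote_ip):
    """Stateless subnet filter: first match wins, implicit deny, and each direction
    of a flow needs its own rule because nothing tracks connections."""
    for rule in rules:
        if _matches(rule, direction, protocol, remote_ip):
            return rule.action == "allow"
    return False

def sg_permits(rules, direction, protocol, remote_ip, tracked=frozenset()):
    """Stateful instance filter: allow-only rules, and traffic belonging to a flow
    already in `tracked` (as (protocol, remote_ip) pairs) passes without a rule."""
    if (protocol, remote_ip) in tracked:
        return True
    return any(_matches(r, direction, protocol, remote_ip) for r in rules)
```

Note that a GRE tunnel passing a NACL needs both an inbound and an outbound rule, while the Security Group only needs the initiating direction; the model makes that difference visible before rules are applied.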
In conclusion, the introduction of IBM Cloud custom IPv4 protocol support in Security Groups and Network ACLs empowers organizations to achieve fine-grained, protocol-level traffic control across their VPC environments. This capability not only enhances security posture and compliance but also broadens support for specialized workloads such as VPNs, network appliances, and hybrid routing setups. By defining rules based on specific protocol identifiers, enterprises can implement precise segmentation, optimize observability, and ensure consistent policy enforcement across diverse network architectures.
To learn more about SGs and NACLs and start implementing them for your business needs, refer to the Security Group and NACL Guide.
Senior Product Manager, IBM IaaS Networking