docs/guides/platform/migrate-to-linode/migrating-from-aws-security-groups-to-cloud-firewalls/index.md
38 additions & 36 deletions
@@ -14,27 +14,27 @@ external_resources:
14
14
15
15
AWS Security Groups are virtual firewalls that control inbound and outbound traffic to AWS resources like EC2 instances. They operate at the instance level and allow administrators to define traffic rules based on IP addresses, protocols, and ports.
16
16
17
-
[Akamai Cloud Firewall](https://techdocs.akamai.com/cloud-computing/docs/cloud-firewall) is a network-level firewall service that controls traffic for Linode instances and NodeBalancers, Akamai Cloud’s load balancing service. Cloud Firewall supports inbound and outbound traffic management with Linode instances and inbound traffic for NodeBalancers. It operates at [Layers 3 and 4](https://www.akamai.com/glossary/what-are-network-layers), providing IP, protocol, and port filtering.
17
+
[Cloud Firewalls](https://techdocs.akamai.com/cloud-computing/docs/cloud-firewall)on Akamai Cloud is a network-level firewall service that lets users control traffic for Linode instances and NodeBalancers, Akamai Cloud’s load balancing service. Cloud Firewalls support inbound and outbound traffic management for Linode instances and inbound traffic for NodeBalancers. They operate at [Layers 3 and 4](https://www.akamai.com/glossary/what-are-network-layers) of the [OSI model](https://en.wikipedia.org/wiki/OSI_model) (see diagram below), providing IP, protocol, and port filtering.
18
18
19
-

19
+
This guide includes steps on how to migrate a basic security setup from AWS Security Groups to Cloud Firewalls. It covers planning, documenting your configuration, creating equivalent rules with Cloud Firewalls, and testing the results.
20
20
21
-
This guide explains how to migrate a basic security setup from AWS Security Groups to Akamai Cloud Firewall. It covers planning, documenting your configuration, creating equivalent rules on Akamai Cloud Firewall, and testing the results.
21
+

22
22
23
23
## Feature Comparison
24
24
25
-
Before beginning the migration process, it's important to understand the capabilities and limitations of both AWS Security Groups and Akamai Cloud Firewall. This helps you identify which rules can be migrated directly and which require additional configuration.
25
+
Before beginning the migration process, it's important to understand the capabilities and specifications of both AWS Security Groups and Cloud Firewalls. This can help you identify which rules can be migrated directly and which may require additional configuration.
26
26
27
-
### What AWS Security Groups Offer
27
+
### Features of AWS Security Groups
28
28
29
29
AWS Security Groups allow you to create sets of firewall rules that control traffic based on IP addresses, CIDR blocks, ports, and protocols. Security groups are stateful (i.e. return traffic is automatically allowed) and attach directly to the network interfaces of your AWS resources.
30
30
31
-
### What Cloud Firewall Offers
31
+
### Features of Cloud Firewalls
32
32
33
-
Akamai Cloud Firewall is a Layer 3/4 stateless packet filter designed for simplicity and performance. It allows users to specify rules that allow or deny traffic based on source IP, destination port, and protocol (e.g. TCP, UDP, ICMP, and IPEncap). It does not inspect application-layer traffic, but it is effective at managing access to services based on IP and port-level rules.
33
+
Cloud Firewalls on Akamai Cloud is a Layer 3/4 stateless packet filter designed for simplicity and performance. It allows users to specify rules that allow or deny traffic based on source IP, destination port, and protocol (e.g. TCP, UDP, ICMP, and IPEncap). The Cloud Firewalls service does not inspect application-layer traffic; however, it is effective at managing access to services based on IP and port-level rules.
34
34
35
35
### What’s Not Directly Portable
36
36
37
-
Because Akamai Cloud Firewall doesn’t currently support Layer 7 inspection, features such as pattern matching, geographic filtering, and rate limiting cannot be replicated natively. These must be implemented at the application level using reverse proxies like NGINX or additional third-party services.
37
+
Since Cloud Firewalls doesn’t currently support Layer 7 inspection, features such as pattern matching, geographic filtering, and rate limiting cannot be replicated natively. These must be implemented at the application level using reverse proxies like NGINX or other third-party services.
38
38
39
39
## Before You Begin
40
40
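Review bot: the added line `[Cloud Firewalls](https://techdocs.akamai.com/cloud-computing/docs/cloud-firewall)on Akamai Cloud is a network-level firewall service` is missing the space between the link and "on", and the same paragraph changes number mid-way ("Cloud Firewalls ... is", then "They operate"); the later added line "Since Cloud Firewalls doesn't currently support Layer 7 inspection" has the same singular/plural mismatch. Pick one form (for example "the Cloud Firewalls service is ... it operates") and use it consistently. Separately, the unchanged line "Security groups are stateful (i.e. return traffic is automatically allowed)" and the added line "Cloud Firewalls on Akamai Cloud is a Layer 3/4 stateless packet filter" together describe a behavioural difference that matters for a migration (on a stateless filter, return traffic for connections the instance opens is not implicitly allowed), yet the "What's Not Directly Portable" subsection lists only Layer 7 features. Either add a sentence there explaining how return traffic is handled after migration, or verify the "stateless" wording against the linked Cloud Firewall documentation before it ships.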
@@ -46,11 +46,11 @@ Because Akamai Cloud Firewall doesn’t currently support Layer 7 inspection, fe
46
46
47
47
1. You need an AWS account with a user or role that has permission to list, view, and modify EC2 networking settings and Security Groups.
48
48
49
-
1. Ensure the AWS CLI (v2) is installed locally and configured (via `aws configure`) for the appropriate credentials and default region.
49
+
1. Ensure the version 2 of the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) is installed locally and configured (via `aws configure`) for the appropriate credentials and default region.
50
50
51
51
### Example Environment Used in This Guide
52
52
53
-
The example used throughout this guide involves an AWS Security Group associated with a single EC2 instance. The EC2 is configured for several services:
53
+
The example used throughout this guide involves an AWS Security Group associated with a single EC2 instance. The EC2 is configured for multiple services:
54
54
55
55
- Web traffic handled by NGINX on ports `80` and `443`
56
56
- PostgreSQL database on port `5432`
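Review bot: "Ensure the version 2 of the [AWS CLI](...) is installed locally" has a stray article; it should read "Ensure version 2 of the AWS CLI is installed locally". The added link itself is fine.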
@@ -59,13 +59,13 @@ The example used throughout this guide involves an AWS Security Group associated
59
59
60
60
The AWS Security Group is configured with inbound rules to restrict access to known IP addresses.
61
61
62
-
The equivalent setup on Akamai Cloud uses a single Linode instance running the same services. Akamai Cloud Firewall is used to recreate the access controls previously handled by the AWS Security Group.
62
+
The equivalent setup on Akamai Cloud uses a single Linode instance running the same services. The Cloud Firewalls service is used to recreate the access controls previously handled by the AWS Security Group.
63
63
64
64

65
65
66
66
## Document Your Current Configuration
67
67
68
-
Before making changes, it's essential to fully understand your existing AWS EC2 and Security Group configuration. Document how traffic flows to your EC2 instance by noting which ports are open and which services are bound to each port. This can help you set up equivalent access controls using Akamai Cloud Firewall.
68
+
Before making changes, it's essential to fully understand your existing AWS EC2 and Security Group configuration. Document how traffic flows to your EC2 instance by noting which ports are open and which services are bound to each port. This can help you set up equivalent access controls using Cloud Firewalls.
69
69
70
70
### Review AWS Security Group Rules
71
71
@@ -82,7 +82,7 @@ Use the AWS Console or `aws` CLI to export or list your active Security Group ru
82
82

83
83
{{< /tab >}}
84
84
{{< tab "AWS CLI" >}}
85
-
To access this information from the `aws` CLI, run the following commands:
85
+
To access this information using the `aws` CLI, run the following commands:
86
86
87
87
1. Query for security group(s) associated with the EC2 instance, replacing {{< placeholder "AWS_REGION" >}} and {{< placeholder "EC2_INSTANCE_ID" >}} with your values:
88
88
@@ -231,17 +231,17 @@ The example in this guide only has inbound rules, with traffic allowed for speci
231
231
232
232

233
233
234
-
{{< note >}}
234
+
{{< note title="Note Your Own Firewall Configuration">}}
235
235
Your firewall may have both inbound and outbound rules, with traffic allowed or denied for specific IP addresses.
236
236
{{< /note >}}
237
237
238
238
### Plan Your Rule-Mapping Strategy
239
239
240
-
After documenting your AWS configuration, plan how to translate those rules into Akamai Cloud Firewall’s syntax and feature set.
240
+
After documenting your AWS configuration, plan how to translate those rules using the Cloud Firewalls syntax and feature set.
241
241
242
242
In this example, core services are exposed on ports `22`, `80`, `443`, `5432`, and `6379`. The AWS Security Group allows access to certain ports (`5432` and `6379`) only from an approved IP allowlist, while traffic from any source can reach ports `22`, `80`, `443`. These rules must be recreated on Akamai Cloud to maintain equivalent protection.
243
243
244
-
Create a side-by-side comparison, mapping AWS Security Group rules to their Akamai Cloud Firewall equivalents. For example, a rule that allows PostgreSQL traffic (TCP `5432`) from a specific IP should be represented as an Akamai Cloud Firewall rule allowing TCP traffic on port `5432` from that same IP.
244
+
It can be helpful to create a side-by-side comparison, mapping AWS Security Group rules to their Cloud Firewalls equivalents. For example, a rule that allows PostgreSQL traffic (TCP `5432`) from a specific IP should be represented as a Cloud Firewalls rule allowing TCP traffic on port `5432` from that same IP.
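Review bot: "plan how to translate those rules using the Cloud Firewalls syntax and feature set" reads awkwardly; the original "translate those rules into ... syntax and feature set" was the natural construction, so keep "into" and only swap the product name. The new note title `{{< note title="Note Your Own Firewall Configuration">}}` is consistent with the other shortcodes in this file that omit the space before `>}}`, so no change needed there.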
## Create Equivalent Rules on Akamai Cloud Firewall
260
+
## Create Equivalent Rules with Cloud Firewalls
261
261
262
262
Once the planning and documentation are complete, begin building your new configuration in Akamai Cloud.
263
263
264
-
Akamai Cloud Firewall rules can be managed through the [Akamai Cloud Manager](https://cloud.linode.com/) web interface or via the [Linode CLI](https://techdocs.akamai.com/cloud-computing/docs/cli). This section demonstrates both methods.
264
+
Cloud Firewalls rules can be managed through the [Cloud Manager](https://cloud.linode.com/) web interface or via the [Linode CLI](https://techdocs.akamai.com/cloud-computing/docs/cli). This section demonstrates both methods.
265
265
266
-
### Enable Akamai Cloud Firewall
266
+
### Enable Cloud Firewalls
267
267
268
268
{{< tabs >}}
269
-
{{< tab "Akamai Cloud Manager">}}
270
-
1. From the Akamai Cloud Manager, navigate to **Firewalls** and click **Create Firewall**.
269
+
{{< tab "Cloud Manager">}}
270
+
1. While logged into Cloud Manager, navigate to **Firewalls** and click **Create Firewall**.
271
271
272
-
1. Specify a label for the Akamai Cloud Firewall and accept the defaults for the inbound and outbound policies. Initially, you do not need to assign any services. You can focus on rule creation first, then associate services later. Click **Create Firewall**.
272
+
1. Specify a label for the Cloud Firewall and accept the defaults for the inbound and outbound policies, and click **Create Firewall**. Initially, you do not need to assign any services. You can focus on rule creation first, then associate services later.
273
273
274
274
Once the Cloud Firewall has been created, you should see an initially empty list of inbound and outbound firewall rules.
275
275
276
-

276
+

277
277
{{< /tab >}}
278
278
{{< tab "Linode CLI">}}
279
279
Use the Linode CLI to create a firewall, replacing {{< placeholder "CLOUD_FIREWALL_LABEL">}} with a label of your choosing (e.g. `my-cloud-firewall`):
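Review bot: the reordered step "Specify a label for the Cloud Firewall and accept the defaults for the inbound and outbound policies, and click **Create Firewall**. Initially, you do not need to assign any services." now tells the reader to click Create before the sentence about not assigning services, but service assignment happens on the same form before the click, so the guidance arrives too late. Keep the original order (label, defaults, services note, then click), or move "Initially, you do not need to assign any services ..." ahead of the click; also drop one of the two "and"s in "and accept ... and click".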
Recreate each of the rules documented from your AWS Security Group.
301
301
302
302
{{< tabs >}}
303
-
{{< tab "Akamai Cloud Manager">}}
304
-
1. Within the web UI, create a new rule by clicking **Add An Inbound Rule**.
303
+
{{< tab "Cloud Manager">}}
304
+
1. Select your Cloud Firewall, and create a new rule by clicking **Add An Inbound Rule**.
305
305
306
306
1. Specify a label and description for the rule. For example:
307
307
308
-

308
+

309
309
310
310
1. Next, selectthe protocol and which ports to apply this rule to. You can selectfrom commonly used ports or select**Custom** to specify a custom port range. For example:
311
311
312
-

312
+

313
313
314
-
1. For Sources, specify whether you want the rule to apply to **all** IPv4 or IPv6 addresses, or if you want to provide specific IP addresses. If providing specific IP addresses, add them one at a time.
314
+
1. For Sources, specify whether you want the rule to apply to **all** IPv4 or IPv6 addresses, or if you want to provide specific IP addresses. If providing specific IP addresses, add them one at a time. See our guide on [managing firewall rules](https://techdocs.akamai.com/cloud-computing/docs/manage-firewall-rules) for syntax specifications.
315
315
316
-

316
+

317
317
318
318
1. Finally, decide whether the rule is meant to serve as an allowlist (Accept) or denylist (Drop). For this example migration from AWS Security Groups, the action would be Accept. Click **Add Rule**.
319
319
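Review bot: the unchanged context line "Next, selectthe protocol and which ports to apply this rule to. You can selectfrom commonly used ports or select**Custom**" is missing a space after each "select"; since this section is being edited anyway, fix those here. In the added line "Select your Cloud Firewall, and create a new rule by clicking **Add An Inbound Rule**." the comma before "and" is unnecessary for a two-part imperative.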
@@ -448,13 +448,15 @@ When using the web UI, rules must be created one at a time. With the Linode CLI,
448
448
449
449
You can attach multiple Linodes or NodeBalancers to the Cloud Firewall. Note that inbound and outbound rules apply to Linode instances, whereas only inbound rules apply to NodeBalancers.
450
450
451
+
See our additional [migration documentation](https://www.linode.com/docs/guides/platform/migrate-to-linode/) for guidance on migrating other services -- such as compute instances -- to Akamai Cloud.
452
+
451
453
{{< tabs >}}
452
-
{{< tab "Akamai Cloud Manager">}}
454
+
{{< tab "Cloud Manager">}}
453
455
1. Navigate to the **Linodes** tab for your Cloud Firewall and click **Add Linodes to Firewall**:
454
456
455
-

457
+

456
458
457
-
1. From the list, selectwhich Linode (or Linodes) to assign to this Cloud Firewall and click **Add**:
459
+
1. From the list, selectwhich Linode (or Linodes) to assign to the Cloud Firewall and click **Add**:
458
460
459
461

460
462
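Review bot: the added paragraph "See our additional [migration documentation](...) for guidance on migrating other services -- such as compute instances -- to Akamai Cloud." is dropped into the middle of the assign-Linodes procedure, between the sentence about attaching Linodes and NodeBalancers and the `{{< tabs >}}` block, which breaks the flow of the steps; it belongs at the end of the guide (the "Finalize Your Migration" section is the natural home). Use proper dashes or commas rather than "--". The added line "From the list, selectwhich Linode (or Linodes) to assign to the Cloud Firewall" carries forward the missing space in "selectwhich" from the removed line; fix it while the line is being touched.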
@@ -499,7 +501,7 @@ The firewall rules you specified should now be applied to the Linode (or Linodes
499
501
500
502
## Test and Validate Your Configuration
501
503
502
-
After applying rules to your Akamai Cloud Firewall, confirm that they behave as expected under real traffic conditions. Note that your firewall configurations may require different testing methods than those listed in this section.
504
+
After applying rules to your Cloud Firewalls, confirm that they behave as expected under real traffic conditions. Note that your firewall configurations may require different testing methods than those listed in this section.
503
505
504
506
### Simulate Expected and Blocked Traffic
505
507
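Review bot: "After applying rules to your Cloud Firewalls, confirm that they behave as expected" uses the plural, but the guide creates a single firewall ("Once the Cloud Firewall has been created"); "your Cloud Firewall" keeps the example consistent.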
@@ -617,7 +619,7 @@ From an IP on the allowlist, test access to each service and confirm that the co
617
619
618
620
### Log and Monitor Behavior
619
621
620
-
Akamai Cloud Firewall does not provide per-packet or rule-level logging. To verify behavior, rely on logs from the services themselves. For example:
622
+
The Cloud Firewalls service does not show per-packet or rule-level logging. To verify behavior, rely on logs from the services themselves. For example:
621
623
622
624
- NGINX access logs, as configured in individual virtual server configuration files, are found in`/etc/nginx/sites-available`.
623
625
- SSH authentication logs are located at `/var/log/auth.log`.
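Review bot: the change from "does not provide per-packet or rule-level logging" to "does not show per-packet or rule-level logging" weakens an accurate statement; "show" implies the logs exist but are hidden, while the point is that the service does not produce them, so keep "provide". The unchanged bullet "NGINX access logs, as configured in individual virtual server configuration files, are found in`/etc/nginx/sites-available`" is also wrong as written: that directory holds the virtual server configuration files, which set the `access_log` path, while the logs themselves default to `/var/log/nginx/access.log`; reword it and add the missing space before the backtick.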
@@ -630,14 +632,14 @@ Connection and activity logs from these services can help to confirm whether tra
630
632
631
633
Ongoing monitoring helps identify any overlooked configuration issues or unexpected traffic patterns. Continue observing application logs and metrics post-migration. Make sure services are available to intended users and there are no spikes in error rates or timeouts.
632
634
633
-
If legitimate traffic is being blocked or malicious traffic is being allowed, refine your Akamai Cloud Firewall rules. It may take a few iterations to achieve parity with your original AWS Security Group behavior.
635
+
If legitimate traffic is being blocked or malicious traffic is being allowed, refine your Cloud Firewalls rules. It may take a few iterations to achieve parity with your original AWS Security Group behavior.
634
636
635
637
## Finalize Your Migration
636
638
637
639
Once you've validated the new firewall configuration, clean up legacy resources and update internal references:
638
640
639
641
- Find components that were connecting with your AWS EC2 instance.
640
-
- Create equivalent Akamai Cloud Firewall rules to allow traffic from legitimate components.
642
+
- Create equivalent rules with Cloud Firewalls to allow traffic from legitimate components.
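Review bot: "refine your Cloud Firewalls rules" stacks two nouns awkwardly; "refine your Cloud Firewall rules" reads cleanly and matches the singular firewall used in the example. The final bullet "Create equivalent rules with Cloud Firewalls to allow traffic from legitimate components." is fine as is.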