Commit 1576a18

committed
copy edits
1 parent 5db0bfd commit 1576a18

3 files changed

Lines changed: 124 additions & 122 deletions

File tree

  • docs/guides/platform/migrate-to-linode
    • migrating-from-aws-security-groups-to-cloud-firewalls
    • migrating-from-azure-firewall-to-cloud-firewalls
    • migrating-from-google-cloud-next-generation-firewall-to-cloud-firewalls

docs/guides/platform/migrate-to-linode/migrating-from-aws-security-groups-to-cloud-firewalls/index.md

Lines changed: 38 additions & 36 deletions
@@ -14,27 +14,27 @@ external_resources:
1414

1515
AWS Security Groups are virtual firewalls that control inbound and outbound traffic to AWS resources like EC2 instances. They operate at the instance level and allow administrators to define traffic rules based on IP addresses, protocols, and ports.
1616

17-
[Akamai Cloud Firewall](https://techdocs.akamai.com/cloud-computing/docs/cloud-firewall) is a network-level firewall service that controls traffic for Linode instances and NodeBalancers, Akamai Cloud’s load balancing service. Cloud Firewall supports inbound and outbound traffic management with Linode instances and inbound traffic for NodeBalancers. It operates at [Layers 3 and 4](https://www.akamai.com/glossary/what-are-network-layers), providing IP, protocol, and port filtering.
17+
[Cloud Firewalls](https://techdocs.akamai.com/cloud-computing/docs/cloud-firewall) on Akamai Cloud is a network-level firewall service that lets users control traffic for Linode instances and NodeBalancers, Akamai Cloud’s load balancing service. Cloud Firewalls support inbound and outbound traffic management for Linode instances and inbound traffic for NodeBalancers. They operate at [Layers 3 and 4](https://www.akamai.com/glossary/what-are-network-layers) of the [OSI model](https://en.wikipedia.org/wiki/OSI_model) (see diagram below), providing IP, protocol, and port filtering.
1818

19-
![OSI layers 1–7 with attack vectors noted for Layers 3 (Network), 4 (Transport), 5 (Session), and 7 (Application).](network-layers-diagram.png)
19+
This guide includes steps on how to migrate a basic security setup from AWS Security Groups to Cloud Firewalls. It covers planning, documenting your configuration, creating equivalent rules with Cloud Firewalls, and testing the results.
2020

21-
This guide explains how to migrate a basic security setup from AWS Security Groups to Akamai Cloud Firewall. It covers planning, documenting your configuration, creating equivalent rules on Akamai Cloud Firewall, and testing the results.
21+
![OSI layers 1–7 with attack vectors noted for Layers 3 (Network), 4 (Transport), 5 (Session), and 7 (Application).](network-layers-diagram.png)
2222

2323
## Feature Comparison
2424

25-
Before beginning the migration process, it's important to understand the capabilities and limitations of both AWS Security Groups and Akamai Cloud Firewall. This helps you identify which rules can be migrated directly and which require additional configuration.
25+
Before beginning the migration process, it's important to understand the capabilities and specifications of both AWS Security Groups and Cloud Firewalls. This can help you identify which rules can be migrated directly and which may require additional configuration.
2626

27-
### What AWS Security Groups Offer
27+
### Features of AWS Security Groups
2828

2929
AWS Security Groups allow you to create sets of firewall rules that control traffic based on IP addresses, CIDR blocks, ports, and protocols. Security groups are stateful (i.e. return traffic is automatically allowed) and attach directly to the network interfaces of your AWS resources.
3030

31-
### What Cloud Firewall Offers
31+
### Features of Cloud Firewalls
3232

33-
Akamai Cloud Firewall is a Layer 3/4 stateless packet filter designed for simplicity and performance. It allows users to specify rules that allow or deny traffic based on source IP, destination port, and protocol (e.g. TCP, UDP, ICMP, and IPEncap). It does not inspect application-layer traffic, but it is effective at managing access to services based on IP and port-level rules.
33+
Cloud Firewalls on Akamai Cloud is a Layer 3/4 stateless packet filter designed for simplicity and performance. It allows users to specify rules that allow or deny traffic based on source IP, destination port, and protocol (e.g. TCP, UDP, ICMP, and IPEncap). The Cloud Firewalls service does not inspect application-layer traffic; however, it is effective at managing access to services based on IP and port-level rules.
3434

3535
### What’s Not Directly Portable
3636

37-
Because Akamai Cloud Firewall doesn’t currently support Layer 7 inspection, features such as pattern matching, geographic filtering, and rate limiting cannot be replicated natively. These must be implemented at the application level using reverse proxies like NGINX or additional third-party services.
37+
Since Cloud Firewalls doesn’t currently support Layer 7 inspection, features such as pattern matching, geographic filtering, and rate limiting cannot be replicated natively. These must be implemented at the application level using reverse proxies like NGINX or other third-party services.
3838

3939
## Before You Begin
4040

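Review bot: The "What's Not Directly Portable" paragraph (new line 37) lists only Layer 7 features as non-portable, but the context at line 29 describes Security Groups as stateful while new line 33 describes Cloud Firewalls as a stateless packet filter. If that difference changes how return traffic has to be handled after migration, it belongs in this paragraph; if "stateless" is not accurate, correct it at line 33. Separately, new line 17 treats the product name as singular ("Cloud Firewalls ... is a network-level firewall service") and then as plural ("Cloud Firewalls support", "They operate"); pick one number and use it throughout, including line 33.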
@@ -46,11 +46,11 @@ Because Akamai Cloud Firewall doesn’t currently support Layer 7 inspection, fe
4646

4747
1. You need an AWS account with a user or role that has permission to list, view, and modify EC2 networking settings and Security Groups.
4848

49-
1. Ensure the AWS CLI (v2) is installed locally and configured (via `aws configure`) for the appropriate credentials and default region.
49+
1. Ensure the version 2 of the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) is installed locally and configured (via `aws configure`) for the appropriate credentials and default region.
5050

5151
### Example Environment Used in This Guide
5252

53-
The example used throughout this guide involves an AWS Security Group associated with a single EC2 instance. The EC2 is configured for several services:
53+
The example used throughout this guide involves an AWS Security Group associated with a single EC2 instance. The EC2 is configured for multiple services:
5454

5555
- Web traffic handled by NGINX on ports `80` and `443`
5656
- PostgreSQL database on port `5432`
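Review bot: New line 49 reads "Ensure the version 2 of the [AWS CLI] ... is installed", and the stray article makes the sentence ungrammatical. Suggest "Ensure that version 2 of the AWS CLI is installed locally and configured (via `aws configure`) ...", keeping the new install link.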
@@ -59,13 +59,13 @@ The example used throughout this guide involves an AWS Security Group associated
5959

6060
The AWS Security Group is configured with inbound rules to restrict access to known IP addresses.
6161

62-
The equivalent setup on Akamai Cloud uses a single Linode instance running the same services. Akamai Cloud Firewall is used to recreate the access controls previously handled by the AWS Security Group.
62+
The equivalent setup on Akamai Cloud uses a single Linode instance running the same services. The Cloud Firewalls service is used to recreate the access controls previously handled by the AWS Security Group.
6363

6464
![Architecture diagram of AWS EC2 instance and services environment with equivalent setup on Akamai Cloud.](example-environment-architecture.svg)
6565

6666
## Document Your Current Configuration
6767

68-
Before making changes, it's essential to fully understand your existing AWS EC2 and Security Group configuration. Document how traffic flows to your EC2 instance by noting which ports are open and which services are bound to each port. This can help you set up equivalent access controls using Akamai Cloud Firewall.
68+
Before making changes, it's essential to fully understand your existing AWS EC2 and Security Group configuration. Document how traffic flows to your EC2 instance by noting which ports are open and which services are bound to each port. This can help you set up equivalent access controls using Cloud Firewalls.
6969

7070
### Review AWS Security Group Rules
7171

@@ -82,7 +82,7 @@ Use the AWS Console or `aws` CLI to export or list your active Security Group ru
8282
![AWS Console screenshot listing EC2 Security Group rules.](security-group-rules-list.png)
8383
{{< /tab >}}
8484
{{< tab "AWS CLI" >}}
85-
To access this information from the `aws` CLI, run the following commands:
85+
To access this information using the `aws` CLI, run the following commands:
8686

8787
1. Query for security group(s) associated with the EC2 instance, replacing {{< placeholder "AWS_REGION" >}} and {{< placeholder "EC2_INSTANCE_ID" >}} with your values:
8888

@@ -231,17 +231,17 @@ The example in this guide only has inbound rules, with traffic allowed for speci
231231

232232
![Visual flowchart of inbound port permissions in the example setup.](inbound-permissions-diagram.svg)
233233

234-
{{< note >}}
234+
{{< note title="Note Your Own Firewall Configuration" >}}
235235
Your firewall may have both inbound and outbound rules, with traffic allowed or denied for specific IP addresses.
236236
{{< /note >}}
237237

238238
### Plan Your Rule-Mapping Strategy
239239

240-
After documenting your AWS configuration, plan how to translate those rules into Akamai Cloud Firewall’s syntax and feature set.
240+
After documenting your AWS configuration, plan how to translate those rules using the Cloud Firewalls syntax and feature set.
241241

242242
In this example, core services are exposed on ports `22`, `80`, `443`, `5432`, and `6379`. The AWS Security Group allows access to certain ports (`5432` and `6379`) only from an approved IP allowlist, while traffic from any source can reach ports `22`, `80`, `443`. These rules must be recreated on Akamai Cloud to maintain equivalent protection.
243243

244-
Create a side-by-side comparison, mapping AWS Security Group rules to their Akamai Cloud Firewall equivalents. For example, a rule that allows PostgreSQL traffic (TCP `5432`) from a specific IP should be represented as an Akamai Cloud Firewall rule allowing TCP traffic on port `5432` from that same IP.
244+
It can be helpful to create a side-by-side comparison, mapping AWS Security Group rules to their Cloud Firewalls equivalents. For example, a rule that allows PostgreSQL traffic (TCP `5432`) from a specific IP should be represented as a Cloud Firewalls rule allowing TCP traffic on port `5432` from that same IP.
245245

246246
### Back up Your Existing Configuration
247247

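Review bot: New line 244 turns the instruction "Create a side-by-side comparison" into the optional "It can be helpful to create a side-by-side comparison", yet the later step "Recreate each of the rules documented from your AWS Security Group" depends on that mapping existing. Keep the imperative so the rule mapping stays a required planning step; this matters most for the allowlisted ports `5432` and `6379` in line 242, where a missed rule changes who can reach those services. In the same line, "a Cloud Firewalls rule" reads awkwardly next to "the Cloud Firewall" used in the UI steps.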
@@ -257,23 +257,23 @@ aws ec2 describe-security-group-rules \
257257
> sg-rules.json
258258
```
259259

260-
## Create Equivalent Rules on Akamai Cloud Firewall
260+
## Create Equivalent Rules with Cloud Firewalls
261261

262262
Once the planning and documentation are complete, begin building your new configuration in Akamai Cloud.
263263

264-
Akamai Cloud Firewall rules can be managed through the [Akamai Cloud Manager](https://cloud.linode.com/) web interface or via the [Linode CLI](https://techdocs.akamai.com/cloud-computing/docs/cli). This section demonstrates both methods.
264+
Cloud Firewalls rules can be managed through the [Cloud Manager](https://cloud.linode.com/) web interface or via the [Linode CLI](https://techdocs.akamai.com/cloud-computing/docs/cli). This section demonstrates both methods.
265265

266-
### Enable Akamai Cloud Firewall
266+
### Enable Cloud Firewalls
267267

268268
{{< tabs >}}
269-
{{< tab "Akamai Cloud Manager" >}}
270-
1. From the Akamai Cloud Manager, navigate to **Firewalls** and click **Create Firewall**.
269+
{{< tab "Cloud Manager" >}}
270+
1. While logged into Cloud Manager, navigate to **Firewalls** and click **Create Firewall**.
271271

272-
1. Specify a label for the Akamai Cloud Firewall and accept the defaults for the inbound and outbound policies. Initially, you do not need to assign any services. You can focus on rule creation first, then associate services later. Click **Create Firewall**.
272+
1. Specify a label for the Cloud Firewall and accept the defaults for the inbound and outbound policies, and click **Create Firewall**. Initially, you do not need to assign any services. You can focus on rule creation first, then associate services later.
273273

274274
Once the Cloud Firewall has been created, you should see an initially empty list of inbound and outbound firewall rules.
275275

276-
![Akamai Cloud Manager screenshot showing newly created firewall.](cloudmanager-firewall-created-ui.png)
276+
![Cloud Manager screenshot showing newly created firewall.](cloudmanager-firewall-created-ui.png)
277277
{{< /tab >}}
278278
{{< tab "Linode CLI" >}}
279279
Use the Linode CLI to create a firewall, replacing {{< placeholder "CLOUD_FIREWALL_LABEL" >}} with a label of your choosing (e.g. `my-cloud-firewall`):
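Review bot: New line 272 tells the reader to "accept the defaults for the inbound and outbound policies" without saying what those defaults are. In a firewall migration guide the default policy decides what happens to traffic that matches no rule, so name the default inbound and outbound values here, or point to where Cloud Manager shows them. The sentence also chains two "and" clauses; splitting it into "Specify a label ... policies." and "Click **Create Firewall**." would read more cleanly.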
@@ -300,20 +300,20 @@ linode-cli firewalls create \
300300
Recreate each of the rules documented from your AWS Security Group.
301301

302302
{{< tabs >}}
303-
{{< tab "Akamai Cloud Manager" >}}
304-
1. Within the web UI, create a new rule by clicking **Add An Inbound Rule**.
303+
{{< tab "Cloud Manager" >}}
304+
1. Select your Cloud Firewall, and create a new rule by clicking **Add An Inbound Rule**.
305305

306306
1. Specify a label and description for the rule. For example:
307307

308-
![Akamai Cloud Manager UI for adding an inbound firewall rule.](add-inbound-rule-ui.png)
308+
![Cloud Manager UI for adding an inbound firewall rule.](add-inbound-rule-ui.png)
309309

310310
1. Next, select the protocol and which ports to apply this rule to. You can select from commonly used ports or select **Custom** to specify a custom port range. For example:
311311

312-
![Akamai Cloud Manager UI for selecting protocol and port range.](specify-port-range-ui.png)
312+
![Cloud Manager UI for selecting protocol and port range.](specify-port-range-ui.png)
313313

314-
1. For Sources, specify whether you want the rule to apply to **all** IPv4 or IPv6 addresses, or if you want to provide specific IP addresses. If providing specific IP addresses, add them one at a time.
314+
1. For Sources, specify whether you want the rule to apply to **all** IPv4 or IPv6 addresses, or if you want to provide specific IP addresses. If providing specific IP addresses, add them one at a time. See our guide on [managing firewall rules](https://techdocs.akamai.com/cloud-computing/docs/manage-firewall-rules) for syntax specifications.
315315

316-
![Akamai Cloud Manager UI for entering source IP addresses.](specify-source-addresses-ui.png)
316+
![Cloud Manager UI for entering source IP addresses.](specify-source-addresses-ui.png)
317317

318318
1. Finally, decide whether the rule is meant to serve as an allowlist (Accept) or denylist (Drop). For this example migration from AWS Security Groups, the action would be Accept. Click **Add Rule**.
319319

@@ -448,13 +448,15 @@ When using the web UI, rules must be created one at a time. With the Linode CLI,
448448

449449
You can attach multiple Linodes or NodeBalancers to the Cloud Firewall. Note that inbound and outbound rules apply to Linode instances, whereas only inbound rules apply to NodeBalancers.
450450

451+
See our additional [migration documentation](https://www.linode.com/docs/guides/platform/migrate-to-linode/) for guidance on migrating other services -- such as compute instances -- to Akamai Cloud.
452+
451453
{{< tabs >}}
452-
{{< tab "Akamai Cloud Manager" >}}
454+
{{< tab "Cloud Manager" >}}
453455
1. Navigate to the **Linodes** tab for your Cloud Firewall and click **Add Linodes to Firewall**:
454456

455-
![Akamai Cloud Manager UI for attaching Linodes to the firewall.](attach-instances-ui.png)
457+
![Cloud Manager UI for attaching Linodes to the firewall.](attach-instances-ui.png)
456458

457-
1. From the list, select which Linode (or Linodes) to assign to this Cloud Firewall and click **Add**:
459+
1. From the list, select which Linode (or Linodes) to assign to the Cloud Firewall and click **Add**:
458460

459461
![List of Linode instances attached to the firewall in the UI.](attached-linodes-list-ui.png)
460462

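Review bot: The sentence added at new line 451 sits between the paragraph about attaching Linodes and NodeBalancers and the tabs that carry the attach steps, so it interrupts the procedure with an unrelated cross-reference. Move it to the end of the guide, for example under "Finalize Your Migration". It also links to `https://www.linode.com/docs/guides/platform/migrate-to-linode/` as an absolute URL even though this file lives under `docs/guides/platform/migrate-to-linode/`; consider a site-relative link if the docs use them for in-repo guides.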
@@ -499,7 +501,7 @@ The firewall rules you specified should now be applied to the Linode (or Linodes
499501

500502
## Test and Validate Your Configuration
501503

502-
After applying rules to your Akamai Cloud Firewall, confirm that they behave as expected under real traffic conditions. Note that your firewall configurations may require different testing methods than those listed in this section.
504+
After applying rules to your Cloud Firewalls, confirm that they behave as expected under real traffic conditions. Note that your firewall configurations may require different testing methods than those listed in this section.
503505

504506
### Simulate Expected and Blocked Traffic
505507

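Review bot: New line 504 says "your Cloud Firewalls", but the guide creates and attaches a single firewall and the UI steps call it "the Cloud Firewall". Suggest "After applying rules to your Cloud Firewall, confirm ..." so the product name (plural) and the resource (singular) stay distinct.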
@@ -617,7 +619,7 @@ From an IP on the allowlist, test access to each service and confirm that the co
617619

618620
### Log and Monitor Behavior
619621

620-
Akamai Cloud Firewall does not provide per-packet or rule-level logging. To verify behavior, rely on logs from the services themselves. For example:
622+
The Cloud Firewalls service does not show per-packet or rule-level logging. To verify behavior, rely on logs from the services themselves. For example:
621623

622624
- NGINX access logs, as configured in individual virtual server configuration files, are found in `/etc/nginx/sites-available`.
623625
- SSH authentication logs are located at `/var/log/auth.log`.
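Review bot: Changing "does not provide" to "does not show" at new line 622 makes the logging statement ambiguous: it now reads as if per-packet or rule-level logs exist but are hidden. Since the next sentence tells readers to rely on service logs, keep "does not provide" unless the product behavior actually changed. While here, the context bullet at new line 624 says NGINX access logs "are found in `/etc/nginx/sites-available`"; as worded that places the logs in the configuration directory, so it is worth rewording to say the log path is set in the files there.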
@@ -630,14 +632,14 @@ Connection and activity logs from these services can help to confirm whether tra
630632

631633
Ongoing monitoring helps identify any overlooked configuration issues or unexpected traffic patterns. Continue observing application logs and metrics post-migration. Make sure services are available to intended users and there are no spikes in error rates or timeouts.
632634

633-
If legitimate traffic is being blocked or malicious traffic is being allowed, refine your Akamai Cloud Firewall rules. It may take a few iterations to achieve parity with your original AWS Security Group behavior.
635+
If legitimate traffic is being blocked or malicious traffic is being allowed, refine your Cloud Firewalls rules. It may take a few iterations to achieve parity with your original AWS Security Group behavior.
634636

635637
## Finalize Your Migration
636638

637639
Once you've validated the new firewall configuration, clean up legacy resources and update internal references:
638640
639641
- Find components that were connecting with your AWS EC2 instance.
640-
- Create equivalent Akamai Cloud Firewall rules to allow traffic from legitimate components.
642+
- Create equivalent rules with Cloud Firewalls to allow traffic from legitimate components.
641643
- Remove the AWS Security Group.
642644
- Remove the AWS EC2 instance.
643645
