Module 10: Network and Virtualization Security
Cloud network security questions test whether you understand that traditional network controls (firewalls, IDS) still apply but are implemented differently. The exam expects you to know what changes in virtualized, multi-tenant network environments — and what stays the same.
Virtual Networks and Isolation
Cloud providers create virtual networks that logically isolate tenants sharing the same physical infrastructure. The exam tests your understanding of how this isolation is achieved and where it can fail.
Virtual Private Clouds (VPCs)
A VPC is a logically isolated network within the cloud provider's infrastructure. The customer defines subnets, route tables, and access controls. The exam expects you to know that VPCs provide isolation from other tenants but the underlying physical network is shared. If a question asks about network-level multi-tenant isolation, VPCs are the primary mechanism.
Microsegmentation
Traditional network segmentation uses VLANs and subnets. Cloud microsegmentation applies security policies at the individual workload level — each VM, container, or serverless function can have its own security rules. The exam treats microsegmentation as a cloud-native improvement over traditional network segmentation.
Cloud Firewalls and Security Groups
Cloud security groups and network ACLs replace traditional firewall appliances. The exam tests the difference between stateful and stateless rules:
- Security groups (stateful): If you allow inbound traffic, the return traffic is automatically allowed. Rules only need to specify one direction.
- Network ACLs (stateless): Each direction must be explicitly configured. Inbound rules do not automatically create return path rules.
The exam may present a scenario where a network ACL blocks legitimate return traffic because the administrator only configured inbound rules. Understanding stateful vs. stateless is essential.
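The scenario above, as an added example that is not part of the study guide: a small Python model of how a stateful security group and a stateless network ACL judge the same TCP exchange. The rule syntax, addresses and ports are constructed for illustration and do not mirror any provider's API; the point is that the same inbound-only rule set admits the reply under the stateful model and drops it under the stateless one until an outbound rule for the ephemeral port range is added.

```python
"""Added example, not from the study guide: a small model of how a stateful
security group and a stateless network ACL evaluate the same TCP exchange.
Rule syntax, addresses and ports are constructed for illustration and do not
mirror any provider's API."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    direction: str  # "in" = towards the instance, "out" = away from it


@dataclass(frozen=True)
class Rule:
    direction: str           # "in" or "out"
    port_lo: int             # destination-port range the rule covers
    port_hi: int
    cidr: str = "0.0.0.0/0"  # remote peer the rule applies to
    action: str = "allow"    # NACLs may also carry "deny"; security groups only allow

    def matches(self, pkt: Packet) -> bool:
        peer = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        return (self.direction == pkt.direction
                and self.port_lo <= pkt.dst_port <= self.port_hi
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful: a packet allowed by a rule creates a flow entry, and the
    reply packets of that flow are allowed without a rule for that direction."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Tuple[str, str, int, int]] = set()

    def evaluate(self, pkt: Packet) -> str:
        if (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port) in self.flows:
            return "allow"  # return traffic of a flow that was already admitted
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add((pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port))
            return "allow"
        return "deny"       # implicit deny when no rule matches


class NetworkAcl:
    """Stateless: every packet is judged on its own against an ordered rule
    list, first match wins, and nothing is remembered between packets."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def evaluate(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return "deny"


# Constructed exchange: an HTTPS client reaches a web instance, which replies.
REQUEST = Packet("203.0.113.10", "10.0.1.5", 51234, 443, "in")
REPLY = Packet("10.0.1.5", "203.0.113.10", 443, 51234, "out")


def run_scenario() -> dict:
    """Evaluate the request and its reply under three rule sets and return
    the (request_verdict, reply_verdict) pairs keyed by configuration."""
    inbound_only = [Rule("in", 443, 443)]
    sg = SecurityGroup(inbound_only)
    nacl_inbound_only = NetworkAcl(inbound_only)
    # The fix for the stateless ACL: an outbound rule covering the ephemeral
    # port range that the client's reply will be addressed to.
    nacl_fixed = NetworkAcl(inbound_only + [Rule("out", 1024, 65535)])
    return {
        "security_group": (sg.evaluate(REQUEST), sg.evaluate(REPLY)),
        "nacl_inbound_only": (nacl_inbound_only.evaluate(REQUEST),
                              nacl_inbound_only.evaluate(REPLY)),
        "nacl_with_ephemeral_egress": (nacl_fixed.evaluate(REQUEST),
                                       nacl_fixed.evaluate(REPLY)),
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(f"{name:28s} request={verdicts[0]:5s} reply={verdicts[1]}")
```

Running it prints the security group allowing both packets, the inbound-only NACL allowing the request but denying the reply, and the NACL with the outbound ephemeral-port rule allowing both. The ephemeral range used here (1024 to 65535) is a broad placeholder; the exact range depends on the client operating system and should be narrowed where the environment allows.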
Software-Defined Networking (SDN)
SDN separates the control plane from the data plane, allowing programmatic network management. In cloud environments, SDN enables rapid network provisioning, dynamic traffic routing, and policy-based management at scale. The exam may ask about SDN benefits in the context of security automation — the ability to programmatically respond to threats by modifying network configurations in real time.
Cloud-Specific Network Threats
Side-Channel Attacks
In shared infrastructure, attackers on the same physical host may exploit CPU cache timing, memory access patterns, or other side channels to extract information from neighboring tenants. The exam treats this as a real (if sophisticated) threat that justifies dedicated hosting for highly sensitive workloads.
Data Exfiltration via DNS
DNS tunneling encodes data in DNS queries to exfiltrate information through allowed DNS traffic. Cloud environments with permissive outbound DNS policies are vulnerable. The exam may present this as a scenario where a firewall blocks all outbound traffic except DNS, yet data is still leaving the network.
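Detection logic for the scenario above, as an added example that is not part of the study guide: tunnelled data has to be carried in query names, so it leaves long, high-entropy, mostly unique subdomains concentrated under one parent domain. The resolver log format, domain names and thresholds below are assumptions constructed for the example; a real deployment would tune the thresholds against its own baseline and use the public suffix list rather than "last two labels" to find the parent domain.

```python
"""Added example, not from the study guide: flagging possible DNS tunnelling
in a constructed resolver log by scoring the subdomain labels each client
sends under each parent domain. Log format, names and thresholds are assumed."""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed resolver log lines: "<epoch> <client_ip> <query_name> <qtype>"
SAMPLE_LOG = """\
1700000001 10.0.2.15 www.example.com A
1700000002 10.0.2.15 cdn.example.net A
1700000003 10.0.2.44 4d4f3a2b1c9e8f7a6b5c4d3e.data.tunnel-example.test TXT
1700000003 10.0.2.44 9a8b7c6d5e4f3a2b1c0d9e8f.data.tunnel-example.test TXT
1700000004 10.0.2.44 0f1e2d3c4b5a69788796a5b4.data.tunnel-example.test TXT
1700000004 10.0.2.44 c3d4e5f60718293a4b5c6d7e.data.tunnel-example.test TXT
1700000005 10.0.2.44 ab12cd34ef56ab78cd90ef12.data.tunnel-example.test TXT
1700000005 10.0.2.44 5566778899aabbccddeeff00.data.tunnel-example.test TXT
1700000006 10.0.2.15 mail.example.com MX
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than hostnames."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str) -> Tuple[str, str]:
    """Return (leftmost_label, parent_domain). The parent is taken as the
    last two labels, a simplification; production code should consult the
    public suffix list."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def detect_tunneling(log_text: str, min_queries: int = 5,
                     min_unique_ratio: float = 0.8, min_label_len: int = 16,
                     min_entropy: float = 3.0) -> List[Dict]:
    """Aggregate per (client, parent domain) and flag pairs whose leftmost
    labels are numerous, unique, long and high-entropy."""
    stats = defaultdict(lambda: {"count": 0, "labels": set(),
                                 "len_sum": 0, "ent_sum": 0.0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        label, parent = split_name(qname)
        if not label:
            continue  # a bare second-level query carries no subdomain payload
        s = stats[(client, parent)]
        s["count"] += 1
        s["labels"].add(label)
        s["len_sum"] += len(label)
        s["ent_sum"] += shannon_entropy(label)

    flagged = []
    for (client, parent), s in stats.items():
        n = s["count"]
        if n < min_queries:
            continue
        mean_len = s["len_sum"] / n
        mean_ent = s["ent_sum"] / n
        unique_ratio = len(s["labels"]) / n
        if (unique_ratio >= min_unique_ratio and mean_len >= min_label_len
                and mean_ent >= min_entropy):
            flagged.append({"client": client, "domain": parent, "queries": n,
                            "mean_label_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2)})
    return flagged


if __name__ == "__main__":
    for finding in detect_tunneling(SAMPLE_LOG):
        print(finding)
```

On the constructed log the benign client 10.0.2.15 produces nothing, while 10.0.2.44 is flagged for tunnel-example.test with six long, unique, high-entropy labels. The same aggregation is the basis for the usual mitigations: restricting outbound DNS to an internal resolver that logs, rate-limiting or blocking TXT and NULL queries to unknown domains, and alerting on the per-domain volume rather than on any single query.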
Man-in-the-Middle in Cloud
Within a shared cloud network, improperly configured virtual networks may allow traffic interception between tenants. The exam expects you to know that encryption in transit (TLS) is essential even within the cloud provider's internal network, not just between the customer and the cloud.
Network Monitoring in the Cloud
Traditional network taps and packet capture are difficult in virtualized environments. Cloud providers offer flow logs, traffic mirroring, and cloud-native monitoring tools. The exam tests whether you understand that the customer may not have the same network visibility in the cloud as on-premises, and that SLAs should address monitoring capabilities.
Exam insight: When a question describes limited network visibility in a cloud environment, the answer often involves cloud-native monitoring tools (flow logs, cloud SIEM integration) rather than trying to deploy traditional network monitoring appliances.
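As an added example that is not part of the study guide, the following Python reads flow-log records, which are often the only packet-level evidence a cloud tenant gets, and surfaces two things a network tap would normally reveal: a source probing many closed ports, and an instance pushing a large volume of data to addresses outside the VPC. The records are constructed; the field order follows the default (version 2) AWS VPC Flow Logs layout, and the thresholds and the "internal means RFC 1918" rule are assumptions to adjust for a real environment.

```python
"""Added example, not from the study guide: summarising constructed flow-log
records to find port probing and large egress without any packet capture.
Field order follows the default AWS VPC Flow Logs (version 2) record; the
sample values and thresholds are made up for illustration."""
import ipaddress
from collections import defaultdict
from typing import Dict, List

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records: one external source hits four closed ports, one
# instance sends 1.5 MB to a public address, the rest is ordinary traffic.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40001 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40002 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40003 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 40004 445 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.20 51000 443 6 1200 1500000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.5 10.0.1.9 51001 5432 6 300 40000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.55 10.0.1.5 51555 443 6 10 2000 1700000000 1700000060 ACCEPT OK
"""

# "Internal" is defined here as RFC 1918 space. Python's is_private() also
# covers documentation ranges such as 203.0.113.0/24, so it is not used.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_records(text: str) -> List[Dict[str, str]]:
    """Turn each space-separated record into a dict keyed by field name;
    blank or truncated lines are skipped rather than raising."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def analyse(text: str, scan_min_ports: int = 3,
            egress_min_bytes: int = 1_000_000) -> List[Dict]:
    """Return findings: sources rejected on many distinct destination ports,
    and internal sources sending more than a threshold to external addresses."""
    rejected_ports = defaultdict(set)
    egress_bytes = defaultdict(int)
    for r in parse_records(text):
        if r["action"] == "REJECT":
            rejected_ports[r["srcaddr"]].add(int(r["dstport"]))
        elif (r["action"] == "ACCEPT" and is_internal(r["srcaddr"])
                and not is_internal(r["dstaddr"])):
            egress_bytes[r["srcaddr"]] += int(r["bytes"])

    findings: List[Dict] = []
    for src, ports in rejected_ports.items():
        if len(ports) >= scan_min_ports:
            findings.append({"type": "port_probe", "src": src,
                             "ports": sorted(ports)})
    for src, total in egress_bytes.items():
        if total >= egress_min_bytes:
            findings.append({"type": "large_egress", "src": src, "bytes": total})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_FLOW_LOG):
        print(finding)
```

Flow logs carry no payload, so this kind of analysis answers "who talked to whom, how much, and was it allowed" rather than "what was said"; where content inspection is needed, traffic mirroring to an inspection instance or a provider-managed IDS fills the gap. Exporting these summaries to the cloud SIEM is what the exam insight above has in mind.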
Key Takeaways
Cloud networks are virtualized and shared. VPCs provide logical isolation. Microsegmentation enables workload-level security. Security groups are stateful; network ACLs are stateless. SDN enables programmatic security response. Side-channel attacks are a real threat in shared infrastructure. Network monitoring requires cloud-native tools. Always encrypt traffic, even within the cloud.