Security
Firewalls
Firewall rules and network access control.
Firewall configuration is one of the most fundamental security controls, and one of the most commonly neglected. Cloud security groups are routinely opened up for convenience during setup and never tightened afterwards. Hellenic Technologies implements a least-privilege firewall strategy across the three layers we manage: cloud security groups that control which traffic reaches an instance at all, host-level firewalls (UFW/nftables) that provide defence in depth at the OS level, and Cloudflare firewall rules that filter traffic at the edge before it reaches your infrastructure.
Cloud security groups (AWS Security Groups, GCP Firewall Rules, Azure NSGs) define the network perimeter at the VPC level. Our baseline is default-deny inbound with explicit allows per service: SSH only from the bastion host's addresses, HTTP/HTTPS only from the load balancer (application servers never accept client traffic directly), database ports only from the application-server security group within the same VPC, and no other inbound traffic. Egress is restricted as well: application servers may open outbound connections only to the external services they actually need, rather than the allow-all egress that cloud providers configure by default. Because these rules are easy to loosen "temporarily", we also detect drift from the documented baseline and review the rule set periodically.
Host-level firewalls run as a second layer of defence. UFW on Ubuntu instances is a simple front end to the kernel packet filter with an application profile system (profiles in /etc/ufw/applications.d) for per-service rules. Nftables offers more flexibility where filtering requirements are more complex. These are configured to complement (not duplicate) the cloud security group rules: they still apply if a security-group change opens more than intended, and they isolate services running on the same host from one another, which security groups cannot do because they apply to the instance as a whole.
Firewall management services:
- Cloud security group configuration: AWS SG, GCP Firewall Rules, Azure NSG
- UFW configuration on Ubuntu instances with application profiles
- Nftables setup for advanced host-level filtering requirements
- Default-deny inbound with explicit allow rules per service
- Egress filtering to restrict outbound connections from application servers
- Cloudflare firewall rules and WAF rule management (see WAF page)
- Bastion host setup for secure SSH access without exposing instances publicly
- VPN configuration (WireGuard) for administrative access to private resources
- Security group drift detection and periodic rule review
- Firewall rule documentation and change management procedures

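As an added example of the default-deny baseline and the drift check described above (this is illustrative code written for this page, not Hellenic Technologies' tooling), the script below encodes the application-server baseline from the text and compares it with a constructed set of observed rules. Rules use a simplified AWS-style shape; the security-group ids (sg-bastion, sg-lb, sg-db), the VPC resolver address 10.0.0.2 and the external API range 203.0.113.0/24 are assumed placeholders. In practice the observed list would be built from the cloud API (for example the output of aws ec2 describe-security-groups) and the script run on a schedule or as a pipeline gate.

```python
"""Security-group drift check against a least-privilege baseline.

Added example for this page, not Hellenic Technologies' tooling. Rules use a
simplified AWS-style shape and the 'observed' set is constructed sample data,
so the check runs offline; in practice it would be built from
`aws ec2 describe-security-groups` (or the GCP/Azure equivalents).
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    direction: str   # "ingress" or "egress"
    proto: str       # "tcp", "udp", or "-1" for all protocols
    from_port: int   # -1 means all ports
    to_port: int
    peer: str        # CIDR such as "10.0.0.0/16", or a security-group id such as "sg-lb"


PUBLIC = {"0.0.0.0/0", "::/0"}


def _port_within(obs: Rule, base: Rule) -> bool:
    """Observed port range must sit inside the baseline range (-1 = any port)."""
    if base.from_port == -1:
        return True
    return base.from_port <= obs.from_port and obs.to_port <= base.to_port


def _peer_within(obs_peer: str, base_peer: str) -> bool:
    """SG references must match exactly; a CIDR must be a subnet of the baseline CIDR."""
    obs_cidr, base_cidr = "/" in obs_peer, "/" in base_peer
    if obs_cidr != base_cidr:          # an SG reference never 'contains' a CIDR, or vice versa
        return False
    if not obs_cidr:
        return obs_peer == base_peer
    o = ipaddress.ip_network(obs_peer, strict=False)
    b = ipaddress.ip_network(base_peer, strict=False)
    return o.version == b.version and o.subnet_of(b)


def covered(obs: Rule, base: Rule) -> bool:
    """True if everything `obs` permits is also permitted by `base`."""
    if obs.direction != base.direction:
        return False
    if base.proto != "-1" and obs.proto != base.proto:
        return False
    return _port_within(obs, base) and _peer_within(obs.peer, base.peer)


def severity(rule: Rule) -> str:
    """Anything reachable from the whole internet, or allow-all egress to it, is fixed first."""
    if rule.peer in PUBLIC and (rule.direction == "ingress" or rule.proto == "-1"):
        return "critical"
    return "high"


def check_drift(observed, baseline):
    """Return (severity, kind, rule) tuples: 'unexpected' observed rules that no
    baseline rule covers, and 'missing' baseline rules that no observed rule covers."""
    findings = []
    for r in observed:
        if not any(covered(r, b) for b in baseline):
            findings.append((severity(r), "unexpected", r))
    for b in baseline:
        if not any(covered(b, r) for r in observed):
            findings.append(("info", "missing", b))
    return findings


def summarise(findings):
    """Counts per (severity, kind), usable for a CI gate or a periodic review report."""
    counts = {}
    for sev, kind, _ in findings:
        counts[(sev, kind)] = counts.get((sev, kind), 0) + 1
    return counts


# Baseline for an application-server SG as described on the page: SSH only from the
# bastion SG, HTTP/HTTPS only from the load balancer SG, egress limited to the database
# SG, the VPC resolver and one external API range. All ids and addresses are assumed
# placeholders (203.0.113.0/24 is TEST-NET-3, not a real dependency).
BASELINE_APP = [
    Rule("ingress", "tcp", 22, 22, "sg-bastion"),
    Rule("ingress", "tcp", 80, 80, "sg-lb"),
    Rule("ingress", "tcp", 443, 443, "sg-lb"),
    Rule("egress", "tcp", 5432, 5432, "sg-db"),
    Rule("egress", "udp", 53, 53, "10.0.0.2/32"),
    Rule("egress", "tcp", 443, 443, "203.0.113.0/24"),
]

# Constructed 'observed' rules showing typical drift: SSH opened to the world for a
# quick debugging session, an undocumented port, and the cloud default allow-all egress.
OBSERVED_APP = [
    Rule("ingress", "tcp", 22, 22, "0.0.0.0/0"),
    Rule("ingress", "tcp", 80, 80, "sg-lb"),
    Rule("ingress", "tcp", 443, 443, "sg-lb"),
    Rule("ingress", "tcp", 8080, 8080, "10.0.0.0/16"),
    Rule("egress", "tcp", 5432, 5432, "sg-db"),
    Rule("egress", "-1", -1, -1, "0.0.0.0/0"),
]


if __name__ == "__main__":
    findings = check_drift(OBSERVED_APP, BASELINE_APP)
    for sev, kind, rule in findings:
        print(f"[{sev:8}] {kind:10} {rule.direction} {rule.proto} "
              f"{rule.from_port}-{rule.to_port} peer={rule.peer}")
    if any(sev == "critical" for sev, _, _ in findings):
        raise SystemExit(1)   # fail the pipeline until the public rules are removed
```

A rule is compliant only when some baseline rule covers everything it permits: security-group references must match exactly, CIDRs must be subnets of the baseline CIDR, and a baseline entry for all protocols or all ports covers any narrower rule. Running the same check the other way round (does any observed rule cover each baseline rule?) reports baseline entries that have been deleted. Note that a single allow-all egress rule "covers" every baseline egress entry, so the resolver and API rules are not reported as missing; the allow-all rule itself is what shows up as critical.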