This post explains how to implement perimeter and internal boundary protections in AWS and Azure to meet FAR 52.204-21 and CMMC 2.0 Level 1 (SC.L1-B.1.X) expectations, focusing on concrete controls, configuration steps, small-business scenarios, and audit evidence you can collect.
What this control requires (practical interpretation)
At Level 1 the requirement is "basic cyber hygiene"; for boundary protection it typically means implementing controls that monitor and control communications at external boundaries and at key internal boundaries: enforce allowlists; restrict inbound and outbound traffic to only the necessary ports and IPs/subnets; segment sensitive systems (for example, private data stores or CUI processing servers); and log and monitor boundary activity so you can demonstrate that the controls were in place during an audit under the Compliance Framework.
AWS: Perimeter and internal boundary implementation steps
In AWS, implement a layered approach: place public-facing services behind a load balancer (ALB/NLB) in public subnets, run application tiers in private subnets within a VPC, and place databases/storage on isolated private subnets with Security Groups (SGs) that only permit traffic from the application SG. Use Network ACLs for coarse-grained, subnet-level deny-by-default filtering and Security Groups for stateful, least-privilege rules. Enforce management access via AWS Systems Manager Session Manager (avoid opening SSH/RDP to the internet), use AWS Network Firewall for centralized network-layer filtering and AWS WAF for HTTP protections, and enable VPC Flow Logs (delivered to CloudWatch Logs) and CloudTrail for audit evidence.
# Example: allow only the app SG to reach the DB SG (AWS CLI)
# Capture the new group's ID instead of hard-coding it; sg-app123 stands for the application tier's SG
DB_SG=$(aws ec2 create-security-group --group-name db-sg --description "DB SG" \
  --vpc-id vpc-0123456789abcdef0 --query GroupId --output text)
aws ec2 authorize-security-group-ingress --group-id "$DB_SG" \
  --protocol tcp --port 3306 --source-group sg-app123
# No CIDR-based ingress rule is added, so the only path to port 3306 is from members of sg-app123
# Enable VPC Flow Logs (ALL captures both ACCEPT and REJECT records, which is the audit evidence)
aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-0123... \
  --traffic-type ALL --log-group-name /aws/vpc/flow-logs \
  --deliver-logs-permission-arn arn:aws:iam::123:role/flow-logs-role
Azure: Perimeter and internal boundary implementation steps
In Azure, use an Application Gateway (with WAF) or Azure Front Door for internet-facing web traffic, and place backend app and DB tiers in separate subnets within a Virtual Network (VNet). Protect subnets with Network Security Groups (NSGs) that follow a deny-all, allow-specific pattern; use Service Endpoints or Private Link for platform services (Storage, SQL) to keep traffic on the Microsoft backbone instead of the internet. Use Azure Firewall (or a third-party NGFW) for centralized egress controls, and Azure Bastion, or Azure AD plus Just-In-Time (JIT) access, where management access is required. Enable NSG flow logs and send diagnostics to a Log Analytics workspace for retention and queries.
# Example: NSG rule allowing only the App subnet to reach DB on 1433 (Azure CLI)
# 10.0.1.0/24 is a placeholder for the App subnet's range; the "VirtualNetwork" tag would admit the whole VNet
az network nsg create --resource-group RG --name db-nsg
az network nsg rule create --resource-group RG --nsg-name db-nsg --name AllowAppToSql \
  --priority 100 --source-address-prefixes 10.0.1.0/24 --source-port-ranges '*' \
  --destination-address-prefixes '*' --destination-port-ranges 1433 --access Allow \
  --protocol Tcp --direction Inbound
# The default AllowVnetInBound rule (priority 65000) would still admit other subnets, so deny the rest explicitly
az network nsg rule create --resource-group RG --nsg-name db-nsg --name DenyAllInbound \
  --priority 4000 --source-address-prefixes '*' --source-port-ranges '*' \
  --destination-address-prefixes '*' --destination-port-ranges '*' --access Deny \
  --protocol '*' --direction Inbound
# The NSG has no effect until it is associated with the DB subnet (az network vnet subnet update --network-security-group db-nsg)
# Enable NSG flow logs (--location must match the NSG's region; eastus is a placeholder)
az network watcher flow-log create --name nsgFlowLogs --resource-group RG --location eastus --nsg db-nsg \
  --storage-account storageacct --enabled true --retention 90 --workspace LogAnalyticsWorkspaceId
Small-business real-world scenario
Imagine a small defense contractor hosting a three-tier web app that handles contract metadata (CUI). Implement an ALB/Front Door for HTTPS, an application tier in a private autoscaling group, and a database in a separate private subnet. Security Groups/NSGs: the web SG allows only 443 from the internet; the app SG allows 443 only from the web SG and permits outbound 443 only for the API calls it needs; the db SG allows 1433 or 3306 only from the app SG. Use PrivateLink, VPC endpoints or Azure Service Endpoints for storage and secrets (e.g., S3 or Azure Storage plus Key Vault) so storage access never traverses the public internet. Use Systems Manager / Azure Bastion to manage VMs without exposing management ports. This setup satisfies the control by restricting boundary crossings to the documented least-privilege paths.
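As an added example (not code from the original post), the following Python check audits the scenario's security-group pattern offline against data in the shape of `aws ec2 describe-security-groups` output; the sample groups, IDs and CIDRs are constructed, and the allowlist mirrors the web/app/db rules just described.

```python
"""Audit AWS security-group ingress against the three-tier allowlist described above."""
import json
# Constructed sample in the shape of `aws ec2 describe-security-groups` output (not a real account).
SAMPLE_SGS = json.loads("""
[
 {"GroupId": "sg-web123", "GroupName": "web-sg", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-app123", "GroupName": "app-sg", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web123"}]}]},
 {"GroupId": "sg-db123", "GroupName": "db-sg", "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app123"}]},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]}
]
""")

# Allowlist for the scenario: each tier may accept only these (port, source) pairs,
# where a source is a CIDR string or the upstream tier's security-group ID.
EXPECTED = {
    "sg-web123": {(443, "0.0.0.0/0")},
    "sg-app123": {(443, "sg-web123")},
    "sg-db123": {(3306, "sg-app123"), (1433, "sg-app123")},
}

def ingress_pairs(sg):
    """Flatten inbound rules to (port, source); a port range or all-protocols (-1) rule gives port None, which never matches."""
    pairs = set()
    for perm in sg.get("IpPermissions", []):
        port = perm.get("FromPort") if perm.get("FromPort") == perm.get("ToPort") else None
        for rng in perm.get("IpRanges", []):
            pairs.add((port, rng["CidrIp"]))
        for pair in perm.get("UserIdGroupPairs", []):
            pairs.add((port, pair["GroupId"]))
    return pairs

def audit(sgs, expected=EXPECTED):
    """Return (group_id, finding) tuples for every ingress pair outside the allowlist."""
    findings = []
    for sg in sgs:
        allowed = expected.get(sg["GroupId"])
        if allowed is None:
            findings.append((sg["GroupId"], "group is not in the allowlist"))
            continue
        for port, source in sorted(ingress_pairs(sg), key=str):
            if (port, source) not in allowed:
                findings.append((sg["GroupId"], f"unexpected ingress: port {port} from {source}"))
    return findings
```

Running `audit(SAMPLE_SGS)` reports the stray SSH rule on the database group, which is exactly the kind of drift an assessor would expect you to catch before an audit.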
Logging, monitoring, evidence and continuous compliance
For Compliance Framework evidence: enable and retain logs (VPC Flow Logs, CloudTrail, AWS Config; NSG flow logs, Azure Activity Logs, Diagnostic Settings). Configure alerts for anomalous boundary events (port scans, unexpected egress) using GuardDuty and Security Hub or Azure Sentinel/Monitor. Automate compliance checks with AWS Config rules (e.g., vpc-flow-logs-enabled, restricted-common-ports) and Azure Policy initiatives (audit NSG flow logs, enforce private endpoints). Keep logs for the retention period required by your contract and export summarized reports that show denied traffic at boundaries and rule changes to support an audit.
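To produce the denied-traffic summary mentioned above, here is an added Python example (not from the original post) that parses constructed VPC Flow Log lines in the default format and a constructed NSG flow log version-2 record, then tallies denied boundary flows per source and destination port; the addresses, account ID, interface ID and MAC are made up.

```python
"""Summarise denied boundary traffic from VPC Flow Logs and NSG flow logs for audit evidence."""
import json
from collections import Counter

# Constructed lines in the default VPC Flow Log format (not captured from a real account):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
VPC_FLOW_LINES = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.15 51234 22 6 4 240 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.15 51235 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.15 44322 3306 6 20 4000 1700000000 1700000060 ACCEPT OK
""".splitlines()

# Constructed NSG flow log (version 2) record. Each flow tuple is:
# time,src,dst,srcPort,dstPort,proto,direction(I/O),decision(A/D),state,pktsOut,bytesOut,pktsIn,bytesIn
NSG_FLOW_LOG = json.loads("""{"records": [{"properties": {"flows": [
  {"rule": "DenyAllInbound", "flows": [{"mac": "000D3A000000", "flowTuples": [
    "1700000000,203.0.113.9,10.0.2.15,40000,1433,T,I,D,B,,,,",
    "1700000001,203.0.113.9,10.0.2.15,40001,22,T,I,D,B,,,,"]}]},
  {"rule": "AllowAppToSql", "flows": [{"mac": "000D3A000000", "flowTuples": [
    "1700000002,10.0.1.20,10.0.2.15,44000,1433,T,I,A,B,,,,"]}]}]}}]}""")

def denied_from_vpc(lines):
    """Count REJECTed flows per (srcaddr, dstport) from default-format VPC Flow Log lines."""
    counts = Counter()
    for line in lines:
        f = line.split()
        # NODATA/SKIPDATA records carry '-' in the action field, so the REJECT test skips them
        if len(f) >= 14 and f[12] == "REJECT":
            counts[(f[3], f[6])] += 1
    return counts

def denied_from_nsg(doc):
    """Count inbound flows decided D (deny) per (src, dstPort) from an NSG flow log v2 document."""
    counts = Counter()
    for record in doc["records"]:
        for rule in record["properties"]["flows"]:
            for flow in rule["flows"]:
                for tup in flow["flowTuples"]:
                    t = tup.split(",")
                    if t[6] == "I" and t[7] == "D":
                        counts[(t[1], t[4])] += 1
    return counts

def evidence_report(vpc_lines, nsg_doc):
    """Merge both clouds into one sorted list of (cloud, source, dstport, count) rows."""
    rows = [("aws", src, port, n) for (src, port), n in denied_from_vpc(vpc_lines).items()]
    rows += [("azure", src, port, n) for (src, port), n in denied_from_nsg(nsg_doc).items()]
    return sorted(rows)
```

Feed real exports into the same functions to obtain a per-period table of rejected boundary attempts that can be retained alongside the rule-change history from CloudTrail or the Azure Activity Log.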
Compliance tips, best practices, and risks of not implementing
Best practices: design deny-by-default network rules; use security groups that reference other SGs (not CIDR ranges) for safer segmentation; centralize controls via AWS Organizations / Azure Management Groups with service control policies / Azure Policy; enforce infrastructure-as-code and code review for network changes; enable multi-factor authentication and least privilege for cloud console access. Risks if you don’t implement: exposure of CUI or contractor data to internet scanning and exploitation, lateral movement inside your environment, loss of contract eligibility or audit failures, and inability to produce logs showing the controls were active. For small businesses, the easiest high-impact controls are private subnets for sensitive systems, SG/NSG tightening, and enabling flow logging immediately.
Summary: Implement layered perimeter defenses (WAF, load balancers), strict internal segmentation using SGs/NSGs and subnet isolation, centralized firewall/egress controls, and robust logging/monitoring to meet FAR 52.204-21 / CMMC 2.0 Level 1 expectations. Use AWS and Azure native services—ALB/NLB, Network Firewall, WAF, Security Groups, VPC Flow Logs, Application Gateway, Azure Firewall, NSG flow logs, and Private Link—to create clearly defined boundaries, automate continuous checks with Config/Policy, and produce the logs and evidence required for compliance reviews.