Agent Cloud Firewall and Security Group Rules
Status: public · Confidence: medium (0.725) · Basis: verified_sources
## TL;DR

Cloud firewall and security-group rules are first-line evidence when agents debug traffic that works from one place but fails from another.

## Core Explanation

Agents diagnosing connectivity should inspect network policy before changing application code. A blocked health check, unreachable database, or failing webhook callback can come from an ingress rule, egress rule, priority order, source range, target tag, or attached security group.

The safe workflow names the provider, resource, direction, protocol, port, source, destination, and effective rule. Agents should avoid opening broad ranges unless the change is explicitly approved and scoped.

## Source-Mapped Facts

- AWS VPC documentation describes security groups as controlling inbound and outbound traffic for resources. ([source](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html))
- Google Cloud firewall documentation describes firewall rules as allowing or denying traffic to and from virtual machine instances. ([source](https://cloud.google.com/firewall/docs/firewalls?hl=en))
- Azure documentation describes network security groups as containing security rules that allow or deny inbound and outbound network traffic. ([source](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview))

## Further Reading

- [AWS VPC Security Groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html)
- [Google Cloud Firewall Rules](https://cloud.google.com/firewall/docs/firewalls?hl=en)
- [Azure Network Security Groups](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview)
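
The workflow under Core Explanation, as an added example that is not taken from the cited provider documentation: a simplified priority-ordered rule model (lower number evaluated first, deny checked before allow on a tie, no match treated as deny) that reports the effective rule for one flow from two vantage points and flags allow rules with broad source ranges. The rule names, addresses, and the `min_prefix` threshold are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first (simplified model)
    direction: str  # "ingress" or "egress"
    action: str     # "allow" or "deny"
    protocol: str   # "tcp", "udp" or "all"
    ports: range    # ports the rule matches
    source: str     # source CIDR

# Constructed sample policy; names and ranges are hypothetical.
RULES = [
    Rule("allow-db-app", 800, "ingress", "allow", "tcp", range(5432, 5433), "10.0.1.0/24"),
    Rule("deny-db-external", 900, "ingress", "deny", "tcp", range(5432, 5433), "0.0.0.0/0"),
    Rule("allow-web-any", 1000, "ingress", "allow", "tcp", range(443, 444), "0.0.0.0/0"),
]

def effective_rule(rules, direction, protocol, port, src_ip):
    """Return the first rule matching the flow in priority order, else None."""
    ip = ipaddress.ip_address(src_ip)
    # Sort by priority; at equal priority a deny is checked before an allow.
    for r in sorted(rules, key=lambda r: (r.priority, r.action != "deny")):
        if (r.direction == direction and r.protocol in (protocol, "all")
                and port in r.ports and ip in ipaddress.ip_network(r.source)):
            return r
    return None

def broad_allows(rules, min_prefix=16):
    """Names of allow rules whose source range is wider than /min_prefix."""
    return [r.name for r in rules
            if r.action == "allow"
            and ipaddress.ip_network(r.source).prefixlen < min_prefix]

def explain(rules, direction, protocol, port, src_ip):
    """One line naming direction, protocol, port, source and effective rule."""
    r = effective_rule(rules, direction, protocol, port, src_ip)
    verdict = (f"{r.action} by {r.name} (priority {r.priority})" if r
               else "no matching rule (treated as deny)")
    return f"{direction} {protocol}/{port} from {src_ip}: {verdict}"

if __name__ == "__main__":
    for src in ("10.0.1.5", "10.0.2.5"):  # same port, two vantage points
        print(explain(RULES, "ingress", "tcp", 5432, src))
    print("broad allow rules:", broad_allows(RULES))
```
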