--- id: agent-cloud-firewall-and-security-group-rules title: 'Agent Cloud Firewall and Security Group Rules' schema_type: TechArticle category: ai language: en confidence: medium last_verified: '2026-06-02' created_date: '2026-06-02' generation_method: ai_structured derived_from_human_seed: true conflict_of_interest: none_declared is_live_document: false data_period: static atomic_facts: - id: fact-ai-agent-cloud-firewall-and-security-group-rules-1 statement: >- AWS VPC documentation describes security groups as controlling inbound and outbound traffic for resources. source_title: AWS VPC Security Groups source_url: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html confidence: medium - id: fact-ai-agent-cloud-firewall-and-security-group-rules-2 statement: >- Google Cloud firewall documentation describes firewall rules as allowing or denying traffic to and from virtual machine instances. source_title: Google Cloud Firewall Rules source_url: https://cloud.google.com/firewall/docs/firewalls?hl=en confidence: medium - id: fact-ai-agent-cloud-firewall-and-security-group-rules-3 statement: >- Azure documentation describes network security groups as containing security rules that allow or deny inbound and outbound network traffic. source_title: Azure Network Security Groups source_url: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview confidence: medium completeness: 0.84 known_gaps: - Network reachability also depends on routes, load balancers, Kubernetes network policies, service mesh policy, DNS, host firewalls, and provider-specific priority rules. disputed_statements: [] primary_sources: - title: AWS VPC Security Groups type: documentation year: 2026 url: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html institution: Amazon Web Services - title: Google Cloud Firewall Rules type: documentation year: 2026 url: https://cloud.google.com/firewall/docs/firewalls?hl=en institution: Google Cloud - title: Azure Network Security Groups type: documentation year: 2026 url: https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview institution: Microsoft Azure secondary_sources: [] updated: '2026-06-02' ai_models: - gpt-5-codex --- ## TL;DR Cloud firewall and security-group rules are first-line evidence when agents debug traffic that works from one place but fails from another. ## Core Explanation Agents diagnosing connectivity should inspect network policy before changing application code. A blocked health check, unreachable database, or failing webhook callback can come from an ingress rule, egress rule, priority order, source range, target tag, or attached security group. The safe workflow names the provider, resource, direction, protocol, port, source, destination, and effective rule. Agents should avoid opening broad ranges unless the change is explicitly approved and scoped. ## Source-Mapped Facts - AWS VPC documentation describes security groups as controlling inbound and outbound traffic for resources. ([source](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html)) - Google Cloud firewall documentation describes firewall rules as allowing or denying traffic to and from virtual machine instances. ([source](https://cloud.google.com/firewall/docs/firewalls?hl=en)) - Azure documentation describes network security groups as containing security rules that allow or deny inbound and outbound network traffic. ([source](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview)) ## Further Reading - [AWS VPC Security Groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) - [Google Cloud Firewall Rules](https://cloud.google.com/firewall/docs/firewalls?hl=en) - [Azure Network Security Groups](https://learn.microsoft.com/en-us/azure/virtual-network/network-security-groups-overview)