Deep Packet Inspection (DPI) is the most suitable method as it operates at the application layer (Layer 7) to examine the actual data payload of network packets, not just the headers. For a cloud-native application processing sensitive data, this allows for the identification of malicious code, intrusion attempts, and the exfiltration of sensitive data patterns that would be invisible to lower-level network controls. DPI provides the granular visibility required to enforce security policies based on the content of the traffic, which is essential for preventing sophisticated data breaches and meeting compliance mandates.

B. Implementing network security groups (NSGs) with inbound and outbound rules.

NSGs are stateful firewalls operating at Layers 3 and 4. They filter traffic based on IP addresses and ports but do not inspect the packet's content.

C. Using encryption without any inspection tools.

Encryption protects data confidentiality in transit but is a countermeasure to eavesdropping, not an inspection mechanism. It can actually obscure traffic from security tools.

D. Relying on endpoint security software.

Endpoint security protects individual compute instances (VMs, containers) but does not provide a comprehensive view or control over the network traffic flowing between different application components.

1. National Institute of Standards and Technology (NIST). (2020). NIST Special Publication 800-204A

Building Secure Microservices-based Applications Using Service-Mesh Architecture. Section 4.3.2

"Traffic Management

" discusses the capabilities of service mesh architectures

which are common in cloud-native applications

to perform Layer 7 traffic inspection and apply security policies based on application-level data. This is a direct application of DPI principles.

2. Al-Ayyoub

M.

Jararweh

Y.

& Al-Sa'di

M. (2018). A Survey on Network Intrusion Detection in Cloud Computing. Journal of Network and Computer Applications

115

57-75. The paper discusses various intrusion detection techniques for the cloud

highlighting that "Deep Packet Inspection (DPI) is a technique that examines the payload part of a packet... to detect protocol non-compliance

viruses

spam

intrusions or any predefined criteria to decide whether a packet may pass or not." (Section 3.1.2). This confirms DPI's role in content-level inspection.

3. Zardari

Z. A.

Jung

L. T.

& Zakaria

N. (2014). Cloud-based deep packet inspection for intrusion detection. In 2014 International Conference on Computer and Information Sciences (ICCOINS). The paper states

"DPI is a form of network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point... It is considered as a key component of Network Intrusion Detection System (NIDS)." (Section II.A). This emphasizes its function as a detailed inspection mechanism.