Network & Infrastructure Security

VPC Architecture & Network Segmentation


Virtual Private Clouds (VPCs) are the foundation of cloud network security. Proper segmentation isolates workloads, limits blast radius, and implements defense in depth.

VPC Fundamentals Across Providers

| Concept           | AWS VPC           | Azure VNet      | GCP VPC         |
|-------------------|-------------------|-----------------|-----------------|
| Network isolation | VPC               | Virtual Network | VPC Network     |
| Subnet            | Subnet (AZ-bound) | Subnet (region) | Subnet (region) |
| Route table       | Route Table       | Route Table     | Routes          |
| Internet access   | Internet Gateway  | N/A (implicit)  | Cloud NAT       |
| Private access    | NAT Gateway       | NAT Gateway     | Cloud NAT       |
| Peering           | VPC Peering       | VNet Peering    | VPC Peering     |

Secure VPC Architecture

Multi-Tier Architecture

┌─────────────────────────────────────────────────────────────┐
│                         VPC (10.0.0.0/16)                    │
├─────────────────────────────────────────────────────────────┤
│  Public Subnet (10.0.1.0/24)                                │
│  ┌─────────────────────────────────────────────────────┐    │
│  │  Load Balancer, NAT Gateway, Bastion Host           │    │
│  └─────────────────────────────────────────────────────┘    │
├─────────────────────────────────────────────────────────────┤
│  Private Subnet - Application (10.0.10.0/24)                │
│  ┌─────────────────────────────────────────────────────┐    │
│  │  Web Servers, API Servers, Application Layer        │    │
│  └─────────────────────────────────────────────────────┘    │
├─────────────────────────────────────────────────────────────┤
│  Private Subnet - Data (10.0.20.0/24)                       │
│  ┌─────────────────────────────────────────────────────┐    │
│  │  Databases, Cache, Data Stores                       │    │
│  └─────────────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────────────┘

AWS VPC Configuration

# Terraform - Secure VPC
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name = "production-vpc"
  }
}

# Public subnet
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false  # Never auto-assign public IPs

  tags = {
    Name = "public-subnet"
    Tier = "public"
  }
}

# Private subnet - no internet route
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.10.0/24"
  availability_zone = "us-east-1a"

  tags = {
    Name = "private-subnet"
    Tier = "private"
  }
}

Azure VNet Configuration

# Create VNet with subnets
az network vnet create \
    --name production-vnet \
    --resource-group myRG \
    --address-prefix 10.0.0.0/16 \
    --subnet-name public-subnet \
    --subnet-prefix 10.0.1.0/24

# Add private subnet (current CLI versions take --address-prefixes, plural)
az network vnet subnet create \
    --name private-subnet \
    --vnet-name production-vnet \
    --resource-group myRG \
    --address-prefixes 10.0.10.0/24

GCP VPC Configuration

# Create custom VPC
gcloud compute networks create production-vpc \
    --subnet-mode=custom

# Create subnets
gcloud compute networks subnets create public-subnet \
    --network=production-vpc \
    --region=us-central1 \
    --range=10.0.1.0/24

gcloud compute networks subnets create private-subnet \
    --network=production-vpc \
    --region=us-central1 \
    --range=10.0.10.0/24 \
    --enable-private-ip-google-access

Network Segmentation Best Practices

Blast Radius Limitation

Each workload environment should be isolated:

| Environment     | VPC/VNet    | Peering             | Purpose                |
|-----------------|-------------|---------------------|------------------------|
| Production      | prod-vpc    | Limited             | Live workloads         |
| Staging         | staging-vpc | To prod (read-only) | Pre-production testing |
| Development     | dev-vpc     | None                | Developer sandboxes    |
| Shared Services | shared-vpc  | Hub                 | DNS, logging, security |

Micro-Segmentation

Beyond traditional network segmentation:

Traditional: Network → Subnet → Host
Cloud-native: Network → Subnet → Security Group → Application

Security groups provide application-level segmentation:

  • Web tier: Only accepts 443 from load balancer
  • App tier: Only accepts from web tier on specific port
  • Data tier: Only accepts from app tier on database port

VPC Flow Logs

Essential for network visibility:

# AWS - Enable VPC Flow Logs
# --deliver-logs-permission-arn is required for the cloud-watch-logs destination;
# the role ARN below is a placeholder for a role allowed to write to the log group.
aws ec2 create-flow-logs \
    --resource-type VPC \
    --resource-ids vpc-12345678 \
    --traffic-type ALL \
    --log-destination-type cloud-watch-logs \
    --log-group-name vpc-flow-logs \
    --deliver-logs-permission-arn arn:aws:iam::123456789012:role/flow-logs-role

# Azure - Enable NSG Flow Logs
# --location names the Network Watcher region (required by current CLI versions)
az network watcher flow-log create \
    --name myFlowLog \
    --location eastus \
    --nsg myNSG \
    --resource-group myRG \
    --storage-account myStorageAccount \
    --enabled true

# GCP - Enable VPC Flow Logs on subnet
gcloud compute networks subnets update private-subnet \
    --region=us-central1 \
    --enable-flow-logs
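The tier rules from the micro-segmentation list and the flow logs enabled above come together in this added Python example (not code from the lesson): it maps the lesson's subnet CIDRs to tiers, encodes the permitted tier-to-tier ports (the port numbers 443, 8080 and 5432 are assumptions), and reports ACCEPTed flows in constructed AWS VPC Flow Logs records that the policy does not allow, which is how a flow-log feed is used to verify that security groups really enforce the intended segmentation.

```python
import ipaddress
from typing import Optional

# Subnet tiers taken from the lesson's VPC layout (10.0.0.0/16).
TIERS = {
    "public": ipaddress.ip_network("10.0.1.0/24"),  # load balancer, NAT, bastion
    "app": ipaddress.ip_network("10.0.10.0/24"),    # web / API servers
    "data": ipaddress.ip_network("10.0.20.0/24"),   # databases, caches
}

# Permitted (source tier, destination tier) -> destination ports. The ports are
# assumptions: 443 from the load balancer, 8080 between app hosts, 5432 to the DB.
POLICY = {
    ("public", "app"): {443},
    ("app", "app"): {8080},
    ("app", "data"): {5432},
}

def tier_of(addr: str) -> Optional[str]:
    """Map an IP to its subnet tier, or None if it is outside the VPC."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in TIERS.items() if ip in net), None)

def parse_flow_record(line: str) -> dict:
    """Parse one AWS VPC Flow Logs v2 record in the default field order: version
    account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes
    start end action log-status."""
    f = line.split()
    return {"src": f[3], "dst": f[4], "dstport": int(f[6]), "action": f[12]}

def violations(lines):
    """Return (src_tier, dst_tier, dstport) for ACCEPTed inbound flows the tier
    policy does not permit; REJECTs and outbound flows are skipped."""
    found = []
    for line in lines:
        r = parse_flow_record(line)
        src, dst = tier_of(r["src"]), tier_of(r["dst"])
        if r["action"] != "ACCEPT" or dst is None:
            continue
        if r["dstport"] not in POLICY.get((src, dst), set()):
            found.append((src or "external", dst, r["dstport"]))
    return found

# Constructed sample records (not real traffic); account and ENI ids are placeholders.
SAMPLE_RECORDS = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.10.5 43210 443 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.10.5 10.0.20.8 51000 5432 6 30 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.20.8 51234 5432 6 5 400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.10.5 40000 22 6 1 60 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.10.5 40001 8080 6 3 200 1700000000 1700000060 ACCEPT OK",
]
```

Running `violations(SAMPLE_RECORDS)` flags the public-subnet host reaching the data tier directly and the external address reaching the app tier on 8080; the rejected SSH attempt is not reported because the control already worked.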

Private Connectivity

Keep traffic off the public internet:

| Service  | AWS                        | Azure            | GCP                     |
|----------|----------------------------|------------------|-------------------------|
| Storage  | S3 Gateway Endpoint        | Private Endpoint | Private Service Connect |
| Database | RDS via Interface Endpoint | Private Endpoint | Private Service Connect |
| APIs     | API Gateway Private        | Private Endpoint | Private Service Connect |

Next, we'll configure security groups and NACLs for granular traffic control.
