Network & Infrastructure Security
VPC Architecture & Network Segmentation
Virtual Private Clouds (VPCs) are the foundation of cloud network security. Proper segmentation isolates workloads, limits blast radius, and implements defense in depth.
VPC Fundamentals Across Providers
| Concept | AWS VPC | Azure VNet | GCP VPC |
|---|---|---|---|
| Network isolation | VPC | Virtual Network | VPC Network |
| Subnet | Subnet (AZ-bound) | Subnet (region) | Subnet (region) |
| Route table | Route Table | Route Table | Routes |
| Internet access | Internet Gateway | N/A (implicit) | Cloud NAT |
| Private access | NAT Gateway | NAT Gateway | Cloud NAT |
| Peering | VPC Peering | VNet Peering | VPC Peering |
Secure VPC Architecture
Multi-Tier Architecture
```text
┌─────────────────────────────────────────────────────────────┐
│ VPC (10.0.0.0/16)                                           │
├─────────────────────────────────────────────────────────────┤
│ Public Subnet (10.0.1.0/24)                                 │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Load Balancer, NAT Gateway, Bastion Host                │ │
│ └─────────────────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ Private Subnet - Application (10.0.10.0/24)                 │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Web Servers, API Servers, Application Layer             │ │
│ └─────────────────────────────────────────────────────────┘ │
├─────────────────────────────────────────────────────────────┤
│ Private Subnet - Data (10.0.20.0/24)                        │
│ ┌─────────────────────────────────────────────────────────┐ │
│ │ Databases, Cache, Data Stores                           │ │
│ └─────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
```
AWS VPC Configuration
```hcl
# Terraform - Secure VPC
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name = "production-vpc"
  }
}

# Public subnet
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = false # Never auto-assign public IPs

  tags = {
    Name = "public-subnet"
    Tier = "public"
  }
}

# Private subnet - no internet route
resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.10.0/24"
  availability_zone = "us-east-1a"

  tags = {
    Name = "private-subnet"
    Tier = "private"
  }
}
```
Azure VNet Configuration
```bash
# Create VNet with subnets
az network vnet create \
  --name production-vnet \
  --resource-group myRG \
  --address-prefix 10.0.0.0/16 \
  --subnet-name public-subnet \
  --subnet-prefix 10.0.1.0/24

# Add private subnet
az network vnet subnet create \
  --name private-subnet \
  --vnet-name production-vnet \
  --resource-group myRG \
  --address-prefix 10.0.10.0/24
```
GCP VPC Configuration
```bash
# Create custom VPC
gcloud compute networks create production-vpc \
  --subnet-mode=custom

# Create subnets
gcloud compute networks subnets create public-subnet \
  --network=production-vpc \
  --region=us-central1 \
  --range=10.0.1.0/24

gcloud compute networks subnets create private-subnet \
  --network=production-vpc \
  --region=us-central1 \
  --range=10.0.10.0/24 \
  --enable-private-ip-google-access
```
Network Segmentation Best Practices
Blast Radius Limitation
Each workload environment should be isolated:
| Environment | VPC/VNet | Peering | Purpose |
|---|---|---|---|
| Production | prod-vpc | Limited | Live workloads |
| Staging | staging-vpc | To prod (read-only) | Pre-production testing |
| Development | dev-vpc | None | Developer sandboxes |
| Shared Services | shared-vpc | Hub | DNS, logging, security |
Micro-Segmentation
Beyond traditional network segmentation:
Traditional: Network → Subnet → Host
Cloud-native: Network → Subnet → Security Group → Application
Security groups provide application-level segmentation:
- Web tier: Only accepts 443 from load balancer
- App tier: Only accepts from web tier on specific port
- Data tier: Only accepts from app tier on database port
VPC Flow Logs
Essential for network visibility:
```bash
# AWS - Enable VPC Flow Logs
# A CloudWatch Logs destination requires an IAM role that may write to the
# log group; replace the placeholder ARN with your own role.
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-12345678 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name vpc-flow-logs \
  --deliver-logs-permission-arn arn:aws:iam::<ACCOUNT_ID>:role/<FLOW_LOGS_ROLE>

# Azure - Enable NSG Flow Logs (--location must match the NSG's region)
az network watcher flow-log create \
  --name myFlowLog \
  --location eastus \
  --nsg myNSG \
  --resource-group myRG \
  --storage-account myStorageAccount \
  --enabled true

# GCP - Enable VPC Flow Logs on subnet
gcloud compute networks subnets update private-subnet \
  --region=us-central1 \
  --enable-flow-logs
```
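As an added example (not code from the original page), the following Python script checks AWS VPC Flow Log records in the default v2 format against the tier rules from the micro-segmentation section, using the subnet ranges from the architecture diagram; it also handles the reply leg of an allowed flow, which would otherwise produce false positives because flow log records are unidirectional. The sample records, account id, ENI id and addresses are constructed, and 5432 as the database port is an assumption.

```python
import ipaddress

# Subnet tiers from the architecture diagram on this page.
TIERS = {"public": ipaddress.ip_network("10.0.1.0/24"),
         "app": ipaddress.ip_network("10.0.10.0/24"),
         "data": ipaddress.ip_network("10.0.20.0/24")}
# Permitted (source tier, destination tier, destination port). 443 is from
# the page; 5432 as the database port is an assumption for this example.
ALLOWED = {("public", "app", 443), ("app", "data", 5432)}

def tier_of(addr):
    """Map an IP to its tier name, or 'external' if outside the VPC."""
    ip = ipaddress.ip_address(addr)
    return next((n for n, net in TIERS.items() if ip in net), "external")

def parse_record(line):
    """Parse a default (v2) VPC Flow Log record; None for NODATA/SKIPDATA."""
    f = line.split()
    if len(f) != 14 or f[13] != "OK":
        return None
    return {"src": f[3], "dst": f[4], "sport": int(f[5]),
            "dport": int(f[6]), "action": f[12]}

def find_violations(lines):
    """Return accepted flows into the private tiers that the model forbids."""
    bad = []
    for line in lines:
        r = parse_record(line)
        if r is None or r["action"] != "ACCEPT":
            continue  # rejected flows were already blocked by SG/NACL
        s, d = tier_of(r["src"]), tier_of(r["dst"])
        if d not in ("app", "data") or (s, d, r["dport"]) in ALLOWED:
            continue
        # Flow logs are unidirectional: the reply leg of an allowed flow
        # carries the service port as its *source* port. Do not flag it.
        if (d, s, r["sport"]) in ALLOWED:
            continue
        bad.append((r["src"], r["dst"], r["dport"]))
    return bad

# Constructed sample records (account id, ENI and addresses are made up).
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.10.4 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.10.4 10.0.20.5 45000 5432 6 10 2000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.20.5 10.0.10.4 5432 45000 6 8 1500 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.20.5 40000 5432 6 5 600 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.10.4 52001 22 6 3 300 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    for src, dst, port in find_violations(SAMPLE):
        print(f"tier violation: {src} -> {dst}:{port}")
```

Run it against a file exported from the log group by passing the lines to `find_violations`; the two hits from the sample are external-to-data traffic on the database port and public-to-app traffic on a port other than 443.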
Private Connectivity
VPC Endpoints / Private Link
Keep traffic off the public internet:
| Service | AWS | Azure | GCP |
|---|---|---|---|
| Storage | S3 Gateway Endpoint | Private Endpoint | Private Service Connect |
| Database | RDS via Interface Endpoint | Private Endpoint | Private Service Connect |
| APIs | API Gateway Private | Private Endpoint | Private Service Connect |
Next, we'll configure security groups and NACLs for granular traffic control.