CoursesAWS security engineeringNetwork security & segmentation

VPC segmentation

Identity-referenced SGs, private subnets, blast radius.

Advanced30 min · lesson 10 of 15

The network is your second containment layer after identity: even if a credential leaks, tight segmentation decides whether an attacker reaches one service or the whole estate. The goal is default-closed — nothing reachable until you deliberately open the smallest path.

Security groups by reference, private by default

Security groups are stateful allowlists attached to an ENI; return traffic is automatic. Reference them by group ID rather than CIDR so tiers allow each other by identity — the DB SG allows the app SG, the app SG allows the load-balancer SG, and nothing allows 0.0.0.0/0 except the edge. Then scaling never widens the surface and there is no IP list to maintain. Network ACLs are the stateless, subnet-level complement, evaluating numbered rules in both directions.

identity-referenced security groups
# DB allows Postgres ONLY from the app SG — no CIDRs, no public path.
resource "aws_security_group_rule" "db_from_app" {
type = "ingress"
from_port = 5432 to_port = 5432 protocol = "tcp"
security_group_id = aws_security_group.db.id
source_security_group_id = aws_security_group.app.id # identity, not IP
}
# The DB lives in a private subnet with no route to an internet gateway.

Subnet tiers and blast radius

Put internet-facing load balancers in public subnets and everything else — app tiers, databases, caches — in private subnets with no route to an internet gateway. Multi-account structure (a VPC per environment, prod isolated from staging) bounds a compromise to one account. The default VPC ships public subnets and permissive defaults precisely so "hello world" works; build production VPCs deliberately and leave the default one unused.

Default-closed VPC design
public tier
load balancer / NAT
the only internet-facing hop
private tiers
app subnet
allows only the LB security group
data subnet
allows only the app security group
Reference by SG identity, keep data private, isolate environments by account. A foothold in one tier cannot freely reach the rest.
The default VPC is not a starting point
Default VPCs exist for convenience, not production: public subnets, an internet gateway, and open defaults. Build VPCs with private subnets, scoped egress, and identity-referenced security groups — and ignore or delete the default rather than growing production inside it.