Segmentation & private connectivity
VPC design, PrivateLink/Private Service Connect, no public paths.
The network is your second containment layer after identity. Even if a credential leaks, tight segmentation and private connectivity decide whether an attacker reaches one service or the whole estate. The goal is default-closed: nothing is reachable until you deliberately open the smallest possible path.
Private subnets and no accidental public paths
Put workloads that do not need to be on the internet in private subnets with no route to an internet gateway, and let a load balancer or API gateway be the only public front door. Security groups (stateful, attached to resources) should reference each other by identity rather than by CIDR: the app tier allows the load balancer security group, the database allows the app security group, and nothing allows 0.0.0.0/0 except the edge. That way scaling never widens the surface and there is no IP list to maintain.
# Database SG allows Postgres ONLY from the app SG — no CIDRs, no public path.resource "aws_security_group_rule" "db_from_app" {type = "ingress"from_port = 5432to_port = 5432protocol = "tcp"security_group_id = aws_security_group.db.idsource_security_group_id = aws_security_group.app.id # identity, not IP}# App SG allows HTTP only from the load-balancer SG.resource "aws_security_group_rule" "app_from_lb" {type = "ingress"from_port = 8080to_port = 8080protocol = "tcp"security_group_id = aws_security_group.app.idsource_security_group_id = aws_security_group.lb.id}# The DB lives in a private subnet with no route to an internet gateway.
Reach managed services privately
You do not have to send traffic to a managed database, queue, or partner API across the public internet even when it has a public endpoint. PrivateLink (AWS), Private Service Connect (GCP), and Private Endpoints (Azure) project a service into your VPC as a private interface, so the data plane stays on the cloud provider backbone. That removes a whole class of exposure: there is no public route to firewall, no data traversing the open internet, and access is governed by your network policy plus IAM.