CoursesAdvanced cloud securityNetwork & data-plane security

Segmentation & private connectivity

VPC design, PrivateLink/Private Service Connect, no public paths.

Advanced30 min · lesson 4 of 15

The network is your second containment layer after identity. Even if a credential leaks, tight segmentation and private connectivity decide whether an attacker reaches one service or the whole estate. The goal is default-closed: nothing is reachable until you deliberately open the smallest possible path.

Private subnets and no accidental public paths

Put workloads that do not need to be on the internet in private subnets with no route to an internet gateway, and let a load balancer or API gateway be the only public front door. Security groups (stateful, attached to resources) should reference each other by identity rather than by CIDR: the app tier allows the load balancer security group, the database allows the app security group, and nothing allows 0.0.0.0/0 except the edge. That way scaling never widens the surface and there is no IP list to maintain.

least-privilege security groups by reference
# Database SG allows Postgres ONLY from the app SG — no CIDRs, no public path.
resource "aws_security_group_rule" "db_from_app" {
type = "ingress"
from_port = 5432
to_port = 5432
protocol = "tcp"
security_group_id = aws_security_group.db.id
source_security_group_id = aws_security_group.app.id # identity, not IP
}
# App SG allows HTTP only from the load-balancer SG.
resource "aws_security_group_rule" "app_from_lb" {
type = "ingress"
from_port = 8080
to_port = 8080
protocol = "tcp"
security_group_id = aws_security_group.app.id
source_security_group_id = aws_security_group.lb.id
}
# The DB lives in a private subnet with no route to an internet gateway.

Reach managed services privately

You do not have to send traffic to a managed database, queue, or partner API across the public internet even when it has a public endpoint. PrivateLink (AWS), Private Service Connect (GCP), and Private Endpoints (Azure) project a service into your VPC as a private interface, so the data plane stays on the cloud provider backbone. That removes a whole class of exposure: there is no public route to firewall, no data traversing the open internet, and access is governed by your network policy plus IAM.

PrivateLink keeps traffic off the internet
1consumer VPC
private subnets only
2interface endpoint
the service, as a private ENI
3provider service
reached over the cloud backbone
4no IGW / NAT
nothing exits to the public internet
The service may have a public endpoint too — but your workloads never use it, so a misconfigured public route cannot expose the path.
The default VPC is not a starting point
Default VPCs ship with public subnets, an internet gateway, and permissive defaults so that "hello world" just works. That is the opposite of what production wants. Build VPCs deliberately with private subnets, scoped egress, and identity-referenced security groups — and delete or ignore the default VPC rather than growing production inside it.