Micro-Segmentation for Cloud Networks
Network segmentation strategies using security groups, NACLs, and service mesh policies.
Micro-Segmentation for Cloud Networks
Goal
Limit lateral movement so a compromised workload cannot reach unrelated systems.
Layers
- VPC / VNet isolation Separate prod, staging, shared services
- Subnet tiers Public ALB only; app and data in private subnets
- Security groups Default deny; allowlist ports per service
- Service mesh mTLS + L7 authorization between pods
Kubernetes example
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-allow-frontend-only
spec:
podSelector:
matchLabels:
app: api
ingress:
- from:
- podSelector:
matchLabels:
app: frontend
ports:
- protocol: TCP
port: 8080Verification
- Run network reachability tests from CI after policy changes
- Map actual flows vs intended policy quarterly
- Document exceptions with owner and review date