# Network Segmentation Patterns
Design network segmentation that contains blast radius and limits lateral movement. Covers micro-segmentation, VLAN design, firewall zones, east-west traffic control, zero-trust segmentation, and the patterns that prevent network breaches from spreading.
Network segmentation divides a network into isolated zones so that a breach in one zone cannot spread to others. Without segmentation, an attacker who compromises a single workstation can reach the database server, the payment system, and the backup infrastructure — all on the same flat network.
## Segmentation Levels

- Level 0: Flat network (no segmentation)
  - Everything can reach everything
  - Attacker moves freely after initial compromise
- Level 1: Zone-based (DMZ, internal, database)
  - Firewalls between zones
  - Perimeter defense, some internal boundaries
- Level 2: VLAN segmentation
  - Separate broadcast domains per function
  - ACLs between VLANs
- Level 3: Micro-segmentation
  - Per-workload firewall rules
  - Identity-based access (not IP-based)
  - Zero-trust: verify every connection
## Zone Architecture

```text
     Internet
         │
    ┌────┴────┐
    │   WAF   │
    └────┬────┘
         │
┌────────┴────────┐
│    DMZ Zone     │
│  Web Servers    │
│  API Gateways   │
└────────┬────────┘
         │ (Firewall)
┌────────┴────────┐
│ Application Zone│
│  App Servers    │
│  Microservices  │
└────────┬────────┘
         │ (Firewall)
┌────────┴────────┐
│  Database Zone  │
│  PostgreSQL     │
│  Redis          │
└────────┬────────┘
         │ (Firewall)
┌────────┴────────┐
│ Management Zone │
│  Jenkins/CI     │
│  Monitoring     │
│  Bastion Hosts  │
└─────────────────┘
```

Rules:

- DMZ → App: Allowed (specific ports)
- DMZ → Database: DENIED (must go through App)
- App → Database: Allowed (specific ports)
- Database → App: DENIED (no reverse connections)
- Management → All: Allowed (monitoring, deployment)
- All → Management: DENIED (except metrics export)
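As an added example that is not part of the original page, the script below encodes the zone matrix above as a default-deny policy check and runs it over a few constructed VPC-Flow-Log-style records to flag accepted east-west flows that contradict the matrix. The management CIDR 10.0.4.0/24, the metrics-export port 9100 and the per-pair port sets are assumptions; the DMZ, App and DB CIDRs match the Terraform layout further down.

```python
import ipaddress

# Constructed zone map mirroring the VPC layout on this page; the management CIDR is assumed.
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in [
    ("dmz", "10.0.1.0/24"), ("app", "10.0.2.0/24"),
    ("db", "10.0.3.0/24"), ("mgmt", "10.0.4.0/24")]}
# Allowed (src_zone, dst_zone) -> permitted destination ports; every other pair is denied.
POLICY = {
    ("dmz", "app"): {8080},
    ("app", "db"): {5432, 6379},
}
METRICS_PORT = 9100  # the only port any zone may open towards management (assumed value)
SERVICE_PORTS = {p for ports in POLICY.values() for p in ports} | {METRICS_PORT}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Evaluate the zone matrix: intra-zone traffic is out of scope, the rest is default-deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst or src == "mgmt":   # Management -> All is allowed
        return True
    if dst == "mgmt":                 # All -> Management only for metrics export
        return dst_port == METRICS_PORT
    return dst_port in POLICY.get((src, dst), set())

def audit(flow_lines):
    """Return (src_zone, dst_zone, port) for accepted flows that contradict the matrix."""
    violations = []
    for line in flow_lines:
        f = line.split()  # default VPC Flow Log field order
        src, dst, sport, dport, action = f[3], f[4], int(f[5]), int(f[6]), f[12]
        # Stateful security groups log the reply half (service port -> ephemeral port) too;
        # skip it so an allowed App->DB session is not reported as DB->App.
        if action != "ACCEPT" or (sport in SERVICE_PORTS and dport >= 32768):
            continue
        if not is_allowed(src, dst, dport):
            violations.append((zone_of(src), zone_of(dst), dport))
    return violations

# Constructed records: DMZ->App ok, DMZ->DB violation, DB->App reply skipped,
# DB->App new connection violation, App->Mgmt SSH already rejected so ignored.
SAMPLE = [
    "2 123456789012 eni-0a1b 10.0.1.10 10.0.2.20 51234 8080 6 10 840 1 2 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.1.10 10.0.3.30 51235 5432 6 10 840 1 2 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.3.30 10.0.2.20 5432 44322 6 10 840 1 2 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.3.30 10.0.2.20 44400 8080 6 10 840 1 2 ACCEPT OK",
    "2 123456789012 eni-0a1b 10.0.2.20 10.0.4.40 44401 22 6 10 840 1 2 REJECT OK",
]
```

The reply-flow heuristic is deliberately simple; a production audit would pair flows by connection or use the flow-direction field instead of guessing from port ranges.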
## Cloud VPC Segmentation

```hcl
# Terraform: Network segmentation in AWS
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

# Public subnet (DMZ equivalent)
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
  tags       = { Name = "public-dmz" }
}

# Application subnet (private)
resource "aws_subnet" "app" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.2.0/24"
  tags       = { Name = "app-private" }
}

# Database subnet (isolated)
resource "aws_subnet" "db" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.3.0/24"
  tags       = { Name = "db-isolated" }
}

# Security group for the application tier. The database group below references
# it, so only instances that are members of this group can open connections to
# the database; its own ingress (DMZ -> App) is declared separately.
resource "aws_security_group" "app" {
  vpc_id = aws_vpc.main.id
}

# Security group: App can reach DB, nothing else can
resource "aws_security_group" "db" {
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }

  # No egress block: the database should not initiate connections. Terraform
  # removes AWS's default allow-all egress rule when a security group declares
  # no egress, and security groups are stateful, so replies to the permitted
  # ingress still flow. (An egress block with empty cidr_blocks is not valid.)
}
```
## Micro-Segmentation

```yaml
# Kubernetes NetworkPolicy: Per-pod segmentation
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payment-service-policy
spec:
  podSelector:
    matchLabels:
      app: payment-service
  policyTypes: ["Ingress", "Egress"]
  ingress:
  # A bare podSelector matches pods in this policy's namespace only
  - from:
    - podSelector:
        matchLabels:
          app: order-service   # Only order-service can call payment
    ports:
    - port: 8080
      protocol: TCP
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: payment-db      # Can only reach its own database
    ports:
    - port: 5432
      protocol: TCP
  - to:                        # External payment processor
    - ipBlock:
        cidr: 203.0.113.0/24
    ports:
    - port: 443
      protocol: TCP
  # DNS to the cluster resolver; once egress is restricted, the service and
  # processor hostnames cannot be resolved without this rule
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - port: 53
      protocol: UDP
    - port: 53
      protocol: TCP
```
## Anti-Patterns

| Anti-Pattern | Consequence | Fix |
|---|---|---|
| Flat network | Full lateral movement on breach | Zone-based segmentation minimum |
| Allow-all egress | Data exfiltration undetected | Restrict egress, DNS filtering |
| IP-based rules only | Rules break on IP change | Identity-based micro-segmentation |
| No east-west monitoring | Internal threats invisible | Monitor inter-zone traffic |
| Over-permissive security groups | Effectively no segmentation | Least-privilege, audit regularly |
Network segmentation is the most cost-effective security control. It does not prevent breaches — it prevents breaches from becoming disasters.