Zero Trust Network Architecture
Implementing zero trust networking from scratch. Covers identity-based access, microsegmentation, mTLS, network policies, and replacing VPNs with zero trust proxies.
Traditional network security operates on the castle-and-moat model: everything inside the perimeter is trusted, everything outside is not. Zero trust eliminates the concept of a trusted network. Every request is authenticated, authorized, and encrypted — regardless of where it originates. The principle is simple: never trust, always verify.
The shift to zero trust isn’t optional. With remote work, cloud infrastructure, and SaaS adoption, the network perimeter no longer exists. Your employees access resources from home WiFi, coffee shops, and airplanes. Your infrastructure spans three cloud providers. The perimeter is everywhere, which means it’s nowhere.
Zero Trust Principles
- Verify explicitly: Authenticate and authorize every request based on all available signals (identity, device health, location, resource sensitivity)
- Least privilege access: Grant minimum permissions needed for the task, with just-in-time and just-enough-access policies
- Assume breach: Design systems to limit blast radius. Segment networks, encrypt all traffic, and continuously monitor for anomalies
Microsegmentation
Instead of a flat network where any workload can talk to any other, microsegmentation creates fine-grained zones with explicit communication policies.
Kubernetes Network Policies
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: api-server-policy
namespace: production
spec:
podSelector:
matchLabels:
app: api-server
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: api-gateway
ports:
- protocol: TCP
port: 8080
egress:
- to:
- podSelector:
matchLabels:
app: database
ports:
- protocol: TCP
port: 5432
- to:
- podSelector:
matchLabels:
app: cache
ports:
- protocol: TCP
port: 6379Default deny all: Start by denying all traffic, then explicitly allow only required communication paths. This is the opposite of traditional networking (allow all, block known bad).
Mutual TLS (mTLS)
mTLS ensures both client and server authenticate each other with certificates. This prevents:
- Man-in-the-middle attacks
- Unauthorized service-to-service communication
- Traffic interception on the network
Service Mesh Implementation
Service meshes (Istio, Linkerd) automate mTLS between all services:
# Istio PeerAuthentication - require mTLS for all services
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: production
spec:
mtls:
mode: STRICTWith STRICT mode, any unencrypted communication is rejected. This is the simplest and most impactful zero trust control for service-to-service communication.
Identity-Based Access
Replace IP-based firewall rules with identity-based policies. Instead of “allow traffic from 10.0.1.0/24”, use “allow traffic from service-account api-server”.
SPIFFE/SPIRE
SPIFFE (Secure Production Identity Framework for Everyone) provides cryptographic identity to every workload:
spiffe://company.com/cluster/production/namespace/payments/sa/payment-serviceEach workload gets a short-lived X.509 certificate (SVID) that proves its identity. No shared secrets, no API keys, no static credentials rotating on a quarterly basis.
Replacing VPNs with Zero Trust Proxies
Traditional VPNs grant full network access once authenticated. This violates least-privilege — a compromised VPN session gives an attacker access to the entire network.
Zero trust proxies (Cloudflare Access, Zscaler Private Access, Tailscale) provide per-application access:
| Feature | VPN | Zero Trust Proxy |
|---|---|---|
| Network access | Full L3 access to subnet | Per-application only |
| Auth frequency | Once at connection | Every request |
| Device posture | Optional | Required |
| Logging | Connection-level | Request-level |
| Lateral movement | Easy (full network) | Impossible (no network access) |
Implementation Roadmap
Phase 1: Visibility (Month 1-2)
- Deploy network monitoring to map all communication flows
- Identify every service-to-service dependency
- Catalog all external access points
Phase 2: Identity (Month 3-4)
- Implement service mesh with mTLS (Istio/Linkerd)
- Deploy SPIFFE/SPIRE for workload identity
- Migrate from IP-based to identity-based policies
Phase 3: Segmentation (Month 5-6)
- Implement network policies (default deny)
- Segment by environment (prod/staging/dev)
- Segment by sensitivity (PCI, HIPAA, general)
Phase 4: Access Control (Month 7-9)
- Replace VPN with zero trust proxy
- Implement device posture checking
- Enable just-in-time privileged access
Phase 5: Continuous Verification (Month 10-12)
- Deploy anomaly detection on network flows
- Implement continuous authentication (re-verify on risk signals)
- Automate policy enforcement and drift detection
Zero trust isn’t a product you buy — it’s a security philosophy you implement incrementally. Start with mTLS and network policies, which provide the highest security value per engineering effort.
