Network Segmentation

🔥 Vibe Prompt

"Design a segmented network: DMZ, application, database, management zones with firewall rules."

Network Zones

Internet
   ↓
[Firewall] → DMZ (Web servers, load balancers)
                 ↓
              [Firewall] → App Zone (API servers)
                              ↓
                           [Firewall] → DB Zone (databases)
                                              ↓
                                        [Firewall] → Management (bastion, monitoring)

Firewall Rules

# Internet → DMZ
- Allow: 80 (HTTP), 443 (HTTPS) from 0.0.0.0/0
- Deny: all else

# DMZ → App Zone
- Allow: 8000-8100 (API) from DMZ subnet
- Deny: all else

# App Zone → DB Zone
- Allow: 5432 (Postgres), 6379 (Redis) from App subnet
- Deny: all else

# Management → All
- Allow: 22 (SSH) from Jump subnet (your IP only)
- Allow: 9090 (Prometheus) from Jump subnet

Zero Trust Network

- No implicit trust based on network location
- Every request must authenticate
- Micro-segmentation (per-service firewall)
- Encrypt all traffic (even internal)
- Continuous verification

AWS Security Groups (Micro-segmentation)

# Assumes aws_vpc.main is declared elsewhere. The alb and db security
# groups are declared here so that the rules below resolve.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "api" {
  name   = "api-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "db" {
  name   = "db-sg"
  vpc_id = aws_vpc.main.id
}

# API servers accept 8000/tcp only from members of the load balancer's
# security group, not from a CIDR: group membership is the trust boundary.
resource "aws_security_group_rule" "api_from_alb" {
  type                     = "ingress"
  from_port                = 8000
  to_port                  = 8000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
  security_group_id        = aws_security_group.api.id
}

# Postgres (5432/tcp) is reachable only from members of the api group.
resource "aws_security_group_rule" "db_from_api" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.api.id
  security_group_id        = aws_security_group.db.id
}

Network Security Best Practices

| Practice | Purpose |
|----------|---------|
| Default deny | Minimize attack surface |
| Least privilege | Only necessary ports |
| Micro-segmentation | Limit blast radius |
| Encrypt in transit | Prevent sniffing |
| Flow logs | Detect anomalies |
| IDS/IPS | Block known attacks |
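The firewall rules above and the "Flow logs" practice in the table can be checked together: encode the zone policy as data with default deny, then run it over flow log records to find accepted flows that the policy says should never exist. This is an added example, not code from the course; the zone subnets and the flow log lines are constructed.

```python
import ipaddress

# Constructed zone subnets for the page's zones plus the Internet.
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
    "mgmt": ipaddress.ip_network("10.0.9.0/24"),
}

# Page's allow rules as (src_zone, dst_zone, low, high); "*" = any zone.
ALLOW = [
    ("internet", "dmz", 80, 80), ("internet", "dmz", 443, 443),
    ("dmz", "app", 8000, 8100),
    ("app", "db", 5432, 5432), ("app", "db", 6379, 6379),
    ("mgmt", "*", 22, 22), ("mgmt", "*", 9090, 9090),
]

def zone_of(ip: str) -> str:
    """Longest-prefix match so 10.x hosts land in their zone, not 'internet'."""
    addr = ipaddress.ip_address(ip)
    hits = [z for z, net in ZONES.items() if addr in net]
    return max(hits, key=lambda z: ZONES[z].prefixlen)

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: only an explicit zone-to-zone rule permits the flow."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(s == src and d in (dst, "*") and lo <= dst_port <= hi
               for s, d, lo, hi in ALLOW)

# Constructed VPC flow log lines (default v2 field order) for the audit.
FLOW_LOGS = """\
2 123456789012 eni-0a 203.0.113.7 10.0.1.10 51234 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b 10.0.1.10 10.0.2.20 40000 8080 6 5 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0c 10.0.1.10 10.0.3.30 40001 5432 6 3 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0d 203.0.113.7 10.0.3.30 40002 5432 6 2 300 1700000000 1700000060 REJECT OK
2 123456789012 eni-0e 10.0.2.20 10.0.3.30 40003 6379 6 4 800 1700000000 1700000060 ACCEPT OK
""".splitlines()

def audit_flow_logs(lines):
    """ACCEPTed TCP flows the policy forbids: each is a rule that is too broad."""
    bad = []
    for line in lines:
        f = line.split()
        src, dst, dport, proto, action = f[3], f[4], int(f[6]), f[7], f[12]
        if proto == "6" and action == "ACCEPT" and not is_allowed(src, dst, dport):
            bad.append((zone_of(src), zone_of(dst), dport))
    return bad
```

The DMZ host reaching Postgres directly is the finding: it skips the app tier, so some security group or firewall rule is wider than the policy.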

Key Points

  • Understand the core concepts thoroughly
  • Practice with hands-on code examples
  • Apply knowledge to real-world problems
  • Review and reinforce through exercises

Further Learning

  • Official documentation
  • Open source projects on GitHub
  • Community forums and discussions
  • Related courses and tutorials


Why learn network segmentation and isolation?

Network segmentation and isolation is one of the core chapters of the security-network course.

In the real world

Network segmentation and isolation is not textbook theory: it comes up frequently in real software development. Whether you are doing freelance work, preparing for interviews, or want to deepen your technical skills, understanding this topic will benefit you directly.

What you will gain from this chapter

  • 🎯 A complete body of knowledge: from core principles to implementation details, clearly organized
  • 💻 Runnable code: every code snippet is complete and can be run directly
  • 🔍 Debugging tips: analysis of common mistakes and their solutions
  • 🚀 Next steps: which direction to continue in after finishing the chapter

Leading into the next chapter

This chapter builds a complete knowledge foundation for network segmentation and isolation. The next chapter builds on it and takes you into more advanced real-world application scenarios: you will learn how to apply what you learned here to more complex problems.
