Network Segmentation
🔥 Vibe Prompt
"Design a segmented network: DMZ, application, database, management zones with firewall rules."
Network Zones
Internet
↓
[Firewall] → DMZ (Web servers, load balancers)
↓
[Firewall] → App Zone (API servers)
↓
[Firewall] → DB Zone (databases)
↓
[Firewall] → Management (bastion, monitoring)
Firewall Rules
```text
# Internet → DMZ
- Allow: 80 (HTTP), 443 (HTTPS) from 0.0.0.0/0
- Deny: all else
# DMZ → App Zone
- Allow: 8000-8100 (API) from DMZ subnet
- Deny: all else
# App Zone → DB Zone
- Allow: 5432 (Postgres), 6379 (Redis) from App subnet
- Deny: all else
# Management → All
- Allow: 22 (SSH) from Jump subnet (your IP only)
- Allow: 9090 (Prometheus) from Jump subnet
```
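As an added illustration (not part of the original lesson), the rule set above modelled as a default-deny policy evaluator, with assumed private subnets for each zone and an audit confirming that no flow can skip a tier:

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing for the page's zones (assumed; the page names no subnets).
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz":      ip_network("10.0.1.0/24"),
    "app":      ip_network("10.0.2.0/24"),
    "db":       ip_network("10.0.3.0/24"),
    "jump":     ip_network("10.0.9.0/24"),   # management / bastion subnet
}

# (src zone, dst zone, protocol, (low port, high port)) taken from the page's allow rules.
# "*" means any destination zone. Anything not listed here is denied (default deny).
ALLOW = [
    ("internet", "dmz", "tcp", (80, 80)),
    ("internet", "dmz", "tcp", (443, 443)),
    ("dmz",      "app", "tcp", (8000, 8100)),
    ("app",      "db",  "tcp", (5432, 5432)),
    ("app",      "db",  "tcp", (6379, 6379)),
    ("jump",     "*",   "tcp", (22, 22)),
    ("jump",     "*",   "tcp", (9090, 9090)),
]

def zone_of(ip):
    """Return the most specific zone containing ip ('internet' unless a private zone matches)."""
    addr, best = ip_address(ip), None
    for name, net in ZONES.items():
        if addr in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

def is_allowed(src_ip, dst_ip, proto, port):
    """Evaluate one flow against the zone policy; a flow matching no allow rule is denied."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for s, d, p, (lo, hi) in ALLOW:
        if s == src and d in (dst, "*") and p == proto and lo <= port <= hi:
            return True
    return False

def tier_skipping_flows():
    """Audit: probe flows that bypass a tier and return any the policy wrongly permits."""
    probes = [
        ("203.0.113.5", "10.0.2.10", "tcp", 8000),   # internet -> app (skips DMZ)
        ("203.0.113.5", "10.0.3.10", "tcp", 5432),   # internet -> db
        ("10.0.1.10",   "10.0.3.10", "tcp", 5432),   # dmz -> db (skips app tier)
        ("10.0.3.10",   "10.0.2.10", "tcp", 8000),   # db -> app (no east-west rule)
    ]
    return [flow for flow in probes if is_allowed(*flow)]
```

An empty result from `tier_skipping_flows()` means the layered policy holds; any entry it returns is a rule that lets traffic bypass a tier and should be removed.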
Zero Trust Network
- No implicit trust based on network location
- Every request must authenticate
- Micro-segmentation (per-service firewall)
- Encrypt all traffic (even internal)
- Continuous verification
AWS Security Groups (Micro-segmentation)
```hcl
# Security groups referenced by the rules below. The original snippet only defined
# "api"; "alb" and "db" are added here so the references resolve.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "api" {
  name   = "api-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "db" {
  name   = "db-sg"
  vpc_id = aws_vpc.main.id
}

# Only the load balancer's security group may reach the API on 8000.
# Referencing a security group (not a CIDR) keeps the rule correct as instances change.
resource "aws_security_group_rule" "api_from_alb" {
  type                     = "ingress"
  from_port                = 8000
  to_port                  = 8000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
  security_group_id        = aws_security_group.api.id
}

# Only the API tier may reach Postgres; no ingress rule exists from the ALB or DMZ.
# Security groups deny everything not explicitly allowed, so no deny rule is needed.
resource "aws_security_group_rule" "db_from_api" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.api.id
  security_group_id        = aws_security_group.db.id
}
```
Network Security Best Practices
| Practice | Purpose |
|----------|---------|
| Default deny | Minimize attack surface |
| Least privilege | Only necessary ports |
| Micro-segmentation | Limit blast radius |
| Encrypt in transit | Prevent sniffing |
| Flow logs | Detect anomalies |
| IDS/IPS | Block known attacks |
Key Points
- Understand the core concepts thoroughly
- Practice with hands-on code examples
- Apply knowledge to real-world problems
- Review and reinforce through exercises
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials
Why Learn Network Segmentation and Isolation?
Network segmentation and isolation is one of the core chapters of the security-network course.
In the Real World
Network segmentation and isolation is not just textbook theory; it comes up frequently in real software development. Whether you are doing contract work, preparing for interviews, or want to deepen your technical skills, understanding this topic will benefit you directly.
What You Will Gain from This Chapter
- 🎯 A complete body of knowledge: from core principles to implementation details, clearly organized
- 💻 Runnable code: every code snippet is complete and can be executed directly
- 🔍 Debugging techniques: analysis of common mistakes and their solutions
- 🚀 Guidance for next steps: which direction to pursue after finishing this chapter
Bridging to the Next Chapter
This chapter has built a complete knowledge foundation in network segmentation and isolation. The next chapter builds on that foundation and takes you into more advanced real-world application scenarios, where you will learn how to apply what you learned here to more complex problems.