Network Segmentation
Vibe Prompt
"Design a segmented network: DMZ, application, database, management zones with firewall rules."
Network Zones
```
Internet
   |
[Firewall] -> DMZ (web servers, load balancers)
   |
[Firewall] -> App Zone (API servers)
   |
[Firewall] -> DB Zone (databases)

[Firewall] -> Management (bastion, monitoring) -> reaches DMZ, App, DB through its own rules
```
Traffic from the Internet has to cross one firewall per hop, so nothing on the Internet has a direct path to the App or DB tier. Management is a side zone rather than the last link in the chain: the bastion and monitoring hosts initiate connections into every tier, but no tier initiates connections back into management.
Firewall Rules
# Internet → DMZ
- Allow: 80 (HTTP), 443 (HTTPS) from 0.0.0.0/0
- Deny: all else
# DMZ → App Zone
- Allow: 8000-8100 (API) from DMZ subnet
- Deny: all else
# App Zone → DB Zone
- Allow: 5432 (Postgres), 6379 (Redis) from App subnet
- Deny: all else
# Operator → Management
- Allow: 22 (SSH) to the bastion from your own IP address(es) only, never from 0.0.0.0/0
- Allow: 9090 (Prometheus) from the same operator address(es), or reach it over an SSH tunnel through the bastion
- Deny: all else
# Management → DMZ, App, DB
- Allow: 22 (SSH) from the bastion host; the monitoring host's scrape ports from the monitoring host
- Deny: all else
No rule permits Internet → App, Internet → DB or DMZ → DB. A compromised web server can reach only the API ports, and getting to the database requires a second compromise inside the App Zone. Apply the same default deny to egress so that a compromised host cannot call out to arbitrary destinations.
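The rule table above can be modelled and tested before it is deployed. The following is an added example, not code from the original page: it encodes the zones as subnets (hypothetical RFC 1918 ranges plus a single operator address, chosen for this example), evaluates a flow with default deny, and lints the table for rules that would let the Internet skip the DMZ or reach the DB tier from the wrong zone.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical subnets for the zones in the diagram plus one operator address
# that may reach the bastion (constructed for this example, not from the page).
ZONES = {
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
    "mgmt": ipaddress.ip_network("10.0.9.0/24"),
    "operator": ipaddress.ip_network("203.0.113.10/32"),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: range  # permitted TCP destination ports


def port_text(ports: range) -> str:
    return str(ports.start) if len(ports) == 1 else f"{ports.start}-{ports.stop - 1}"


# The rule table from the text. Anything not listed here is denied.
RULES = [
    Rule("internet", "dmz", range(80, 81)),
    Rule("internet", "dmz", range(443, 444)),
    Rule("dmz", "app", range(8000, 8101)),
    Rule("app", "db", range(5432, 5433)),
    Rule("app", "db", range(6379, 6380)),
    Rule("operator", "mgmt", range(22, 23)),
    Rule("operator", "mgmt", range(9090, 9091)),
    Rule("mgmt", "dmz", range(22, 23)),
    Rule("mgmt", "app", range(22, 23)),
    Rule("mgmt", "db", range(22, 23)),
]


def is_allowed(src_ip: str, dst_ip: str, dst_port: int, rules=RULES) -> bool:
    """Default deny: a flow passes only if some rule matches its zone pair and port."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(r.src_zone == src and r.dst_zone == dst and dst_port in r.ports
               for r in rules)


def lint_rules(rules=RULES) -> list:
    """Flag rules that let the Internet bypass the DMZ, or that expose the DB
    tier to any zone other than the app tier or the bastion."""
    findings = []
    for r in rules:
        if r.src_zone == "internet" and r.dst_zone != "dmz":
            findings.append(f"internet reaches {r.dst_zone} directly on {port_text(r.ports)}")
        if r.dst_zone == "db" and r.src_zone not in ("app", "mgmt"):
            findings.append(f"{r.src_zone} reaches db on {port_text(r.ports)}")
    return findings


if __name__ == "__main__":
    checks = [
        ("198.51.100.7", "10.0.1.10", 443),   # internet -> DMZ web: allowed
        ("198.51.100.7", "10.0.3.10", 5432),  # internet -> DB: denied
        ("10.0.1.10", "10.0.3.10", 5432),     # DMZ -> DB, skipping the app tier: denied
        ("10.0.2.10", "10.0.3.10", 5432),     # app -> DB: allowed
        ("10.0.1.10", "10.0.2.10", 8080),     # DMZ -> app API: allowed
        ("203.0.113.10", "10.0.9.5", 22),     # operator -> bastion: allowed
        ("198.51.100.7", "10.0.9.5", 22),     # anyone else -> bastion: denied
    ]
    for src, dst, port in checks:
        verdict = "ALLOW" if is_allowed(src, dst, port) else "DENY"
        print(f"{src:>14} -> {dst}:{port:<5} {verdict}")
    # A deliberately bad rule that lint_rules should catch.
    print("lint:", lint_rules(RULES + [Rule("internet", "db", range(5432, 5433))]))
```

Running the checks shows the two denies that matter most: Internet → DB and DMZ → DB both fail, so the only route to the database runs through the App Zone. The linter is the kind of check to run in CI against whatever source of truth holds the real rules.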
Zero Trust Network
- No implicit trust based on network location: being inside the VPC or the App subnet grants nothing by itself
- Every request authenticates the caller (mTLS or signed service tokens), not the source IP
- Micro-segmentation: a firewall policy per service, not per subnet
- Encrypt all traffic, including internal hops, so a foothold in one zone cannot sniff another
- Continuous verification: re-check identity and posture per request, not once at login
AWS Security Groups (Micro-segmentation)
```hcl
# One security group per tier. Each tier admits traffic only from the group one
# hop upstream, so the DB tier never sees packets from the ALB or the Internet.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "api" {
  name   = "api-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "db" {
  name   = "db-sg"
  vpc_id = aws_vpc.main.id
}

# ALB -> API: the source is a group, not a CIDR, so the rule survives IP churn
resource "aws_security_group_rule" "api_from_alb" {
  type                     = "ingress"
  from_port                = 8000
  to_port                  = 8000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
  security_group_id        = aws_security_group.api.id
}

# API -> DB: only instances carrying api-sg can open Postgres connections
resource "aws_security_group_rule" "db_from_api" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.api.id
  security_group_id        = aws_security_group.db.id
}
```
Two caveats. Security groups are stateful, so replies to an allowed ingress flow are permitted automatically, but a group declared in Terraform without an egress block has no egress rules at all (Terraform strips the allow-all egress rule AWS would otherwise create); add explicit egress rules on api-sg for the connections it initiates, such as 5432 to db-sg. And the ALB still needs its own ingress rule for 443 from 0.0.0.0/0, which is the only place a public CIDR should appear.
Network Security Best Practices
| Practice | Purpose |
|----------|---------|
| Default deny | Minimize attack surface |
| Least privilege | Only necessary ports |
| Micro-segmentation | Limit blast radius |
| Encrypt in transit | Prevent sniffing |
| Flow logs | Detect anomalies |
| IDS/IPS | Block known attacks |
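Flow logs only detect anomalies if something compares them against the segmentation policy. The following is an added example, not code from the original page or from AWS: it parses records in the default AWS VPC flow log format (version 2), flags ACCEPTed flows between zone pairs the policy does not permit (a misconfigured security group or a lateral-movement path), and flags sources whose REJECTed probes fan out across many ports. The subnets, the policy table and the log lines are constructed for this example.

```python
import ipaddress
from collections import defaultdict

# Hypothetical zone subnets matching the diagram (constructed for this example).
ZONES = {
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
    "mgmt": ipaddress.ip_network("10.0.9.0/24"),
}

# (source zone, destination zone, permitted destination ports), from the rule table.
ALLOWED = [
    ("internet", "dmz", range(80, 81)), ("internet", "dmz", range(443, 444)),
    ("dmz", "app", range(8000, 8101)),
    ("app", "db", range(5432, 5433)), ("app", "db", range(6379, 6380)),
    ("mgmt", "dmz", range(22, 23)), ("mgmt", "app", range(22, 23)), ("mgmt", "db", range(22, 23)),
]

# Field order of the default AWS VPC flow log record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "internet")


def permitted(src_zone: str, dst_zone: str, port: int) -> bool:
    return any(s == src_zone and d == dst_zone and port in ports for s, d, ports in ALLOWED)


def parse_flow(line: str) -> dict:
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count in record: {line!r}")
    return dict(zip(FIELDS, parts))


def analyze(lines, scan_threshold: int = 5):
    """Return (policy violations, probable scanners).

    A violation is an ACCEPTed flow whose zone pair and port the policy permits
    in neither direction. The reverse check matters because flow logs are
    unidirectional: a server's replies on a permitted connection appear as a
    separate record with source and destination swapped.
    """
    violations, rejected = [], defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no addresses or ports
        src, dst = zone_of(rec["srcaddr"]), zone_of(rec["dstaddr"])
        sport, dport = int(rec["srcport"]), int(rec["dstport"])
        if rec["action"] == "ACCEPT":
            if not (permitted(src, dst, dport) or permitted(dst, src, sport)):
                violations.append((rec["srcaddr"], rec["dstaddr"], dport, f"{src}->{dst}"))
        elif rec["action"] == "REJECT":
            rejected[rec["srcaddr"]].add((rec["dstaddr"], dport))
    scanners = sorted(s for s, hits in rejected.items() if len(hits) >= scan_threshold)
    return violations, scanners


# Constructed sample records: normal tiered traffic, one reply flow, one
# DMZ -> DB connection the policy forbids, a port probe, and a NODATA row.
LOG_LINES = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40512 443 6 10 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.10 51000 8080 6 6 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.10 10.0.3.10 51234 5432 6 12 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.3.10 10.0.2.10 5432 51234 6 12 8192 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.3.10 51300 5432 6 3 300 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 44001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 44002 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 44003 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 44004 5432 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 44005 21 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    violations, scanners = analyze(LOG_LINES)
    for v in violations:
        print("policy violation:", v)
    print("probable scanners:", scanners)
```

The one ACCEPTed DMZ → DB record is the finding that matters: the policy says that hop cannot exist, so an accepted flow there means a security group or ACL drifted from the design. The reply record from the database (source port 5432, ephemeral destination port) is correctly ignored; without the reverse check every permitted connection would produce a false positive.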
Key Points
- Each zone is reachable only from the zone directly upstream of it; the Internet never has a path into the App or DB tier
- Default deny on every boundary, with explicit allow rules per port and per source, for egress as well as ingress
- Micro-segmentation with security groups that reference other groups limits the blast radius of one compromised host
- Network position is not identity: authenticate and encrypt every request, even inside the VPC
- Flow logs and IDS/IPS turn segmentation into a detection source, not just a barrier
Further Learning
- Official documentation
- Open source projects on GitHub
- Community forums and discussions
- Related courses and tutorials