Network Segmentation

🔥 Vibe Prompt

"Design a segmented network: DMZ, application, database, management zones with firewall rules."

Network Zones

```
Internet
   ↓
[Firewall] → DMZ (Web servers, load balancers)
                 ↓
              [Firewall] → App Zone (API servers)
                              ↓
                           [Firewall] → DB Zone (databases)
                                              ↓
                                        [Firewall] → Management (bastion, monitoring)
```

Firewall Rules

```
# Internet → DMZ
- Allow: 80 (HTTP), 443 (HTTPS) from 0.0.0.0/0
- Deny: all else

# DMZ → App Zone
- Allow: 8000-8100 (API) from DMZ subnet
- Deny: all else

# App Zone → DB Zone
- Allow: 5432 (Postgres), 6379 (Redis) from App subnet
- Deny: all else

# Management → All
- Allow: 22 (SSH) from Jump subnet (your IP only)
- Allow: 9090 (Prometheus) from Jump subnet
```

Zero Trust Network

- No implicit trust based on network location
- Every request must authenticate
- Micro-segmentation (per-service firewall)
- Encrypt all traffic (even internal)
- Continuous verification

AWS Security Groups (Micro-segmentation)

```hcl
# One security group per tier; aws_vpc.main is assumed to be declared elsewhere.
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "api" {
  name   = "api-sg"
  vpc_id = aws_vpc.main.id
}

resource "aws_security_group" "db" {
  name   = "db-sg"
  vpc_id = aws_vpc.main.id
}

# DMZ -> App: only members of the load balancer's group may reach the API port.
resource "aws_security_group_rule" "api_from_alb" {
  type                     = "ingress"
  from_port                = 8000
  to_port                  = 8000
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.alb.id
  security_group_id        = aws_security_group.api.id
}

# App -> DB: only members of the API group may reach Postgres.
resource "aws_security_group_rule" "db_from_api" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.api.id
  security_group_id        = aws_security_group.db.id
}
```

Network Security Best Practices

| Practice | Purpose |
|----------|---------|
| Default deny | Minimize attack surface |
| Least privilege | Only necessary ports |
| Micro-segmentation | Limit blast radius |
| Encrypt in transit | Prevent sniffing |
| Flow logs | Detect anomalies |
| IDS/IPS | Block known attacks |
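As an added example (not code from the original page), the zone rules above expressed as a default-deny policy and then run over flow-log lines to flag accepted flows that breach the segmentation, which is what the "Flow logs" row means by detecting anomalies. The subnet addresses, the simplified log format and the `jump` zone name are assumptions made for the example.

```python
import ipaddress

# Constructed sample addressing for the page's zones (not from the page).
ZONES = {
    "internet": ipaddress.ip_network("0.0.0.0/0"),
    "dmz": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
    "jump": ipaddress.ip_network("10.0.9.0/24"),
}

# The page's allow-list as (src zone, dst zone or "*", first port, last port).
# Any flow not matched here is denied, which is the default-deny posture.
ALLOW = [
    ("internet", "dmz", 80, 80), ("internet", "dmz", 443, 443),
    ("dmz", "app", 8000, 8100),
    ("app", "db", 5432, 5432), ("app", "db", 6379, 6379),
    ("jump", "*", 22, 22), ("jump", "*", 9090, 9090),
]

def zone_of(ip: str) -> str:
    """Longest-prefix match, so 0.0.0.0/0 only catches non-internal addresses."""
    addr = ipaddress.ip_address(ip)
    return max((n.prefixlen, z) for z, n in ZONES.items() if addr in n)[1]

def is_allowed(src_ip: str, dst_ip: str, dport: int) -> bool:
    """True only if some allow rule covers this zone pair and port."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    return any(s == src and d in (dst, "*") and lo <= dport <= hi
               for s, d, lo, hi in ALLOW)

def audit_flow_log(lines):
    """Return ACCEPTed flows that the segmentation design says should be denied."""
    # Line format is a constructed simplification: "src_ip dst_ip dport ACCEPT|REJECT".
    violations = []
    for line in lines:
        src, dst, port, action = line.split()
        if action == "ACCEPT" and not is_allowed(src, dst, int(port)):
            violations.append(line)
    return violations

# Constructed sample log: three flows the design permits, two it forbids.
SAMPLE_LOG = [
    "203.0.113.5 10.0.1.10 443 ACCEPT",  # internet -> DMZ, HTTPS
    "10.0.1.10 10.0.2.20 8080 ACCEPT",   # DMZ -> app, inside API port range
    "10.0.1.10 10.0.3.30 5432 ACCEPT",   # DMZ -> DB directly: violation
    "203.0.113.5 10.0.2.20 22 ACCEPT",   # internet -> app SSH: violation
    "10.0.9.5 10.0.3.30 22 ACCEPT",      # jump host -> DB SSH
]
```

Running `audit_flow_log(SAMPLE_LOG)` returns the two violating lines; a flow that the firewalls accepted but the policy forbids is the signal that a rule has drifted from the design.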

Key Points

  • Understand the core concepts thoroughly
  • Practice with hands-on code examples
  • Apply knowledge to real-world problems
  • Review and reinforce through exercises

Further Learning

  • Official documentation
  • Open source projects on GitHub
  • Community forums and discussions
  • Related courses and tutorials
