The moment you migrated to the cloud, your network perimeter didn't just shift; it dissolved. Firewalls that once guarded a data-center entrance are now abstractions spread across hundreds of software-defined constructs, and a single overly permissive security group rule can expose more than a physical firewall misconfiguration ever could. Understanding how to architect, enforce and monitor network security in this new reality isn't optional; it's the foundation everything else sits on.
The Perimeter Is Dead. Long Live the Micro-Perimeter.
In traditional infrastructure, network security meant controlling traffic at well-defined chokepoints. In the cloud, every workload, container, and serverless function is a potential ingress point. The mental model must shift from castle-and-moat to zero-trust microsegmentation: assume breach, verify everything, and grant least-privilege access at every layer.
This means your security strategy needs to operate at three distinct tiers: VPC/network architecture, workload-level controls, and identity-aware access policies.
Tier 1: Architect Your VPC for Isolation
Your Virtual Private Cloud design is your first line of defense. A well-segmented VPC separates public-facing resources from internal services and databases, limiting blast radius by design.
Here's a Terraform example of the subnet layout for a three-tier network on AWS. The route tables, internet gateway and any NAT gateway are omitted, and all three subnets sit in a single Availability Zone for brevity; in production each tier spans at least two AZs.

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
}

# Public tier: the only subnet whose route table should point at an internet gateway.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-east-1a"
  tags = { Name = "public-web-tier" }
}

# Application tier: outbound access, if any, goes through a NAT gateway.
resource "aws_subnet" "private_app" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "us-east-1a"
  tags = { Name = "private-app-tier" }
}

# Data tier: no route to an internet gateway or NAT gateway at all.
resource "aws_subnet" "private_data" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.3.0/24"
  availability_zone = "us-east-1a"
  tags = { Name = "private-data-tier" }
}

Key principle: your database subnet should have no route to an internet gateway, ever. Use VPC endpoints for AWS service access and NAT gateways only where outbound access is strictly required. Remember too that a subnet with no explicit route table association silently uses the VPC's main route table, so keep the main table free of internet routes or associate every subnet explicitly.
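A check for that principle, as an added example rather than code from the post: it walks route-table data in the shape of the EC2 DescribeRouteTables response (the tables, subnet ids and tier names below are constructed) and reports any private-tier subnet whose effective route table, explicit or inherited from the VPC main table, carries a route to an internet gateway.

```python
"""Find private subnets with a path to an internet gateway.

Added example, not code from the post. Input mirrors the shape of the EC2
DescribeRouteTables response; the tables, subnet ids and tier names below
are constructed for illustration.
"""


def table_for_subnet(route_tables, subnet_id):
    """Return the route table that governs subnet_id.

    A subnet uses the table it is explicitly associated with. Without an
    association it silently inherits the VPC's main route table, which is
    exactly how a "private" subnet ends up with an internet route.
    """
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def internet_routes(rt):
    """Routes in a table whose target is an internet gateway (igw-...)."""
    return [
        r for r in rt.get("Routes", [])
        if r.get("GatewayId", "").startswith("igw-")
        and r.get("State", "active") == "active"
    ]


def exposed_subnets(route_tables, subnets):
    """Map subnet id -> [(route table id, destination)] for every subnet that
    can reach an internet gateway. `subnets` maps subnet id -> tier name."""
    findings = {}
    for subnet_id in subnets:
        rt = table_for_subnet(route_tables, subnet_id)
        if rt is None:
            continue
        hits = internet_routes(rt)
        if hits:
            findings[subnet_id] = [
                (rt["RouteTableId"],
                 r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock"))
                for r in hits
            ]
    return findings


def violations(route_tables, subnets,
               private_tiers=("private-app-tier", "private-data-tier")):
    """Only private tiers count as violations; the public tier is meant to
    have an internet route."""
    exposed = exposed_subnets(route_tables, subnets)
    return {sid: hits for sid, hits in exposed.items()
            if subnets[sid] in private_tiers}


# Constructed sample. rtb-main is the VPC main table and carries the classic
# mistake: a default route to the internet gateway.
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-app",
        "Associations": [{"SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            # NAT routes use NatGatewayId, not GatewayId, so they are not flagged.
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
        ],
    },
]
SAMPLE_SUBNETS = {
    "subnet-public": "public-web-tier",    # inherits rtb-main: expected
    "subnet-app": "private-app-tier",      # explicit rtb-app, NAT only: fine
    "subnet-data": "private-data-tier",    # no association -> inherits rtb-main!
}

if __name__ == "__main__":
    for sid, hits in violations(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS).items():
        print(f"{sid} ({SAMPLE_SUBNETS[sid]}) reaches an internet gateway via {hits}")
```

Against real data, feed it the `RouteTables` list from `describe-route-tables` and a subnet-id-to-tier map built from the `Name` tags; the data subnet in the sample is flagged purely because nobody associated it with a route table.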
Tier 2: Security Groups as Microsegmentation
Security groups are stateful firewalls attached to individual resources. The most common mistake I see in production environments is an ingress rule from 0.0.0.0/0 (or ::/0 for IPv6) on a port that should be scoped to a specific CIDR range or, better still, to another security group.
# aws_security_group.alb and aws_security_group.database are defined elsewhere.
resource "aws_security_group" "app_tier" {
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id] # Only the ALB can talk to the app tier
  }

  egress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.database.id] # The app tier talks only to the DB
  }
}

Reference security groups instead of IP ranges. This way, as instances scale dynamically, your rules remain valid without manual updates. Note that declaring any egress block makes Terraform drop the allow-all egress rule AWS adds by default, so this app tier can now reach nothing but the database; anything else it legitimately needs, such as AWS APIs or package mirrors, has to arrive through VPC endpoints or an explicit additional rule.
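The audit a practitioner would run against that pattern, as an added example and not the author's code: it reads security groups in the shape of the EC2 DescribeSecurityGroups response (the three groups below are constructed), lets you declare which world-facing rules are intentional, and flags everything else that is open to the internet or that exposes an admin port to an IP range rather than to another security group.

```python
"""Flag overly permissive security-group ingress rules.

Added example, not code from the post. Input mirrors the shape of the EC2
DescribeSecurityGroups response; the groups below are constructed.
"""
import ipaddress

# Assumption: ports that should only ever be reachable via a security-group
# reference, never from an IP range.
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}


def port_label(perm):
    """'all' for IpProtocol -1, otherwise the port or range as text."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm["FromPort"], perm["ToPort"]
    return str(lo) if lo == hi else f"{lo}-{hi}"


def covers_admin_port(perm):
    if perm.get("IpProtocol") == "-1":
        return True
    return any(perm["FromPort"] <= p <= perm["ToPort"] for p in ADMIN_PORTS)


def is_world(cidr):
    """0.0.0.0/0 and ::/0 both have a zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_group(sg, allow_public=frozenset()):
    """Return (severity, group id, ports, source, reason) tuples.

    allow_public: {(GroupId, port)} pairs that are meant to face the
    internet, such as the load balancer on 443. Rules whose source is
    another security group (UserIdGroupPairs) are the desired pattern and
    produce no finding.
    """
    findings = []
    for perm in sg.get("IpPermissions", []):
        ports = port_label(perm)
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in sources:
            if is_world(cidr):
                if (sg["GroupId"], perm.get("FromPort")) in allow_public \
                        and perm.get("FromPort") == perm.get("ToPort"):
                    continue
                sev = "HIGH" if covers_admin_port(perm) else "MEDIUM"
                findings.append((sev, sg["GroupId"], ports, cidr,
                                 "open to the internet"))
            elif covers_admin_port(perm):
                findings.append(("MEDIUM", sg["GroupId"], ports, cidr,
                                 "admin port open to an IP range; "
                                 "reference a security group instead"))
    return findings


def audit(groups, allow_public=frozenset()):
    return [f for sg in groups for f in audit_group(sg, allow_public)]


# Constructed sample groups.
SAMPLE_GROUPS = [
    {   # the load balancer: public 443 is intentional
        "GroupId": "sg-alb", "GroupName": "alb",
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            "UserIdGroupPairs": [],
        }],
    },
    {   # app tier: 443 from the ALB is right; the leftover SSH rule is not
        "GroupId": "sg-app", "GroupName": "app-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
             "UserIdGroupPairs": []},
        ],
    },
    {   # database: a /8 is "internal", but it is still not the app tier
        "GroupId": "sg-db", "GroupName": "database",
        "IpPermissions": [{
            "IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
            "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
            "UserIdGroupPairs": [],
        }],
    },
]
INTENDED_PUBLIC = frozenset({("sg-alb", 443)})

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, INTENDED_PUBLIC):
        print(*finding)
```

The allowlist is what keeps this usable: without it the load balancer's 443 rule shows up on every run and the real findings (SSH open to the world on the app tier, the database accepting 5432 from a whole /8) get lost in the noise.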
Tier 3: Identity-Aware Network Policies
Modern cloud security extends beyond IP-based rules. Services such as AWS Verified Access, Google's BeyondCorp Enterprise and Microsoft Entra Private Access let you enforce access based on user identity, device posture and request context, not just source IP. Azure Private Link, which often gets listed alongside them, belongs in Tier 1 instead: it gives you a private path to a service but makes no identity decision.
Combine this with VPC Flow Logs piped into a SIEM to detect anomalies:
# The role must allow vpc-flow-logs.amazonaws.com to write to the log group;
# it is required for a CloudWatch Logs destination. The VPC id and ARN are placeholders.
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-0abc123def456 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name "/vpc/flow-logs/main" \
  --deliver-logs-permission-arn arn:aws:iam::123456789012:role/vpc-flow-logs-role \
  --max-aggregation-interval 60   # 1-minute records instead of the 10-minute default

Monitor for unexpected cross-subnet traffic, connections to known-bad IPs, and data exfiltration patterns like sustained high-volume egress from your data tier. Two things to know before writing those detections: each direction of a connection is logged as a separate record, so a database's reply to the app tier must not be mistaken for the database initiating a connection, and the default log format carries no subnet or direction fields. If your rules key on those, pass --log-format with fields such as ${subnet-id}, ${pkt-srcaddr} and ${flow-direction}.
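The detection logic itself, run over a handful of constructed default-format (version 2) records, as an added example that is not the author's code: tier CIDRs follow the Terraform above, the permitted paths are public-to-app on 443 and app-to-data on 5432, the egress threshold is an assumption, and the interface ids and timestamps are made up. It folds reply records back onto the initiating flow before checking policy and skips NODATA records rather than trying to parse their dashes as addresses.

```python
"""Detect policy-violating tier crossings and bulk egress in VPC Flow Logs.

Added example, not part of the original post. Tier CIDRs follow the post's
Terraform; the records, ENI ids and threshold below are constructed.
"""
import ipaddress
from collections import defaultdict

VPC = ipaddress.ip_network("10.0.0.0/16")
TIERS = {
    "public": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "data": ipaddress.ip_network("10.0.3.0/24"),
}
# (client tier, server tier, server port) the architecture permits
ALLOWED = {("public", "app", 443), ("app", "data", 5432)}
SERVICE_PORTS = {443, 5432}
EGRESS_LIMIT_BYTES = 100 * 1024 * 1024   # assumption: 100 MiB per host per window

# Default flow-log format, version 2, in field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse(line):
    """One record as a dict, or None for NODATA/SKIPDATA and malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":      # fields are '-' in these records
        return None
    for key in ("srcport", "dstport", "packets", "bytes"):
        rec[key] = int(rec[key])
    rec["srcaddr"] = ipaddress.ip_address(rec["srcaddr"])
    rec["dstaddr"] = ipaddress.ip_address(rec["dstaddr"])
    return rec


def tier_of(addr):
    for name, net in TIERS.items():
        if addr in net:
            return name
    return "other" if addr in VPC else "external"


def normalise(rec):
    """Flow logs log each direction separately. If the source port is the
    service port, this is the server's reply: map it back to client -> server
    so the policy check does not flag the database for answering."""
    if rec["srcport"] in SERVICE_PORTS and rec["dstport"] not in SERVICE_PORTS:
        return rec["dstaddr"], rec["srcaddr"], rec["srcport"]
    return rec["srcaddr"], rec["dstaddr"], rec["dstport"]


def analyse(lines):
    """Return (crossings, exfil): flows off the permitted paths, and data-tier
    hosts whose bytes to addresses outside the VPC exceed the threshold."""
    crossings, egress = [], defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        client, server, port = normalise(rec)
        ct, st = tier_of(client), tier_of(server)
        if ct != st and ct != "external" and (ct, st, port) not in ALLOWED:
            crossings.append((str(client), str(server), port, rec["action"]))
        if tier_of(rec["srcaddr"]) == "data" and rec["dstaddr"] not in VPC:
            egress[str(rec["srcaddr"])] += rec["bytes"]
    exfil = {host: b for host, b in egress.items() if b > EGRESS_LIMIT_BYTES}
    return crossings, exfil


# Constructed records.
SAMPLE_LINES = [
    # public -> app on 443: permitted
    "2 123456789012 eni-0pub 10.0.1.10 10.0.2.20 51234 443 6 12 3400 1700000000 1700000060 ACCEPT OK",
    # app -> data on 5432: permitted
    "2 123456789012 eni-0app 10.0.2.20 10.0.3.30 40123 5432 6 30 9000 1700000000 1700000060 ACCEPT OK",
    # the database's reply to that flow, logged as its own record
    "2 123456789012 eni-0dat 10.0.3.30 10.0.2.20 5432 40123 6 28 120000 1700000000 1700000060 ACCEPT OK",
    # public -> data on 5432: blocked by the security group, still worth seeing
    "2 123456789012 eni-0pub 10.0.1.10 10.0.3.30 51300 5432 6 5 600 1700000000 1700000060 REJECT OK",
    # data tier pushing about 290 MB to an outside host over two flows
    "2 123456789012 eni-0dat 10.0.3.30 203.0.113.7 44321 443 6 90000 150000000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0dat 10.0.3.30 203.0.113.7 44322 443 6 80000 140000000 1700000000 1700000060 ACCEPT OK",
    # no traffic in the window: must be skipped, not parsed
    "2 123456789012 eni-0oth - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    crossings, exfil = analyse(SAMPLE_LINES)
    for c in crossings:
        print("off-policy flow:", *c)
    for host, total in exfil.items():
        print(f"bulk egress from data tier: {host} sent {total} bytes outside the VPC")
```

The data host's two outbound flows surface twice here, once each as off-policy crossings (the data tier should not be initiating anything to the internet) and once aggregated as bulk egress; in a SIEM you would raise the second as the higher-severity alert and suppress the first against an allowlist of VPC endpoint addresses.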
Actionable Takeaways
- Audit your security groups weekly. Use tools like Prowler or AWS Config managed rules (for example vpc-sg-open-only-to-authorized-ports) to flag overly permissive rules automatically.
- Enforce infrastructure-as-code. Never allow console-based security group modifications in production. Gate all changes through reviewed pull requests.
- Enable flow logs on every VPC. You cannot defend what you cannot see.
- Adopt zero-trust incrementally. Start by restricting lateral movement between tiers, then layer identity-aware policies on top.
Cloud network security isn't a single tool or service—it's an architecture discipline. Get the foundation right, and every subsequent security control becomes dramatically more effective.
Have questions about cloud network security? I'm always happy to talk shop — reach out or connect with me on LinkedIn.