Network Security: VPCs, Firewalls and Security Groups

Network security controls restrict which traffic can reach your systems — acting as the outermost layer of defence. Cloud-hosted systems require careful network architecture to prevent unnecessary exposure.

Virtual Private Clouds (VPCs)

A VPC is an isolated network environment within a cloud provider. All production systems should be hosted within a VPC — not on public networks. VPCs allow you to control routing, IP addressing, and network boundaries.

Subnets and Tiers

  • Public subnets: Accessible from the internet — only load balancers and other public-facing components should be here
  • Private subnets: Application servers, databases, and internal services — accessible only from within the VPC or through the load balancer
  • Database subnets: Further restricted — accessible only from the application tier

Security Groups

Security groups act as stateful firewalls for cloud resources. Best practices:

  • Apply least-privilege rules — only allow specific ports from specific sources
  • Never allow inbound access from 0.0.0.0/0 to management ports (SSH, RDP, database ports)
  • Use security group references rather than IP ranges where possible
  • Regularly audit and remove unused rules
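The checks above can be automated. The following is an added example (not code from the original article or any particular project): a static audit that walks security-group inbound rules and flags management ports exposed to 0.0.0.0/0 or ::/0, all-ports rules open to the internet, internal CIDR sources that could be security-group references, and groups attached to nothing. The rule dictionaries follow the IpPermissions shape returned by AWS's describe_security_groups API, but every group is constructed sample data, and the AttachedInterfaces count is an assumed field standing in for a lookup of the network interfaces that reference each group.

```python
"""Static audit of security-group inbound rules (added example, constructed data)."""
from dataclasses import dataclass

# Management and database ports that must never be reachable from the internet.
MANAGEMENT_PORTS = {
    22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL",
}
ANYWHERE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Finding:
    group_id: str
    severity: str
    message: str


def _port_range(perm):
    """(from, to) covered by a permission; protocol '-1' means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _public_sources(perm):
    """CIDR sources in the rule that mean 'the whole internet'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def audit_group(group):
    """Return the findings for one security group."""
    gid = group["GroupId"]
    findings = []
    # AttachedInterfaces is an assumed field: how many ENIs use this group.
    if group.get("AttachedInterfaces", 0) == 0:
        findings.append(Finding(gid, "MEDIUM", "group is attached to nothing; remove it"))
    for perm in group.get("IpPermissions", []):
        lo, hi = _port_range(perm)
        public = _public_sources(perm)
        if public and (lo, hi) == (0, 65535):
            findings.append(Finding(gid, "HIGH", f"all ports open to {', '.join(public)}"))
        elif public:
            for port, name in MANAGEMENT_PORTS.items():
                if lo <= port <= hi:
                    findings.append(Finding(gid, "HIGH", f"{name} ({port}) open to {', '.join(public)}"))
        elif perm.get("IpRanges") and not perm.get("UserIdGroupPairs"):
            # Internal CIDR source works, but a security-group reference tracks
            # membership automatically and survives re-addressing.
            findings.append(Finding(gid, "LOW", f"ports {lo}-{hi} allowed from a CIDR; prefer a group reference"))
    return findings


def audit(groups):
    """Audit every group and return the combined list of findings."""
    return [f for g in groups for f in audit_group(g)]


# Constructed sample groups (group ids are placeholders, not real resources).
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "AttachedInterfaces": 2, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "AttachedInterfaces": 3, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "AttachedInterfaces": 1, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-legacy", "AttachedInterfaces": 0, "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f"{f.severity:6} {f.group_id}: {f.message}")
```

Run against real data, the same function would take the output of a describe_security_groups call; the only adaptation needed is supplying the attachment count from a network-interface lookup.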

Network Access Control Lists (NACLs)

NACLs provide stateless subnet-level filtering — a secondary layer complementing security groups. Use NACLs to block known malicious IP ranges and implement broad-brush traffic policies.
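Statelessness is the property that most often trips people up with NACLs: a security group that allows an inbound request automatically allows its reply, but a NACL evaluates the reply as a separate outbound packet to the client's ephemeral port. The model below is an added example (not from the original article) that simulates NACL evaluation the way AWS documents it, rules tried in ascending rule-number order with first match winning and an implicit deny at the end, and contrasts it with the stateful security-group model. The ephemeral range 1024-65535 is an assumption chosen to cover what common operating systems and load balancers use, and the IP ranges are constructed documentation addresses.

```python
"""Stateless NACL versus stateful security-group evaluation (added example)."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # assumed reply-port range for clients


@dataclass(frozen=True)
class AclRule:
    number: int       # evaluation order: lowest number is tried first
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp" or "all"
    cidr: str         # remote address range the rule matches
    ports: tuple      # (from, to) inclusive


def acl_decision(rules, protocol, addr, port):
    """Stateless evaluation: the lowest-numbered matching rule decides."""
    ip = ipaddress.ip_address(addr)
    for rule in sorted(rules, key=lambda r: r.number):
        proto_ok = rule.protocol in ("all", protocol)
        cidr_ok = ip in ipaddress.ip_network(rule.cidr)
        port_ok = rule.ports[0] <= port <= rule.ports[1]
        if proto_ok and cidr_ok and port_ok:
            return rule.action
    return "deny"  # the implicit catch-all rule


def stateless_connection_ok(inbound, outbound, client_ip, client_port, server_port):
    """A TCP connection crosses a NACL only if the request (inbound to
    server_port) AND the reply (outbound to the client's ephemeral port)
    are both allowed, because the NACL keeps no connection state."""
    request = acl_decision(inbound, "tcp", client_ip, server_port)
    reply = acl_decision(outbound, "tcp", client_ip, client_port)
    return request == "allow" and reply == "allow"


def stateful_connection_ok(inbound, client_ip, server_port):
    """Security-group model: an allowed inbound request implies its reply."""
    return acl_decision(inbound, "tcp", client_ip, server_port) == "allow"


# Constructed rule sets. 198.51.100.0/24 stands in for a "known bad" range.
INBOUND = [
    AclRule(100, "deny", "all", "198.51.100.0/24", (0, 65535)),
    AclRule(200, "allow", "tcp", "0.0.0.0/0", (443, 443)),
]
# Mistake: only the request port is allowed out, so replies are dropped.
OUTBOUND_BROKEN = [
    AclRule(100, "allow", "tcp", "0.0.0.0/0", (443, 443)),
]
# Corrected: replies to the client's ephemeral port are explicitly allowed.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    AclRule(200, "allow", "tcp", "0.0.0.0/0", EPHEMERAL),
]
# Same rules as INBOUND but the deny is numbered after the allow, so the
# broad allow matches first and the block never takes effect.
INBOUND_MISORDERED = [
    AclRule(300, "deny", "all", "198.51.100.0/24", (0, 65535)),
    AclRule(200, "allow", "tcp", "0.0.0.0/0", (443, 443)),
]

if __name__ == "__main__":
    client = "203.0.113.7"
    print("broken NACL:", stateless_connection_ok(INBOUND, OUTBOUND_BROKEN, client, 51515, 443))
    print("fixed NACL: ", stateless_connection_ok(INBOUND, OUTBOUND_FIXED, client, 51515, 443))
    print("stateful SG:", stateful_connection_ok(INBOUND, client, 443))
```

The misordered rule set is included because rule numbering is the second classic NACL mistake: a deny for a blocked range has to carry a lower number than any allow that would otherwise match the same packet.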

VPN and Private Connectivity

For admin access to private infrastructure, we use VPN or AWS PrivateLink rather than opening management ports to the internet. All developer access to production systems goes through an access-controlled bastion or zero-trust network access solution.
