Reading20 min read·Module 1

Network Segmentation Strategies

Key concepts

  • Tier-based segmentation

  • Environment isolation

  • Micro-segmentation

  • Transit Gateway for hub-and-spoke

  • PrivateLink for service access

Overview

Network segmentation is the practice of dividing a network into smaller, isolated segments to limit the blast radius of security incidents, improve performance, and simplify compliance. In AWS, segmentation is achieved through VPCs, subnets, route tables, security groups, and network ACLs working together.

Proper segmentation ensures that a compromise in one part of your infrastructure doesn't automatically grant access to everything else. This is a core principle of defense in depth and is heavily tested on the SAA-C03 exam, particularly in scenarios involving multi-tier applications, compliance requirements, and hybrid architectures.

Segmentation Principle

Segment by function, sensitivity, and trust level. Production should be isolated from development. Databases should be isolated from web servers. Internet-facing resources should be isolated from internal systems.

Exam Tip

When a question mentions 'limiting the blast radius,' 'isolating workloads,' or 'compliance requirements for network separation,' think network segmentation using VPCs, subnets, and security controls.


Architecture Diagram

Network Segmentation Overview
Figure 1: Multi-layer network segmentation with VPCs, subnets, and security controls

Key Concepts

Segmentation Layers

Network Segmentation Layers

AWS provides multiple layers for implementing network segmentation:

Layer 1: Account-Level Isolation

  • Separate AWS accounts for different environments
  • Strongest isolation boundary
  • Managed via AWS Organizations

Layer 2: VPC-Level Isolation

  • Separate VPCs for different applications or tiers
  • Logically isolated networks
  • Connected via VPC Peering or Transit Gateway when needed

Layer 3: Subnet-Level Isolation

  • Public, private, and isolated subnets
  • Controlled by route tables
  • NACLs provide stateless filtering

Layer 4: Resource-Level Isolation

  • Security groups on individual resources
  • Stateful, instance-level firewall
  • Most granular control

Micro-Segmentation

Micro-Segmentation

Micro-segmentation applies security controls at the workload level, rather than the network perimeter.

AWS Implementation:

  • Security groups per application tier
  • Security group references (SG-to-SG rules)
  • No reliance on IP addresses
  • Zero-trust networking principles

Benefits:

  • Limits lateral movement
  • Workload-specific policies
  • Dynamic scaling support
  • Simplified compliance auditing

VPC Design Patterns

Single VPC Multi-Tier

Pattern: One VPC with multiple subnet tiers

Structure:

  • Public subnets (DMZ)
  • Private app subnets
  • Private data subnets
  • Isolated subnets (no internet)

Use When:

  • Simple applications
  • Single team ownership
  • Lower complexity requirements
  • Cost-sensitive environments

Multi-VPC Architecture

Pattern: Separate VPCs for different purposes

Common Separation:

  • Production VPC
  • Development VPC
  • Shared Services VPC
  • Security/Inspection VPC

Use When:

  • Multiple teams with ownership boundaries
  • Compliance requires hard separation
  • Different security postures needed
  • Large enterprise environments

Segmentation Approaches

ApproachIsolation LevelComplexityUse Case
Subnets in same VPCLogical (route tables)LowSmall-medium applications
Multiple VPCsNetwork boundaryMediumTeam/environment isolation
Separate AccountsIAM + NetworkHighStrongest isolation, compliance
Transit GatewayControlled hub-spokeMedium-HighCentralized networking

How It Works

Subnet Segmentation Strategy

Subnet Segmentation
Figure 2: Subnet tiers with different security postures
TEXTMulti-Tier Subnet Design
VPC: 10.0.0.0/16

Tier 1 - Public (Internet-Facing)
├── 10.0.1.0/24 - Public-1a (ALB, NAT Gateway)
├── 10.0.2.0/24 - Public-1b
└── 10.0.3.0/24 - Public-1c
    Route: 0.0.0.0/0 → IGW

Tier 2 - Private App (Application Servers)
├── 10.0.10.0/24 - App-1a
├── 10.0.11.0/24 - App-1b
└── 10.0.12.0/24 - App-1c
    Route: 0.0.0.0/0 → NAT Gateway

Tier 3 - Private Data (Databases)
├── 10.0.20.0/24 - Data-1a (RDS, ElastiCache)
├── 10.0.21.0/24 - Data-1b
└── 10.0.22.0/24 - Data-1c
    Route: Local only (no internet route)

Tier 4 - Isolated (Sensitive Processing)
├── 10.0.30.0/24 - Isolated-1a
├── 10.0.31.0/24 - Isolated-1b
└── 10.0.32.0/24 - Isolated-1c
    Route: Local only + VPC Endpoints

Security Group Micro-Segmentation

TEXTSecurity Group Chaining
ALB-SG:
  Inbound:  443 from 0.0.0.0/0
  Outbound: All traffic

App-SG:
  Inbound:  8080 from ALB-SG (reference, not CIDR!)
  Outbound: All traffic

DB-SG:
  Inbound:  3306 from App-SG (reference, not CIDR!)
  Outbound: None required (stateful)

Cache-SG:
  Inbound:  6379 from App-SG
  Outbound: None required

Key Point: Traffic can ONLY flow through the chain.
Even if an attacker compromises a web server, they
cannot directly access the database without going
through an app server.

Multi-VPC with Transit Gateway

Transit Gateway Segmentation
Figure 3: Centralized routing with Transit Gateway for VPC isolation
TEXTTransit Gateway Route Tables
Transit Gateway with Segmented Route Tables:

Production Route Table:
  - Production VPC attachment
  - Shared Services VPC attachment
  - NO route to Development VPC

Development Route Table:
  - Development VPC attachment
  - Shared Services VPC attachment
  - NO route to Production VPC

Shared Services Route Table:
  - Shared Services VPC attachment
  - Production VPC attachment
  - Development VPC attachment

Result: Prod and Dev cannot communicate directly,
but both can access shared services (DNS, logging, etc.)

Network Firewall Inspection

TEXTAWS Network Firewall Deployment
Inspection VPC Pattern:

Internet
    ↓
Internet Gateway
    ↓
Firewall Subnet (AWS Network Firewall)
    ↓ (inspected traffic)
Transit Gateway
    ↓
Workload VPCs

All ingress/egress traffic passes through
the Network Firewall for deep packet inspection,
IDS/IPS, and domain filtering.

Use Cases

Use Case 1: PCI-DSS Compliance

Scenario: E-commerce application must isolate cardholder data environment (CDE).

PCI-DSS Segmentation
Figure 4: PCI-DSS compliant network segmentation with isolated CDE

Architecture:

  • Separate VPC for CDE (Cardholder Data Environment)
  • Dedicated subnets for payment processing
  • AWS Network Firewall between CDE and other VPCs
  • No direct internet access to CDE
  • All access through hardened jump boxes with logging

Use Case 2: Multi-Tenant SaaS Application

Scenario: SaaS provider needs to isolate customer workloads.

Architecture:

  • Option A: VPC per customer (strongest isolation)
  • Option B: Subnet per customer (medium isolation)
  • Option C: Security groups per customer (logical isolation)
  • Transit Gateway for centralized management
  • Separate encryption keys per tenant

Use Case 3: Development/Production Isolation

Scenario: Prevent development environment from affecting production.

Architecture:

  • Separate AWS accounts (strongest)
  • Or separate VPCs in same account
  • No VPC peering between dev and prod
  • Shared services accessed via Transit Gateway with segmented route tables
  • Different IAM roles and policies per environment

Use Case 4: Zero-Trust Network Architecture

Scenario: Implement zero-trust principles where no traffic is inherently trusted.

Architecture:

  • Micro-segmentation with security groups
  • Every resource has explicit allow rules
  • No "allow all" rules between tiers
  • VPC endpoints for AWS service access
  • Private DNS for service discovery
  • mTLS between services where possible

Best Practices

Network Segmentation Best Practices
  1. Segment by Trust Level - Internet-facing, internal, and sensitive data should be in different segments
  2. Use Security Group References - Reference SGs instead of CIDR blocks for dynamic scaling
  3. Apply Least Privilege - Only allow necessary traffic between segments
  4. Document Traffic Flows - Maintain network diagrams showing allowed paths
  5. Use VPC Flow Logs - Monitor all traffic for compliance and security
  6. Consider Account Separation - For highest isolation, use separate AWS accounts
  7. Centralize Egress - Route all internet-bound traffic through inspection points
  8. Plan CIDR Carefully - Non-overlapping ranges for VPC peering/Transit Gateway
Common Segmentation Patterns

By Environment:

  • Production, Staging, Development, Sandbox

By Function:

  • Web tier, App tier, Data tier, Management tier

By Compliance:

  • PCI scope, HIPAA scope, General workloads

By Team:

  • Team A VPC, Team B VPC, Shared Services VPC

Common Exam Scenarios

Exam Scenarios

ScenarioSolutionWhy
Limit blast radius if web server compromisedSecurity group chaining (SG references)Attacker cannot reach DB directly
PCI compliance requires isolated CDESeparate VPC with Network Firewall inspectionHard network boundary, inspected traffic
Dev team should not access production dataSeparate accounts or VPCs, segmented TGW routesNo network path between environments
Need to inspect all egress trafficCentralized inspection VPC with Network FirewallSingle chokepoint for all outbound traffic
Workloads scale dynamically, need isolationSecurity groups with SG references (not CIDRs)SG references work regardless of IP changes
Multiple teams share infrastructureMulti-VPC with Transit Gateway, route table isolationControlled connectivity, team boundaries
Sensitive data processing must be air-gappedIsolated subnets with no internet route, VPC endpoints onlyNo path to/from internet
Third-party vendor needs limited accessDedicated subnet with restrictive NACLs and SGsExplicit allow-list for vendor IPs

Common Pitfalls

Pitfall 1: Flat Network Architecture

Mistake: Putting all resources in the same subnet or using wide-open security groups.

Why it's dangerous:

  • Single compromise exposes everything
  • Lateral movement is easy
  • Compliance violations
  • No defense in depth

Correct Approach:

  • Tier subnets by function and sensitivity
  • Use security group chaining
  • Apply least privilege networking
Pitfall 2: Using CIDR Instead of SG References

Mistake: Writing security group rules with IP ranges instead of security group references.

Why it's problematic:

  • Rules break when instances change IPs
  • Auto Scaling adds instances with new IPs
  • Maintenance burden keeping CIDRs updated

Correct Approach:

  • Reference source/destination security groups
  • Dynamic, scales automatically
  • Only use CIDR for external sources
Pitfall 3: VPC Peering Everything

Mistake: Creating full-mesh VPC peering between all VPCs.

Why it's problematic:

  • N² connections as VPCs grow
  • No centralized control
  • Hard to implement security policies
  • Management nightmare

Correct Approach:

  • Use Transit Gateway for hub-spoke
  • Segment with route tables
  • Centralize inspection and logging
Pitfall 4: Overlooking Egress Filtering

Mistake: Focusing only on ingress security, ignoring outbound traffic.

Why it's dangerous:

  • Compromised instances can exfiltrate data
  • Command-and-control traffic goes unchecked
  • DNS tunneling possible

Correct Approach:

  • Centralized NAT with monitoring
  • AWS Network Firewall for egress
  • DNS firewall for domain filtering
  • VPC endpoints to avoid internet for AWS services

Test Your Knowledge

Q

What is the PRIMARY benefit of using security group references instead of CIDR blocks?

ABetter performance
BRules work automatically as instances scale
CLower cost
DEasier to read
Q

A company needs to ensure their development environment can NEVER communicate with production. What is the STRONGEST isolation approach?

ADifferent subnets in the same VPC
BDifferent VPCs with no peering
CDifferent AWS accounts
DDifferent security groups
Q

How can you allow Production and Development VPCs to both access Shared Services VPC, but prevent Prod-Dev communication?

AVPC Peering with three connections
BTransit Gateway with segmented route tables
CAWS PrivateLink
DSecurity groups only
Q

What AWS service provides deep packet inspection and IDS/IPS capabilities for VPC traffic?

ASecurity Groups
BNetwork ACLs
CAWS Network Firewall
DAWS WAF


Quick Reference

Segmentation Decision Matrix

When to Use Each Approach

RequirementRecommended Approach
Team autonomy with shared infrastructureMulti-VPC + Transit Gateway
Strongest possible isolationSeparate AWS accounts
Simple application, cost-sensitiveSingle VPC, multiple subnets
Compliance (PCI, HIPAA, etc.)Dedicated VPC + Network Firewall
Dynamic scaling workloadsSecurity group references
Inspect all trafficCentralized inspection VPC
Hybrid cloud connectivityTransit Gateway + VPN/DX

Key Limits

Relevant Service Limits

ResourceDefault LimitNotes
VPCs per Region5Easily increased
Subnets per VPC200Plan CIDR carefully
Security groups per VPC2,500Usually sufficient
Rules per security group60 in + 60 outCan request increase
Transit Gateway attachments5,000Per Transit Gateway
Route tables per TGW20For segmentation

CLI Commands Reference

SHSegmentation CLI Commands
# Create VPC with CIDR
aws ec2 create-vpc --cidr-block 10.0.0.0/16

# Create Transit Gateway
aws ec2 create-transit-gateway \
  --description "Segmented TGW" \
  --options DefaultRouteTableAssociation=disable,DefaultRouteTablePropagation=disable

# Create TGW Route Table (for segmentation)
aws ec2 create-transit-gateway-route-table \
  --transit-gateway-id tgw-xxx

# Associate VPC attachment with route table
aws ec2 associate-transit-gateway-route-table \
  --transit-gateway-route-table-id tgw-rtb-xxx \
  --transit-gateway-attachment-id tgw-attach-xxx

# Create security group rule with SG reference
aws ec2 authorize-security-group-ingress \
  --group-id sg-database \
  --protocol tcp \
  --port 3306 \
  --source-group sg-app-servers

# Enable VPC Flow Logs
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-xxx \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name /vpc/flow-logs

Further Reading

Related services

VPCTransit GatewayPrivateLink