Cloud networks are software. That gives you precision controls but also more surface to misconfigure. Done well, the network becomes a quiet enforcement layer behind IAM. Done poorly, you have an internet-facing database.
VPC / VNet / VPC Architecture
Every cloud has the same basic primitive: a private virtual network in which you place your resources.
| Concept | AWS | Azure | GCP |
|---|---|---|---|
| Private network | VPC | VNet | VPC (global) |
| Subnet | Subnet (per AZ) | Subnet (per region) | Subnet (per region) |
| Connecting two networks | VPC peering / Transit Gateway | VNet peering / vWAN | VPC peering / Network Connectivity Center |
| To on-prem | Direct Connect / Site-to-Site VPN | ExpressRoute / VPN Gateway | Cloud Interconnect / Cloud VPN |
The standard pattern: public subnet (load balancer / NAT only), private subnet (apps), database subnet (no internet egress at all).
Internet
│
┌─────▼─────┐ Public subnet (LB only)
│ ALB │
└─────┬─────┘
│
┌─────────▼──────────┐ Private subnet (apps)
│ app-1 app-2 │
└─────────┬──────────┘
│ no IGW route, only private endpoints + NAT
┌─────────▼──────────┐ DB subnet
│ RDS / SQL │
└────────────────────┘Security Groups vs NACLs (and Equivalents)
| Security Group | Network ACL (NACL) | |
|---|---|---|
| Scope | ENI / instance | Subnet |
| Stateful? | Yes — return traffic auto-allowed | No — must allow both directions |
| Default | Deny in, allow out | Allow in / out (or deny if you tighten) |
| Best for | App-to-app micro-segmentation | Subnet-level guardrails (e.g. block known-bad CIDRs) |
Azure and GCP both use stateful "firewall rules" / "Network Security Groups" similar in spirit to AWS Security Groups. Use them as the primary control.
Reference SGs by ID, not CIDR — "the app SG can reach the DB SG" is more durable than IP ranges that change.
Egress Filtering: The Hidden Battle
Most teams obsess over ingress and leave egress wide open. After an attacker is inside, egress is how they exfiltrate data and reach C2 servers. Lock it down:
- Default-deny egress on critical workloads.
- Allow-list known destinations (your registry, your APIs, OS update servers).
- Use a NAT instance / NAT Gateway / Cloud NAT with allow-list controls.
- AWS Network Firewall / Azure Firewall / GCP Cloud NGFW for layer-7 egress filtering with FQDN allow-lists.
- Private endpoints to AWS / Azure / GCP services so traffic never leaves the cloud network.
Private Endpoints / PrivateLink
By default, a call from your VPC to S3 or Azure Storage goes over the public internet (even though it stays within the cloud's network). Private endpoints route it through your VPC.
| Cloud | Mechanism |
|---|---|
| AWS | VPC Endpoints (Gateway for S3/DynamoDB; Interface / PrivateLink for everything else) |
| Azure | Private Endpoints + Private DNS Zones |
| GCP | Private Service Connect / Private Google Access |
Combine with bucket / resource policies that require traffic to come from your VPC endpoint. That alone shuts down the "open S3 bucket" failure mode for internal data.
Zero Trust Networking
Traditional networks trusted "inside the firewall." Zero trust treats every request as untrusted regardless of network location. Key practices:
- Every service-to-service call is authenticated (mTLS, signed JWT, IAM-based).
- Every user request to internal apps goes through an identity-aware proxy:
- AWS Verified Access
- Azure App Proxy / Entra Private Access
- Google Cloud IAP (Identity-Aware Proxy)
- Cloudflare Access, Tailscale, Twingate
- Network segmentation still exists but is no longer your only line of defence.
Zero trust does not mean "no network controls." It means "do not rely on them alone."
DDoS and WAF
- DDoS protection — AWS Shield Standard (free, on every account), Shield Advanced (paid). Azure DDoS Protection. GCP Cloud Armor.
- WAF — layer-7 filtering for SQL injection, XSS, OWASP Top 10. AWS WAF, Azure Web Application Firewall, Cloud Armor.
- Use managed rule sets (OWASP Core, bot protection) before custom rules.
- Test in count mode first; flipping a WAF straight to block can take prod down.
Bastion / Admin Access
Direct SSH/RDP to instances over the internet is obsolete. Modern alternatives:
- AWS Systems Manager Session Manager — SSH-equivalent through IAM, no inbound port, full session logging.
- Azure Bastion — fully managed bastion in a dedicated subnet.
- GCP IAP TCP forwarding — tunnel through the IAP, IAM-controlled.
If you still have port 22 open to 0.0.0.0/0 anywhere, that is your highest-priority fix.
DNS Security
- Use the cloud's resolver (Route 53 Resolver, Azure DNS, Cloud DNS) so DNS queries are logged.
- Block known-malicious domains at the resolver (Route 53 Resolver DNS Firewall, Cloud Armor egress, Azure Firewall threat intelligence).
- Use DNSSEC where possible for public zones.
Common Misconfigurations
- Security group with
0.0.0.0/0on 22, 3389, 5432, 3306, 27017 — admin or DB ports exposed. - Public subnet hosting databases or app instances directly.
- NAT Gateway as default egress with no controls.
- Cross-region peering exposing prod to dev.
- Resource accidentally given a public IP.
Run an automated audit (AWS Trusted Advisor, Azure Defender for Cloud recommendations, GCP Security Command Center, third-party CSPM) to catch these continuously, not just once.
Mental Model
Treat the network as the second line of defence behind IAM. Identity decides "should this principal be able to do this." Network decides "where can this principal be calling from, and is that path safe." Done together, the blast radius of a compromised credential shrinks dramatically — and that is the whole point of cloud security architecture.