EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
cloud-securityVPCsecurity-groupsNACL

Cloud Network Security: VPC Architecture, Security Groups & SDN

Virtual Private Clouds implement network isolation through software-defined networking. This article examines VPC design, the difference between Security Groups and NACLs, microsegmentation, and DDoS protection — with AWS as the reference implementation.

Ashish Revar3 July 202618 min read1 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Tech Talk EP 07 — The Hypervisor Is Your True Security Perimeter

Audio deep-dive covering NIST SP 800-145, the SPI stack, shared responsibility, deployment models, Type-1/2 hypervisors, and Spectre/Meltdown side-channel attacks. ~30 min.

Reference material

eBook
Cloud Security — eBook
v2026
Open resource
Cheatsheet
Cloud Security — Cheatsheet
v2026
Open resource
MCQ Bank
Cloud Security — MCQ Bank
v2026
Open resource
Question Bank
Cloud Security — Question Bank
v2026
Open resource

External references

AWS VPC Security Best Practices

Official AWS guidance on VPC design, Security Groups, NACLs, and flow logs.

AWS VPC Security Best Practices

Official AWS guidance on VPC design, Security Groups, NACLs, and flow logs.

CIS AWS Foundations Benchmark

CIS benchmark with detailed controls for VPC, network, and account configuration.

CIS AWS Foundations Benchmark

CIS benchmark with detailed controls for VPC, network, and account configuration.

NSA Cloud Security Best Practices

NSA/CISA guidance on cloud network security, microsegmentation, and logging.

NSA Cloud Security Best Practices

NSA/CISA guidance on cloud network security, microsegmentation, and logging.

AWS Shield: DDoS Protection

AWS Shield Standard and Advanced capabilities for DDoS mitigation at Layers 3, 4, and 7.

AWS Shield: DDoS Protection

AWS Shield Standard and Advanced capabilities for DDoS mitigation at Layers 3, 4, and 7.

More articlesTest your knowledge

Networking in the Cloud Is Different

On-premises networking relied on physical hardware — routers, firewalls, switches with specific port configurations. Cloud networking is entirely software-defined: every subnet, route table, firewall rule, and gateway is an API call recorded in a configuration management system. This brings immense flexibility and also creates new risks: a misconfigured route table is an API call away, and misconfiguration at scale is far easier than deliberate attack.

Virtual Private Cloud (VPC) Architecture

A VPC is a logically isolated section of a cloud provider's network. Within a VPC, you divide the address space into subnets:

Subnet TypeCharacteristicsTypical Workloads
Public subnetHas a route to an Internet Gateway (IGW)Load balancers, NAT Gateways, bastion hosts
Private subnetNo direct route to IGWApplication servers, databases, internal services
Isolated subnetNo route to internet or NATHighly sensitive data stores, HSMs

Design principle: The database layer should never be in a public subnet. Web application attacks commonly pivot from the web tier to the database because a public RDS endpoint was left exposed. In AWS, enable "Block Public Access" at the account level and enforce via Service Control Policy.

Recommended Three-Tier Architecture

Internet
   │
   ▼
[Public Subnet]  ← Load Balancer only
   │
   ▼
[Private Subnet] ← Application servers (EC2, ECS, Lambda in VPC)
   │
   ▼
[Isolated Subnet] ← RDS, ElastiCache, OpenSearch

Each tier permits inbound traffic only from the tier immediately above it on the specific port required (443 from LB to app; 5432 from app to DB).

Security Groups vs Network ACLs

AWS provides two overlapping network control mechanisms. Understanding the difference is essential for designing layered network security.

FeatureSecurity GroupNetwork ACL
Applies toENI (Elastic Network Interface) — per instanceSubnet — all instances in subnet
StatefulnessStateful: return traffic automatically allowedStateless: explicit allow required in both directions
Rule evaluationAll rules evaluated; most permissive winsRules evaluated in number order; first match wins
Default inboundDeny allAllow all (default NACL)
Use forFine-grained per-instance controlSubnet-level defence-in-depth

Layered defence: Security Groups are the primary control; NACLs add a subnet-level backstop. A Security Group misconfiguration that opens port 22 to 0.0.0.0/0 can be caught by a NACL deny rule on port 22.

Software-Defined Networking (SDN)

Traditional networking baked intelligence into the hardware. SDN separates the control plane (what routes exist, what policies apply) from the data plane (actual packet forwarding), making both programmable.

Cloud networking is inherently SDN. The AWS VPC control plane runs on managed software; the data plane runs on hypervisor-level virtual switch (Nitro). The security implications:

  • Configuration-as-infrastructure: Network topology is in code (Terraform, CloudFormation). Changes are auditable via git history and CloudTrail.
  • Microsegmentation: Because networking is software, you can apply Security Group rules at the individual workload level — not just at the subnet perimeter. Each Lambda, each pod, each RDS instance has its own network identity.
  • East-west traffic control: Without SDN, internal traffic between servers in the same VLAN flows freely. With Security Groups, you can ensure the payment service can only talk to the fraud-scoring service on port 8443, and nothing else.

DDoS Protection

LayerAttack TypeAWS Protection
Layer 3/4UDP flood, SYN flood, reflection attacksAWS Shield Standard (automatic, free)
Layer 7HTTP flood, slowloris, SQL injection via HTTPAWS Shield Advanced + AWS WAF
ApplicationAPI abuse, credential stuffingAWS WAF rate-based rules + CAPTCHA

AWS Shield Standard protects all AWS customers automatically at no cost. Shield Advanced (USD 3,000/month) provides advanced DDoS response support and cost protection against scaling charges incurred during an attack.

For Indian deployments, Cloudflare operates a PoP in Mumbai (and Hyderabad as of 2024), meaning DDoS mitigation happens at the network edge within the country, reducing latency and keeping traffic data within a known jurisdiction.

VPC Flow Logs: The Network Evidence Trail

Enable VPC Flow Logs on all production VPCs. Flow Logs capture source IP, destination IP, port, protocol, packet count, byte count, and accept/reject status for every network flow. They are essential for:

  • Detecting port scanning (sequential port attempts from one source IP)
  • Identifying data exfiltration (unusually large outbound transfers to unexpected destinations)
  • Network forensics after an incident

Store Flow Logs in an S3 bucket in a separate logging account with S3 Object Lock enabled. Attackers who compromise your production account should not be able to delete their trail.