Virtual Private Clouds implement network isolation through software-defined networking. This article examines VPC design, the difference between Security Groups and NACLs, microsegmentation, and DDoS protection — with AWS as the reference implementation.
Sign in to mark this article as read and track your progress.
On-premises networking relied on physical hardware — routers, firewalls, switches with specific port configurations. Cloud networking is entirely software-defined: every subnet, route table, firewall rule, and gateway is an API call recorded in a configuration management system. This brings immense flexibility and also creates new risks: a misconfigured route table is an API call away, and misconfiguration at scale is far easier than deliberate attack.
A VPC is a logically isolated section of a cloud provider's network. Within a VPC, you divide the address space into subnets:
| Subnet Type | Characteristics | Typical Workloads |
|---|---|---|
| Public subnet | Has a route to an Internet Gateway (IGW) | Load balancers, NAT Gateways, bastion hosts |
| Private subnet | No direct route to IGW | Application servers, databases, internal services |
| Isolated subnet | No route to internet or NAT | Highly sensitive data stores, HSMs |
Design principle: The database layer should never be in a public subnet. Web application attacks commonly pivot from the web tier to the database because a public RDS endpoint was left exposed. In AWS, enable "Block Public Access" at the account level and enforce via Service Control Policy.
Internet
│
▼
[Public Subnet] ← Load Balancer only
│
▼
[Private Subnet] ← Application servers (EC2, ECS, Lambda in VPC)
│
▼
[Isolated Subnet] ← RDS, ElastiCache, OpenSearch
Each tier permits inbound traffic only from the tier immediately above it on the specific port required (443 from LB to app; 5432 from app to DB).
AWS provides two overlapping network control mechanisms. Understanding the difference is essential for designing layered network security.
| Feature | Security Group | Network ACL |
|---|---|---|
| Applies to | ENI (Elastic Network Interface) — per instance | Subnet — all instances in subnet |
| Statefulness | Stateful: return traffic automatically allowed | Stateless: explicit allow required in both directions |
| Rule evaluation | All rules evaluated; most permissive wins | Rules evaluated in number order; first match wins |
| Default inbound | Deny all | Allow all (default NACL) |
| Use for | Fine-grained per-instance control | Subnet-level defence-in-depth |
Layered defence: Security Groups are the primary control; NACLs add a subnet-level backstop. A Security Group misconfiguration that opens port 22 to 0.0.0.0/0 can be caught by a NACL deny rule on port 22.
Traditional networking baked intelligence into the hardware. SDN separates the control plane (what routes exist, what policies apply) from the data plane (actual packet forwarding), making both programmable.
Cloud networking is inherently SDN. The AWS VPC control plane runs on managed software; the data plane runs on hypervisor-level virtual switch (Nitro). The security implications:
| Layer | Attack Type | AWS Protection |
|---|---|---|
| Layer 3/4 | UDP flood, SYN flood, reflection attacks | AWS Shield Standard (automatic, free) |
| Layer 7 | HTTP flood, slowloris, SQL injection via HTTP | AWS Shield Advanced + AWS WAF |
| Application | API abuse, credential stuffing | AWS WAF rate-based rules + CAPTCHA |
AWS Shield Standard protects all AWS customers automatically at no cost. Shield Advanced (USD 3,000/month) provides advanced DDoS response support and cost protection against scaling charges incurred during an attack.
For Indian deployments, Cloudflare operates a PoP in Mumbai (and Hyderabad as of 2024), meaning DDoS mitigation happens at the network edge within the country, reducing latency and keeping traffic data within a known jurisdiction.
Enable VPC Flow Logs on all production VPCs. Flow Logs capture source IP, destination IP, port, protocol, packet count, byte count, and accept/reject status for every network flow. They are essential for:
Store Flow Logs in an S3 bucket in a separate logging account with S3 Object Lock enabled. Attackers who compromise your production account should not be able to delete their trail.