# Network Segmentation Strategies & Traffic Control

Network segmentation is a key security principle that **isolates workloads** to protect sensitive data, reduce the attack surface, and **control traffic flow** within an AWS environment.

SecureCart implements **network segmentation** to:\
✔ **Prevent lateral movement of threats**\
✔ **Restrict communication between services** based on least privilege\
✔ **Optimize network performance** by reducing unnecessary traffic\
✔ **Enhance compliance and security visibility**

This guide covers:\
✔ **Core network segmentation strategies**\
✔ **Best practices for workload isolation**\
✔ **Use cases for SecureCart’s e-commerce platform**

***

### **Core Network Segmentation Strategies**

Network segmentation in AWS is achieved using **subnet isolation, VPC peering, Transit Gateway, and private networking**.

<table data-header-hidden><thead><tr><th></th><th width="154"></th><th></th></tr></thead><tbody><tr><td><strong>Segmentation Strategy</strong></td><td><strong>Description</strong></td><td><strong>Use Case in SecureCart</strong></td></tr><tr><td><strong>Public vs. Private Subnets</strong></td><td>Divides workloads into <strong>public (internet-facing)</strong> and <strong>private (internal-only)</strong> subnets.</td><td>ALB in <strong>public subnets</strong>, ECS and RDS in <strong>private subnets</strong>.</td></tr><tr><td><strong>Multi-Tier Segmentation</strong></td><td>Separates <strong>web, application, and database layers</strong> into different subnets for security and performance.</td><td>SecureCart’s frontend (ALB), backend (ECS), and database (RDS) exist in <strong>isolated tiers</strong>.</td></tr><tr><td><strong>VPC Peering</strong></td><td>Connects two VPCs <strong>privately</strong> without using the internet.</td><td>SecureCart’s <strong>payment processing service is in a separate VPC</strong> but securely peered with the application VPC.</td></tr><tr><td><strong>AWS Transit Gateway</strong></td><td>Acts as a <strong>centralized router for multi-VPC environments</strong>, avoiding multiple peering connections.</td><td>SecureCart uses <strong>Transit Gateway to connect Dev, Staging, and Production VPCs</strong> in different AWS accounts.</td></tr><tr><td><strong>AWS PrivateLink</strong></td><td>Enables <strong>private connectivity</strong> to AWS services and third-party APIs without using the internet.</td><td>SecureCart <strong>connects its payment gateway provider using PrivateLink</strong> to avoid public exposure.</td></tr></tbody></table>

**Best Practices**\
✔ **Minimize public-facing resources** – Only expose what is necessary.\
✔ **Segment workloads by function** – Use **separate subnets** for web, application, and database layers.\
✔ **Use private networking whenever possible** – Prefer **PrivateLink, VPC Peering, and VPC Endpoints**.

***

### **Designing Secure Subnet Segmentation**

SecureCart **divides its network into multiple subnets** based on workload function.

#### **A. Public vs. Private Subnets**

✔ **Public Subnet:** Used for **internet-facing resources** (e.g., ALB).\
✔ **Private Subnet:** Used for **internal-only workloads** (e.g., ECS, RDS).

| **Component**                       | **Subnet Placement** | **Access Control**                                                                                                   |
| ----------------------------------- | -------------------- | -------------------------------------------------------------------------------------------------------------------- |
| **Application Load Balancer (ALB)** | Public Subnet        | Security group allows 443 (and 80 only to redirect to HTTPS) from the internet; forwards to ECS targets.             |
| **ECS Services (Backend API)**      | Private Subnet       | Security group allows the service port only from the ALB’s security group (a group reference, not a CIDR range).    |
| **RDS Database**                    | Private Subnet       | Security group allows the database port only from the ECS security group; no public IP and no route to the internet. |

**Best Practices:**\
✔ **Never place databases in public subnets**, and keep the RDS instance’s *Publicly accessible* setting off.\
✔ Restrict **ALB listeners to 443**; keep **80 only to redirect to HTTPS**.\
✔ Use **Security Groups** that reference other security groups (not CIDR ranges) to control internal communication; groups are stateful, so return traffic needs no extra rule.
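A check for the access-control rules in the table above, added here as an example and not part of the original page: it reads security groups in the shape that `aws ec2 describe-security-groups` returns and flags any ingress rule that is not on the per-tier allow-list (ALB open on 443/80, ECS only from the ALB’s group, RDS only from the ECS group). The group IDs (`sg-alb`, `sg-ecs`, `sg-rds`), the ECS service port 8080 and the sample rules are constructed; swap in real `describe-security-groups` JSON to run it against an account.

```python
"""Verify SecureCart's tier-to-tier ingress rules from security-group data.

Added example, not from the original page. SECURITY_GROUPS mimics the shape of
`aws ec2 describe-security-groups --output json`; the group IDs, ports and
rules are constructed for illustration.
"""
from __future__ import annotations

import copy

# Constructed sample: one security group per tier. Real IDs look like sg-0abc...
SECURITY_GROUPS = [
    {"GroupId": "sg-alb", "GroupName": "securecart-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-ecs", "GroupName": "securecart-ecs", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
    ]},
    {"GroupId": "sg-rds", "GroupName": "securecart-rds", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-ecs"}]},
    ]},
]

# Allow-list per tier: (protocol, port) -> permitted sources. A source is a
# CIDR or the GroupId of the only tier that may initiate the connection.
POLICY = {
    "sg-alb": {("tcp", 443): {"0.0.0.0/0"}, ("tcp", 80): {"0.0.0.0/0"}},
    "sg-ecs": {("tcp", 8080): {"sg-alb"}},
    "sg-rds": {("tcp", 5432): {"sg-ecs"}},
}


def ingress_edges(group: dict) -> set[tuple[str, int, int, str]]:
    """Flatten one group's ingress rules into (protocol, from, to, source)."""
    edges = set()
    for perm in group["IpPermissions"]:
        proto = perm["IpProtocol"]
        # Protocol "-1" (all traffic) carries no ports in the API output.
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        for r in perm.get("IpRanges", []):
            edges.add((proto, lo, hi, r["CidrIp"]))
        for pair in perm.get("UserIdGroupPairs", []):
            edges.add((proto, lo, hi, pair["GroupId"]))
    return edges


def find_violations(groups: list[dict], policy: dict) -> list[str]:
    """One finding per ingress rule the tier policy does not allow.

    Flags: groups with no policy, all-traffic or port-range rules, and any
    source (CIDR or group) missing from the allow-list for that port.
    """
    findings = []
    for g in groups:
        gid = g["GroupId"]
        allowed = policy.get(gid)
        for proto, lo, hi, src in sorted(ingress_edges(g)):
            if allowed is None:
                findings.append(f"{gid}: no policy, yet allows {proto} {lo}-{hi} from {src}")
            elif proto == "-1" or lo != hi:
                findings.append(f"{gid}: overly broad rule {proto} {lo}-{hi} from {src}")
            elif src not in allowed.get((proto, lo), set()):
                findings.append(f"{gid}: {proto}/{lo} from {src} is not permitted")
    return findings


def with_rule(groups: list[dict], group_id: str, proto: str, port: int, source: str) -> list[dict]:
    """Copy of `groups` with one extra ingress rule, for drift simulations."""
    groups = copy.deepcopy(groups)
    perm = {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": []}
    if source.startswith("sg-"):
        perm["UserIdGroupPairs"].append({"GroupId": source})
    else:
        perm["IpRanges"].append({"CidrIp": source})
    next(g for g in groups if g["GroupId"] == group_id)["IpPermissions"].append(perm)
    return groups


if __name__ == "__main__":
    print("baseline:", find_violations(SECURITY_GROUPS, POLICY) or "clean")
    # Simulate someone opening the database to the world "for debugging".
    drifted = with_rule(SECURITY_GROUPS, "sg-rds", "tcp", 5432, "0.0.0.0/0")
    for finding in find_violations(drifted, POLICY):
        print("finding:", finding)
```

Security groups are stateful, so the check only needs ingress rules; it says nothing about NACLs or egress, which are separate controls. Run it in CI against the account’s real output so that a "temporary" `0.0.0.0/0` on the database port fails the build instead of waiting for a pentest to find it.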

## **Multi-VPC Network Segmentation Strategies**

### **Using VPC Peering for Secure Inter-VPC Communication**

✔ Connects two VPCs **privately** over the AWS network, without an internet gateway, NAT, or VPN.\
✔ **Low-latency, direct network connection** between VPCs, including across accounts and regions.\
✔ **Not transitive:** if VPC A peers with B and B peers with C, A still cannot reach C; every pair that needs to talk gets its own peering connection and its own routes.\
✔ The two VPCs’ **CIDR blocks must not overlap**, and **both** route tables need a route to the other VPC’s CIDR via the peering connection.

🔹 **Use Case:** SecureCart **peers its main application VPC with a separate payment processing VPC** for added isolation.

✅ **Best Practices:**\
✔ Peering **only when required** – Avoid unnecessary complexity.\
✔ Route **only the subnets that need it** – point routes at the payment service’s subnet CIDRs rather than the whole VPC, and lock the path down further with security groups.\
✔ Use **private DNS resolution** for inter-VPC communication (enable DNS resolution on the peering connection).

***

### **Using AWS Transit Gateway for Centralized Multi-VPC Routing**

✔ Acts as a **centralized router** to simplify multi-VPC networking; each VPC attaches once and the Transit Gateway forwards between attachments.\
✔ **More scalable than VPC Peering** (avoids complex many-to-many peering).\
✔ **Transitive by default** – unlike peering, any two attachments that share a Transit Gateway route table can reach each other, so isolation has to be designed in.

🔹 **Use Case:**

* SecureCart **connects multiple accounts (Dev, Staging, Production) using AWS Transit Gateway**, sharing the gateway across accounts with AWS Resource Access Manager.

✅ **Best Practices:**\
✔ Use **Transit Gateway over VPC Peering for large-scale architectures**.\
✔ **Apply route table segmentation** – associate the Production attachment with a different Transit Gateway route table from Dev and Staging, and propagate only shared-service routes into each, so that no route exists between Production and Dev.
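The non-transitivity and route-table rules from the two sections above, shown in a small reachability model added here as an example (it is not the page’s own code). The VPC names, CIDRs, the `pcx:` peering labels and the Transit Gateway route tables are constructed; the point it makes is that reachability is a property of routes on both ends, not of the mere existence of a connection.

```python
"""Model inter-VPC reachability for peering and Transit Gateway designs.

Added example, not from the original page. The VPC names, CIDRs, peering
connections and Transit Gateway route tables are constructed to show two
properties the design relies on: peering is not transitive, and a Transit
Gateway forwards only what its route tables say.
"""
from __future__ import annotations

import ipaddress
from itertools import combinations

# --- Peering ---------------------------------------------------------------
# Constructed VPCs. AWS refuses to peer VPCs whose CIDRs overlap.
VPCS = {"app": "10.0.0.0/16", "payments": "10.1.0.0/16", "analytics": "10.2.0.0/16"}

# VPC route tables: destination CIDR -> target. "pcx:a-b" is the peering
# connection between a and b. app<->payments and payments<->analytics are
# peered; app and analytics are not.
PEERING_ROUTES = {
    "app": {"10.0.0.0/16": "local", "10.1.0.0/16": "pcx:app-payments"},
    "payments": {"10.1.0.0/16": "local", "10.0.0.0/16": "pcx:app-payments",
                 "10.2.0.0/16": "pcx:payments-analytics"},
    "analytics": {"10.2.0.0/16": "local", "10.1.0.0/16": "pcx:payments-analytics"},
}


def overlapping_cidrs(vpcs: dict[str, str]) -> list[tuple[str, str]]:
    """VPC pairs whose CIDRs overlap; these cannot be peered."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def reachable_via_peering(src: str, dst: str, vpcs: dict, routes: dict) -> bool:
    """True only if a direct peering joins src and dst and both sides route to it.

    There is no hop through a middle VPC: a route at src that points dst's
    CIDR at a peering connection not ending at dst is dropped by AWS.
    """
    if src == dst:
        return True
    target = routes[src].get(vpcs[dst])
    if not target or not target.startswith("pcx:"):
        return False
    ends = set(target[len("pcx:"):].split("-"))
    return ends == {src, dst} and routes[dst].get(vpcs[src]) == target


# --- Transit Gateway -------------------------------------------------------
# Constructed: each VPC attachment is associated with one TGW route table,
# and a TGW route table maps destination CIDR -> attachment to forward to.
# Prod and Dev both reach Shared; neither has a route to the other. (The
# VPC-side route to the TGW is assumed present and not modelled here.)
TGW_VPCS = {"prod": "10.20.0.0/16", "dev": "10.30.0.0/16", "shared": "10.10.0.0/16"}
TGW_ATTACHMENTS = {"prod": "tgw-rtb-prod", "dev": "tgw-rtb-dev", "shared": "tgw-rtb-shared"}
TGW_ROUTE_TABLES = {
    "tgw-rtb-prod": {"10.10.0.0/16": "shared"},
    "tgw-rtb-dev": {"10.10.0.0/16": "shared"},
    "tgw-rtb-shared": {"10.20.0.0/16": "prod", "10.30.0.0/16": "dev"},
}


def reachable_via_tgw(src: str, dst: str, vpcs: dict, attachments: dict, tables: dict) -> bool:
    """True if src's TGW route table forwards dst's CIDR to dst and the reverse route exists."""
    if src == dst:
        return True
    forward = tables[attachments[src]].get(vpcs[dst]) == dst
    back = tables[attachments[dst]].get(vpcs[src]) == src
    return forward and back


def reachability_matrix(vpcs: dict, check) -> dict[tuple[str, str], bool]:
    """Every ordered pair, so a reviewer sees the whole segmentation at a glance."""
    return {(a, b): check(a, b) for a in vpcs for b in vpcs if a != b}


if __name__ == "__main__":
    print("overlaps:", overlapping_cidrs(VPCS))
    peer = reachability_matrix(VPCS, lambda a, b: reachable_via_peering(a, b, VPCS, PEERING_ROUTES))
    print("app->analytics over peering:", peer[("app", "analytics")])  # False: not transitive
    tgw = reachability_matrix(
        TGW_VPCS, lambda a, b: reachable_via_tgw(a, b, TGW_VPCS, TGW_ATTACHMENTS, TGW_ROUTE_TABLES))
    print("prod->dev over TGW:", tgw[("prod", "dev")], "| prod->shared:", tgw[("prod", "shared")])
```

Feeding the model real data means pulling VPC route tables and Transit Gateway route-table routes and associations from the account; the `pcx:`/attachment naming here is only a stand-in for the real IDs. The matrix is worth printing in a change review: a new route that turns a `False` into `True` between Production and Dev is exactly the segmentation break the Transit Gateway best practice above is meant to prevent.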

***

## **Securing External Connectivity**

SecureCart ensures **private, secure access to AWS services and third-party providers**.

### **A. AWS PrivateLink (Secure API Access)**

✔ Allows SecureCart to **connect to third-party services privately** without using the internet: the provider publishes an endpoint service behind a Network Load Balancer, and SecureCart creates an interface endpoint (an ENI with a private IP) in its own subnets.\
✔ Traffic is **one-directional**: SecureCart initiates connections to the provider, and the provider gets no route into SecureCart’s VPC.

🔹 **Use Case:**

* SecureCart **connects its payment gateway via PrivateLink** to ensure transactions occur over a **private connection**.

✅ **Best Practices:**\
✔ **Use PrivateLink over public API endpoints**.\
✔ Restrict PrivateLink access using the **endpoint’s Security Group** (allow 443 only from the ECS security group) and, where the endpoint supports it, a **VPC endpoint policy**.\
✔ Keep **TLS** on the connection: PrivateLink keeps traffic off the internet, but end-to-end encryption is still the application’s job.

***

### **B. AWS Direct Connect (On-Premises Integration)**

✔ Provides a **dedicated private network connection** between an on-premises site and AWS, bypassing the public internet.\
✔ **Not encrypted by default**: Direct Connect is a private circuit, not an encrypted tunnel.

🔹 **Use Case:**

* SecureCart **uses Direct Connect to securely transfer bulk order data** to a third-party logistics provider’s data center.

✅ **Best Practices:**\
✔ Encrypt Direct Connect traffic by running a **Site-to-Site VPN over the connection** (or **MACsec** on dedicated connections that support it).\
✔ Advertise **only the prefixes that need to cross the link** over BGP, and treat the on-premises side as one more segment governed by security groups and NACLs.\
✔ Monitor **Direct Connect link utilization** to optimize bandwidth.

#### **Scenario:**

SecureCart’s AWS environment must be **segmented into public and private subnets** to protect backend services from direct internet access.

#### **Key Learning Objectives:**

✅ Implement **public and private subnet architectures**\
✅ Configure **NAT Gateways & Internet Gateways** for controlled access\
✅ Set up **VPC Peering & Transit Gateway** for secure multi-VPC communication\
✅ Implement **network segmentation for microservices security**

#### **Hands-on Labs:**

1️⃣ **Create Public & Private Subnets in a Multi-AZ VPC**\
2️⃣ **Configure NAT Gateway for Private Subnet Internet Access**\
3️⃣ **Establish VPC Peering Between SecureCart’s Workloads**

🔹 **Outcome:** SecureCart **prevents direct access to sensitive workloads** while **ensuring controlled traffic flows**.

Network segmentation is a **fundamental security practice** that isolates workloads, restricts unauthorized access, and improves performance by managing how traffic flows within an AWS environment.

✔ **Why does SecureCart use network segmentation?**

* **Minimizes attack surface** – Prevents lateral movement of threats.
* **Enhances security** – Ensures workloads only communicate where necessary.
* **Optimizes performance** – Reduces congestion by segmenting traffic.
* **Ensures compliance** – Helps meet regulatory and security requirements.

***

### **Key Network Segmentation Strategies in AWS**

| **Segmentation Strategy**      | **Description**                                                                                  | **Use Case in SecureCart**                                                                                              |
| ------------------------------ | ------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------- |
| **Public vs. Private Subnets** | Segregates workloads into **public** (internet-facing) and **private** (internal-only) subnets.  | ALB in **public subnets**, ECS services and RDS database in **private subnets**.                                        |
| **Multi-Tier Architecture**    | Separates web, application, and database layers into **different subnets**.                      | SecureCart’s **frontend (ALB), backend (ECS), and database (RDS)** are in **isolated network tiers**.                   |
| **VPC Peering**                | Allows **secure communication between two VPCs** without using the internet.                     | SecureCart’s **payment processing service** is in a **separate VPC** but securely peered with the main application VPC. |
| **AWS Transit Gateway**        | Centralized routing for **multi-VPC environments**.                                              | SecureCart **connects multiple AWS accounts securely** with **a single routing hub**.                                   |
| **VPC Endpoints**              | Enables **private access to AWS services** (S3, DynamoDB) **without using an internet gateway**. | SecureCart **accesses S3 securely via VPC Endpoints**, preventing public exposure.                                      |

✅ **Best Practice:** **Reduce public exposure** and use **private networking whenever possible**.

***

### **🔹 Step 2: Designing a Secure VPC Architecture**

SecureCart’s **network is divided into logical zones** based on security needs.

#### **🔹 Public vs. Private Subnet Design**

✔ **Public Subnets** – Contain only the ALB (internet-facing) and the NAT Gateway that private subnets use for outbound traffic.\
✔ **Private Subnets** – ECS tasks, databases, and sensitive services have no public IPs and **cannot be accessed directly from the internet**; they reach the internet, if at all, only outbound through the NAT Gateway.

| **Component**                       | **Location**   | **Access Control**                           |
| ----------------------------------- | -------------- | -------------------------------------------- |
| **Application Load Balancer (ALB)** | Public Subnet  | Accepts public traffic, forwards to ECS.     |
| **ECS Services**                    | Private Subnet | Only ALB can communicate with ECS tasks.     |
| **RDS Database**                    | Private Subnet | Only accessible by ECS (via Security Group). |

✅ **Best Practice:** Use **private subnets for backend services and databases**.

***

### **🔹 Step 3: Controlling Traffic Flow Between Segments**

#### **A. Route Tables & Traffic Flow**

✔ SecureCart uses **custom route tables** to control communication between public/private subnets and external networks. Public and private subnets get **different route tables**; the only route they share is the VPC-local one.

| **Route Table** | **Destination**        | **Target**           | **Purpose**                                                      |
| --------------- | ---------------------- | -------------------- | ---------------------------------------------------------------- |
| Public          | `10.0.0.0/16`          | `local`              | Internal communication within the VPC.                           |
| Public          | `0.0.0.0/0`            | Internet Gateway     | Inbound and outbound internet access (ALB subnets only).         |
| Private         | `10.0.0.0/16`          | `local`              | Internal communication within the VPC.                           |
| Private         | `0.0.0.0/0`            | NAT Gateway          | Outbound-only access for ECS tasks (image pulls, patches, APIs). |
| Private         | S3 managed prefix list | Gateway VPC Endpoint | Private access to S3 that never touches the NAT or the internet. |

✅ **Best Practice:** Avoid **unrestricted routes** to the internet: a private subnet’s route table must never point `0.0.0.0/0` at an Internet Gateway, and a database subnet that needs no outbound access should have no default route at all.
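A check that derives each subnet’s tier from its route table and verifies the component placement from Step 2 against it, added here as an example and not part of the original page. `ROUTE_TABLES` mimics the shape of `aws ec2 describe-route-tables`; the IDs, CIDRs, prefix-list ID and the placement map are constructed. It goes one step beyond the table above by treating a subnet with no default route as a separate "isolated" tier, which is where the database subnets belong when the database needs no outbound access; if SecureCart’s database subnets share the NAT route table instead, set the RDS entry in `ALLOWED_TIER` to `"private"`.

```python
"""Classify subnets from their route tables and verify component placement.

Added example, not from the original page. ROUTE_TABLES mimics the shape of
`aws ec2 describe-route-tables`; the IDs, CIDRs, prefix-list ID and the
placement map are constructed for illustration.
"""
from __future__ import annotations

# Constructed route tables. The default-route target decides the tier:
#   igw- -> public, nat- -> private (outbound only), no default -> isolated.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"},
     ]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-app-a"}, {"SubnetId": "subnet-app-b"}],
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
         # S3 gateway endpoint route; the real prefix-list ID is region-specific.
         {"DestinationPrefixListId": "pl-s3example", "GatewayId": "vpce-0example"},
     ]},
    {"RouteTableId": "rtb-data",
     "Associations": [{"SubnetId": "subnet-db-a"}, {"SubnetId": "subnet-db-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

# Constructed: which subnets each component runs in, and the tier it may use.
PLACEMENT = {"alb": ["subnet-pub-a", "subnet-pub-b"],
             "ecs": ["subnet-app-a", "subnet-app-b"],
             "rds": ["subnet-db-a", "subnet-db-b"]}
ALLOWED_TIER = {"alb": "public", "ecs": "private", "rds": "isolated"}

S3_PREFIX_LIST = "pl-s3example"  # constructed; find the real one with describe-prefix-lists


def classify_subnets(route_tables: list[dict]) -> dict[str, str]:
    """Map subnet ID -> 'public' | 'private' | 'isolated' | 'unknown'."""
    tiers = {}
    for rtb in route_tables:
        default = next((r for r in rtb["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        if default is None:
            tier = "isolated"
        elif default.get("GatewayId", "").startswith("igw-"):
            tier = "public"
        elif "NatGatewayId" in default:
            tier = "private"
        else:
            tier = "unknown"  # e.g. default route to a TGW or VPN; review by hand
        for assoc in rtb["Associations"]:
            if "SubnetId" in assoc:  # the main-table association has no SubnetId
                tiers[assoc["SubnetId"]] = tier
    return tiers


def placement_findings(route_tables: list[dict], placement: dict, allowed: dict) -> list[str]:
    """One finding per component sitting in a subnet of the wrong tier."""
    tiers = classify_subnets(route_tables)
    findings = []
    for component, subnets in placement.items():
        for subnet in subnets:
            tier = tiers.get(subnet, "unassociated")
            if tier != allowed[component]:
                findings.append(f"{component} in {subnet}: tier is {tier}, expected {allowed[component]}")
    return findings


def s3_via_endpoint(route_tables: list[dict], subnet_id: str, prefix_list_id: str) -> bool:
    """True if the subnet's route table sends the S3 prefix list to a gateway endpoint."""
    for rtb in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rtb["Associations"]):
            return any(r.get("DestinationPrefixListId") == prefix_list_id
                       and r.get("GatewayId", "").startswith("vpce-") for r in rtb["Routes"])
    return False


if __name__ == "__main__":
    print(classify_subnets(ROUTE_TABLES))
    print("placement:", placement_findings(ROUTE_TABLES, PLACEMENT, ALLOWED_TIER) or "clean")
    print("ECS reaches S3 via endpoint:", s3_via_endpoint(ROUTE_TABLES, "subnet-app-a", S3_PREFIX_LIST))
```

The classification looks only at the default route, which is what decides whether a subnet is reachable from, or can reach, the internet; a subnet with a route to a Transit Gateway or VPN comes back as `unknown` on purpose so a human reviews it. Subnets that appear in no explicit association fall back to the VPC’s main route table in AWS, which this check reports as `unassociated` rather than guessing.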
