Network Segmentation
A flat network means one compromised host can reach everything. Network segmentation limits blast radius — databases can't be reached from the internet, production can't be accessed from development, and a compromised web server can't pivot to your CI/CD system. We implement segmentation that's enforceable and maintainable.
Need this done for your project?
We implement, you ship. Async, documented, done in days.
Segmentation Architecture
We design segments based on trust levels and data sensitivity: public-facing services, application tier, data tier, management plane, and CI/CD infrastructure each get isolated segments. Cross-segment traffic flows through defined chokepoints with explicit allow rules. The architecture maps to your cloud provider's constructs — VPCs, subnets, and security groups in AWS/GCP; NSGs and VNets in Azure. On-prem, VLANs and firewall zones provide equivalent isolation.
Policy Definition & Enforcement
Segmentation policies start with application communication mapping: we discover what talks to what using flow logs and traffic analysis. Policies are defined as code: 'web servers can reach app servers on port 8080; app servers can reach databases on port 5432; nothing else is allowed.' Enforcement uses security groups, NACLs, Kubernetes NetworkPolicies, and host firewalls in layers.
Kubernetes Microsegmentation
Kubernetes namespaces get default-deny NetworkPolicies. Explicit allow rules permit only documented service-to-service paths. Cilium provides L7-aware policies (allow HTTP GET but not POST to specific paths). Label-based policies survive pod restarts and scaling events. We test policies with network policy simulators before enforcement, so there are no 'we segmented the network and everything broke' moments.
Validation & Continuous Compliance
After implementation, we validate segmentation by attempting cross-segment access — confirming that blocked paths are actually blocked. Automated compliance checks run continuously, alerting on new security group rules or network policies that violate segmentation intent. Flow log analysis confirms that actual traffic patterns match the segmentation design. Quarterly reviews assess whether segmentation still matches the application architecture.
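As an added example (not code from this page or from Anubiz Engineering), here is the policy-as-code intent quoted above and the continuous compliance check described here, as a small Python checker: the intent allowlist, the CIDR-to-segment map, the rule record shape and the simplified flow-log line format are all constructed placeholders, not any provider's real export format.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Optional

# Segmentation intent as code (constructed, mirroring the quoted policy):
# web -> app on 8080, app -> db on 5432, nothing else is allowed.
INTENT = {("web", "app", 8080), ("app", "db", 5432)}

# Hypothetical CIDR-to-segment map; real values come from your VPC design.
SEGMENTS = {
    ipaddress.ip_network("10.0.1.0/24"): "web",
    ipaddress.ip_network("10.0.2.0/24"): "app",
    ipaddress.ip_network("10.0.3.0/24"): "db",
    ipaddress.ip_network("10.0.9.0/24"): "ci",
}

class Rule(NamedTuple):  # one inbound security-group rule attached to a segment
    dst_segment: str
    src_cidr: str
    port: int

def segment_of(addr: str) -> Optional[str]:
    """Map an IP or CIDR to its segment; None if it lies outside every segment
    (so a 0.0.0.0/0 source never maps to a trusted segment)."""
    net = ipaddress.ip_network(addr, strict=False)
    for seg_net, name in SEGMENTS.items():
        if net.subnet_of(seg_net):
            return name
    return None

def rule_violations(rules: Iterable[Rule]) -> List[str]:
    """One finding per rule that allows a path the intent does not list."""
    findings = []
    for r in rules:
        src = segment_of(r.src_cidr)
        if src is None or (src, r.dst_segment, r.port) not in INTENT:
            findings.append(f"{r.dst_segment} allows {r.src_cidr}:{r.port} "
                            f"(src={src or 'unmapped'})")
    return findings

def flow_violations(flows: Iterable[str]) -> List[str]:
    """Flag accepted cross-segment flows outside the intent. Each line is a
    constructed, simplified flow-log record: 'src_ip dst_ip dst_port action'."""
    findings = []
    for line in flows:
        src_ip, dst_ip, port, action = line.split()
        path = (segment_of(src_ip), segment_of(dst_ip), int(port))
        if action == "ACCEPT" and path[0] != path[1] and path not in INTENT:
            findings.append(f"{src_ip}->{dst_ip}:{port} crosses "
                            f"{path[0]}->{path[1]} outside intent")
    return findings
```

Feed it exported security-group rules and flow-log lines mapped into these record shapes; every string returned is a rule or an observed path that contradicts the segmentation design and needs review.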
Why Anubiz Engineering
Ready to get started?
Skip the research. Tell us what you need, and we'll scope it, implement it, and hand it back — fully documented and production-ready.