Segregated network, perimeter security, single secure entry point, dedicated peer-to-peer connectivity
Imagine you are building your house. What do you start with? First of all you secure your plot from trespassers with a boundary wall. You will probably also add an entry point to let in the people who are supposed to enter and work on the property. Once the property is secured and marked out, you start designing the master plan of the house: the number of rooms, their types, the passages between them and so on. You have to ensure there is seamless connectivity across the house while it stays secured from unwanted elements.
Building software infrastructure is similar; after all, it is the house where your potential best-selling software will be deployed.
The network is the root of the infrastructure: the stronger the root, the healthier the entire tree. Any loophole in it can compromise the whole software infrastructure. Like a house, a robust infrastructure needs secure and seamless connectivity across all systems and services.
Segregated Network
To secure connectivity, the network should be segregated (subnetted) according to the incoming and outgoing access each part needs.
As in the house example above, your living room is accessible to all visitors, your bedroom is private to you, and the kitchen is visible to guests but operated only by you. Likewise, identify the privacy layers in your network:
Public: accepts ingress traffic from the internet (and can reach it). Private: no incoming or outgoing internet access at all. Protected: no ingress from the internet, but outgoing access to it (typically through a NAT gateway, for updates and outbound API calls).
On a cloud provider this privacy is achieved with VPCs and subnets; on premises and on legacy systems, with VLANs and DMZs. Prefer a VPC over a provider's classic or flat shared network.
Configurations must be logically segregated or tiered by usage (e.g. per product or per customer).
Firewall rules must be adapted per tier/subnet.
If necessary, segregate virtual machines and appliances onto dedicated hardware.
Always keep separate networks for production and non-production.
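As an added example (not from the original post), the following Python script classifies subnets into the public, protected and private tiers from their route tables and checks the segregation rules above: each role sits in its tier, production and non-production never share a network, and subnets do not overlap. The inventory is constructed for this example and the field names (vpc, env, role, the route targets igw/nat/local) are assumptions, not any provider's API format:

```python
import ipaddress
from typing import Dict, List

# Which tier each role is allowed to live in (the living room / kitchen / bedroom
# split from the text): web faces the internet, app only needs egress, db neither.
ROLE_TIER = {"web": "public", "app": "protected", "db": "private"}

# Constructed sample inventory (not any provider's API output). Route targets are
# hypothetical labels: "igw" = internet gateway, "nat" = NAT gateway, "local" = VPC-only.
SUBNETS: List[Dict] = [
    {"name": "prod-web", "vpc": "vpc-prod", "env": "prod", "role": "web",
     "cidr": "10.10.1.0/24", "routes": [("10.10.0.0/16", "local"), ("0.0.0.0/0", "igw")]},
    {"name": "prod-app", "vpc": "vpc-prod", "env": "prod", "role": "app",
     "cidr": "10.10.2.0/24", "routes": [("10.10.0.0/16", "local"), ("0.0.0.0/0", "nat")]},
    # wrong on purpose: a database subnet with a default route to the internet gateway
    {"name": "prod-db", "vpc": "vpc-prod", "env": "prod", "role": "db",
     "cidr": "10.10.3.0/24", "routes": [("10.10.0.0/16", "local"), ("0.0.0.0/0", "igw")]},
    # wrong on purpose: non-production inside the production VPC, overlapping prod-app
    {"name": "staging-app", "vpc": "vpc-prod", "env": "nonprod", "role": "app",
     "cidr": "10.10.2.128/25", "routes": [("10.10.0.0/16", "local"), ("0.0.0.0/0", "nat")]},
]


def tier_of(subnet: Dict) -> str:
    """Public if the default route points at an internet gateway, protected if it
    points at a NAT gateway (egress only), private if there is no default route."""
    for dest, target in subnet["routes"]:
        if ipaddress.ip_network(dest).prefixlen == 0:  # 0.0.0.0/0 or ::/0
            return "public" if target == "igw" else "protected"
    return "private"


def find_violations(subnets: List[Dict]) -> List[str]:
    """Return human-readable findings for the segregation rules in the text."""
    findings: List[str] = []
    # 1. each role must sit in its tier
    for s in subnets:
        actual, wanted = tier_of(s), ROLE_TIER[s["role"]]
        if actual != wanted:
            findings.append(f"{s['name']}: role {s['role']} is in a {actual} subnet, expected {wanted}")
    # 2. production and non-production never share a network
    envs_by_vpc: Dict[str, set] = {}
    for s in subnets:
        envs_by_vpc.setdefault(s["vpc"], set()).add(s["env"])
    for vpc, envs in sorted(envs_by_vpc.items()):
        if len(envs) > 1:
            findings.append(f"{vpc}: mixes environments {sorted(envs)}")
    # 3. subnets must not overlap, otherwise per-subnet firewall rules become ambiguous
    nets = [(s["name"], ipaddress.ip_network(s["cidr"])) for s in subnets]
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{a_name} ({a}) overlaps {b_name} ({b})")
    return findings


if __name__ == "__main__":
    for s in SUBNETS:
        print(f"{s['name']:12} -> {tier_of(s)}")
    for f in find_violations(SUBNETS):
        print("VIOLATION:", f)
```

In practice the inventory would be pulled from the provider's route tables and subnets and the check run in CI against every VPC; a database subnet whose default route reaches an internet gateway is the bedroom with a door onto the street.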
Perimeter Security
Going back to the house construction example, we are now in fencing mode: we need to build a boundary wall with a gateway for trusted access. So, to secure our perimeter, we first need:
Network policies based on whitelisting (allowlisting).
Deny all by default.
Port- and protocol-level filters.
No any-to-any rules (any source to any destination on any port and protocol).
System-to-system access policies enforced with firewall rules or network policies.
Some cloud providers add external IP sources to the network policies or security groups of the services they manage, for monitoring, management or security scanning; managed database services, managed Kubernetes services and vulnerability scanners are typical examples.
Make sure you validate these whitelisted sources as trusted ones, and confirm them with your cloud provider before accepting them.
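To make the perimeter rules above checkable, here is an added Python example (not from the original post) that lints security-group style rules for any-to-any, missing port/protocol filters, internet-wide sources outside the public web tier and sources outside a trusted allowlist, and then evaluates traffic deny-by-default against the rules that survive. The rules, CIDRs and allowlist are constructed; the provider range in TRUSTED_SOURCES is a placeholder for whatever ranges your provider actually confirms:

```python
import ipaddress
from typing import Dict, List

# Constructed allowlist: our own ranges plus ranges the provider confirmed.
# The values are placeholders (TEST-NET ranges), not real provider addresses.
TRUSTED_SOURCES: Dict[str, str] = {
    "10.10.0.0/16": "our VPC",
    "203.0.113.0/24": "office egress (assumed)",
    "198.51.100.0/24": "managed-DB monitoring range, confirmed with the provider (assumed)",
}

# Constructed security-group style rules (not any provider's format).
# proto "any" / ports None / a full 1-65535 range mean "no filter".
RULES: List[Dict] = [
    {"id": "web-https", "source": "0.0.0.0/0", "proto": "tcp", "ports": (443, 443), "dest": "web"},
    {"id": "app-from-web", "source": "10.10.1.0/24", "proto": "tcp", "ports": (8080, 8080), "dest": "app"},
    {"id": "db-from-app", "source": "10.10.2.0/24", "proto": "tcp", "ports": (5432, 5432), "dest": "db"},
    # wrong on purpose: any source, any protocol, any port, straight to the database tier
    {"id": "mgmt-any", "source": "0.0.0.0/0", "proto": "any", "ports": None, "dest": "db"},
    # wrong on purpose: an unknown "scanner" address allowed on every port
    {"id": "scanner", "source": "192.0.2.10/32", "proto": "tcp", "ports": (1, 65535), "dest": "app"},
]


def lint_rule(rule: Dict) -> List[str]:
    """Return the perimeter-policy issues a single allow rule violates."""
    issues: List[str] = []
    src = ipaddress.ip_network(rule["source"])
    unfiltered = (rule["proto"] == "any" or rule["ports"] is None
                  or rule["ports"] in ((0, 65535), (1, 65535)))
    if src.prefixlen == 0 and unfiltered:
        issues.append("any-to-any")
    elif unfiltered:
        issues.append("no port/protocol filter")
    if src.prefixlen == 0:
        # Only the public web tier may listen to the whole internet, and only on web ports.
        if rule["dest"] != "web" or rule["ports"] not in ((80, 80), (443, 443)):
            issues.append("internet-wide source outside the public web tier or standard ports")
    elif not any(src.subnet_of(ipaddress.ip_network(t)) for t in TRUSTED_SOURCES):
        issues.append("source not in trusted allowlist; confirm with the cloud provider before keeping it")
    return issues


def clean_rules(rules: List[Dict]) -> List[Dict]:
    """Keep only rules with no findings; everything else falls back to the default deny."""
    return [r for r in rules if not lint_rule(r)]


def is_allowed(rules: List[Dict], src_ip: str, proto: str, port: int, dest: str) -> bool:
    """Evaluate a flow: allowed only if some rule matches, otherwise deny by default."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r["dest"] != dest or ip not in ipaddress.ip_network(r["source"]):
            continue
        if r["proto"] not in ("any", proto):
            continue
        lo, hi = r["ports"] or (0, 65535)
        if lo <= port <= hi:
            return True
    return False  # nothing matched: deny all by default


if __name__ == "__main__":
    for r in RULES:
        print(f"{r['id']:14} {lint_rule(r) or 'ok'}")
    clean = clean_rules(RULES)
    # With the bad rules removed, the database tier is reachable from the app subnet only.
    print("app -> db:5432", is_allowed(clean, "10.10.2.7", "tcp", 5432, "db"))
    print("internet -> db:5432", is_allowed(clean, "192.0.2.99", "tcp", 5432, "db"))
```

The evaluator has no "allow" fallback: a flow that matches nothing is dropped, which is what "deny all by default" means in code. The allowlist lookup is also where the provider-added ranges land: an address the linter does not recognise is reported for confirmation rather than silently trusted.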
Single Secure Entrypoint
Make sure the device where requests land first is secure. It must be a single trusted entry point, exposed with IP segregation, DNS-based backend mapping, WAF features that implement OWASP rule sets (such as the OWASP Core Rule Set) and DDoS protection.
You can use services like Cloudflare or Akamai. These also come with a CDN, which keeps your public endpoint flexible to point at wherever you host the backend and helps with static asset migrations.
Configure certificate management for TLS certificate issuance, renewal and offloading (termination at the entry point).
Use mutual TLS to establish a zero-trust policy with any third-party application endpoint: both sides present certificates, and the peer is authorised by the identity in its certificate rather than by its IP address alone.
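The mutual TLS point deserves a concrete check, so here is an added Python example (not from the original post) built on the standard ssl module: a server context that refuses any client without a certificate issued by our own CA, and an authorisation step that accepts a peer only if its certificate carries one of the DNS names we agreed on. The ca_path/cert_path/key_path parameters and the sample certificate dicts (constructed in the shape that getpeercert() returns) are assumptions made for the example:

```python
import ssl
from typing import Dict, Iterable, Optional, Set


def build_mtls_server_context(ca_path: Optional[str] = None,
                              cert_path: Optional[str] = None,
                              key_path: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context that REQUIRES a client certificate chained to our CA.
    The paths are assumptions; without them the policy is still applied."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Default for a server context is CERT_NONE (clients are never asked for a cert).
    # CERT_REQUIRED makes the handshake fail when no valid client cert is presented.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_path:
        # Only our private CA, deliberately not the system trust store: a cert from
        # any public CA must not be enough to reach this endpoint.
        ctx.load_verify_locations(cafile=ca_path)
    if cert_path and key_path:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx


def context_policy(ctx: ssl.SSLContext) -> Dict[str, str]:
    """Summarise the settings that matter so they can be checked or logged."""
    return {"verify_mode": ctx.verify_mode.name, "minimum_version": ctx.minimum_version.name}


def peer_dns_names(cert: Dict) -> Set[str]:
    """DNS names from the certificate's subjectAltName, as getpeercert() presents them."""
    return {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}


def authorize_peer(cert: Optional[Dict], allowed: Iterable[str]) -> bool:
    """Zero trust means the handshake alone is not authorisation: the peer must also
    be the specific endpoint we agreed to talk to. Exact SAN matches only; a wildcard
    SAN (*.partner.example) proves membership of a domain, not the identity of one host."""
    if not cert:  # getpeercert() returns {} when no certificate was presented/verified
        return False
    wanted = {a.lower() for a in allowed}
    return any(name in wanted for name in peer_dns_names(cert) if not name.startswith("*"))


# Constructed sample peer certificates (not real certificates), in getpeercert() dict form.
PARTNER_CERT = {
    "subject": ((("commonName", "api.partner.example"),),),
    "subjectAltName": (("DNS", "api.partner.example"), ("DNS", "api2.partner.example"),
                       ("IP Address", "203.0.113.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.partner.example"),),)}  # no SAN at all
WILDCARD_CERT = {"subject": ((("commonName", "*.partner.example"),),),
                 "subjectAltName": (("DNS", "*.partner.example"),)}

if __name__ == "__main__":
    print(context_policy(build_mtls_server_context()))
    # On a live connection: conn.do_handshake(); authorize_peer(conn.getpeercert(), ALLOWED)
    allowed = {"api.partner.example"}
    for label, cert in (("partner", PARTNER_CERT), ("cn-only", CN_ONLY_CERT), ("wildcard", WILDCARD_CERT)):
        print(f"{label:9} authorised: {authorize_peer(cert, allowed)}")
```

Two details are easy to get wrong in practice: loading the system trust store (which turns "our CA only" into "any CA"), and stopping at the handshake. The handshake proves the client holds a key our CA vouched for; authorize_peer proves it is the partner endpoint this service is allowed to talk to.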
Dedicated Interconnection
If you run your services in a hybrid cloud model, or in a DC and DR (disaster recovery) setup, you need direct links between your clouds or sites. These help ensure:
Minimum latency and better performance, including for third-party connections.
Privacy of data in transit between the sites, avoiding man-in-the-middle attacks. Be the owner of your entry points.
Fault tolerance with dual ISP links, so that if one path fails another is available.
For synchronous data replication you need a latency below 1 ms between the two sites. This can realistically only be achieved through a direct dedicated connection, for example MPLS, AWS Direct Connect, Google Cloud Interconnect or Alibaba Cloud Express Connect.
Some people think a site-to-site VPN is sufficient to connect two locations; it is not. A VPN over the internet gives you secure connectivity, but it cannot guarantee latency, because the path is still the public internet.
Summary
A robust infrastructure needs secure and seamless connectivity across all systems and services.
To secure connectivity, the network should be segregated (subnetted) by incoming and outgoing access, with firewall policies securing the perimeter. There should be a single secure entry point for traffic landing from the internet.
For seamless connectivity, dedicated private links should be used for site-to-site (peer-to-peer) connectivity and data transmission.