Network Topology#

Network topology is how the infrastructure’s address space is carved up and wired together. VPCs and subnets set the segments, route tables and peering set what can reach what, and the ingress and egress points set where traffic crosses the boundary. The topology is the map of trust, two systems that cannot route to each other cannot attack each other.

Hub-and-spoke centralizes shared services and egress in a transit hub so the spokes stay simple and the inspection point stays single. Flat peering meshes trade that control for fewer hops. The operator designs the topology to keep lateral movement expensive; a flat segment is the first thing an attacker finds.

        flowchart TB
  subgraph Hub["Network hub"]
    TGW[Transit gateway]
    Egress[Central egress + inspection]
    DNS[Central DNS]
  end
  Prod[Prod VPC] --> TGW
  NonProd[Non-prod VPC] --> TGW
  Shared[Shared services VPC] --> TGW
  OnPrem[On-prem / other clouds] --> TGW
  TGW --> Egress
  Egress --> Internet((Internet))
    

Subnets#

The subnet is the smallest routable segment, and its route table decides what the workloads inside it can reach. The operator tiers them by exposure so a public-facing box never shares a segment with a database.

Tier

Reaches

Holds

Public

Inbound and outbound to the internet

Load balancers and NAT gateways only

Private

Outbound via NAT, no inbound from the internet

Application and service workloads

Isolated

No internet route at all

Databases, secrets, and sensitive data stores

Hub#

A hub-and-spoke layout attaches every workload network to one transit hub that owns cross-network routing, central egress, and DNS. The spokes never peer directly, so adding a network is one attachment rather than a new mesh edge, and every cross-segment packet passes a single inspection point. A full peering mesh drops the extra hop but multiplies the connections to reason about and scatters the controls.

Layout

Trade

Hub and spoke

One inspection and egress point, simple growth, an extra hop

Full mesh

Lowest latency, but controls and routes scattered across pairs

Isolated islands

Strongest separation, but shared services get duplicated

Segmentation#

Routing decides what is reachable; segmentation decides what is allowed once reachable. The operator layers a stateful instance firewall, a stateless subnet filter, and (where workloads carry identity) microsegmentation that keys on the service rather than the address.

Control

Scope

Note

Security group

Instance or interface

Stateful, default-deny inbound

Subnet ACL

Subnet

Stateless, ordered rules, a coarse backstop

Microsegmentation

Workload identity

L7-aware, via service mesh or network policy

Edges#

The edge is where the infrastructure meets everything it does not control. Inbound is funneled through a load balancer and a WAF; outbound is funneled through NAT and an inspected proxy so a compromised workload cannot beacon out to an arbitrary host.

  • Ingress, a load balancer terminates the connection, a WAF screens L7.

  • Egress, NAT plus an allowlisting proxy decides which destinations are reachable.

  • Inspection, the central egress point logs and filters every outbound flow.

  • Boundary, on-prem and partner links land on the hub, never on a workload spoke.

Private#

Traffic to provider services should skip the public internet entirely. A private endpoint projects the managed service into the infrastructure’s own address space, so object storage or a database API is reachable over private routing and never needs an egress path to a public endpoint. See Landing Zones for where the network account that owns these endpoints sits.

Providers#

The topology is identical across providers; only the product names change.

Concept

AWS

GCP

Azure

Network boundary

VPC

VPC

Virtual network

Transit hub

Transit Gateway

Network Connectivity Center

Virtual WAN

Peering

VPC Peering

VPC Peering

VNet Peering

Private service access

PrivateLink

Private Service Connect

Private Link

L4 firewall

Security group

Firewall rule

Network security group

Egress NAT

NAT Gateway

Cloud NAT

NAT Gateway

Pitfalls#

  • Overlapping CIDRs, ranges chosen per network that block later peering.

  • Flat network, one segment where any workload can reach any other.

  • Public by default, workloads given public addresses they never needed.

  • Asymmetric routing, return traffic taking a path the stateful firewall never saw.

  • Security-group sprawl, rules that accrete until default-deny is meaningless.

References#