Network Topology#
Network topology is how the infrastructure’s address space is carved up and wired together. VPCs and subnets set the segments, route tables and peering set what can reach what, and the ingress and egress points set where traffic crosses the boundary. The topology is the map of trust, two systems that cannot route to each other cannot attack each other.
Hub-and-spoke centralizes shared services and egress in a transit hub so the spokes stay simple and the inspection point stays single. Flat peering meshes trade that control for fewer hops. The operator designs the topology to keep lateral movement expensive; a flat segment is the first thing an attacker finds.
flowchart TB
subgraph Hub["Network hub"]
TGW[Transit gateway]
Egress[Central egress + inspection]
DNS[Central DNS]
end
Prod[Prod VPC] --> TGW
NonProd[Non-prod VPC] --> TGW
Shared[Shared services VPC] --> TGW
OnPrem[On-prem / other clouds] --> TGW
TGW --> Egress
Egress --> Internet((Internet))
Subnets#
The subnet is the smallest routable segment, and its route table decides what the workloads inside it can reach. The operator tiers them by exposure so a public-facing box never shares a segment with a database.
Tier |
Reaches |
Holds |
|---|---|---|
Public |
Inbound and outbound to the internet |
Load balancers and NAT gateways only |
Private |
Outbound via NAT, no inbound from the internet |
Application and service workloads |
Isolated |
No internet route at all |
Databases, secrets, and sensitive data stores |
Hub#
A hub-and-spoke layout attaches every workload network to one transit hub that owns cross-network routing, central egress, and DNS. The spokes never peer directly, so adding a network is one attachment rather than a new mesh edge, and every cross-segment packet passes a single inspection point. A full peering mesh drops the extra hop but multiplies the connections to reason about and scatters the controls.
Layout |
Trade |
|---|---|
Hub and spoke |
One inspection and egress point, simple growth, an extra hop |
Full mesh |
Lowest latency, but controls and routes scattered across pairs |
Isolated islands |
Strongest separation, but shared services get duplicated |
Segmentation#
Routing decides what is reachable; segmentation decides what is allowed once reachable. The operator layers a stateful instance firewall, a stateless subnet filter, and (where workloads carry identity) microsegmentation that keys on the service rather than the address.
Control |
Scope |
Note |
|---|---|---|
Security group |
Instance or interface |
Stateful, default-deny inbound |
Subnet ACL |
Subnet |
Stateless, ordered rules, a coarse backstop |
Microsegmentation |
Workload identity |
L7-aware, via service mesh or network policy |
Edges#
The edge is where the infrastructure meets everything it does not control. Inbound is funneled through a load balancer and a WAF; outbound is funneled through NAT and an inspected proxy so a compromised workload cannot beacon out to an arbitrary host.
Ingress, a load balancer terminates the connection, a WAF screens L7.
Egress, NAT plus an allowlisting proxy decides which destinations are reachable.
Inspection, the central egress point logs and filters every outbound flow.
Boundary, on-prem and partner links land on the hub, never on a workload spoke.
Private#
Traffic to provider services should skip the public internet entirely. A private endpoint projects the managed service into the infrastructure’s own address space, so object storage or a database API is reachable over private routing and never needs an egress path to a public endpoint. See Landing Zones for where the network account that owns these endpoints sits.
Providers#
The topology is identical across providers; only the product names change.
Concept |
AWS |
GCP |
Azure |
|---|---|---|---|
Network boundary |
VPC |
VPC |
Virtual network |
Transit hub |
Transit Gateway |
Network Connectivity Center |
Virtual WAN |
Peering |
VPC Peering |
VPC Peering |
VNet Peering |
Private service access |
PrivateLink |
Private Service Connect |
Private Link |
L4 firewall |
Security group |
Firewall rule |
Network security group |
Egress NAT |
NAT Gateway |
Cloud NAT |
NAT Gateway |
Pitfalls#
Overlapping CIDRs, ranges chosen per network that block later peering.
Flat network, one segment where any workload can reach any other.
Public by default, workloads given public addresses they never needed.
Asymmetric routing, return traffic taking a path the stateful firewall never saw.
Security-group sprawl, rules that accrete until default-deny is meaningless.
References#
Landing Zones for the network account the hub lives in.
Tenancy for the isolation the segments enforce between tenants.
Networking for the networking primitives this arranges.
Security for the control layers at each edge.