Best practices for designing secure VPCs – Infrastructure Security – Keeping Your VPC secure

Best practices for designing secure VPCs

This section will guide you through a series of best practices that can guide you in designing a skeleton for your VPCs that is not only functional but also secure. These practices are not exhaustive, but they provide a solid foundation for building secure VPCs.

Use subnet segregation heavily

One of the most effective ways to enhance security within a VPC is through heavy subnet segregation. The flexibility offered by VPCs, with virtually no limitation in the number of subnets, allows for granular micro-segmentation. This is a significant advantage over traditional networking, where the number of subnets is limited by physical constraints.

Micro-segmentation involves dividing a VPC into many small, isolated subnets, each hosting a limited number of resources. This approach can significantly improve resources segregation and reduce the attack surface. If a resource in one subnet is compromised, the impact is contained within that subnet and does not affect resources in other subnets. This is a fundamental principle of the zero-trust approach, where each micro-segment of the network is considered a separate trust zone and is secured accordingly. It is a stark contrast to traditional flat network designs where attackers can easily move laterally and jeopardize other systems once they have infiltrated the network.

When designing your VPCs, consider creating separate subnets for different types of resources based on their function and sensitivity. For example, web servers, application servers, and databases should each be placed in separate subnets. Furthermore, you can apply different security controls to each subnet based on the sensitivity and function of the resources within it.

The following figure (Figure 2.2) compares traditional segmentation using a limited number of subnets (on the left) with micro-segmentation using a large number of isolated subnets (on the right):

Figure 2.2 – Traditional segmentation and micro-segmentation comparison