Cloud networks behave differently from on-prem networks. The defaults are usually open within an account and closed to the public internet — the opposite of where most on-prem networks land. That cuts both ways.
The three layers to segment
- Account / project boundaries. The strongest separation in the cloud. Production should sit in its own account, not its own VPC inside a shared account.
- Subnet and security-group rules. Inside an account, restrict who can talk to whom. Default-deny, then open specific paths.
- Service-to-service authentication. Even inside a subnet, services should authenticate each other. A flat trust zone is a single compromised host away from a full breach.
Patterns that work
- One account per environment (production, staging, development)
- A central security account that holds logs, audit trails, and the break-glass credentials
- Private subnets for anything stateful, public subnets only for ingress proxies
- Mutual TLS or signed tokens between services, not "we trust 10.0.0.0/8"
Patterns that fail
- "Production VPC" and "dev VPC" inside the same account with shared roles
- Open security groups on services that "are only reached internally"
- Bastion hosts with long-lived SSH keys
- Peering connections that effectively merge two networks back into one flat zone
Takeaway
Segment first by account, then by network, then by service identity. Each layer compensates for failures in the others.
HS Academy
All HS Academy lessons are free to read. Create a free HorizonShield account to explore the platform itself.
Sign up free →