Decide on VPC Network Traffic Isolation Policy
Context and Problem Statementβ
Describe why we are making this decision or what problem we are solving.
Considered Optionsβ
Both options support principles of least privilege.
Option 1 - Use a Flat Network with two Subnets per AZ (Public, Private) (Recommended)β
network architecture
Prosβ
-
Use Security Group ACLs to easily restrict service-to-service communication using Security Group IDs.
-
Elastic network that doesnβt require advanced insights into the size and growth of the workloads
Consβ
-
Security Groups have limited flexibility across regions: e.g. Security Group ACLs only work with CIDRs across regions (and not by Security Group ID)
-
Harder to monitor traffic between workloads
Option 2 - Use a Custom Subnet Strategy Based on Workloadβ
Prosβ
-
More easily restrict network traffic across regions and data centers
-
Follows principles of Least-privilege
-
Also compatible with using Security Group ACLs for an additional layer of security
-
Easier to monitor traffic between workloads
Consβ
-
Requires advanced planning to identify and allocate all workloads and IP space
-
Harder to scale elastically
-
Puts a large burden on network administrators
-
Large route tables, complicated transit gateway rules
-
Requires active monitoring to ensure subnets are not at capacity
Referencesβ
-
Also relates to Decide on AWS Account VPC Subnet CIDR Strategy
-
Also relates to Decide on VPC NAT Strategy