Overview
Network segmentation is a fundamental security practice that divides your cloud network into isolated segments, limiting the blast radius of potential security incidents and enforcing the principle of least privilege for network access. Aviatrix provides comprehensive segmentation capabilities that enable you to create logical boundaries between different parts of your multi-cloud infrastructure, controlling which resources can communicate with each other.
Key Concepts
Network Domains
Network Domains are logical containers that group VPCs/VNets together based on security requirements, business function, or compliance needs. Resources within the same Network Domain can communicate freely, while communication between domains is controlled by connection policies. Common Network Domain examples include:
- Production - Production workloads and databases
- Development - Development and testing environments
- Shared Services - Common services like DNS, Active Directory, monitoring
- DMZ - Internet-facing applications and services
Connection Policies
Connection Policies define which Network Domains can communicate with each other. By default, Network Domains are isolated and cannot communicate. You must explicitly create connection policies to allow traffic between domains.
Security Domains
Security Domains provide an additional layer of segmentation within the Aviatrix transit network, enabling fine-grained control over east-west traffic between spokes.
Segmentation Architecture
Aviatrix segmentation works at the transit layer, providing centralized policy enforcement for all traffic flowing through the transit gateways. This architecture ensures:
- Consistent Policy Enforcement - All inter-VPC traffic is subject to segmentation rules
- Centralized Management - Policies are managed from a single control plane
- Scalability - Segmentation scales with your network without additional complexity
- Visibility - Full visibility into traffic flows between segments
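The following is an added example, not Aviatrix product code, that models the behaviour described above: spokes are associated with exactly one Network Domain, traffic between spokes is evaluated where it crosses the transit layer, intra-domain traffic is allowed, inter-domain traffic is denied unless an explicit connection policy exists, and connection policies are treated as pairwise and non-transitive. The domain and VPC names are constructed samples; treating a spoke with no domain association as unreachable is a simplifying assumption of this model, not a statement about the product.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class TransitSegmentation:
    """Network Domains, spoke associations and connection policies,
    evaluated the way a transit gateway would see a flow.
    Added example; simplified model, not Aviatrix code."""

    # Network Domain name -> spoke VPC/VNet attachments in that domain
    domains: dict[str, set[str]] = field(default_factory=dict)
    # Connection policies as unordered domain pairs (bidirectional allow)
    connections: set[frozenset[str]] = field(default_factory=set)

    def add_domain(self, name: str) -> None:
        self.domains.setdefault(name, set())

    def attach(self, spoke: str, domain: str) -> None:
        """Associate a spoke with exactly one Network Domain."""
        if domain not in self.domains:
            raise KeyError(f"unknown network domain: {domain}")
        if self.domain_of(spoke) is not None:
            raise ValueError(f"{spoke} is already associated with a network domain")
        self.domains[domain].add(spoke)

    def connect(self, domain_a: str, domain_b: str) -> None:
        """Connection policy: an explicit allow between two distinct domains."""
        for d in (domain_a, domain_b):
            if d not in self.domains:
                raise KeyError(f"unknown network domain: {d}")
        if domain_a == domain_b:
            raise ValueError("resources in one domain already communicate freely")
        self.connections.add(frozenset((domain_a, domain_b)))

    def domain_of(self, spoke: str) -> str | None:
        for name, members in self.domains.items():
            if spoke in members:
                return name
        return None

    def decide(self, src: str, dst: str) -> tuple[str, str]:
        """Decision for a flow from src spoke to dst spoke crossing the transit."""
        src_dom, dst_dom = self.domain_of(src), self.domain_of(dst)
        if src_dom is None or dst_dom is None:
            # Model assumption: an unassociated spoke is not reachable at all.
            return "DENY", "spoke not associated with any network domain"
        if src_dom == dst_dom:
            return "ALLOW", f"intra-domain traffic within {src_dom}"
        if frozenset((src_dom, dst_dom)) in self.connections:
            return "ALLOW", f"connection policy {src_dom} <-> {dst_dom}"
        # Default deny. Policies are pairwise only: A<->B plus B<->C does not
        # imply A<->C, which is what keeps a shared-services domain from
        # silently bridging every domain attached to it.
        return "DENY", f"no connection policy between {src_dom} and {dst_dom}"


def build_sample() -> TransitSegmentation:
    """Constructed sample topology mirroring the domains named on this page."""
    seg = TransitSegmentation()
    for name in ("Production", "Development", "Shared Services", "DMZ"):
        seg.add_domain(name)
    seg.attach("prod-app", "Production")
    seg.attach("prod-db", "Production")
    seg.attach("dev-app", "Development")
    seg.attach("shared-dns", "Shared Services")
    seg.attach("dmz-web", "DMZ")
    # Explicit allows only; everything else stays isolated.
    seg.connect("Production", "Shared Services")
    seg.connect("Development", "Shared Services")
    seg.connect("DMZ", "Production")
    return seg


def simulate(seg: TransitSegmentation, flows: list[tuple[str, str]]) -> list[tuple[str, str, str, str]]:
    """Evaluate each (src, dst) flow and return (src, dst, verdict, reason)."""
    return [(src, dst, *seg.decide(src, dst)) for src, dst in flows]


if __name__ == "__main__":
    sample_flows = [
        ("prod-app", "prod-db"),      # same domain
        ("prod-app", "shared-dns"),   # explicit policy
        ("dev-app", "prod-db"),       # no policy
        ("prod-app", "dev-app"),      # both reach Shared Services, still denied
        ("dmz-web", "prod-app"),      # explicit policy
        ("rogue-vpc", "prod-db"),     # never associated with a domain
    ]
    for src, dst, verdict, reason in simulate(build_sample(), sample_flows):
        print(f"{src:>10} -> {dst:<10} {verdict:5} {reason}")
```

The `prod-app -> dev-app` flow is the case worth noticing: both domains have a policy to Shared Services, yet the flow is denied because connection policies are evaluated per domain pair rather than as a reachability graph.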
Benefits
| Benefit | Description |
|---|---|
| Reduced Attack Surface | Limit lateral movement by isolating network segments |
| Compliance | Meet regulatory requirements for network isolation |
| Simplified Management | Centralized policy management across multi-cloud |
| Microsegmentation | Fine-grained control over workload communication |
| Zero Trust | Implement zero trust principles at the network layer |
Implementation Approaches
Transit Gateway Segmentation
Use Aviatrix Transit Gateways to enforce segmentation at the network layer. Traffic between spokes must traverse the transit gateway, where segmentation policies are applied.
Distributed Cloud Firewall
For more granular control, combine network segmentation with the Distributed Cloud Firewall to enforce application-layer policies in addition to network-level segmentation.
VLAN Segmentation at the Edge
For edge deployments, Aviatrix supports VLAN segmentation to extend segmentation to on-premises and branch locations.
Best Practices
- Start with a segmentation strategy - Define your Network Domains based on business requirements before implementation
- Apply least privilege - Only create connection policies that are necessary
- Use meaningful names - Name your Network Domains clearly to reflect their purpose
- Document policies - Maintain documentation of why each connection policy exists
- Regular review - Periodically review and audit your segmentation policies
- Combine with firewall - Use Distributed Cloud Firewall for additional layer 7 controls
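As an added example (not Aviatrix code) of the "apply least privilege", "document policies" and "regular review" practices above, the audit below takes an inventory of Network Domains and connection policies and reports policies that reference undefined domains, duplicate an existing domain pair, lack an owner or justification, or have not been reviewed within a configurable window, plus any domain that is connected to every other domain. The policy records, field names and sample dates are constructed for the example; how you export your real policy inventory is outside its scope.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ConnectionPolicy:
    """One connection policy record as an operator might export it.
    Constructed record shape for this example, not a product schema."""
    policy_id: str
    domain_a: str
    domain_b: str
    owner: str = ""
    justification: str = ""
    last_reviewed: date | None = None


def audit_policies(
    domains: set[str],
    policies: list[ConnectionPolicy],
    today: date,
    max_review_age_days: int = 365,
) -> list[tuple[str, str, str]]:
    """Return (severity, subject, message) findings for a policy inventory."""
    findings: list[tuple[str, str, str]] = []
    seen_pairs: dict[frozenset[str], str] = {}
    # domain -> set of other domains it has an effective policy with
    fanout: dict[str, set[str]] = {d: set() for d in domains}

    for p in policies:
        undefined = [d for d in (p.domain_a, p.domain_b) if d not in domains]
        if undefined:
            # A policy naming a domain that no longer exists is usually leftover
            # from a decommissioned segment and should be removed.
            findings.append(("HIGH", p.policy_id,
                             f"references undefined domain(s): {', '.join(undefined)}"))
            continue
        if p.domain_a == p.domain_b:
            findings.append(("LOW", p.policy_id, "connects a domain to itself; redundant"))
            continue
        pair = frozenset((p.domain_a, p.domain_b))
        if pair in seen_pairs:
            # Policies are bidirectional, so A<->B and B<->A are the same allow.
            findings.append(("MEDIUM", p.policy_id,
                             f"duplicates {seen_pairs[pair]} (same domain pair, reversed)"))
            continue
        seen_pairs[pair] = p.policy_id
        fanout[p.domain_a].add(p.domain_b)
        fanout[p.domain_b].add(p.domain_a)

        if not p.owner.strip() or not p.justification.strip():
            findings.append(("MEDIUM", p.policy_id, "missing owner or justification"))
        if p.last_reviewed is None or (today - p.last_reviewed).days > max_review_age_days:
            findings.append(("LOW", p.policy_id,
                             f"not reviewed within {max_review_age_days} days"))

    # Least-privilege hint: a domain allowed to talk to every other domain
    # has effectively opted out of segmentation and deserves a second look.
    for d in sorted(domains):
        others = domains - {d}
        if others and fanout[d] == others:
            findings.append(("INFO", d, "connected to every other domain; confirm least privilege"))
    return findings


# Constructed sample inventory; names mirror the domains used on this page.
SAMPLE_DOMAINS = {"Production", "Development", "Shared Services", "DMZ"}
SAMPLE_POLICIES = [
    ConnectionPolicy("P1", "Production", "Shared Services", "platform-team",
                     "DNS and directory services for production", date(2024, 10, 1)),
    ConnectionPolicy("P2", "Development", "Shared Services", "platform-team",
                     "DNS and directory services for development", date(2023, 1, 15)),
    ConnectionPolicy("P3", "DMZ", "Production", "web-team", "", date(2024, 9, 1)),
    ConnectionPolicy("P4", "Production", "DMZ", "web-team",
                     "Web tier to application tier", date(2024, 9, 1)),
    ConnectionPolicy("P5", "Development", "Staging", "dev-team",
                     "Promotion pipeline", date(2024, 8, 1)),
    ConnectionPolicy("P6", "DMZ", "Shared Services", "platform-team",
                     "DNS for internet-facing services", date(2024, 10, 15)),
]


def run_sample_audit() -> list[tuple[str, str, str]]:
    return audit_policies(SAMPLE_DOMAINS, SAMPLE_POLICIES, today=date(2024, 11, 1))


if __name__ == "__main__":
    for severity, subject, message in run_sample_audit():
        print(f"[{severity:6}] {subject:16} {message}")
```

Run the audit on a schedule and treat any HIGH or MEDIUM finding as a ticket: stale or undocumented policies are how a carefully designed domain layout drifts back toward a flat network.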