Cloud Network Security: Segmentation and Controls

Cloud network security — specifically the segmentation of workloads and enforcement of access controls — sits at the operational core of cloud defense architecture. This page covers the definition and scope of cloud network segmentation, the mechanisms through which controls are applied, common deployment scenarios, and the boundaries that determine when segmentation strategies differ in practice. Regulatory frameworks from NIST, FedRAMP, and CISA shape minimum control requirements across public and private sector environments.


Definition and scope

Cloud network segmentation is the practice of dividing a cloud environment into discrete network zones — each governed by explicit access policies — to limit lateral movement, contain breach impact, and enforce least-privilege communication between workloads. Unlike physical data center segmentation, which relies on hardware switches and firewalls, cloud segmentation operates through software-defined constructs: Virtual Private Clouds (VPCs), subnets, security groups, network access control lists (NACLs), and software-defined perimeters (SDPs).

The scope of cloud network security extends across all three major service models. Under Infrastructure as a Service (IaaS), the customer holds direct responsibility for configuring virtual network topology, routing, and access controls. Under Platform as a Service (PaaS), that responsibility shifts partially to the provider, but customers retain control over application-layer and identity-based policies. Software as a Service (SaaS) environments expose the narrowest customer control surface, limited largely to authentication configuration and data-sharing permissions.

NIST SP 800-125B, Secure Virtual Network Configuration for Virtual Machine (VM) Protection, provides foundational guidance on network-level isolation within virtualized environments and establishes that segmentation must account for both east-west (workload-to-workload) and north-south (external ingress/egress) traffic flows. The provider listings on this site cover service providers that operate within these control frameworks.

Regulatory mandates that require network segmentation explicitly include the Payment Card Industry Data Security Standard (PCI DSS), which under Requirement 1 mandates isolation of the cardholder data environment, and the HIPAA Security Rule (45 CFR §164.312), which requires technical safeguards controlling access to electronic protected health information transmitted over electronic communications networks.


How it works

Cloud network segmentation is implemented through a layered stack of controls, each operating at a distinct level of the network model:

  1. Virtual Private Cloud (VPC) isolation — The primary boundary unit in public cloud environments. A VPC creates a logically isolated network within the provider's infrastructure. Traffic between VPCs does not flow unless peering, transit gateway, or VPN connections are explicitly configured.
  2. Subnet division — Within a VPC, subnets partition workloads by function or sensitivity tier (e.g., public-facing web tier, application tier, database tier). Public subnets have routes to an internet gateway; private subnets do not.
  3. Security groups — Stateful, instance-level firewalls that control inbound and outbound traffic based on protocol, port, and source/destination IP or security group reference. Changes take effect immediately without requiring traffic interruption.
  4. Network Access Control Lists (NACLs) — Stateless, subnet-level filters evaluated in numbered rule order. Because NACLs are stateless, return traffic must be explicitly permitted, which distinguishes them operationally from security groups.
  5. Micro-segmentation — Granular policy enforcement at the individual workload or container level, typically implemented through service mesh technologies (e.g., Istio) or host-based firewalling. CISA's Zero Trust Maturity Model identifies micro-segmentation as a required capability at the "Advanced" maturity level.
  6. Software-Defined Perimeter (SDP) — A framework that authenticates both user and device identity before establishing encrypted, point-to-point network tunnels, rendering internal services invisible to unauthenticated parties.

FedRAMP requires cloud service providers seeking federal authorization to implement controls mapped to NIST SP 800-53, including controls SC-7 (Boundary Protection), SC-32 (Network Segmentation), and AC-4 (Information Flow Enforcement). These controls collectively mandate that data flows be explicitly authorized and that untrusted networks be isolated from trusted enclaves.


Common scenarios

Multi-tier web application segmentation — A three-tier architecture places a load balancer in a public subnet, application servers in a private subnet reachable only from the load balancer security group, and database instances in a dedicated data subnet reachable only from the application tier. No direct internet route exists to either the application or database subnets.
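
The three-tier design above is easy to describe and easy to drift from: a later change that adds a default route to the data subnet, or a database rule that accepts a whole CIDR instead of the application security group, silently reopens the paths the design closed. The following script is an added example, not code from the page or from any provider's tooling; it audits a constructed account snapshot (hypothetical subnet, security-group and gateway names) against the two invariants the scenario states: only the load-balancer tier has an internet gateway route, and the application and database groups accept inbound traffic only from the security group one tier above them.

```python
from dataclasses import dataclass, field

# Added example: audit of the three-tier layout against a constructed account
# snapshot. Every name here (subnets, security groups, gateway ids) is
# hypothetical and is not taken from any real environment.

@dataclass
class Subnet:
    name: str
    tier: str                                     # "lb", "app" or "db"
    routes: dict = field(default_factory=dict)    # destination CIDR -> route target

@dataclass
class SecurityGroup:
    name: str
    # (protocol, port, source); source is a CIDR or a group reference "sg:<name>"
    inbound: list = field(default_factory=list)

def has_internet_gateway_route(subnet):
    """A subnet is internet-facing when its default route points at an internet
    gateway. A NAT gateway route (nat-*) gives outbound-only access and is not
    counted as a direct internet route."""
    return any(dest == "0.0.0.0/0" and target.startswith("igw-")
               for dest, target in subnet.routes.items())

def audit_three_tier(subnets, groups, allowed_sources):
    """Return a list of findings; an empty list means the posture matches the design.
    allowed_sources maps a security group name to the only inbound sources it may accept."""
    findings = []
    for s in subnets:
        if s.tier != "lb" and has_internet_gateway_route(s):
            findings.append(f"{s.name}: {s.tier} tier subnet has a direct internet gateway route")
    for name, allowed in allowed_sources.items():
        for proto, port, src in groups[name].inbound:
            if src not in allowed:
                findings.append(f"{name}: inbound {proto}/{port} from {src} is outside the allowed tier sources")
    return findings

# Constructed snapshot of a correctly segmented deployment
SUBNETS = [
    Subnet("public-a", "lb",  {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"}),
    Subnet("app-a",    "app", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-EXAMPLE"}),
    Subnet("data-a",   "db",  {"10.0.0.0/16": "local"}),
]
GROUPS = {
    "lb-sg":  SecurityGroup("lb-sg",  [("tcp", 443,  "0.0.0.0/0")]),
    "app-sg": SecurityGroup("app-sg", [("tcp", 8080, "sg:lb-sg")]),
    "db-sg":  SecurityGroup("db-sg",  [("tcp", 5432, "sg:app-sg")]),
}
ALLOWED_SOURCES = {"app-sg": {"sg:lb-sg"}, "db-sg": {"sg:app-sg"}}

if __name__ == "__main__":
    for finding in audit_three_tier(SUBNETS, GROUPS, ALLOWED_SOURCES) or ["no findings"]:
        print(finding)
```

In practice the snapshot would be populated from the provider's API (route tables and security group rules) rather than typed in; the two checks are the ones worth running on every change, because a CIDR source on `db-sg` or an internet gateway route on a data subnet is exactly the drift that turns a tiered design into a flat network.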

Regulated data isolation (HIPAA/PCI) — Healthcare and payment environments use dedicated VPCs or accounts to house regulated workloads. Security groups enforce protocol-level restrictions — for example, allowing only TCP port 443 inbound from a defined application security group — while NACLs provide a secondary, subnet-wide deny rule for all other traffic. The page on the purpose and scope of cloud defense resources details how service categories map to these regulated use cases.

Hybrid cloud extension — On-premises networks connected to cloud VPCs via AWS Direct Connect, Azure ExpressRoute, or Google Cloud Interconnect require explicit route table configuration to prevent routing cloud-internal traffic back through on-premises infrastructure. Segment policies must be mirrored on both sides of the connection.

Container and Kubernetes environments — Kubernetes NetworkPolicy objects implement pod-level segmentation within a cluster, specifying which pods can communicate on which ports. Without explicit NetworkPolicy rules, Kubernetes defaults to allowing all pod-to-pod traffic within a namespace — a posture that violates least-privilege segmentation requirements under NIST SP 800-190, which addresses security for application container technologies.
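
The default-allow behaviour is the detail that catches teams out: a pod is only "isolated" once some NetworkPolicy in its namespace selects it, and from that moment only traffic matched by a rule of a selecting policy is admitted. The evaluator below is an added example, not code from the page or from the Kubernetes project; it models the ingress half of those semantics (matchLabels selectors and podSelector/namespaceSelector peers only; ipBlock peers and egress are left out) over a constructed cluster state, so that the effect of adding a namespace-wide default-deny policy and then explicit allow rules can be checked pod by pod.

```python
# Added example: a minimal evaluator for Kubernetes NetworkPolicy ingress
# semantics. The namespaces, pods and policies below are constructed for
# illustration. Only matchLabels selectors and podSelector/namespaceSelector
# peers are modelled; ipBlock peers and egress policies are not.

def selector_matches(selector, labels):
    """matchLabels semantics: every key must match; an empty selector matches all."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def peer_matches(peer, policy_ns, src, namespaces):
    """One entry of a `from` list. podSelector and namespaceSelector in the same
    entry are ANDed; a podSelector on its own is scoped to the policy's namespace."""
    if "podSelector" not in peer and "namespaceSelector" not in peer:
        return False                      # ipBlock peers are not modelled here
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], namespaces.get(src["namespace"], {})):
            return False
    elif src["namespace"] != policy_ns:
        return False
    if "podSelector" in peer and not selector_matches(peer["podSelector"], src["labels"]):
        return False
    return True

def port_matches(ports, proto, port):
    """An omitted or empty `ports` list means every port."""
    if not ports:
        return True
    return any(p.get("protocol", "TCP") == proto and p.get("port") == port for p in ports)

def ingress_allowed(src, dst, proto, port, policies, namespaces):
    """True if traffic from pod `src` to pod `dst` on proto/port is admitted."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True       # no policy selects the pod: not isolated, all ingress admitted
    for pol in selecting:
        for rule in pol["spec"].get("ingress", []):
            if not port_matches(rule.get("ports", []), proto, port):
                continue
            peers = rule.get("from", [])
            if not peers or any(peer_matches(pe, pol["metadata"]["namespace"], src, namespaces)
                                for pe in peers):
                return True
    return False          # isolated, and no rule admits this source and port

# Constructed cluster state
NAMESPACES = {"shop": {"team": "shop"}, "monitoring": {"team": "platform"}}
WEB  = {"namespace": "shop", "labels": {"app": "web"}}
API  = {"namespace": "shop", "labels": {"app": "api"}}
DB   = {"namespace": "shop", "labels": {"app": "db"}}
PROM = {"namespace": "monitoring", "labels": {"app": "prometheus"}}

def policy(name, pod_selector, ingress=None):
    return {"metadata": {"name": name, "namespace": "shop"},
            "spec": {"podSelector": pod_selector, "policyTypes": ["Ingress"],
                     "ingress": ingress or []}}

DEFAULT_DENY = policy("default-deny-ingress", {})   # selects every pod, admits nothing
ALLOW_WEB_TO_API = policy("allow-web-to-api", {"matchLabels": {"app": "api"}},
    [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}],
      "ports": [{"protocol": "TCP", "port": 8080}]}])
ALLOW_API_TO_DB = policy("allow-api-to-db", {"matchLabels": {"app": "db"}},
    [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
      "ports": [{"protocol": "TCP", "port": 5432}]}])
SEGMENTED = [DEFAULT_DENY, ALLOW_WEB_TO_API, ALLOW_API_TO_DB]

if __name__ == "__main__":
    print("no policies, web -> db:", ingress_allowed(WEB, DB, "TCP", 5432, [], NAMESPACES))
    print("segmented,   web -> db:", ingress_allowed(WEB, DB, "TCP", 5432, SEGMENTED, NAMESPACES))
    print("segmented,   api -> db:", ingress_allowed(API, DB, "TCP", 5432, SEGMENTED, NAMESPACES))
```

Two properties of the real API are worth noticing in the model: policies are purely additive (there is no deny rule, only the implicit deny that isolation creates, so ordering never matters), and a `podSelector` peer without a `namespaceSelector` never admits traffic from another namespace, which is why a monitoring pod is refused until a rule with a `namespaceSelector` is added.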


Decision boundaries

The choice of segmentation mechanism depends on four primary factors: the service model in use, the sensitivity classification of the workload, the regulatory framework that governs the data, and the required granularity of enforcement.

VPC-level vs. subnet-level isolation — VPC separation is appropriate when workloads carry different regulatory classifications or belong to distinct organizational boundaries (e.g., production vs. development). Subnet segmentation within a single VPC is sufficient when workloads share the same compliance regime but require tiered access control.

Security groups vs. NACLs — Security groups are stateful and instance-specific; NACLs are stateless and subnet-wide. Security groups are the primary enforcement mechanism for workload-to-workload control. NACLs function as a coarse backstop — blocking known-bad IP ranges or enforcing blanket denies at the subnet boundary. The two are not interchangeable; operating only one leaves a control gap.
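
The stateful versus stateless distinction from items 3 and 4 of the layered stack, and the reason the two controls are not interchangeable, is clearest when the same two packets (a request and its reply) are run through each. The model below is an added example, not code from the page or from any cloud provider's implementation; addresses and rule numbers are constructed. It shows a security group admitting the reply of a connection it already accepted, a NACL dropping that same reply until an outbound ephemeral-port rule is added, and the ordering effect where a lower-numbered deny wins over a later allow for the same traffic.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example: a small model of stateful security groups versus stateless,
# ordered NACLs. Addresses, ports and rule numbers are constructed.

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

@dataclass(frozen=True)
class Packet:
    direction: str    # "in" or "out", relative to the protected instance or subnet
    proto: str
    peer_ip: str      # remote address
    peer_port: int
    local_port: int

    @property
    def rule_port(self):
        # inbound rules match the local (destination) port, outbound rules the remote one
        return self.local_port if self.direction == "in" else self.peer_port

@dataclass
class SecurityGroup:
    """Stateful: once a packet is admitted by a rule, the reverse flow is admitted too."""
    inbound: list                       # (proto, port, cidr)
    outbound: list
    tracked: set = field(default_factory=set)

    def permits(self, pkt):
        flow = (pkt.proto, pkt.peer_ip, pkt.peer_port, pkt.local_port)
        if flow in self.tracked:
            return True                 # reply of a connection already admitted
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for proto, port, cidr in rules:
            if proto == pkt.proto and port == pkt.rule_port and in_cidr(pkt.peer_ip, cidr):
                self.tracked.add(flow)
                return True
        return False

@dataclass
class NetworkAcl:
    """Stateless: every packet is matched on its own, rules are evaluated in
    ascending number, the first match wins, and anything unmatched is denied."""
    rules: list   # (number, direction, proto, (low_port, high_port), cidr, action)

    def permits(self, pkt):
        for _num, direction, proto, (lo, hi), cidr, action in sorted(self.rules):
            if (direction == pkt.direction and proto in (pkt.proto, "all")
                    and lo <= pkt.rule_port <= hi and in_cidr(pkt.peer_ip, cidr)):
                return action == "allow"
        return False

def verdicts(control, packets):
    """Evaluate packets in order and return the list of allow/deny outcomes."""
    return [control.permits(p) for p in packets]

# A load balancer at 10.0.1.25 connects to port 443; the reply goes back out.
REQUEST = Packet("in",  "tcp", "10.0.1.25", 49152, 443)
REPLY   = Packet("out", "tcp", "10.0.1.25", 49152, 443)

APP_SG = SecurityGroup(inbound=[("tcp", 443, "10.0.1.0/24")], outbound=[])
NACL_NO_EPHEMERAL = NetworkAcl([(100, "in", "tcp", (443, 443), "10.0.1.0/24", "allow")])
NACL_COMPLETE = NetworkAcl([
    (100, "in",  "tcp", (443, 443),    "10.0.1.0/24", "allow"),
    (100, "out", "tcp", (1024, 65535), "10.0.1.0/24", "allow"),   # ephemeral reply ports
])
# Rule order: a lower-numbered deny wins over a later allow for the same traffic.
NACL_DENY_FIRST = NetworkAcl([
    (90,  "in", "tcp", (0, 65535), "203.0.113.0/24", "deny"),
    (100, "in", "tcp", (443, 443), "0.0.0.0/0",      "allow"),
])
NACL_DENY_LATE = NetworkAcl([
    (100, "in", "tcp", (443, 443), "0.0.0.0/0",      "allow"),
    (110, "in", "tcp", (0, 65535), "203.0.113.0/24", "deny"),    # never reached for 443
])
BLOCKED_PEER = Packet("in", "tcp", "203.0.113.7", 40000, 443)

if __name__ == "__main__":
    print("security group:        ", verdicts(APP_SG, [REQUEST, REPLY]))
    print("nacl, no ephemeral rule:", verdicts(NACL_NO_EPHEMERAL, [REQUEST, REPLY]))
    print("nacl, complete:         ", verdicts(NACL_COMPLETE, [REQUEST, REPLY]))
```

The two failure modes the model reproduces are the ones seen in practice: a NACL that mirrors only the security group's inbound rules breaks every connection at the reply packet, and a deny rule added with a higher number than an existing broad allow is never evaluated for the traffic it was meant to stop.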

Micro-segmentation vs. network-layer segmentation — Micro-segmentation operates at Layer 7 and can enforce policy based on application identity, service account, or cryptographic workload identity rather than IP address. It is required where workloads share subnets (common in container environments) and where IP-based controls cannot provide sufficient granularity. The operational cost is higher: policy management complexity increases proportionally with the number of enforced segments.

Zero trust architecture requirements — CISA's Zero Trust Maturity Model and NIST SP 800-207 (Zero Trust Architecture) both specify that network segmentation alone is insufficient. Identity verification, device posture validation, and continuous authorization must accompany network controls to meet zero trust standards. Organizations subject to OMB Memorandum M-22-09 — which directs federal agencies toward zero trust architecture — must treat segmentation as one layer within a broader control stack, not a standalone defense. Detailed guidance on engaging qualified service providers for these implementations is available through the cloud defense providers listings.


References