
Mastering Network Segmentation: Simplicity, Security, and the 3 AM Test

Master network segmentation in the cloud

In the cloud era, network boundaries are no longer defined by physical cables and switches. As organizations scale, the complexity of connecting—and isolating—workloads grows exponentially. Network segmentation remains a critical strategy for security and compliance, yet many struggle with how to implement it effectively without creating an unmanageable web of complexity.

We sat down with Tom Adamski, a Principal Solutions Architect at AWS specializing in networking. With a background ranging from economics to building networks for ISPs and Telcos, Tom brings a unique perspective on modeling complex systems. In this conversation, he breaks down the art of network segmentation, the transition to Zero Trust, and why simplicity is the ultimate sophistication in network design.

You can read the complete transcript of the episode here.

What is Network Segmentation (and why do we need it)?

Tom explains network segmentation using a building analogy: think of it like the plumbing for hot and cold water. Both pipes carry water, but they serve different purposes and should never mix until they reach a specific control point, like a tap. Similarly, you wouldn’t mix a sewage line with a water pipe unless it went through a treatment facility (a security solution) first.

Segmentation creates isolated units within your environment. While it is possible to run a flat network successfully, segmentation serves as a critical defense-in-depth layer. The primary drivers for implementing it include:

  • Risk Assessment: Aligning with data classification needs.
  • Compliance: Meeting requirements like PCI, which mandate keeping payment networks isolated.
  • Security Domains: Separating production from non-production environments to limit blast radius and apply different security policies.

Tom emphasizes that segmentation isn’t just about the data plane (traffic flow); it also applies to the management/control plane. Separating the management of production and non-production networks prevents human errors in a test environment from impacting live services.

What are the best practices for designing a segmented network?

The most important rule for network design is the “3 AM Test”.

Any design that I’m reviewing… needs to pass the 3AM test, where someone can wake up at 3 AM… look at the network diagram and immediately understand what’s going on. — Tom Adamski

Cloud environments offer immense flexibility, allowing for highly complex configurations, but complexity often leads to unmanageability. To maintain simplicity:

  • Avoid Over-Granularity: Don’t use the network for extremely granular controls if simpler methods exist. For example, AWS Transit Gateway limits route tables to 20 by default to discourage customers from creating a unique route table for every single VPC, which becomes unmanageable.
  • Map Requirements to Tools: Don’t start with the tool; start with the risk assessment and map it to technical capabilities.
  • Validate: Use tools like AWS Reachability Analyzer in your CI/CD pipelines to authoritatively verify that paths (e.g., Prod to Dev) do not exist after a change.
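The "Validate" step above is easy to automate. The script below is an added example (not code from the interview or from Cloudanix) of a CI gate built on Reachability Analyzer: it creates a path between two resources, runs an analysis, and fails the pipeline if a path that must not exist is found. The boto3 EC2 calls (create_network_insights_path, start_network_insights_analysis, describe_network_insights_analyses) are real client methods; the resource IDs, the region, and the sample responses at the bottom are placeholders constructed for this example, and evaluate_analysis() is kept free of AWS calls so the gate's decision logic can be tested offline.

```python
import time


def evaluate_analysis(analysis: dict, expect_reachable: bool) -> tuple:
    """Decide whether one Reachability Analyzer result satisfies the gate.

    `analysis` is one element of the 'NetworkInsightsAnalyses' list returned by
    describe_network_insights_analyses. Returns (passed, message). An analysis that
    did not succeed fails the gate: an errored run proves nothing about the path.
    """
    status = analysis.get("Status")
    if status != "succeeded":
        return False, f"analysis did not complete (status={status})"
    found = bool(analysis.get("NetworkPathFound", False))
    if found == expect_reachable:
        return True, "path reachable as expected" if found else "path unreachable as required"
    # Summarize the explanations so the CI log names the component that opened/blocked the path.
    details = ", ".join(
        f"{e.get('ExplanationCode', '?')}@{e.get('Component', {}).get('Id', '?')}"
        for e in analysis.get("Explanations", [])
    ) or "no explanations returned"
    verdict = "unexpected path exists" if found else "expected path is missing"
    return False, f"{verdict}: {details}"


def run_reachability_check(source: str, destination: str, port: int,
                           expect_reachable: bool, region: str,
                           timeout_s: int = 300, poll_s: int = 10) -> tuple:
    """Create a path, start an analysis, poll until it finishes, then evaluate.

    boto3 is imported here rather than at module level so that evaluate_analysis()
    can be exercised without AWS credentials or network access.
    """
    import boto3

    ec2 = boto3.client("ec2", region_name=region)
    path_id = ec2.create_network_insights_path(
        Source=source, Destination=destination, Protocol="tcp", DestinationPort=port
    )["NetworkInsightsPath"]["NetworkInsightsPathId"]
    analysis_id = ec2.start_network_insights_analysis(
        NetworkInsightsPathId=path_id
    )["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        analysis = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis_id]
        )["NetworkInsightsAnalyses"][0]
        if analysis.get("Status") in ("succeeded", "failed"):
            return evaluate_analysis(analysis, expect_reachable)
        time.sleep(poll_s)
    return False, "timed out waiting for the analysis to finish"


# Constructed sample results (shape of the describe_* response only; the explanation
# code and component id are placeholders, not values from a real account).
SAMPLE_UNREACHABLE = {
    "Status": "succeeded",
    "NetworkPathFound": False,
    "Explanations": [{"ExplanationCode": "EXAMPLE_NO_ROUTE", "Component": {"Id": "rtb-EXAMPLE"}}],
}
SAMPLE_REACHABLE = {"Status": "succeeded", "NetworkPathFound": True, "Explanations": []}


if __name__ == "__main__":
    # Placeholder resource IDs: replace with the prod and dev ENI/instance IDs under test.
    passed, message = run_reachability_check(
        "eni-PROD-PLACEHOLDER", "eni-DEV-PLACEHOLDER", 443,
        expect_reachable=False, region="us-east-1",
    )
    print(message)
    raise SystemExit(0 if passed else 1)
```

Run it as the last stage of a network change pipeline with expect_reachable=False for every pair that policy says must stay isolated. The gate fails closed: a timed-out or failed analysis is treated as a failure, since "the tool did not answer" is not evidence that the path is closed.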

Which tools should be used for segmentation: Security Groups, NACLs, or Firewalls?

These tools should be viewed as an “AND” rather than an “OR”—they provide defense in depth.

1. Security Groups

  • Characteristics: Stateful, default deny, scales to ~1000 entries.
  • Best Use Case: The default starting point. Applied to network interfaces/VMs. Good for granular allow rules.

2. NACLs (Network Access Control Lists)

  • Characteristics: Stateless, limit of 40 entries, default allow.
  • Best Use Case: Optional, for broad cases; best for broad denies, such as blocking specific ports (e.g., Telnet) or IP ranges across a subnet.

3. Firewalls / DPI

  • Characteristics: Deep Packet Inspection, looks at Layer 7 (URI, Hostnames).
  • Best Use Case: Advanced Security. Required when decisions need to be based on packet contents, URIs, or for scale beyond Security Group limits.
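The stateful/stateless distinction in the list above is where most NACL mistakes come from, so here is an added example (not from the interview) that models both controls in a few dozen lines of Python and runs a constructed HTTPS flow through each. The model follows the documented semantics: a Security Group is allow-only with an implicit deny and tracks connections, so the reply to a permitted request passes without an outbound rule; the NACL modelled here is a custom one, whose numbered rules are evaluated lowest number first with first match winning and whose unmatched traffic falls through to the implicit final deny, so the reply needs its own ephemeral-port rule. The packets, addresses and rule sets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str  # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp", or "-1" for any protocol
    port_from: int
    port_to: int
    cidr: str              # remote CIDR the rule applies to
    action: str = "allow"  # NACL rules may be "deny"; security group rules are allow-only

    def matches(self, protocol: str, port: int, remote_ip: str) -> bool:
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if not self.port_from <= port <= self.port_to:
            return False
        return ip_address(remote_ip) in ip_network(self.cidr)


class SecurityGroup:
    """Stateful, allow-only, implicit deny: a reply to a flow that was already
    permitted passes without needing a rule in the opposite direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()  # connection-tracking table: 5-tuple plus direction

    def permits(self, pkt: Packet, direction: str) -> bool:
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.protocol, pkt.dst_port, pkt.src_port,
                   "out" if direction == "in" else "in")
        if reverse in self._tracked:
            return True  # reply to a tracked flow
        rules = self.inbound if direction == "in" else self.outbound
        remote_ip = pkt.src_ip if direction == "in" else pkt.dst_ip
        if any(r.matches(pkt.protocol, pkt.dst_port, remote_ip) for r in rules):
            self._tracked.add((pkt.src_ip, pkt.dst_ip, pkt.protocol,
                               pkt.src_port, pkt.dst_port, direction))
            return True
        return False  # nothing matched: implicit deny


class NetworkAcl:
    """Stateless custom NACL: rules evaluated lowest number first, first match wins,
    unmatched traffic hits the implicit final deny. Every direction needs its own rule."""

    def __init__(self, inbound, outbound):
        # inbound/outbound are lists of (rule_number, Rule)
        self.inbound = sorted(inbound, key=lambda nr: nr[0])
        self.outbound = sorted(outbound, key=lambda nr: nr[0])

    def permits(self, pkt: Packet, direction: str) -> bool:
        rules = self.inbound if direction == "in" else self.outbound
        remote_ip = pkt.src_ip if direction == "in" else pkt.dst_ip
        for _, rule in rules:
            if rule.matches(pkt.protocol, pkt.dst_port, remote_ip):
                return rule.action == "allow"
        return False  # the '*' rule


# Constructed flow: an internet client opens HTTPS to a server in the VPC.
REQUEST = Packet("203.0.113.10", "10.0.1.5", "tcp", 51000, 443)
REPLY = Packet("10.0.1.5", "203.0.113.10", "tcp", 443, 51000)
TELNET = Packet("203.0.113.10", "10.0.1.5", "tcp", 51001, 23)
ANY = "0.0.0.0/0"


def build_security_group() -> SecurityGroup:
    # Inbound 443 only and deliberately no outbound rule at all.
    return SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)], outbound=[])


def build_nacl(with_ephemeral: bool, telnet_deny_number: int) -> NetworkAcl:
    # Broad TCP allow at 100; the Telnet deny is numbered by the caller to show ordering.
    inbound = [(100, Rule("tcp", 0, 65535, ANY)),
               (telnet_deny_number, Rule("tcp", 23, 23, ANY, action="deny"))]
    outbound = [(100, Rule("tcp", 1024, 65535, ANY))] if with_ephemeral else []
    return NetworkAcl(inbound, outbound)


def evaluate_flow(filt, request: Packet, reply: Packet) -> tuple:
    """Return (request_allowed, reply_allowed) for one request/reply pair."""
    return filt.permits(request, "in"), filt.permits(reply, "out")


if __name__ == "__main__":
    print("SG, no outbound rule       :", evaluate_flow(build_security_group(), REQUEST, REPLY))
    print("NACL with ephemeral rule   :", evaluate_flow(build_nacl(True, 50), REQUEST, REPLY))
    print("NACL without ephemeral rule:", evaluate_flow(build_nacl(False, 50), REQUEST, REPLY))
    print("Telnet, deny numbered 50   :", build_nacl(True, 50).permits(TELNET, "in"))
    print("Telnet, deny numbered 200  :", build_nacl(True, 200).permits(TELNET, "in"))
```

Two things fall out of running it. The NACL without the ephemeral-port outbound rule lets the request in and silently drops the reply, the classic "it's allowed but nothing works" symptom. And a broad deny placed at a higher rule number than a broad allow never fires, which is why the interview's advice to keep NACLs to a handful of broad denies is sound: with 40 entries there is little room for ordering mistakes to hide.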

Crucial Insight: In the cloud, the VPC (Virtual Private Cloud) is the effective segmentation boundary, not the subnet. Unlike on-premises networks where subnets are separated by routers, all subnets within a VPC can talk to each other implicitly.

How does Kubernetes impact network visibility and segmentation?

When using Kubernetes (EKS) in AWS, containers act as “first-class citizens” and receive IPs directly from the VPC. However, there is a visibility gap.

The VPC networking layer (Flow Logs, Security Groups) cannot see traffic between two containers on the same worker node because that traffic never leaves the node.

  • To secure intra-node traffic: You must use Kubernetes-native constructs like Network Policies.
  • To secure traffic leaving the node: You can use VPC security groups (now available for pods) to control access to other VPC resources.
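To make the visibility gap concrete, here is an added example (not from the interview) that models Kubernetes NetworkPolicy ingress semantics and the "does this flow ever reach the VPC layer" question side by side. It implements the documented rule: a pod is not isolated until some policy selects it, after which only ingress matched by a selecting policy's rules is admitted, a selected pod with zero ingress rules accepts nothing, and a rule with an empty `from` list admits any source. The pods, labels and policies are constructed; namespaces, egress rules and ipBlock selectors are left out to keep the model short. Whether the policy is actually enforced on a real EKS cluster depends on running a CNI that implements NetworkPolicy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pod:
    name: str
    node: str
    labels: frozenset  # set of (key, value) pairs


@dataclass(frozen=True)
class NetworkPolicy:
    name: str
    pod_selector: dict  # matchLabels of the pods this policy applies to ({} selects every pod)
    ingress: tuple      # rules; each rule is a tuple of 'from' podSelector dicts,
                        # an empty rule admits any source, an empty tuple admits nothing


def selector_matches(selector: dict, pod: Pod) -> bool:
    return all((k, v) in pod.labels for k, v in selector.items())


def ingress_allowed(src: Pod, dst: Pod, policies) -> bool:
    """A pod becomes isolated for ingress once any policy selects it; from then on
    only traffic matched by some selecting policy's rule is admitted."""
    selecting = [p for p in policies if selector_matches(p.pod_selector, dst)]
    if not selecting:
        return True  # not isolated: everything is allowed in
    return any(
        not rule or any(selector_matches(sel, src) for sel in rule)
        for p in selecting
        for rule in p.ingress
    )


def vpc_layer_sees(src: Pod, dst: Pod) -> bool:
    """Flow Logs and security groups only observe traffic that leaves the node."""
    return src.node != dst.node


def labels(**kv) -> frozenset:
    return frozenset(kv.items())


# Constructed cluster: three pods share node-a, one sits on node-b.
WEB = Pod("web", "node-a", labels(app="web"))
DB = Pod("db", "node-a", labels(app="db"))
BATCH = Pod("batch", "node-a", labels(app="batch"))
API = Pod("api", "node-b", labels(app="api"))

POLICIES = (
    # Only web may reach db; every other source is dropped.
    NetworkPolicy("db-allow-web", {"app": "db"}, ingress=(({"app": "web"},),)),
    # batch is selected but has no ingress rules, so it accepts no ingress at all.
    NetworkPolicy("batch-deny-all", {"app": "batch"}, ingress=()),
)


def evaluate(src: Pod, dst: Pod, policies=POLICIES) -> dict:
    """Pair the policy verdict with whether the VPC layer would ever see the flow."""
    return {"allowed": ingress_allowed(src, dst, policies),
            "seen_by_vpc_layer": vpc_layer_sees(src, dst)}


if __name__ == "__main__":
    for s, d in ((WEB, DB), (BATCH, DB), (API, DB), (WEB, BATCH), (BATCH, WEB)):
        print(f"{s.name} -> {d.name}: {evaluate(s, d)}")
```

The batch -> db case is the one the interview is pointing at: the flow is denied by the NetworkPolicy, but because both pods sit on node-a, nothing at the VPC layer would have recorded or blocked it. The api -> db case shows the complementary situation, where the traffic does leave node-b and security groups for pods can add a second layer on top of the policy.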

How is “Zero Trust” changing network architecture?

Zero Trust moves security controls beyond simple IP addresses and ports to include identity and context. It builds on top of traditional networking rather than replacing it.

Two key AWS services illustrate this shift:

  1. AWS Verified Access: Replaces traditional remote access VPNs. It allows users to connect to applications over the web, authenticated by an identity provider (e.g., Okta), with access decisions based on user groups and device health (e.g., CrowdStrike/Jamf status).
  2. VPC Lattice: An Application Layer 7 proxy for app-to-app communication. It abstracts the underlying network complexity (IPs, load balancers, transit gateways) and allows access policies based on IAM roles and logical boundaries. This simplifies authentication, replacing complex Mutual TLS (mTLS) setups with IAM credentials.

What is the role of Security Appliances (Firewalls) in the cloud?

Firewalls remain the most common security appliance. Conversations about connecting regions or VPCs almost always lead to “how do I firewall this?”.

  • Third-Party vs. Native: Customers often stick with vendors they know (Palo Alto, Fortinet) to leverage existing skills and tooling. Others choose managed services (AWS Network Firewall) to avoid managing infrastructure/patching.
  • Gateway Load Balancer (GWLB): This service solved a major availability challenge. Previously, routing traffic to a firewall appliance was fragile; if the appliance died, the route blackholed. GWLB allows routing to a scalable fleet of firewalls, handling failover and health checks automatically.

Conclusion

Network security in the cloud is not about replicating on-premises constraints but about understanding new boundaries. As Tom Adamski highlights, simplicity is the ultimate sophistication in network design—if you can’t understand it at 3 AM, it’s too complex. By leveraging the VPC as the primary boundary, using Security Groups for granular control, and layering Zero Trust principles for identity-aware access, organizations can build robust, scalable, and manageable networks.
