Isolate network domains, such as office, testing, and production networks, or the service plane and the O&M plane, by deploying the workloads of each domain in a separate VPC.
Security risks
Different network domains have different security levels and access control requirements. Without proper isolation, an attacker who compromises one domain can move laterally into another, and unauthorized access can occur.
For example, an office network accesses the Internet and is therefore more exposed to malware such as viruses. A production network must expose services in a controlled manner, and its machines should be modified only through authorized O&M systems. Without isolation, a virus on an office computer can spread to production machines, and office computers can bypass the authorized O&M systems and access production machines directly.
Security groups alone are not suitable for isolating network domains. Resources within the same VPC can communicate with each other by default, so dividing a single VPC into network domains requires careful address planning, and a single misconfigured security group rule can easily grant unintended access. Separate VPCs, in contrast, are isolated by design and have independent address spaces, which removes the need for complex address planning. Where limited cross-VPC access is required, use a service such as PrivateLink.
Best practices
Isolate VPCs and use PrivateLink for cross-VPC access
PrivateLink enables cross-VPC service access through a service VIP. The following figure shows PrivateLink connecting a service in VPC1 to a service in VPC2. See Access a CLB instance in another VPC using PrivateLink.
Use PrivateLink endpoint policies to control which entities, such as RAM users or roles, can access services through an endpoint. See Endpoint policies.
Attach a security group to the PrivateLink endpoint to restrict which source IP addresses or security groups can reach the endpoint's private IP address. See Add and manage security groups.
This method suits scenarios in which the parties do not fully trust each other, for example when VPC1 and VPC2 belong to different companies, because PrivateLink exposes only the published service rather than the address space of the peer VPC.
Isolate VPCs with CEN and a VPC firewall
Cloud Enterprise Network (CEN) connects VPCs across regions and accounts in a hub-spoke topology, as shown in the following figure. See Connect VPCs across regions with scenario-based networking.
CEN routing policies provide coarse-grained access control between VPCs. In the preceding figure, you can allow communication between VPC1 and VPC3, and between VPC1 and VPC2, but block communication between VPC2 and VPC3.
For finer-grained, business-layer access control, configure a VPC firewall for a Basic Edition transit router. As shown in the following figure, the VPC firewall diverts traffic at the VPC border and applies deep packet inspection (DPI), IPS rules, threat intelligence, virtual patching, and access control policies to filter inter-VPC traffic and block unauthorized access.
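The two layers described above, coarse-grained CEN routing policies that decide which VPC pairs can exchange routes at all and VPC firewall access control policies that filter the traffic those routes admit, are easy to get wrong in opposite directions: a firewall rule that accepts traffic between VPCs with no route is dead, and an accept rule whose source spans more than one VPC recreates the flat-network problem that separate VPCs were meant to solve. The following Python script is an added example, not code from this page or from any Alibaba Cloud SDK, that models both layers against an assumed address plan (three /16 VPCs, an O&M bastion subnet in the office VPC) and checks constructed flows and rules against the intended design. All CIDRs, VPC names, and rules are assumptions made for the example.

```python
"""Check a hub-spoke inter-VPC access design before it is deployed.

Added example (not the page's or Alibaba Cloud's own code). It models CEN
routing policies as the set of VPC pairs allowed to communicate and VPC
firewall access control policies as an ordered, first-match rule list with
an implicit drop, then verifies sample flows and audits the rules. Every
CIDR, VPC name and rule below is an assumption made for the example.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Assumed address plan: each network domain is its own VPC.
VPCS: Dict[str, IPv4Network] = {
    "VPC1-office": ip_network("10.1.0.0/16"),
    "VPC2-test": ip_network("10.2.0.0/16"),
    "VPC3-prod": ip_network("10.3.0.0/16"),
}

# Coarse-grained layer (CEN routing policy): unordered VPC pairs that may
# exchange routes. VPC2-test <-> VPC3-prod is deliberately absent.
ROUTABLE_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"VPC1-office", "VPC3-prod"}),
    frozenset({"VPC1-office", "VPC2-test"}),
}


@dataclass(frozen=True)
class AclRule:
    src: IPv4Network
    dst: IPv4Network
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range
    action: str              # "accept" or "drop"


# Fine-grained layer (VPC firewall access control policies), first match
# wins, unmatched traffic is dropped. Only the assumed O&M bastion subnet
# may reach production on SSH; the rest of the office VPC gets HTTPS only.
BASTION = ip_network("10.1.250.0/24")
ACL: List[AclRule] = [
    AclRule(BASTION, VPCS["VPC3-prod"], "tcp", (22, 22), "accept"),
    AclRule(VPCS["VPC1-office"], VPCS["VPC3-prod"], "tcp", (443, 443), "accept"),
    AclRule(VPCS["VPC1-office"], VPCS["VPC2-test"], "any", (1, 65535), "accept"),
]


def vpc_of(ip: str) -> Optional[str]:
    """Return the name of the VPC whose CIDR contains ip, or None."""
    addr = ip_address(ip)
    for name, cidr in VPCS.items():
        if addr in cidr:
            return name
    return None


def acl_decision(src_ip: str, dst_ip: str, proto: str, port: int) -> str:
    """First-match evaluation of the firewall rules; implicit drop."""
    a, b = ip_address(src_ip), ip_address(dst_ip)
    for r in ACL:
        if (a in r.src and b in r.dst and r.proto in ("any", proto)
                and r.ports[0] <= port <= r.ports[1]):
            return r.action
    return "drop"


def allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """A cross-VPC flow passes only if a route exists AND the firewall accepts it."""
    s, d = vpc_of(src_ip), vpc_of(dst_ip)
    if s is None or d is None:
        return False
    if s == d:
        return True  # intra-VPC traffic never reaches the transit router or VPC firewall
    return frozenset({s, d}) in ROUTABLE_PAIRS and acl_decision(src_ip, dst_ip, proto, port) == "accept"


def audit_acl(rules: Optional[List[AclRule]] = None) -> List[str]:
    """Flag accept rules that span more than one VPC or contradict the routing design."""
    findings: List[str] = []
    for i, r in enumerate(ACL if rules is None else rules):
        if r.action != "accept":
            continue
        src_vpcs = [n for n, c in VPCS.items() if c.overlaps(r.src)]
        dst_vpcs = [n for n, c in VPCS.items() if c.overlaps(r.dst)]
        if len(src_vpcs) != 1 or len(dst_vpcs) != 1:
            findings.append(f"rule {i}: accept rule {r.src} -> {r.dst} spans several VPCs or unplanned space")
        elif frozenset({src_vpcs[0], dst_vpcs[0]}) not in ROUTABLE_PAIRS:
            findings.append(f"rule {i}: accepts {src_vpcs[0]} -> {dst_vpcs[0]} but CEN routing blocks that pair")
    return findings


if __name__ == "__main__":
    # Constructed flows: bastion SSH to prod, workstation SSH to prod, test to prod.
    for flow in [("10.1.250.10", "10.3.0.5", "tcp", 22),
                 ("10.1.20.10", "10.3.0.5", "tcp", 22),
                 ("10.2.0.8", "10.3.0.5", "tcp", 443)]:
        print(flow, "allowed" if allowed(*flow) else "blocked")
    print("audit:", audit_acl() or "no findings")
```

The audit is the part worth keeping in a deployment pipeline: run it on the exported firewall policy whenever the CEN routing policy or the address plan changes, so that a rule such as an accept from 0.0.0.0/0 into production is caught before it is applied.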