![[Security Architecture] Network Security - From Perimeter to Zero Trust](/uploads/2026/04/arch-intro-cat-security.png)
About this article
As the fifth installment of the “Security Architecture” category in the series “Architecture Crash Course for the Generative-AI Era,” this article explains network security.
A design that detects and blocks unauthorized external access, suspicious traffic, and internal info leaks at the network layer. This article covers the main elements - FW/VPC/WAF/IDS/IPS/DDoS defense - the migration from perimeter defense to zero trust, and the importance of Egress control in the AI era - presenting guidelines to escape the myth that “safety with just a perimeter”.
What is network security in the first place
In a nutshell, network security is “the set of defenses that detect and block unauthorized access and data leaks on the communication path.”
Picture airport security. Immigration (firewall) screens out suspicious travelers, baggage inspection (IDS/IPS) catches dangerous items, and the boarding gate (security groups) runs a final check. Even if one layer is breached, the next layer stops the threat — this multi-layer structure is the foundation of network security.
Starting only after the myth of “the inside is safe” collapses
Once the perimeter-based idea of “the corporate network is safe, external is dangerous” was mainstream, but in the cloud and remote-work era, perimeters became fuzzy, and the shift to trust nothing, always verify - zero trust - is happening.
The thinking “safe because it’s the corporate LAN” ended in 2015. Perimeter defense alone can’t protect.
Why it’s needed
1. Reduce attack entry points
No matter how robust the app, leaving unnecessary ports open creates breach risk. The most certain is making things “invisible/unreachable” at the network layer.
2. Foundation of multi-layer defense
In preparation for “if the app is vulnerable” or “if a key leaks,” a mechanism that can stop damage at the network layer is needed. The Defense in Depth idea of one breach not breaking the whole.
3. Compliance requirements
PCI DSS, ISO 27001, Personal Information Protection Act - all require network-layer control. Environments without firewalls instantly fail audits.
Firewalls
Filters that allow/deny traffic, the most basic feature of network security. Modern times have evolved from simple port control to next-generation firewalls (NGFW) that look at the application layer.
| Type | Functionality |
|---|---|
| Stateful | Decide by connection state |
| Packet filter | Decide by header (classic) |
| Next-gen (NGFW) | App recognition, IDS/IPS integration |
| WAF | Web-app-specialized (SQL injection etc.) |
| Cloud FW | Security Group, NSG (Network Security Group, Azure network-layer access control), etc. |
In cloud, Security Groups (AWS), NSGs (Azure), and firewall rules (GCP) are standard, with fine-grained control per instance.
VPC and network separation
A VPC (Virtual Private Cloud) creates a logically isolated network space. You can build your own dedicated network in cloud, with multi-layering via subnet separation (Public/Private/Intranet).
flowchart TB
NET([Internet<br/>= includes attackers])
subgraph VPC["VPC (your dedicated network)"]
PUB["Public Subnet<br/>Load Balancer / NAT"]
PRIV["Private Subnet<br/>app servers"]
ISO["Isolated Subnet<br/>DB / sensitive data"]
PUB --> PRIV --> ISO
end
NET --> PUB
BAD[Putting DB in Public<br/>= instant leak accident]
BAD -.|antipattern| ISO
classDef threat fill:#fee2e2,stroke:#dc2626;
classDef pub fill:#fef3c7,stroke:#d97706;
classDef priv fill:#dbeafe,stroke:#2563eb;
classDef iso fill:#dcfce7,stroke:#16a34a,stroke-width:2px;
class NET,BAD threat;
class PUB pub;
class PRIV priv;
class ISO iso;The rule is to always place DBs in Private subnets so they can’t be reached directly from the internet. Accidents of breaking this basic and putting DBs in Public still happen today.
WAF (Web Application Firewall)
A dedicated firewall preventing web-app-specific attacks. SQL injection, XSS, CSRF, bot attacks - detected and blocked by signature- and behavior-based rules. Cloud WAFs are easy to set up, deployable in hours.
| Service | Characteristics |
|---|---|
| AWS WAF | CloudFront/ALB-integrated |
| Azure WAF | Application Gateway-integrated |
| Cloudflare | Integrated with CDN, popular |
| Akamai | Enterprise |
| Imperva | Veteran, high-feature |
Cloudflare offers basic WAF features even on the free plan, easily deployable on small sites.
DDoS countermeasures
Attacks that stop services with massive traffic (DDoS) - botnet-driven attacks of hundreds of Gbps are now standard. Single servers can’t absorb them, so CDN/DDoS-countermeasure services distribute and absorb.
| Countermeasure | Content |
|---|---|
| CDN (Cloudflare, CloudFront) | Absorb attack traffic |
| AWS Shield / Cloud Armor | Cloud-native |
| Rate limit | Per-IP request limit |
| Captcha | Bot identification |
| Geographic blocking | Block from unneeded countries |
Cloudflare provides basic DDoS countermeasures free, deployable even at small scale. Larger scales need Cloudflare Enterprise or AWS Shield Advanced.
The 2016 Dyn DNS incident (1.2 Tbps DDoS via Mirai botnet stopping Twitter/GitHub/Netflix for hours) drove home to the world that single-server absorption is impossible (details in appendix “Critical Incident Cases”).
IDS / IPS
Mechanisms to detect and prevent intrusions. IDS (Intrusion Detection System) detects only, IPS (Intrusion Prevention System) auto-blocks. Recently, AI/ML enables detecting not just known patterns but also anomalous behavior.
| Type | Content |
|---|---|
| NIDS / NIPS | Network type |
| HIDS / HIPS | Host type (deployed per server) |
| XDR (Extended Detection and Response, threat detection across multiple layers) | Multi-layer integrated (Endpoint + Network + Cloud) |
| SIEM (Security Information and Event Management) | Log aggregation, correlation analysis |
Representative OSS are Snort, Suricata, Zeek, with major commercial players being CrowdStrike, Palo Alto, SentinelOne.
VPN and private connections
Mechanisms to safely connect from outside to inside. Importance grew with remote-work spread, but in an era where the VPN itself becomes an attack target (the 2021 Pulse Secure / Ivanti vulnerability incidents), migration to zero trust is progressing.
| Connection method | Content |
|---|---|
| IPsec VPN | Site-to-site traditional |
| SSL/TLS VPN | User connection, OpenVPN etc. |
| WireGuard | Modern, fast, simple |
| ZTNA (Zero Trust Network Access) | VPN replacement, per-app connection |
| Direct Connect / ExpressRoute | Cloud dedicated lines |
WireGuard is 10x faster than legacy VPNs, the top candidate for new builds. In zero-trust environments, ZTNA (Cloudflare Access, Tailscale, Twingate, etc.) is replacing VPN.
CDN (Content Delivery Network)
A mechanism for delivering static content from edge servers worldwide, providing both performance gains and security features simultaneously. DDoS absorption, WAF integration, and bot countermeasures are standard - required infrastructure for modern web services.
| CDN | Characteristics |
|---|---|
| Cloudflare | Free tier available, most adopted |
| AWS CloudFront | AWS-integrated |
| Fastly | Developer-oriented, flexible |
| Akamai | Veteran, enterprise |
| Vercel / Netlify Edge | For JAMstack (JavaScript + API + Markup, static site + API composition) |
The crucial security effect of CDN is being able to hide the origin IP, so attackers can no longer target the server directly.
Network segmentation and microsegmentation
A design that splits a large network into small segments and narrows inter-segment communication to the minimum necessary. The aim is to prevent lateral movement on breach, so even one server falling doesn’t spread damage company-wide.
| Level | Example |
|---|---|
| VPC separation | Separate VPCs for prod/dev/staging |
| Subnet separation | Public/Private/Isolated |
| Security Group | Per instance |
| Service Mesh | Inter-microservice |
| mTLS | Encryption auth between services |
In zero-trust thinking, the goal is encrypting and authenticating all inter-service communication. Service meshes like Istio and Linkerd realize this.
Decision criteria
1. System scale
| Scale | Recommended |
|---|---|
| Small / SaaS-centric | Cloudflare + cloud SG |
| Mid / dedicated servers | VPC separation + WAF + DDoS countermeasures |
| Large enterprise / multi-cloud | Zero trust + SIEM + XDR |
| Finance / government | Dedicated lines + HSM + 24/7 SOC |
2. Threat level
| Threat level | Countermeasure |
|---|---|
| Low (internal use only) | SG + VPN |
| Mid (general public B2C) | CDN + WAF + DDoS countermeasures |
| High (finance, medical) | Above + IPS + SIEM + dedicated SOC |
| Highest (critical infra) | All layers + physical isolation + human monitoring |
How to choose by case
Small public web service (personal, startup)
Cloudflare free tier + cloud SG + Private Subnet. Cloudflare offers DNS/CDN/WAF/DDoS-countermeasure free, letting personal sites set up commercial-grade defense. Open only minimal ports with AWS/GCP security groups.
B2C service (EC, SNS)
Cloudflare or CloudFront + WAF + Shield + rate limit. Bot attacks and credential stuffing come daily, so combine WAF rules with bot countermeasures (CAPTCHA, challenges). Fully isolate DBs with Private/Public subnets.
B2B SaaS / business systems
ZTNA (Cloudflare Access, Tailscale) + WAF + SIEM. Per-app authorization fits remote-work era better than legacy VPN. Integrate with SSO, aggregate access logs in SIEM.
Finance / medical / government
Dedicated lines (Direct Connect / ExpressRoute) + IPS + 24/7 SOC + microsegmentation. To fully suppress lateral movement, mTLS-ize all communication via service mesh (Istio). Save full packet logs for audit response.
Practical scale x threat matrix
Note: Industry baseline values as of April 2026. Will become outdated as technology and the talent market shift, so requires periodic updates.
Network defense is realistically not “all-in-one” but phased adoption matched to scale and threat level.
| Scale/threat | Minimum composition | Monthly target | Implementation guideline |
|---|---|---|---|
| Personal/public site | Cloudflare free tier + Private Subnet | $0 | 1 hour |
| Small SaaS | CloudFront + WAF + Security Group | tens of thousands of yen | 1 week |
| Mid B2C | CloudFront + WAF + Shield Standard + Rate Limit | hundreds of thousands | 2 weeks |
| Large B2B | ZTNA + CDN + IPS + SIEM | millions | months |
| Finance/medical | Above + dedicated lines + 24/7 SOC + UEBA | tens of millions+ | 1 year+ |
“The substantive lower bound for DDoS countermeasures is delivery via CDN.” Direct origin exposure ends instantly when hit by 1.2 Tbps-class attacks (the 2016 Mirai/Dyn incident). Even Cloudflare’s free tier alone gets DDoS absorption, WAF, and bot countermeasures, freeing you in one go from the state of having no defense at all.
Public IPs are scanned by bots 24/7. CDN front-placement is the minimum defense.
Network-operation pitfalls and forbidden moves
Here are the typical accidents in network security. All of them maximize damage range on breach.
| Forbidden move | Why it’s bad |
|---|---|
| Place DB / Redis / Elasticsearch in Public Subnet | Same landmine as the 2017 MongoDB / Redis ransomware. Isolated required |
0.0.0.0/0:22 in Security Group (SSH wide open) | Thousands of SSH brute-force + miner-injection attempts in hours |
| Run prod and dev in same VPC | Dev mistakes propagate to prod. Separate per VPC |
| Trust VPN as the final defense line | The 2021 Pulse Secure incident made the VPN itself the entry. Migrate to ZTNA |
| Direct origin exposure without CDN | Take a 2016 Dyn DDoS (1.2 Tbps) and you’re done. Cloudflare free is enough |
| Satisfied just with WAF installed | Skipping SQL-injection countermeasures app-side is out of the question |
| Run internal communication plaintext | Lateral movement makes everything visible. Encrypt all communication with mTLS |
| Manage firewall rules by hand in GUI | No change history, audit response impossible. Code-ize with Terraform |
| Run AI agents without Egress control | AI leaks info to external APIs, data exfiltration risk |
| Leave unneeded ports/services | Attack surface widens. Minimum-Ingress-rules only |
| No CDN-failure fallback designed | The 2021 Fastly and 2019 Cloudflare outages turn a single CDN into SPOF |
| ”No encryption needed because it’s the corporate LAN” — complacency | Internal breaches do more damage; mTLS is the standard |
| ”Safe with VPN” — full trust | VPN itself is an attack target; migration to ZTNA is required |
The October 2016 Dyn DNS attack (1.2 Tbps DDoS via IoT-stepped Mirai botnet, stopping Twitter/GitHub/Netflix/Spotify for hours), the 2021 Pulse Secure VPN vulnerability (VPN itself the entry, US government breach) - the reality that perimeter defense alone can’t protect is repeatedly shown.
The perimeter myth ended in 2015. CDN + ZTNA + Egress control are the three modern pillars.
AI decision axes
| AI-era favorable | AI-era unfavorable |
|---|---|
| Egress control (outbound communication restriction) | Outbound free |
| Zero trust, microsegmentation | Flat corporate LAN |
| Cloud-native WAF | On-prem heavy appliances |
| Centralized audit logs (SIEM) | Siloed logs |
- Zero trust as starting point — don’t trust corporate LAN either, authenticate and encrypt all communication
- CDN + WAF + DDoS countermeasures — reduce attack surface and hide origin IP with Cloudflare/CloudFront
- VPC + Private subnets — always isolate DBs, ban direct Public placement
- Narrow AI’s destinations with Egress control — limit external API connections via allow-list
Author’s note - cases of being sunk by complacency that “large-scale attacks won’t reach us”
Cases where social-infrastructure-class systems went down due to DDoS or VPN vulnerabilities have become a perennial industry talking point.
The 2016 Dyn DNS incident (1.2 Tbps DDoS via IoT-stepped Mirai, stopping Twitter/GitHub/Netflix for hours) became the trigger that made delegation to CDN/DDoS-countermeasure services the standard rule (details in appendix “Critical Incident Cases”).
Another, the April 2021 Pulse Secure VPN vulnerability (CVE-2021-22893), where the VPN itself became the entry and US government agencies and major defense industries were breached. A case told as the event that broke the “safe with VPN” premise and rapidly accelerated migration to ZTNA (Zero Trust Network Access).
I myself once left a test EC2’s Security Group at 0.0.0.0/0 for a few hours, and the next morning found auth logs lined with thousands of SSH brute-force entries and Bitcoin-miner-injection attempts. Both are cases where the premise of “safe with just a perimeter” was the lethal blow, and ones that decided the migration to multi-layer defense and zero trust.
Brace yourself thinking public IPs get attacked the moment they open. Test environments at production-grade.
What to decide - what is your project’s answer?
For each of the following, try to articulate your project’s answer in 1-2 sentences. Starting work with these vague always invites later questions like “why did we decide this again?”
- Network separation (VPC, subnet design)
- Firewall rules (Security Group, NSG)
- WAF adoption (Cloudflare, AWS WAF, etc.)
- DDoS countermeasures (CDN, Shield, etc.)
- Remote-connection method (VPN / ZTNA)
- IDS/IPS / SIEM adoption (depends on scale)
- Egress control (allow-list for outbound communication)
Summary
This article covered network security, including main elements like firewalls, VPC, WAF, DDoS countermeasures, IDS/IPS, VPN/ZTNA, and CDN, the scale-x-threat matrix, and AI-era Egress control.
Zero trust as starting point, reduce attack surface with CDN+WAF+DDoS countermeasures, isolate DBs in Private, narrow AI’s destinations with Egress control. That is the practical answer for network security in 2026.
Next time we’ll cover zero trust (BeyondCorp, ZTNA, continuous verification).
Back to series TOC -> ‘Architecture Crash Course for the Generative-AI Era’: How to Read This Book
I hope you’ll read the next article as well.
📚 Series: Architecture Crash Course for the Generative-AI Era (50/89)