AWS VPC Security: Network Segmentation and Traffic Control
Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.
By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read
VPC is the network foundation for everything you run in AWS. Security groups, NACLs, flow logs, endpoints, and transit gateways — these are the controls that determine what can talk to what, and whether you will know when something unexpected happens. Getting VPC architecture right from the start is far easier than retrofitting it later.
Network ACLs vs. Security Groups
Security groups are stateful and operate at the elastic network interface (ENI) level. NACLs are stateless and operate at the subnet level. Use both.
Security groups handle most of your access control. They are easier to manage because return traffic is automatically allowed. Reference other security groups by ID to create logical access rules (the web tier security group allows traffic from the load balancer security group on port 443).
NACLs are your second line of defense. Use them to block entire CIDR ranges (known malicious IPs, countries you do not serve), enforce subnet-level segmentation, and provide defense in depth. Remember that NACLs require explicit rules for both inbound and outbound traffic, including ephemeral port ranges for return traffic.
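The stateless point above is easy to get wrong in practice, so here is an added example (not from the article) that models NACL evaluation the way AWS applies it: rules are walked in ascending rule-number order per direction, the first match wins, and anything unmatched hits the implicit deny. The rule sets, the blocklisted range (the 198.51.100.0/24 documentation prefix) and the client addresses are constructed for illustration.

```python
"""Model stateless NACL evaluation: lowest rule number first, first match decides,
no match -> implicit deny. Shows why an inbound allow on 443 is useless without an
outbound allow on the ephemeral port range that the replies go back to."""
from dataclasses import dataclass
import ipaddress

# Range AWS documents for return traffic when NAT gateways / load balancers are in the path.
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class NaclRule:
    number: int
    direction: str      # "inbound" or "outbound"
    protocol: str       # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str         # "allow" or "deny"


def evaluate(rules, direction, protocol, port, remote_ip):
    """Return 'allow' or 'deny' for one packet, mimicking NACL semantics."""
    addr = ipaddress.ip_address(remote_ip)
    candidates = sorted((r for r in rules if r.direction == direction), key=lambda r: r.number)
    for rule in candidates:
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= port <= rule.port_to):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action          # first match wins
    return "deny"                   # the '*' catch-all rule


def https_session_allowed(rules, client_ip, client_port):
    """A client session only works if BOTH directions pass: the inbound SYN to 443
    and the outbound reply to the client's ephemeral source port."""
    inbound = evaluate(rules, "inbound", "tcp", 443, client_ip)
    outbound = evaluate(rules, "outbound", "tcp", client_port, client_ip)
    return inbound == "allow" and outbound == "allow"


# Constructed rule sets.
BROKEN = [
    NaclRule(100, "inbound", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    # No outbound rule at all: the server's replies are dropped by the NACL.
]
FIXED = BROKEN + [
    NaclRule(100, "outbound", "tcp", EPHEMERAL[0], EPHEMERAL[1], "0.0.0.0/0", "allow"),
]
# A lower-numbered deny for a whole CIDR wins over the later allow (constructed blocklist).
BLOCKLISTED = [
    NaclRule(50, "inbound", "-1", 0, 65535, "198.51.100.0/24", "deny"),
] + FIXED

if __name__ == "__main__":
    for name, ruleset in (("broken", BROKEN), ("fixed", FIXED), ("blocklisted", BLOCKLISTED)):
        print(name, "client 203.0.113.10:", https_session_allowed(ruleset, "203.0.113.10", 50000),
              "client 198.51.100.7:", https_session_allowed(ruleset, "198.51.100.7", 50000))
```

Security groups never need the ephemeral rule because they track connection state; with NACLs the `FIXED` outbound entry is mandatory, and the wide range is the price of statelessness, which is why the finer-grained allow rules belong in security groups.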
Subnet Design
Separate resources into public, private, and isolated subnets:
- Public subnets: ALBs, NAT gateways. Nothing else belongs here.
- Private subnets: Application servers, containers, Lambda functions. Route outbound traffic through NAT gateways.
- Isolated subnets: Databases, caches, internal services. No route to the internet at all.
Span each subnet type across multiple Availability Zones for redundancy. Size subnets appropriately — a /24 gives you 251 usable IPs (AWS reserves five addresses in every subnet), which is enough for most workloads but can run tight with EKS or Fargate due to ENI consumption.
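As an added example (not part of the article), the planner below carves a VPC CIDR into the three tiers across the Availability Zones you name, records the intended default route for each tier, and reports usable addresses so the EKS/Fargate headroom question can be answered before anything is deployed. The VPC CIDR, AZ names and ENI counts used are constructed.

```python
"""Carve a VPC CIDR into public/private/isolated subnets per AZ and report usable
addresses. AWS reserves the first four and the last address of every subnet."""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5
# Default-route target per tier: internet gateway, NAT gateway, or nothing at all.
TIER_ROUTES = {"public": "igw", "private": "nat", "isolated": None}


def usable_ips(subnet):
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, new_prefix=24):
    """One subnet per (tier, AZ), allocated tier by tier from the VPC range."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if new_prefix < vpc.prefixlen or new_prefix > 28:
        raise ValueError("AWS subnet prefixes must lie between the VPC prefix and /28")
    pool = vpc.subnets(new_prefix=new_prefix)
    plan = []
    for tier, route in TIER_ROUTES.items():
        for az in azs:
            subnet = next(pool)     # StopIteration here means the VPC is too small for the plan
            plan.append({"tier": tier, "az": az, "cidr": str(subnet),
                         "usable_ips": usable_ips(subnet), "default_route": route})
    return plan


def check_plan(plan):
    """Subnets must not overlap and isolated subnets must have no internet route."""
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan]
    for i, a in enumerate(nets):
        if any(a.overlaps(b) for b in nets[i + 1:]):
            return False
    return all(s["default_route"] is None for s in plan if s["tier"] == "isolated")


def headroom(plan, tier, az, expected_enis):
    """Addresses left after the ENIs you expect. With the default VPC CNI every EKS
    pod takes one VPC address, so a /24 runs out well before 300 pods in one AZ."""
    for s in plan:
        if s["tier"] == tier and s["az"] == az:
            return s["usable_ips"] - expected_enis
    raise KeyError((tier, az))


if __name__ == "__main__":
    azs = ["us-east-1a", "us-east-1b", "us-east-1c"]      # constructed
    plan = plan_subnets("10.0.0.0/16", azs)
    for s in plan:
        print(f"{s['tier']:8} {s['az']} {s['cidr']:16} usable={s['usable_ips']} route={s['default_route']}")
    print("plan valid:", check_plan(plan))
    print("private/us-east-1a headroom for 300 pods:", headroom(plan, "private", "us-east-1a", 300))
```

A negative headroom value is the signal to move to a larger prefix for the private tier (or to enable prefix delegation on the CNI) rather than to discover the shortage when pods fail to schedule.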
VPC Flow Logs
Enable VPC Flow Logs on every VPC, capturing both accepted and rejected traffic. Send logs to S3 for long-term storage and analysis. Use Athena or CloudWatch Logs Insights to query flow logs during investigations.
Flow log fields to watch:
- Rejected traffic from internal sources (misconfigured security groups or lateral movement attempts)
- Outbound connections to unusual ports (C2 channels often use non-standard ports)
- Large data transfers to external IPs (exfiltration)
- Traffic between subnets that should not communicate
Use the enriched flow log format (version 5+) that includes VPC ID, subnet ID, instance ID, and TCP flags. The TCP flags field helps distinguish connection attempts (SYN) from established connections.
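The four things to watch for above can be expressed as simple rules over parsed records. The example below is added here and is not the article's own; it parses a constructed custom-format flow log (header line plus six records), decodes the TCP flags bitmask, and flags rejected internal traffic, egress to unexpected ports, large external transfers, and traffic between tiers that should never talk directly. The VPC/subnet/instance IDs, the 10.0.x.0/24 tier layout, the expected-port set and the 100 MiB threshold are all constructed assumptions to tune against your own baseline.

```python
"""Offline triage of VPC Flow Log records in a custom field format (constructed sample)."""
import ipaddress

# Constructed sample. The first line names the fields, as S3-delivered flow log
# files do; "-" in a record means the field was not captured for that flow.
SAMPLE_LOG = """\
version vpc-id subnet-id instance-id srcaddr dstaddr srcport dstport protocol bytes tcp-flags action flow-direction
5 vpc-0example subnet-0pub i-0web 203.0.113.9 10.0.0.10 51234 443 6 5200 3 ACCEPT ingress
5 vpc-0example subnet-0iso i-0db 10.0.2.20 10.0.0.10 40000 22 6 60 2 REJECT egress
5 vpc-0example subnet-0priv i-0app 10.0.1.15 198.51.100.44 49000 9001 6 900 2 ACCEPT egress
5 vpc-0example subnet-0priv i-0app 10.0.1.15 198.51.100.44 49001 443 6 734003200 0 ACCEPT egress
5 vpc-0example subnet-0priv i-0app 10.0.1.15 10.0.2.20 49002 5432 6 12000 3 ACCEPT egress
5 vpc-0example subnet-0pub i-0web 10.0.0.10 10.0.2.20 50000 5432 6 60 2 REJECT egress
"""

# Constructed tier layout and policy knobs.
SUBNET_TIERS = {
    "public": ipaddress.ip_network("10.0.0.0/24"),
    "private": ipaddress.ip_network("10.0.1.0/24"),
    "isolated": ipaddress.ip_network("10.0.2.0/24"),
}
FORBIDDEN_TIER_PAIRS = {("public", "isolated"), ("isolated", "public")}  # app tier must sit between them
EXPECTED_EGRESS_PORTS = {53, 80, 123, 443}
LARGE_EGRESS_BYTES = 100 * 1024 * 1024
INT_FIELDS = {"srcport", "dstport", "protocol", "bytes", "tcp-flags"}

# tcp-flags is a bitmask OR-ed over the aggregation interval.
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 1, 2, 4, 16


def classify_flags(flags):
    """Separate connection attempts from flows that were already established."""
    if flags & TCP_RST:
        return "rst"
    if flags & TCP_SYN and not flags & TCP_ACK:
        return "syn"          # srcaddr tried to open a connection
    if flags & TCP_SYN:
        return "syn-ack"      # srcaddr accepted one
    if flags & TCP_FIN:
        return "fin"
    return "established"      # no handshake/teardown flags in this interval


def parse_flow_log(text):
    lines = [ln for ln in text.splitlines() if ln.strip()]
    fields = lines[0].split()
    records = []
    for line in lines[1:]:
        rec = dict(zip(fields, line.split()))
        for f in INT_FIELDS:
            rec[f] = int(rec[f]) if rec.get(f, "-") != "-" else None
        records.append(rec)
    return records


def tier_of(ip):
    addr = ipaddress.ip_address(ip)
    for tier, net in SUBNET_TIERS.items():
        if addr in net:
            return tier
    return "external"


def analyze(records):
    findings = []

    def add(rule, rec):
        findings.append({"rule": rule, "src": rec["srcaddr"], "dst": rec["dstaddr"],
                         "dstport": rec["dstport"], "flags": classify_flags(rec["tcp-flags"] or 0)})

    for rec in records:
        src_tier, dst_tier = tier_of(rec["srcaddr"]), tier_of(rec["dstaddr"])
        if rec["action"] == "REJECT" and src_tier != "external":
            add("internal_reject", rec)                     # misconfiguration or lateral movement
        if (src_tier, dst_tier) in FORBIDDEN_TIER_PAIRS:
            add("forbidden_subnet_pair", rec)
        if rec["flow-direction"] == "egress" and dst_tier == "external":
            if rec["dstport"] not in EXPECTED_EGRESS_PORTS:
                add("unusual_outbound_port", rec)
            if (rec["bytes"] or 0) >= LARGE_EGRESS_BYTES:
                add("large_egress", rec)
    return findings


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(parse_flow_log(SAMPLE_LOG))
    for r in results:
        print(f"{r['rule']:22} {r['src']:>14} -> {r['dst']}:{r['dstport']} ({r['flags']})")
    print(summarize(results))
```

The same rules translate directly into Athena or CloudWatch Logs Insights queries once the log is in S3; the value of running them offline first is that the tier map and thresholds get agreed on before an incident, not during one.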
VPC Endpoints
VPC endpoints keep traffic between your VPC and AWS services on the AWS network instead of routing through the internet. There are two types:
- Gateway endpoints: S3 and DynamoDB. Free. No reason not to use them.
- Interface endpoints: Most other AWS services. Cost per hour and per GB. Worth it for security-sensitive services like KMS, Secrets Manager, and SSM.
Apply endpoint policies to restrict which actions and resources can be accessed through the endpoint. A VPC endpoint for S3 does not need to allow access to every bucket in the world — scope it to your organization’s buckets.
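To make the scoping concrete, here is an added example (not from the article) that puts the default full-access S3 endpoint policy next to a scoped one and audits both for the three things that matter: wildcard actions, resources outside your bucket namespace, and a missing `aws:PrincipalOrgID` condition. The organization ID `o-exampleorgid` and bucket prefix `example-org-` are placeholders.

```python
"""Audit an S3 gateway endpoint policy for over-broad access (constructed policies)."""
import json

ORG_ID = "o-exampleorgid"       # placeholder: your AWS Organizations ID
BUCKET_PREFIX = "example-org-"  # placeholder: naming prefix your buckets share

# The policy AWS attaches by default: any principal, any action, any bucket in the world.
DEFAULT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
})

# Scoped alternative: only principals in our organization, only our buckets, only the verbs needed.
# Principal stays "*" because endpoint policies filter on conditions, not on named principals.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET_PREFIX}*", f"arn:aws:s3:::{BUCKET_PREFIX}*/*"],
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": ORG_ID}},
    }],
})


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_endpoint_policy(policy_json, org_id=ORG_ID, bucket_prefix=BUCKET_PREFIX):
    """Return a list of human-readable issues; an empty list means the policy is scoped."""
    issues = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            issues.append(f"statement {i}: wildcard Action")
        for res in _as_list(stmt.get("Resource")):
            if res == "*" or not res.startswith(f"arn:aws:s3:::{bucket_prefix}"):
                issues.append(f"statement {i}: Resource {res!r} is not one of our buckets")
        org = stmt.get("Condition", {}).get("StringEquals", {}).get("aws:PrincipalOrgID")
        if org != org_id:
            issues.append(f"statement {i}: no aws:PrincipalOrgID condition, any account's "
                          "credentials could use this endpoint")
    return issues


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", audit_endpoint_policy(policy) or ["ok"])
```

One caveat when tightening: instances that pull OS packages from Amazon-hosted repositories fetch them from AWS-owned S3 buckets through the same endpoint, so those buckets need their own allow statement or the updates will start failing.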
Transit Gateway
For multi-VPC architectures, Transit Gateway provides centralized routing and segmentation. Use route tables to control which VPCs can communicate. Segment production from development, and shared services from application workloads.
Enable Transit Gateway Flow Logs for visibility into inter-VPC traffic. This is where you detect unauthorized cross-environment communication.
Next Steps
- Benchmark your network security skills with the assessment tool
- Explore network and VPC topics in the skills library
- Search for cloud network security roles in the job search tool
Related Guides in This Series
- Active Directory Security: Attack Paths and Hardening — HADESS | 2026
- AWS ALB Security: TLS, Authentication, and Access Controls — HADESS | 2026
- AWS CloudTrail: Log Analysis and Security Monitoring — HADESS | 2026
Frequently Asked Questions
How long does it take to learn this skill?
Most practitioners build working proficiency in 4-8 weeks of dedicated study with hands-on practice. Mastery takes longer and comes primarily through on-the-job experience.
Do I need certifications for this skill?
Certifications validate your knowledge to employers but are not strictly required. Hands-on experience and portfolio projects often carry more weight in technical interviews. Check the certification roadmap for relevant options.
What career paths use this skill?
Explore the career path explorer to see which roles require this skill and how it fits into different cybersecurity specializations.
—
HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
