Network Security Architecture
Defense-in-depth with VPC segmentation, WAF, DDoS protection, and zero-trust policies.
Defense in Depth
No single security control is sufficient. CloudPresto implements defense-in-depth: multiple layers of network security so that if one layer is bypassed, others continue to protect.
Network Layers
Edge Protection
WAF rules filter malicious traffic before it reaches your application. DDoS mitigation at the CDN/edge layer absorbs volumetric attacks. Rate limiting prevents API abuse.
VPC Segmentation
Workloads isolated in private subnets. Public-facing components separated from data layers. NAT gateways for outbound traffic. No direct internet access to backend services.
Security Groups & NACLs
Least-privilege network rules. Only required ports and protocols allowed. Default-deny policies. Rules reviewed as part of change governance.
Zero-Trust Policies
Service-to-service authentication required even within the VPC. No implicit trust based on network location. mTLS for inter-service communication.