Skip to content
CloudPresto CloudPresto
Back to Knowledge Base
Network

Network Security Architecture

Defense-in-depth with VPC segmentation, WAF, DDoS protection, and zero-trust policies.

Defense in Depth

No single security control is sufficient. CloudPresto implements defense-in-depth: multiple layers of network security so that if one layer is bypassed, others continue to protect.

Network Layers

Layer 04 — Zero TrustmTLS, service-to-service auth, no implicit trustLayer 03 — Security Groups & NACLsLeast-privilege rules, default-deny policiesLayer 02 — VPC SegmentationPrivate subnets, NAT gateways, isolationLayer 01 — Edge ProtectionWAF, DDoS mitigation, rate limiting
01

Edge Protection

WAF rules filter malicious traffic before it reaches your application. DDoS mitigation at the CDN/edge layer absorbs volumetric attacks. Rate limiting prevents API abuse.

02

VPC Segmentation

Workloads isolated in private subnets. Public-facing components separated from data layers. NAT gateways for outbound traffic. No direct internet access to backend services.

03

Security Groups & NACLs

Least-privilege network rules. Only required ports and protocols allowed. Default-deny policies. Rules reviewed as part of change governance.

04

Zero-Trust Policies

Service-to-service authentication required even within the VPC. No implicit trust based on network location. mTLS for inter-service communication.

Traffic Analysis

All network traffic is logged and analyzed. VPC flow logs capture every connection attempt. Traffic patterns are baselined, and deviations trigger investigation. Outbound connections to unknown destinations are flagged for review.