Network Architecture
Network Architecture Overview
A well-designed network architecture is the foundation of secure, scalable, and resilient infrastructure. This guide covers enterprise network design patterns, security considerations, and implementation best practices for modern cloud and hybrid environments.
Core Network Design Principles
1. Defense in Depth
Implement multiple layers of security controls throughout your network:
- Perimeter Security: Firewalls, IDS/IPS, DDoS protection
- Network Segmentation: VLANs, subnets, security groups
- Access Control: NACLs, security groups, microsegmentation
- Encryption: TLS/SSL, IPSec VPNs, encrypted tunnels
- Monitoring: Flow logs, packet capture, anomaly detection
2. Zero Trust Architecture
Zero Trust Network Principles:

1. Never trust, always verify
2. Assume breach: design for compromise
3. Verify explicitly: authenticate and authorize every transaction
4. Use least privilege access
5. Inspect and log all traffic
3. Scalability and Performance
- Horizontal Scaling: Design for distributed load across multiple paths
- Redundancy: No single points of failure
- Caching: Strategic placement of caching layers
- CDN Integration: Global content distribution
- Traffic Engineering: QoS, traffic shaping, load balancing
Virtual Private Cloud (VPC) Architecture
Multi-Tier VPC Design
```text
# Example: AWS VPC with public/private/database tiers
VPC CIDR: 10.0.0.0/16

Public Subnets (Internet-facing):
- us-east-1a: 10.0.1.0/24
- us-east-1b: 10.0.2.0/24
- us-east-1c: 10.0.3.0/24

Private Subnets (Application tier):
- us-east-1a: 10.0.11.0/24
- us-east-1b: 10.0.12.0/24
- us-east-1c: 10.0.13.0/24

Database Subnets (Data tier):
- us-east-1a: 10.0.21.0/24
- us-east-1b: 10.0.22.0/24
- us-east-1c: 10.0.23.0/24

Management Subnets (Bastion/VPN):
- us-east-1a: 10.0.31.0/24
```
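Checking a tiered plan like the one above before it is applied, as an added Python example (not code from the original page): every subnet must be a valid, aligned network inside the VPC CIDR and no two subnets may overlap. The plan dictionary is constructed from the addresses listed above; the `usable_hosts` helper assumes AWS's reservation of five addresses per subnet.

```python
import ipaddress

# Constructed from the tiered plan above: VPC 10.0.0.0/16, one /24 per tier and AZ.
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "public":     {"us-east-1a": "10.0.1.0/24",  "us-east-1b": "10.0.2.0/24",  "us-east-1c": "10.0.3.0/24"},
    "private":    {"us-east-1a": "10.0.11.0/24", "us-east-1b": "10.0.12.0/24", "us-east-1c": "10.0.13.0/24"},
    "database":   {"us-east-1a": "10.0.21.0/24", "us-east-1b": "10.0.22.0/24", "us-east-1c": "10.0.23.0/24"},
    "management": {"us-east-1a": "10.0.31.0/24"},
}

def validate_plan(vpc_cidr, plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    seen = []  # (tier, az, network) already accepted, for the overlap check
    for tier, by_az in plan.items():
        for az, cidr in by_az.items():
            try:
                # strict=True rejects misaligned prefixes such as 10.0.1.0/23
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError as exc:
                problems.append(f"{tier}/{az}: {cidr} is not a valid network ({exc})")
                continue
            if not net.subnet_of(vpc):
                problems.append(f"{tier}/{az}: {cidr} lies outside VPC {vpc_cidr}")
            for other_tier, other_az, other in seen:
                if net.overlaps(other):
                    problems.append(f"{tier}/{az}: {cidr} overlaps {other_tier}/{other_az} {other}")
            seen.append((tier, az, net))
    return problems

def usable_hosts(cidr):
    """AWS reserves 5 addresses per subnet (network, router, DNS, future use, broadcast); assumption noted in the lead-in."""
    return ipaddress.ip_network(cidr).num_addresses - 5
```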
Network Access Control Lists (NACLs)
Implement stateless subnet-level security:
Public Subnet NACL (inbound):

| Rule | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | Inbound | TCP | 80 | 0.0.0.0/0 | ALLOW |
| 110 | Inbound | TCP | 443 | 0.0.0.0/0 | ALLOW |
| 120 | Inbound | TCP | 22 | 10.0.31.0/24 | ALLOW |
| 200 | Inbound | TCP | 1024-65535 | 0.0.0.0/0 | ALLOW |
| * | Inbound | ALL | ALL | 0.0.0.0/0 | DENY |

Private Subnet NACL (inbound):

| Rule | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | Inbound | TCP | 3000-3100 | 10.0.0.0/22 | ALLOW |
| 110 | Inbound | TCP | 22 | 10.0.31.0/24 | ALLOW |
| * | Inbound | ALL | ALL | 0.0.0.0/0 | DENY |

Rules are evaluated in ascending order and the first match wins; the `*` entry is the implicit final deny. Rule 100 on the private subnet uses 10.0.0.0/22, the smallest aligned block that covers the three public subnets (10.0.1.0/24 through 10.0.3.0/24). Rule 200 on the public subnet admits the ephemeral port range so that replies to connections the instances themselves initiate are not dropped; because NACLs are stateless, the private subnet needs an equivalent inbound ephemeral rule (and matching outbound rules) whenever its instances make outbound connections, for example through a NAT gateway.
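Evaluating packets against these stateless rules, as an added Python example that is not part of the original page. The rule sets are constructed from the tables above (private rule 100 with source 10.0.0.0/22 covering the three public /24s); the last check shows why a private subnet without an ephemeral-port rule drops return traffic.

```python
import ipaddress

# Constructed rule sets mirroring the NACL tables: (rule number, protocol, port range, source CIDR, action).
# The implicit "*" DENY that every NACL carries is applied by evaluate() when nothing matches.
PUBLIC_INBOUND = [
    (100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
    (110, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
    (120, "tcp", (22, 22), "10.0.31.0/24", "ALLOW"),        # SSH only from the management subnet
    (200, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW"),      # ephemeral ports for return traffic
]
PRIVATE_INBOUND = [
    (100, "tcp", (3000, 3100), "10.0.0.0/22", "ALLOW"),     # app ports from the public /24s
    (110, "tcp", (22, 22), "10.0.31.0/24", "ALLOW"),
]

def evaluate(rules, proto, dst_port, src_ip):
    """Return (rule_number, action): the lowest-numbered matching rule wins, else the implicit '*' DENY."""
    src = ipaddress.ip_address(src_ip)
    for number, rproto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if rproto not in ("all", proto):
            continue
        if not lo <= dst_port <= hi:
            continue
        if src not in ipaddress.ip_network(cidr):
            continue
        return number, action
    return "*", "DENY"
```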
Security Groups
Stateful instance-level firewalls with explicit allow rules:
```hcl
# Web Server Security Group
resource "aws_security_group" "web_sg" {
  name_prefix = "web-servers-"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "HTTPS from anywhere"
  }

  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion_sg.id]
    description     = "SSH from bastion only"
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow all outbound"
  }

  lifecycle {
    create_before_destroy = true
  }
}
```
Hybrid Cloud Networking
Site-to-Site VPN Configuration
Connect on-premises networks to cloud VPCs:
```text
# IPSec VPN Configuration Example
Customer Gateway:
- IP Address: 203.0.113.10
- BGP ASN: 65000
- Routing: Dynamic (BGP) or Static

Virtual Private Gateway:
- Amazon Side ASN: 64512
- Attached to VPC: vpc-12345678

VPN Connection:
- Tunnel 1: 169.254.10.0/30 (Inside IP CIDR)
- Tunnel 2: 169.254.11.0/30 (Inside IP CIDR)
- Pre-shared Keys: Generate unique 64-character keys
- DPD Timeout: 30 seconds
- IKE Version: IKEv2
```

```conf
# strongSwan Configuration (Customer Side)
conn AWS-VPC-TUNNEL-1
    type=tunnel
    auto=start
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    left=%defaultroute
    leftid=203.0.113.10
    leftsubnet=192.168.0.0/16
    right=52.84.123.45
    rightsubnet=10.0.0.0/16
    authby=secret
```
AWS Direct Connect / Azure ExpressRoute
Dedicated network connections for predictable performance:
- Bandwidth Options: 50 Mbps to 100 Gbps
- VLAN Support: 802.1Q VLAN tagging
- BGP Routing: Dynamic route advertisement
- Redundancy: Multiple connections across different locations
- Virtual Interfaces: Multiple VIFs per physical connection
Transit Gateway Architecture
```text
# Hub-and-Spoke Network Topology
Transit Gateway (TGW):
- Region: us-east-1
- ASN: 64512
- Default Route Table: Enabled
- DNS Support: Enabled
- Multicast Support: Disabled

Attachments:
1. Production VPC (10.1.0.0/16)
2. Development VPC (10.2.0.0/16)
3. Shared Services VPC (10.3.0.0/16)
4. VPN Connection (On-premises)
5. Direct Connect Gateway

Route Tables:
- Production Routes: 0.0.0.0/0 → NAT Gateway
- Dev Routes: 10.0.0.0/8 → Local
- On-Prem Routes: 192.168.0.0/16 → VPN
```
Load Balancing Architecture
Application Load Balancer (Layer 7)
```hcl
# ALB Configuration with SSL/TLS
resource "aws_lb" "application" {
  name                             = "app-alb"
  internal                         = false
  load_balancer_type               = "application"
  security_groups                  = [aws_security_group.alb_sg.id]
  subnets                          = aws_subnet.public[*].id
  enable_deletion_protection       = true
  enable_http2                     = true
  enable_cross_zone_load_balancing = true

  access_logs {
    bucket  = aws_s3_bucket.alb_logs.bucket
    prefix  = "alb"
    enabled = true
  }
}

# HTTPS Listener with SSL Policy
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.application.arn
  port              = "443"
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
  certificate_arn   = aws_acm_certificate.cert.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# Path-based routing
resource "aws_lb_listener_rule" "api" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 100

  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.api.arn
  }

  condition {
    path_pattern {
      values = ["/api/*"]
    }
  }
}
```
Network Load Balancer (Layer 4)
For high-performance, low-latency requirements:
- Ultra-low latency: Single-digit millisecond latency
- Static IP addresses: Elastic IPs per AZ
- Preserve source IP: No proxy protocol needed
- Million+ requests/second: Extreme performance
- TLS termination: Optional TLS offload
Global Load Balancing
```hcl
# Route 53 Geolocation Routing
resource "aws_route53_record" "www" {
  zone_id        = aws_route53_zone.primary.zone_id
  name           = "www.example.com"
  type           = "A"
  set_identifier = "US"

  geolocation_routing_policy {
    continent = "NA"
  }

  alias {
    name                   = aws_lb.us_east_1.dns_name
    zone_id                = aws_lb.us_east_1.zone_id
    evaluate_target_health = true
  }
}

# Health checks
resource "aws_route53_health_check" "primary" {
  fqdn              = aws_lb.us_east_1.dns_name
  port              = 443
  type              = "HTTPS"
  resource_path     = "/health"
  failure_threshold = "3"
  request_interval  = "30"
}
```
Network Security Best Practices
WAF Implementation
```json
{
  "Name": "RateLimitRule",
  "Priority": 1,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 2000,
      "AggregateKeyType": "IP",
      "ScopeDownStatement": {
        "ByteMatchStatement": {
          "SearchString": "/api/",
          "FieldToMatch": {
            "UriPath": {}
          },
          "TextTransformations": [
            {
              "Priority": 0,
              "Type": "NONE"
            }
          ],
          "PositionalConstraint": "STARTS_WITH"
        }
      }
    }
  },
  "Action": {
    "Block": {
      "CustomResponse": {
        "ResponseCode": 429,
        "CustomResponseBodyKey": "rate-limit-exceeded"
      }
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "RateLimitRule"
  }
}
```

The rule counts requests per source IP only for URIs starting with `/api/` (the scope-down statement) and blocks the source with a 429 once it exceeds the limit; `VisibilityConfig` is required on every WAFv2 rule and is what makes the rule's matches visible in CloudWatch and sampled requests.
DDoS Protection
- AWS Shield Standard: Automatic protection against common attacks
- AWS Shield Advanced: Enhanced DDoS protection with 24x7 DRT support
- CloudFlare: Global anycast network with DDoS mitigation
- Rate Limiting: API Gateway throttling, WAF rate rules
- Auto Scaling: Absorb traffic spikes automatically
Network Monitoring and Logging
```hcl
# VPC Flow Logs Configuration
resource "aws_flow_log" "vpc_flow_log" {
  iam_role_arn    = aws_iam_role.flow_log.arn
  log_destination = aws_cloudwatch_log_group.flow_log.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.main.id

  tags = {
    Name = "vpc-flow-logs"
  }
}
```

```text
# Sample Flow Log Entry
2 123456789010 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
# Fields: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
```
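Turning flow logs into detections, as an added Python example that is not part of the original page: the parser reads the 14-field version-2 format shown above, and two checks run over it, one for accepted SSH that did not come from the management subnet (10.0.31.0/24, the bastion tier in this guide) and one for sources whose rejected flows spread across several destination ports. The sample records are constructed; the first is the page's own example line.

```python
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records in the version-2 default format (first line is the page's own example).
SAMPLE_LOG = """\
2 123456789010 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-abc123de 10.0.31.7 10.0.11.5 41022 22 6 12 1800 1418530100 1418530160 ACCEPT OK
2 123456789010 eni-abc123de 198.51.100.9 10.0.1.20 53211 22 6 1 40 1418530200 1418530260 REJECT OK
2 123456789010 eni-abc123de 198.51.100.9 10.0.1.20 53212 3389 6 1 40 1418530200 1418530260 REJECT OK
2 123456789010 eni-abc123de 198.51.100.9 10.0.1.20 53213 8080 6 1 40 1418530200 1418530260 REJECT OK
2 123456789010 eni-abc123de 198.51.100.9 10.0.1.20 53214 443 6 5 900 1418530200 1418530260 ACCEPT OK
2 123456789010 eni-abc123de - - - - - - - 1418530300 1418530360 - NODATA
"""

MGMT_SUBNET = ipaddress.ip_network("10.0.31.0/24")  # bastion/VPN tier from the VPC plan

def parse(text):
    """Parse version-2 flow log lines into dicts, skipping NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":  # NODATA / SKIPDATA carry no flow fields
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records

def ssh_outside_bastion(records):
    """Accepted TCP/22 flows whose source is not the management subnet."""
    return [r for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == 6 and r["dstport"] == 22
            and ipaddress.ip_address(r["srcaddr"]) not in MGMT_SUBNET]

def probable_scanners(records, min_ports=3):
    """Sources whose rejected flows touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```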
Content Delivery Network (CDN) Architecture
CloudFront Distribution
```hcl
# CloudFront with S3 Origin
resource "aws_cloudfront_distribution" "cdn" {
  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"
  price_class         = "PriceClass_All"

  origin {
    domain_name = aws_s3_bucket.static_assets.bucket_regional_domain_name
    origin_id   = "S3-${aws_s3_bucket.static_assets.id}"

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.oai.cloudfront_access_identity_path
    }
  }

  origin {
    domain_name = aws_lb.application.dns_name
    origin_id   = "ALB-${aws_lb.application.id}"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "ALB-${aws_lb.application.id}"

    forwarded_values {
      query_string = true
      cookies {
        forward = "none"
      }
      headers = ["Host", "Accept", "Accept-Language", "CloudFront-Viewer-Country"]
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 86400
    max_ttl                = 31536000
    compress               = true
  }

  # Static assets behavior
  ordered_cache_behavior {
    path_pattern     = "/static/*"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "S3-${aws_s3_bucket.static_assets.id}"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 86400
    default_ttl            = 604800
    max_ttl                = 31536000
    compress               = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn = aws_acm_certificate_validation.cert.certificate_arn
    ssl_support_method  = "sni-only"
  }
}
```
Network Troubleshooting Guide
Common Network Issues
| Issue | Symptoms | Diagnosis | Resolution |
|---|---|---|---|
| Connectivity Failure | Cannot reach instances | Check Security Groups, NACLs, Route Tables | Update rules, verify routes |
| High Latency | Slow response times | Traceroute, MTR, Flow Logs | Optimize routing, use CDN |
| Packet Loss | Intermittent failures | Ping tests, packet capture | Check bandwidth, QoS settings |
| DNS Resolution | Name resolution fails | nslookup, dig commands | Verify DNS settings, TTLs |
Diagnostic Commands
```bash
# Network connectivity test
$ nc -zv hostname 443
Connection to hostname 443 port [tcp/https] succeeded!

# DNS troubleshooting
$ dig +trace example.com

# Path MTU discovery: 1472 bytes of payload + 8 ICMP + 20 IP = a 1500-byte packet;
# -M do sets the don't-fragment bit, so a smaller path MTU produces an error instead of a reply
$ ping -M do -s 1472 hostname

# TCP connection analysis
$ ss -tan | grep ESTABLISHED

# Packet capture for deep analysis
$ tcpdump -i eth0 -w capture.pcap port 443

# AWS VPC Reachability Analyzer: create the path, then start an analysis on the returned path id
$ aws ec2 create-network-insights-path \
    --source i-0123456789abcdef0 \
    --destination i-0fedcba9876543210 \
    --protocol tcp \
    --destination-port 443
$ aws ec2 start-network-insights-analysis --network-insights-path-id <path-id-from-previous-command>
```
Network Architecture Best Practices
Design Guidelines
- Plan IP addressing carefully: Use RFC 1918 private ranges, avoid overlaps
- Implement least privilege: Default deny, explicit allow rules
- Use automation: Infrastructure as Code for consistency
- Monitor everything: Logs, metrics, traces, alerts
- Document thoroughly: Network diagrams, runbooks, contact info
- Test disaster recovery: Regular failover drills
- Keep it simple: Avoid unnecessary complexity
Security Checklist
- ☐ Enable VPC Flow Logs for all VPCs
- ☐ Implement Network ACLs for defense in depth
- ☐ Use Security Groups with least privilege
- ☐ Enable GuardDuty for threat detection
- ☐ Implement WAF for web applications
- ☐ Use PrivateLink for service endpoints
- ☐ Enable DDoS protection (Shield)
- ☐ Encrypt data in transit (TLS 1.2+)
- ☐ Regular security assessments
- ☐ Incident response plan in place