This Guidance helps you design and implement security policies and controls across different levels of the networking stack to protect your resources from external and internal threats. Protecting your resources in this way helps you ensure their confidentiality, availability, integrity, and usability. This Guidance also demonstrates how to prevent, detect, and block anomalous network traffic by monitoring ingress, egress, and lateral data movement.


Architecture Diagram


Additional Considerations

  • Building secure networks in the cloud is fundamentally different from building them in a private, on-premises environment. With secure networks in the cloud, the cloud provider handles certain tasks on your behalf, such as the management and governance of physical devices, their environment, or the security controls that surround them. You build and secure your network within a virtual environment and use identity and access controls that may span multiple workload boundaries to administer and secure access to your network. 

    As such, it is important that organizational stakeholders who hold responsibility for your network security are familiar with the shared responsibility model between you and your cloud provider for securing your cloud environment. These stakeholders should know best practices for providing identity and access in addition to granting least privilege permissions across relevant workloads that your networks span. 

  • There are many cloud-native and third-party tools available to help you secure your network. Every organization's security requirements and level of compliance will differ. It is important to establish your security requirements and implement a baseline of controls across your networks as you consider which security tools to implement in your cloud environment. Requirements and compliance will also differ per application, so you must be able to add enhanced security controls on a case-by-case basis. 

  • You should account for traffic flow between your applications and clients, and for how your requirements will change depending on where those clients are located. Consider how traffic should flow into the network, whether through the internet, a virtual private network (VPN), or a dedicated connection. You must also determine how application layers will communicate with each other and with external dependencies, how traffic will egress from your network, and most importantly, how all of these traffic flows need to be inspected and secured. Understanding your security responsibilities and requirements is critical for establishing your network security best practices and workflows in the cloud.
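The considerations above describe three kinds of traffic that need to be inspected: ingress from clients, egress to external dependencies, and lateral (east-west) traffic between application layers. The following is an added example, not code from the AWS Guidance, that shows how a defender can classify VPC Flow Log records into those three categories and flag lateral flows that fall outside a least-privilege tier-to-tier allow-list. The VPC CIDR, the tier subnets, the allow-list, and the flow log lines are all constructed for illustration; the record layout follows the default VPC Flow Log format (version 2), which is the only real detail it relies on.

```python
"""Classify VPC Flow Log records as ingress, egress or lateral traffic and
flag lateral flows that are not on a tier-to-tier allow-list.

Added example, not part of the AWS Guidance page. The network layout,
the allow-list and the sample log lines below are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed network layout (assumption): one VPC with web, app and db tiers.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
TIERS = {
    "web": ipaddress.ip_network("10.0.1.0/24"),
    "app": ipaddress.ip_network("10.0.2.0/24"),
    "db": ipaddress.ip_network("10.0.3.0/24"),
}
# Least-privilege intent for east-west traffic: (src_tier, dst_tier, dst_port).
# Anything lateral that is not listed here is worth a look.
ALLOWED_LATERAL = {("web", "app", 8080), ("app", "db", 5432)}


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dst_port: int
    protocol: int
    action: str      # ACCEPT or REJECT as recorded by the flow log
    direction: str   # "ingress", "egress", "lateral" or "external"


# Default VPC Flow Log record (version 2), space separated:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
def parse_flow(line):
    f = line.split()
    if len(f) != 14 or f[13] != "OK":
        return None  # NODATA / SKIPDATA records carry no addresses
    src, dst = ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4])
    src_in, dst_in = src in VPC_CIDR, dst in VPC_CIDR
    if src_in and dst_in:
        direction = "lateral"
    elif dst_in:
        direction = "ingress"
    elif src_in:
        direction = "egress"
    else:
        direction = "external"
    return Flow(src, dst, int(f[6]), int(f[7]), f[12], direction)


def tier_of(addr):
    """Map an in-VPC address to its tier name, or None if it is unassigned."""
    for name, net in TIERS.items():
        if addr in net:
            return name
    return None


def find_anomalies(lines):
    """Return (per-direction counts, lateral flows outside the allow-list)."""
    counts = {"ingress": 0, "egress": 0, "lateral": 0, "external": 0}
    flagged = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        counts[flow.direction] += 1
        if flow.direction == "lateral":
            key = (tier_of(flow.src), tier_of(flow.dst), flow.dst_port)
            if key not in ALLOWED_LATERAL:
                flagged.append(flow)
    return counts, flagged


# Constructed sample records (account id and ENI are placeholders).
SAMPLE_FLOW_LOG = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 44321 443 6 10 8400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 51000 8080 6 20 16000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.30 10.0.3.40 52000 5432 6 15 9000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.3.40 53000 5432 6 5 1200 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.2.30 198.51.100.7 40000 443 6 8 4000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    totals, suspicious = find_anomalies(SAMPLE_FLOW_LOG)
    print("traffic by direction:", totals)
    for flow in suspicious:
        print(f"lateral flow outside allow-list: {flow.src} -> {flow.dst}:{flow.dst_port} ({flow.action})")
```

In the constructed sample the web tier talking directly to the database port is the one lateral flow that the allow-list does not cover, so it is the one record that gets surfaced; the ingress and egress flows are only counted here, but the same classification is the natural place to attach destination allow-lists for egress or rate baselines for ingress.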


The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.

References to third-party services or organizations in this Guidance do not imply an endorsement, sponsorship, or affiliation between Amazon or AWS and the third party. Guidance from AWS is a technical starting point, and you can customize your integration with third-party services when you deploy the architecture.
