Back to Migration Guide Enterprise Cloud Network & Landing Zone Network Architecture v1.0 Β· Network Planning

Enterprise Cloud Network & Landing Zone Network Architecture

A unified blueprint for building secure, scalable, and governable cloud networks β€” from VPC 1.0 basic connectivity to VPC 3.0 Landing Zone governance, covering CCN, Direct Connect, public ingress/egress, defense-in-depth, and end-to-end traffic observability.

12
Architecture Topics
5
Network Pillars
4
Traffic Flow Patterns
3
Defense Layers
1

Evolution of Cloud Networking

Three generations of VPC architecture and the shift toward Landing Zone governance

Cloud networking has evolved through three distinct generations, each addressing the limitations of its predecessor. Understanding this evolution is critical when designing an enterprise-grade network that balances agility, scalability, and governance.

VPC 1.0 Β· Basic Connectivity Era
Agile and Connected
Single-account, single-VPC topology focused on getting workloads online quickly. Addresses basic connectivity needs: internet access, subnet isolation, simple security groups. Suitable for proof-of-concept and small teams.
Outcomes: Fast provisioning Β· Single VPC Β· Limited governance
VPC 2.0 Β· Hybrid Cloud Era
Stable and Scalable β€” Cross-Region / Cross-Cloud
Multi-VPC, multi-region, cross-cloud connectivity via CCN and Direct Connect. Supports hybrid cloud (on-premise + cloud) and disaster recovery across regions. Network grows organically but governance remains decentralized.
Outcomes: CCN peering Β· Direct Connect Β· Hybrid cloud Β· DR across regions
VPC 3.0 Β· Enterprise Governance Era
Landing Zone Era β€” Security / Compliance / Governance
Hub-and-spoke multi-account topology with centralized network administration. Decouples network, shared services, and business workloads. Enforces unified security boundaries, traffic governance, and auditability. This is the target architecture for enterprise migration.
Outcomes: Hub-Spoke Β· Centralized network admin Β· Unified security & compliance
Key Insight

The jump from VPC 2.0 to VPC 3.0 is not merely technical β€” it is organizational. It introduces a Network Admin Account owned by IT/Network team, fully decoupling network ownership from business workload ownership. This is the foundation of Landing Zone governance.

2

Landing Zone Network Overview

Five pillars of unified network governance and the hub-and-spoke reference architecture

2.1 Β· Five Core Capability Pillars

1

Unified Network Planning

Hierarchical IP allocation, CIDR reservation, VPC naming convention

2

Unified Connectivity

CCN-based hub-and-spoke, cross-account, cross-region, cross-cloud

3

Unified Traffic Governance

Centralized ingress/egress, route tables, traffic steering policies

4

Unified Security Boundary

Defense in depth, CFW, NACL, security groups, zero-trust

5

Unified Operability

Flow logs, network probes, traffic mirroring, one-click diagnostics

2.2 Β· Hub-and-Spoke Reference Architecture

Hub-and-Spoke Topology (Network Admin Account as the Hub)
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ NETWORK ADMIN ACCOUNT (HUB) β”‚ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ Ingress VPC β”‚ β”‚ Egress VPC β”‚ β”‚ CFW VPC β”‚ β”‚ CCN β”‚ β”‚ β”‚ β”‚ Public CLB β”‚ β”‚ NAT Gateway β”‚ β”‚ NGFW / GWLB β”‚ β”‚ (center) β”‚ β”‚ β”‚ β”‚ WAF + CDN β”‚ β”‚ SNAT only β”‚ β”‚ East-West β”‚ β”‚ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β”‚ β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”΄β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ Hybrid Cloud Gateway β”‚ β”‚ β”‚ β”‚ DC Gateway / VPN Gatewayβ”‚ β”‚ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β”‚ (CCN routes traffic) β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ β”‚ β”‚ β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β” β”‚ Workload Acctβ”‚ β”‚ Workload Acctβ”‚ β”‚ Workload Acctβ”‚ β”‚ (Spoke) β”‚ β”‚ (Spoke) β”‚ β”‚ (Spoke) β”‚ β”‚ App VPC #1 β”‚ β”‚ App VPC #2 β”‚ β”‚ App VPC #3 β”‚ β”‚ Production β”‚ β”‚ Staging β”‚ β”‚ Dev β”‚ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜ On-Premise DC ◄──── Direct Connect / IPSec VPN ────► Hub

Hub Components (Network Admin Account)

  • CCN β€” central route exchange fabric; all VPCs, gateways attach here
  • Ingress VPC β€” Public CLB, WAF, CDN entry point for north-south traffic
  • Egress VPC β€” NAT Gateway (SNAT only) for outbound internet traffic
  • CFW VPC β€” Cloud Firewall / NGFW / GWLB for east-west inspection
  • Hybrid Cloud Gateway β€” Direct Connect Gateway & VPN Gateway to on-premise

Spoke Components (Workload Accounts)

  • App VPCs β€” business workloads (compute, storage, databases)
  • Spoke VPCs attach to CCN; no direct internet ingress/egress
  • Network permissions are restricted β€” business team owns compute only
  • Production / Non-production live in separate accounts and separate CCNs
  • Shared Services Account (AD, DNS, Bastion) sits as a special spoke

2.3 Β· Six Challenges Solved by Landing Zone Network

01 Fragmented Architecture

Point-to-point VPC peering creates an unmaintainable mesh. Landing Zone consolidates into a single hub.

02 IP Conflicts

Without hierarchical IP planning, CIDR ranges overlap during interconnection. Centralized IP pool prevents collision.

03 Legacy Model Limitations

Single-account / single-VPC cannot scale beyond a few hundred resources. Multi-account strategy is mandatory for enterprise.

04 Inconsistent Connectivity

Ad-hoc peering + gateway placement causes asymmetric routing. CCN provides symmetric, deterministic routing.

05 Unclear Traffic Boundaries

Without centralized ingress/egress, audit and compliance are impossible. Hub VPC enforces clear traffic boundaries.

06 Lack of Unified Control & High Re-design Cost

Decentralized ownership means every new business line re-designs network. Landing Zone enables plug-and-play onboarding.

3

Multi-Account / Multi-VPC Partitioning

Separation of concerns between network, shared services, and business workloads
Key Principle

A multi-account strategy fully decouples network, shared services, and business. Each domain has its own owner, blast radius, and permission boundary. This is the cornerstone of Landing Zone governance.

Account Type Owner Core Components Network Permissions Primary Responsibility
Network Account (Hub)
Hub
IT / Network Team Hub VPC, DC Gateway, CCN, VPN Gateway, NAT Gateway, Public CLB, CFW Full network ownership β€” routing, firewall, gateway management Provide centralized connectivity, security inspection, and traffic governance for all spoke accounts
Shared Services Account
Shared
IT / Platform Team AD (Active Directory), DNS, Bastion Host, Security Scanning appliances, central logging Limited β€” consumes network services from Hub; cannot modify routing Provide shared infrastructure services consumed by all workload accounts
Workload Accounts (Spokes)
Spoke
Business / Application Teams App VPCs β€” compute (CVM, TKE), storage (COS, CBS), databases (CDB, Redis) Restricted β€” can only operate compute/storage resources inside their own VPC; no route/firewall modification Deliver business applications; consume network and shared services via CCN

Why Decouple?

  • Blast radius isolation β€” a misconfigured route in a workload account cannot impact other accounts
  • Audit clarity β€” network actions are attributable to the Network team
  • Permission minimization β€” business teams get least-privilege compute-only roles

Production / Non-Production Split

  • Production and Non-production use separate CCN instances
  • Separate route domains β€” no accidental cross-environment traffic
  • Independent Direct Connect gateways where required
  • Environments may share the Hub account but with isolated CCNs

Onboarding New Business

  • New workload account β†’ attach VPC to existing CCN
  • No re-design of network β€” plug-and-play
  • IP allocation from the hierarchical pool prevents conflicts
  • Default security policies inherited from Hub
4

IP Planning & VPC Design

Hierarchical allocation, capacity planning, and the three-tier subnet model

4.1 Β· Hierarchical IP Allocation

IP addresses must be planned top-down from a global pool to avoid conflicts during future interconnection, M&A, or hybrid cloud extensions. The hierarchy below is the recommended allocation model:

🌐 Global IP Pool (Enterprise CIDR Master Plan)
β–Ό allocate by region
🌍 Region (e.g., Beijing, Shanghai, Singapore, Silicon Valley)
β–Ό allocate by AZ
🏒 Availability Zone (AZ-1, AZ-2, AZ-3)
β–Ό allocate by business line
πŸ“Š Business Line (e.g., e-commerce, finance, gaming)
β–Ό allocate by workload
⚑ Workload VPC (production / staging / dev)
CIDR Range Conventions

Private RFC1918 ranges are used for VPCs and subnets. Plan at least 2x headroom for future growth.

  • 10.0.0.0/8 β€” large enterprises; sufficient for thousands of VPCs
  • 172.16.0.0/12 through 172.31.0.0/16 β€” mid-size; common for regional split
  • 192.168.0.0/16 β€” small footprint; single-VPC deployments
  • Mask range: /12 (largest VPC) to /28 (smallest subnet, 11 usable IPs)

4.2 Β· VPC Planning Rules

Deployment Scenario VPC Count Subnet Requirement Rationale
Single Region, Single AZ 1 VPC per region β‰₯1 subnet per tier (web/app/db) Simplest topology; suitable for non-critical workloads
Single Region, Cross-AZ DR 1 VPC per region β‰₯2 subnets in different AZs per tier Provides AZ-level fault tolerance; instances distribute across AZs
Multi-Region DR β‰₯1 VPC per region β‰₯2 subnets per tier per region Region-level disaster recovery; active-active or active-standby across regions
Multi-Region Active-Active β‰₯2 VPCs (one per region) Full subnet stack per region Geo-redundant; traffic routed via Global Service Accelerator or DNS

4.3 Β· Subnet Capacity Reference

253
/24 IPs
1,021
/22 IPs
4,093
/20 IPs
65,534
/16 IPs
1,048,574
/12 IPs

Usable IPs exclude network address, broadcast address, and 3 cloud-reserved addresses per subnet. Right-size subnets to avoid waste β€” a /28 is enough for a small admin tier.

4.4 Β· Three-Tier Subnet Model

Every VPC should implement a three-tier subnet classification that encodes internet accessibility. Security groups and NACLs enforce the boundary at each tier.

Public Subnet Internet In/Out
  • Direct internet ingress and egress
  • Hosts public-facing resources: Public CLB, NAT Gateway, Bastion
  • Assigned a public IP / EIP
  • Internal communication allowed within VPC
  • Highest exposure β€” strictest security group
Protected Subnet No Internet
  • No internet access β€” neither inbound nor outbound
  • Internal communication restricted to defined peers only
  • Hosts sensitive databases, internal APIs, compliance-bound systems
  • Used for air-gapped or PCI-DSS / HIPAA workloads
  • Egress, if any, requires explicit proxy
Private Subnet NAT Outbound
  • No direct internet inbound
  • Outbound via NAT Gateway (SNAT) in the Egress VPC
  • Internal communication allowed within VPC
  • Hosts application servers, microservices, internal APIs
  • Most common tier β€” default for compute workloads
Design Tip

In Landing Zone topology, workload VPCs typically contain only Private and Protected subnets. Public subnets live in the Hub account's Ingress/Egress VPCs, centralizing internet exposure to a controlled boundary.

5

Cloud Connect Network (CCN)

The central interconnection fabric enabling cross-account, cross-region, cross-cloud routing

5.1 Β· Three Core Values

01 Cross-Account Interconnection

VPCs from different accounts attach to a single CCN instance. Traffic flows through CCN without exposing VPC peering to each account β€” eliminating the NΓ—(N-1)/2 peering explosion.

02 Route Isolation

Multiple route tables can be defined within one CCN. Different VPC groups (production / non-production / shared services) use isolated route tables, preventing unwanted cross-domain traffic.

03 Fine-Grained Route Control

Per-VPC route tables allow/deny specific CIDRs. Enables service insertion patterns β€” e.g., steering traffic through a firewall VPC before reaching its destination.

5.2 Β· CCN Service Stats

20+
Regions covered
100 Gbps
Max bandwidth
99.99%
Availability SLA
5 Gbps
Free inter-region tier

5.3 Β· CCN Route Table Design β€” Service Insertion Pattern

The most important pattern in Landing Zone networking is service insertion via CFW VPC. Traffic between two workload VPCs is steered through the firewall VPC for inspection, rather than flowing directly.

Scenario: VPC A (10.0.10.0/24) ↔ VPC B (10.0.20.0/24), inspected by CFW VPC

Step 1 β€” Route Tables Inside Each VPC

# VPC A route table β€” send B's traffic to CCN Destination: 10.0.20.0/24 NextHop: CCN # VPC B route table β€” send A's traffic to CCN Destination: 10.0.10.0/24 NextHop: CCN

Step 2 β€” CCN Route Tables (Per-VPC, Applied at CCN Edge)

# CCN route table applied to VPC A's attachment Destination: 10.0.20.0/24 NextHop: FW VPC # steer to firewall # CCN route table applied to VPC B's attachment Destination: 10.0.10.0/24 NextHop: FW VPC # steer to firewall # CCN route table applied to FW VPC's attachment Destination: 10.0.10.0/24 NextHop: VPC A Destination: 10.0.20.0/24 NextHop: VPC B
Critical Note

You cannot define route tables directly inside CCN. Define them inside the CFW VPC and publish to CCN. The CCN controller then enforces these routes at the edge of each VPC attachment, achieving per-VPC route isolation and service insertion.

5.4 Β· Six Route Tables per CCN

A well-governed CCN maintains six route tables to separate traffic domains:

Route TablePurposeApplies To
DefaultCatch-all for unmapped trafficAll attachments
InboundPublic ingress traffic from CLB / WAFIngress VPC attachment
OutboundEgress traffic toward NAT GatewayWorkload VPCs needing internet
AppEast-west inter-VPC trafficWorkload VPCs (inspected by CFW)
VPNSite-to-site / remote VPN trafficVPN Gateway attachment
OperationsBastion, monitoring, flow log trafficShared Services / Ops VPCs
6

Direct Connect

Dedicated private-line connectivity to on-premise data centers

Hub-Model Direct Connect (CCN-type DC Gateway)

The Landing Zone uses the CCN-type Direct Connect Gateway deployed in the Network Admin Account. On-premise traffic ingresses through the Hub, gets inspected by CFW, then distributes to spoke VPCs via CCN β€” providing a single, governed hybrid-cloud entry point.

  • BGP enabled for dynamic route exchange β€” routes auto-converge on link failure
  • Centralized in Network Account β€” full visibility, audit, and governance
  • Production / Non-production use independent CCN and route domains
  • Supports 1+1 redundant physical links for high availability
  • BGP ECMP across redundant links maximizes bandwidth utilization

6.1 Β· Bandwidth vs. Migration Time

Approximate time to transfer 100 TB of data over a dedicated link at sustained utilization (~95% efficiency after protocol overhead).

Bandwidth Theoretical Throughput Time for 100 TB Recommended Use Case
1 Gbps ~115 MB/s β‰ˆ 9.5 days Small workload migration, ongoing sync after initial bulk transfer
2 Gbps ~230 MB/s β‰ˆ 4.7 days Mid-size workload, daily delta sync
5 Gbps ~575 MB/s β‰ˆ 1.9 days Large enterprise initial migration, database cutover
10 Gbps ~1.15 GB/s β‰ˆ 1 day Bulk data migration, time-critical cutover windows
Best Practice

For large migrations, provision 10 Gbps for the initial bulk transfer, then downgrade to 1–2 Gbps for ongoing hybrid-cloud traffic. This optimizes cost while meeting the cutover deadline.

7

Public Ingress & Egress

Centralized internet entry and exit points in the Hub account

7.1 Β· Public Ingress Architecture

Public CLB in Ingress VPC (Hub)

The Public CLB (Cloud Load Balancer) is deployed in the Ingress VPC of the Network Admin Account and is attached to CCN. Backend services from workload accounts register with this CLB, achieving centralized internet exposure.

Traffic Path β€” North-South Inbound

1
Internet β†’ request arrives at the public CLB (optionally via CDN for static content caching and WAF for L7 protection)
2
Public CLB β†’ forwards to CFW (Cloud Firewall) for security inspection
3
CFW β†’ returns clean traffic back to CLB
4
CLB β†’ forwards to CCN
5
CCN β†’ routes to Service VPC CLB in the workload account
6
Service VPC CLB β†’ distributes to backend service instances
Cross-VPC CLB Binding

Services from multiple workload accounts can register as backends of a single CLB in the Network account. This is achieved via CCN β€” the CLB sees backend IPs across all spoke VPCs as if they were local. Benefits: single public IP, unified WAF policy, simplified DNS.

7.2 Β· Public Egress Architecture

NAT Gateway in Egress VPC (Hub)

Outbound internet traffic from workload VPCs is centralized through a NAT Gateway in the Egress VPC. SNAT-only mode ensures all outbound traffic appears from a single, auditable public IP.

  • SNAT only β€” outbound source IP translation; no inbound DNAT
  • ECMP for scalable bandwidth β€” multiple NAT Gateways can be ECMP-grouped to exceed single-instance bandwidth limits
  • Centralized egress enables IP whitelisting with third-party APIs and unified egress logging
Cross-VPC NAT Binding

Multiple workload accounts can route their outbound traffic via the same NAT Gateway in the Network account. CCN routes the traffic to the Egress VPC; NAT Gateway performs SNAT; egress IP is consistent across all spoke accounts β€” simplifying partner API whitelisting and audit.

8

Firewall & Security Architecture

Defense in depth for east-west traffic β€” from macro segmentation to instance-level zero-trust

8.1 Β· Three-Layer Defense in Depth (East-West Traffic)

1
Macro-Segmentation β€” Network Segmentation

Strict production / test isolation via separate CCN instances, separate VPCs, and separate route tables. Production workloads cannot route to staging or dev environments by default. The blast radius of any compromise is limited to a single environment.

2
Service Insertion β€” Security Inspection

High-risk east-west traffic is steered through NGFW (Next-Generation Firewall) in the Hub VPC. Implemented via CCN per-VPC route tables that direct inter-VPC traffic to the FW VPC for inspection before reaching the destination. Supports IDS/IPS, threat intel, and deep packet inspection.

3
Micro-Segmentation β€” Instance-Level Zero-Trust

Security Groups + NACLs enforce least-privilege at the resource and subnet levels. Security groups are stateful, attached per ENI; NACLs are stateless, attached per subnet. Together they implement zero-trust: no implicit trust based on network location, only explicit allow rules.

8.2 Β· Firewall Products Matrix

Product Traffic Direction Scope Primary Capability
CLB WAF North-South Inbound L7 HTTP/HTTPS Web attack protection (SQL injection, XSS) + CC attack defense
VPC Firewall East-West Attached to CCN Inter-VPC traffic inspection; enables service insertion pattern
Internet Edge Firewall In/Out Boundary VPC egress to internet Boundary inspection; outbound threat detection & DLP
NACL Subnet-Level Stateless, per subnet Coarse-grained allow/deny; fast first-line filtering
Security Groups Resource-Level Stateful, per ENI Fine-grained instance-level allow rules; zero-trust enforcement

8.3 Β· GWLB (Gateway Load Balancer)

Transparent Security Service Insertion

GWLB provides transparent traffic steering to third-party security appliances (e.g., Palo Alto, Fortinet) without changing source or destination IPs β€” preserving audit trails and simplifying firewall rules.

  • Transparent protection β€” source/dest IP unchanged; appliances see real client/server IPs
  • IP-based load balancing β€” distributes flows across multiple appliance instances
  • ECMP support β€” scales horizontally by adding appliance instances; no single-instance bottleneck
  • Integrated ecosystem β€” pre-validated with Palo Alto VM-Series, Fortinet FortiGate, Check Point, F5
  • Typically deployed in the CFW VPC of the Hub account, paired with CCN service insertion
9

Traffic Flow Paths

Four canonical traffic patterns and their step-by-step paths through the Landing Zone

North-South Inbound (6 steps)

Public internet request reaching a backend service in a workload VPC.

1
Public CLB receives the request (optionally via CDN/WAF)
2
CFW performs security check on the request
3
Traffic returns to CLB after inspection
4
CLB forwards to CCN
5
CCN routes to the Service VPC CLB in the workload account
6
Service VPC CLB distributes to the backend service

North-South Outbound (5 steps)

Workload VPC accessing the public internet (e.g., calling a third-party API).

1
App VPC generates outbound traffic to a public IP
2
Traffic enters CCN
3
CFW performs outbound security check
4
Clean traffic re-enters CCN, routes to Egress VPC
5
NAT Gateway performs SNAT β†’ reaches Internet

East-West Inter-VPC (4 steps)

Two workload VPCs communicating (e.g., web tier β†’ database tier).

1
Service VPC initiates traffic to target VPC
2
Traffic enters CCN, routed to FW VPC
3
CFW inspects east-west traffic
4
Clean traffic via CCN reaches the target App VPC

East-West Hybrid Cloud (5 steps)

Cloud workload reaching an on-premise data center.

1
App VPC initiates traffic to on-premise CIDR
2
Traffic enters CCN, routed to FW VPC
3
CFW inspects hybrid-cloud traffic
4
Clean traffic via CCN reaches DC/VPN Gateway
5
Gateway forwards to on-premise data center
Observation

Every traffic pattern traverses CCN + CFW. This is by design β€” the Hub account is the single chokepoint for all inter-VPC, internet, and hybrid-cloud traffic, enabling unified audit, policy enforcement, and threat detection.

10

VPN Comparison

Choosing between SSL VPN and IPSec VPN for remote access and site-to-site connectivity

SSL VPN Remote Access

Browser-based or thin-client VPN for individual users accessing cloud resources.

  • Cost: Pay-per-user; lower fixed cost; suitable for occasional users
  • Security: TLS-based; user-level authentication (password + MFA); certificate-based device trust supported
  • Scalability: Hundreds to low thousands of concurrent users per instance; horizontally scalable
  • Granularity: Per-user, per-application access control; can restrict to specific CIDRs or services
  • Best for: Remote employees, contractors, mobile workforce, admin bastion access

IPSec VPN Site-to-Site

Tunnel-based VPN connecting entire networks (on-premise DC ↔ cloud VPC).

  • Cost: Fixed per-tunnel cost; cost-effective for high-bandwidth, always-on links
  • Security: IKEv1/IKEv2 negotiation; pre-shared key or certificate authentication; strong encryption (AES-256, SHA-256)
  • Scalability: Scales by adding tunnels; supports BGP over IPSec for dynamic routing; multi-tunnel ECMP
  • Granularity: Network-level β€” entire CIDR ranges routed over the tunnel; not user-aware
  • Best for: Branch office connectivity, hybrid cloud backup, DC-to-cloud migration, DR replication
DimensionSSL VPNIPSec VPN
CostPer-user; low fixed costPer-tunnel; cost-effective for high bandwidth
SecurityTLS + MFA + device certificateIKEv2 + PSK/cert + AES-256
ScalabilityUp to ~thousands of users per instanceMulti-tunnel + BGP + ECMP
GranularityPer-user, per-appPer-network CIDR
Typical UseRemote workforce accessSite-to-site / hybrid cloud connectivity
11

Network Observability

Three capabilities forming a 360Β° network visibility system
Guiding Principle

Build a 360Β° network observability system. Visibility is the prerequisite for governance β€” without it, security policies are blind and troubleshooting is reactive. Three complementary capabilities cover traffic analysis, troubleshooting, and deep inspection.

01 Traffic Analysis

VPC Flow Logs capture metadata of every network flow β€” source/dest IP, port, protocol, bytes, packets, accept/reject action.

  • Aggregated to CLS (Cloud Log Service) for search & query
  • Feeds into anomaly detection and threat analytics
  • Supports compliance audit (e.g., "who accessed the database subnet?")
  • Retained per regulatory requirements (typically 6–12 months)

02 Troubleshooting

Cloud-native network probes and one-click diagnostic tools validate connectivity before and after changes.

  • Path analysis: trace route from any instance to any destination
  • Security group / NACL simulation β€” predict accept/reject before applying
  • Route table visualization β€” see effective routes per ENI
  • One-click connectivity test between two ENIs

03 Traffic Mirroring

Lossless traffic mirroring to NDR (Network Detection & Response) appliances for deep packet inspection.

  • Mirrors full packets β€” not just metadata
  • Filters by 5-tuple, VPC, subnet, or ENI
  • Targets: IDS/IPS, NDR, network recorders
  • Used for forensic investigation and advanced threat hunting
Outcome

Together these three capabilities deliver full visibility: "who talked to whom, what was inspected, what was the outcome" β€” at flow, packet, and policy levels. This is the foundation of evidence-based network governance.

12

Security Products Matrix

Tencent Cloud security products spanning DDoS, host, web, data, and access protection
Product Category Protection Scope Key Capability Typical Use Case
Dayu BGP Anti-DDoS Network L3/L4 DDoS BGP-anycast scrubbing centers; Tbps-level mitigation Protect public-facing IPs (CLB, EIP) from volumetric attacks
YunJing (CWP) Host Host intrusion detection File integrity, ransomware detection, baseline check Agent-based protection on every CVM / TKE node
WAF (Web Application Firewall) Web L7 HTTP/HTTPS OWASP Top 10, CC attack, bot management Protect public CLB frontends and APIs
Shu Dun (Data Security) Data Sensitive data discovery Data classification, masking, DLP Discover and protect PII / PCI data in COS, CDB, CBS
Bastion Host Access Admin access control Session recording, command audit, MFA Centralized admin jump server for SSH/RDP/VNC
AnTu (Security Operations Center) SOC Security operations Threat aggregation, incident response, SOAR playbooks Central SOC for correlating alerts across all products
Yu Jie (Cloud Security Center) Posture Cloud security posture CSPM, compliance check, risk scoring Continuous compliance monitoring (CIS, ISO27001, GDPR)
Integration Note

These products feed alerts into AnTu SOC, providing a single pane of glass for security operations. Dayu + WAF form the perimeter defense; YunJing + Bastion protect the inside; Shu Dun secures data at rest; Yu Jie continuously validates posture. Together with the network defense-in-depth architecture in Section 8, this forms end-to-end cloud security.

βœ“

Architecture Summary

Key takeaways for implementing a Landing Zone network
  • Adopt VPC 3.0 Landing Zone model β€” hub-and-spoke with Network Admin Account as the hub
  • Centralize all internet exposure in Hub Ingress/Egress VPCs; workload VPCs remain private
  • Use CCN as the single interconnection fabric β€” cross-account, cross-region, cross-cloud
  • Implement service insertion via CFW VPC for east-west traffic inspection
  • Apply hierarchical IP planning β€” global pool β†’ region β†’ AZ β†’ business line β†’ workload
  • Separate production / non-production into independent CCNs and route domains
  • Deploy defense in depth β€” macro segmentation β†’ service insertion β†’ micro segmentation
  • Centralize Direct Connect in the Hub account with BGP for dynamic route exchange
  • Build 360Β° observability β€” flow logs + troubleshooting probes + traffic mirroring
  • Layer security products β€” Dayu (DDoS) + WAF (web) + YunJing (host) + AnTu (SOC) + Yu Jie (posture)