AgentSkillsCN

Network Segmentation for Multi-Tenant

Implement VPC segmentation through IPAM integration, with a dual-stack IPv4/IPv6 architecture and multi-tenant isolation patterns

SKILL.md
---
name: Network Segmentation for Multi-Tenant
description: Implement VPC segmentation with IPAM integration, dual-stack IPv4/IPv6, and multi-tenant isolation patterns
---

Network Segmentation for Multi-Tenant

Overview

Network segmentation is critical for isolating workloads, limiting blast radius, and meeting compliance requirements. This skill covers multi-tier VPC design with IPAM integration and dual-stack IPv4/IPv6 support.

```mermaid
graph TB
    subgraph VPC [VPC Architecture]
        subgraph Public [Public Tier]
            ALB[Application Load Balancer]
            NAT[NAT Gateway]
        end

        subgraph Private [Private Tier]
            EKS[EKS Nodes]
            Lambda[Lambda Functions]
        end

        subgraph Isolated [Isolated Tier]
            RDS[(RDS Database)]
            ElastiCache[(ElastiCache)]
        end
    end

    Internet((Internet)) --> ALB
    ALB --> EKS
    EKS --> RDS
    EKS --> ElastiCache
    %% Private is the subgraph id above, so this edge resolves to the tier, not a new node
    Private --> NAT --> Internet
```

Key Concepts

Three-Tier Subnet Design

| Tier     | Internet Access     | Use Case                          |
|----------|---------------------|-----------------------------------|
| Public   | Direct (IGW)        | Load balancers, bastion hosts     |
| Private  | Outbound only (NAT) | Application workloads, EKS nodes  |
| Isolated | None                | Databases, caches, sensitive data |

IPAM (IP Address Manager)

AWS IPAM provides centralized IP address management across accounts and regions:

  • Prevent IP conflicts in multi-account environments
  • Automated CIDR allocation from pools
  • Compliance tracking for IP usage

Dual-Stack IPv4/IPv6

Enable IPv6 for:

  • Future-proofing as IPv4 addresses become scarce
  • Performance - direct connectivity without NAT
  • Cost reduction - no NAT gateway charges for IPv6

Best Practices

  1. Use IPAM for enterprise/multi-account deployments
  2. Enable IPv6 on new VPCs for future compatibility
  3. Isolate databases - no direct internet access
  4. Use VPC endpoints for AWS services
  5. Implement security groups with least privilege
  6. Enable VPC Flow Logs for troubleshooting and security
  7. Use Transit Gateway for multi-VPC architectures
  8. Plan CIDR ranges to avoid conflicts and allow growth

Anti-Patterns to Avoid

❌ Single subnet for all resources
❌ Overly permissive security groups (0.0.0.0/0)
❌ Database in public subnet
❌ Hardcoded IP addresses
❌ Not planning for growth (too small CIDR)


Example 1: Terraform - VPC with IPAM, Dual-Stack, Transit Gateway

This example creates:

  • VPC with IPAM-allocated CIDRs
  • Dual-stack IPv4/IPv6 subnets
  • Three-tier subnet architecture
  • Transit Gateway attachment for multi-VPC

📁 Location: terraform/examples/network-segmentation/

Key Features

```hcl
# IPAM integration for centralized IP management: the VPC draws its CIDR
# from the pool, so IPAM records the allocation itself (a separate
# aws_vpc_ipam_pool_cidr_allocation would only reserve space IPAM then
# sees as overlapping with the VPC)
resource "aws_vpc" "main" {
  ipv4_ipam_pool_id                = var.ipam_pool_id
  ipv4_netmask_length              = 16    # Or set cidr_block to request a specific CIDR
  enable_dns_hostnames             = true
  enable_dns_support               = true
  assign_generated_ipv6_cidr_block = true  # Enable IPv6 (Amazon-provided /56)
}

# Private subnets with IPv6, one per AZ; count.index drives both CIDR carvings
resource "aws_subnet" "private" {
  count = length(var.availability_zones)

  vpc_id                          = aws_vpc.main.id
  availability_zone               = var.availability_zones[count.index]
  cidr_block                      = cidrsubnet(aws_vpc.main.cidr_block, 4, count.index)       # /16 -> /20
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, count.index)  # /56 -> /64
  assign_ipv6_address_on_creation = true
}
```

Example 2: CDK - Multi-Account Network with IPv6 and Endpoints

This example creates:

  • VPC with automatic IPv6 CIDR
  • Public/Private/Isolated subnets per AZ
  • VPC endpoints for AWS services
  • Security group patterns for micro-segmentation

📁 Location: cdk/examples/network-segmentation/

Key Features

```typescript
import * as ec2 from 'aws-cdk-lib/aws-ec2';

// Dual-stack VPC with 3 tiers (one subnet of each tier per AZ)
const vpc = new ec2.Vpc(this, 'Vpc', {
  ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
  enableDnsHostnames: true,
  enableDnsSupport: true,
  subnetConfiguration: [
    { name: 'Public', subnetType: ec2.SubnetType.PUBLIC, cidrMask: 24 },
    { name: 'Private', subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, cidrMask: 24 },
    { name: 'Isolated', subnetType: ec2.SubnetType.PRIVATE_ISOLATED, cidrMask: 24 },
  ],
});

// Add an Amazon-provided IPv6 CIDR. This is its own AWS::EC2::VPCCidrBlock
// resource, not a property of AWS::EC2::VPC, so a property override on the
// CfnVPC would not be valid CloudFormation.
new ec2.CfnVPCCidrBlock(this, 'Ipv6Cidr', {
  vpcId: vpc.vpcId,
  amazonProvidedIpv6CidrBlock: true,
});

// VPC Endpoints for AWS services (keep this traffic off the NAT gateway)
vpc.addGatewayEndpoint('S3Endpoint', { service: ec2.GatewayVpcEndpointAwsService.S3 });
vpc.addInterfaceEndpoint('SecretsManager', { service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER });
```

IPAM Best Practices

Pool Hierarchy

```mermaid
graph TB
    Root[Root Pool: 10.0.0.0/8]
    Region1[us-east-1: 10.0.0.0/12]
    Region2[us-west-2: 10.16.0.0/12]
    Prod[Production: 10.0.0.0/14]
    Dev[Development: 10.4.0.0/14]

    Root --> Region1
    Root --> Region2
    Region1 --> Prod
    Region1 --> Dev
```

Recommended CIDR Planning

| Environment | CIDR Range  | Notes                |
|-------------|-------------|----------------------|
| Production  | /16 per VPC | Room for growth      |
| Staging     | /18 per VPC | Smaller but flexible |
| Development | /20 per VPC | Cost-effective       |
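As an added example (not part of this skill's own code), the following Python script applies the CIDR plan above to a new production VPC: it re-implements Terraform's cidrsubnet() so the tier carving matches Example 1, checks the candidate VPC CIDR against the production IPAM pool and the VPCs already allocated from it, and derives the dual-stack subnets per AZ. The pool and VPC values are constructed from the hierarchy diagram; the IPv6 /56 is a documentation-range stand-in for the Amazon-provided block.

```python
import ipaddress
from typing import Dict, List


def cidrsubnet(prefix: str, newbits: int, netnum: int):
    """Same semantics as Terraform's cidrsubnet(): extend the prefix length by
    newbits and return the netnum-th child block. Works for IPv4 and IPv6."""
    net = ipaddress.ip_network(prefix)
    new_prefix = net.prefixlen + newbits
    if new_prefix > net.max_prefixlen or netnum >= 2 ** newbits:
        raise ValueError(f"cannot take child {netnum} with {newbits} new bits from {prefix}")
    base = int(net.network_address) + netnum * 2 ** (net.max_prefixlen - new_prefix)
    return ipaddress.ip_network((base, new_prefix))

def plan_vpc(vpc_v4: str, vpc_v6: str, azs: List[str]) -> Dict[str, List[dict]]:
    """Carve public/private/isolated tiers with one dual-stack subnet per AZ:
    /16 -> /20 (newbits 4) and /56 -> /64 (newbits 8), numbered like count.index."""
    plan: Dict[str, List[dict]] = {}
    for t_idx, tier in enumerate(("public", "private", "isolated")):
        plan[tier] = []
        for a_idx, az in enumerate(azs):
            netnum = t_idx * len(azs) + a_idx
            plan[tier].append({"az": az,
                               "ipv4": str(cidrsubnet(vpc_v4, 4, netnum)),
                               "ipv6": str(cidrsubnet(vpc_v6, 8, netnum))})
    return plan

def overlapping(candidate: str, existing: List[str]) -> List[str]:
    """Existing CIDRs that collide with a candidate VPC CIDR (checklist item)."""
    new = ipaddress.ip_network(candidate)
    return [c for c in existing if ipaddress.ip_network(c).overlaps(new)]

def fits_pool(cidr: str, pool: str) -> bool:
    """True when the CIDR lies inside the IPAM pool it is supposed to come from."""
    return ipaddress.ip_network(cidr).subnet_of(ipaddress.ip_network(pool))

# Constructed inputs: the production pool from the hierarchy above, two VPCs
# already allocated from it, and a candidate third VPC. The IPv6 block is a
# documentation-range stand-in for the Amazon-provided /56.
PROD_POOL = "10.0.0.0/14"
EXISTING_VPCS = ["10.0.0.0/16", "10.1.0.0/16"]
NEW_VPC_V4, NEW_VPC_V6 = "10.2.0.0/16", "2001:db8:abcd:100::/56"
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]

if __name__ == "__main__":
    assert fits_pool(NEW_VPC_V4, PROD_POOL) and not overlapping(NEW_VPC_V4, EXISTING_VPCS)
    for tier, subnets in plan_vpc(NEW_VPC_V4, NEW_VPC_V6, AZS).items():
        for s in subnets:
            print(f"{tier:9} {s['az']}  {s['ipv4']:15} {s['ipv6']}")
```

Nine of the sixteen /20 blocks are used, which leaves the growth headroom the best practices call for; a /17 candidate inside an existing /16 is reported as a collision.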

IPv6 Considerations

When to Enable IPv6

✅ New greenfield deployments
✅ Public-facing workloads
✅ IoT/edge computing
✅ Kubernetes with IPv6

IPv6-Only Subnets (Cost Savings)

```hcl
# IPv6-only subnet - no NAT gateway costs for IPv6-to-IPv6 traffic
resource "aws_subnet" "ipv6_only" {
  vpc_id                                         = aws_vpc.main.id
  ipv6_cidr_block                                = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 100)
  assign_ipv6_address_on_creation                = true
  enable_dns64                                   = true  # Only useful with a NAT gateway doing NAT64 for IPv4-only destinations
  enable_resource_name_dns_aaaa_record_on_launch = true
  ipv6_native                                    = true  # IPv6-only
}
```

Validation Checklist

  • VPC has at least 3 subnet tiers
  • Databases in isolated subnets only
  • VPC Flow Logs enabled
  • Security groups follow least privilege
  • VPC endpoints for frequently used AWS services
  • IPv6 enabled for future compatibility
  • CIDR ranges don't overlap with other VPCs
  • NAT Gateway in each AZ for HA
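Added example, not code from this skill: a Python check for three of the checklist items, run over constructed data in the shape of describe-route-tables, describe-subnets and describe-security-groups output. It derives each subnet's tier from its route table's default route (the same rule as the three-tier table), confirms the database subnet group uses isolated subnets only, and flags security group rules open to the world. In a dual-stack VPC, ::/0 is the IPv6 twin of the 0.0.0.0/0 anti-pattern, so both are treated alike.

```python
from typing import Dict, List

WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" for IPv4 and IPv6

# Constructed sample: one route table per tier, four subnets, a DB subnet
# group and some ingress rules. subnet-db-b and two of the rules are wrong
# on purpose so the checks have something to report.
ROUTE_TABLES: Dict[str, List[dict]] = {
    "rtb-public": [{"dst": "0.0.0.0/0", "target": "igw-0aaa"}, {"dst": "::/0", "target": "igw-0aaa"}],
    "rtb-private": [{"dst": "0.0.0.0/0", "target": "nat-0bbb"}, {"dst": "::/0", "target": "eigw-0ccc"}],
    "rtb-isolated": [{"dst": "10.2.0.0/16", "target": "local"}],
}
SUBNET_RTB = {"subnet-web": "rtb-public", "subnet-app": "rtb-private",
              "subnet-db-a": "rtb-isolated", "subnet-db-b": "rtb-private"}
DB_SUBNET_GROUP = ["subnet-db-a", "subnet-db-b"]
SG_RULES = [
    {"sg": "sg-alb", "port": 443, "src": "0.0.0.0/0"},   # expected on the public tier
    {"sg": "sg-db", "port": 5432, "src": "sg-app"},      # least privilege: app tier only
    {"sg": "sg-db", "port": 5432, "src": "0.0.0.0/0"},   # anti-pattern
    {"sg": "sg-bastion", "port": 22, "src": "::/0"},     # same anti-pattern over IPv6
]

def tier_of(routes: List[dict]) -> str:
    """Classify a route table by its default route: IGW = public, any other
    default target (NAT, egress-only IGW, TGW) = private, none = isolated."""
    tier = "isolated"
    for r in routes:
        if r["dst"] not in WORLD:
            continue
        if r["target"].startswith("igw-"):
            return "public"
        tier = "private"
    return tier

def db_subnet_findings(db_subnets: List[str], subnet_rtb: Dict[str, str],
                       route_tables: Dict[str, List[dict]]) -> List[str]:
    """Databases belong in isolated subnets only."""
    return [f"{s} is {t}, expected isolated" for s in db_subnets
            if (t := tier_of(route_tables[subnet_rtb[s]])) != "isolated"]

def open_sg_findings(rules: List[dict], public_sgs: set,
                     public_ports: frozenset = frozenset({80, 443})) -> List[str]:
    """World-open ingress is acceptable only on public-tier groups (load
    balancers) and only on their published ports; everything else is flagged."""
    return [f"{r['sg']} allows {r['src']} on port {r['port']}" for r in rules
            if r["src"] in WORLD and not (r["sg"] in public_sgs and r["port"] in public_ports)]

if __name__ == "__main__":
    findings = db_subnet_findings(DB_SUBNET_GROUP, SUBNET_RTB, ROUTE_TABLES)
    findings += open_sg_findings(SG_RULES, {"sg-alb"})
    for finding in findings:
        print("FAIL:", finding)
```

The public-tier allow-list is deliberately explicit: an ALB listening on 443 from anywhere is the design, the same rule on a database or bastion group is the anti-pattern.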

Related Skills