What Is Network Segmentation and Why Does It Matter?
Learn what network segmentation is, how VPCs and Kubernetes NetworkPolicy enforce it, and why it limits lateral movement after a breach.
Expected Interview Answer
Network segmentation is the practice of dividing a network into smaller, isolated zones with controlled traffic between them, so that a compromise in one zone cannot freely spread to reach every other system.
Instead of one flat network where any server can reach any other server, segmentation groups resources by trust level and function โ for example, a public-facing web tier, an internal application tier, and a restricted database tier โ and enforces explicit allow rules for traffic crossing between zones, denying everything else by default. In cloud and Kubernetes environments this is implemented through VPC subnets and security groups, or NetworkPolicy objects that restrict which pods can send traffic to which other pods based on labels, rather than relying on a single perimeter firewall. This limits lateral movement: if an attacker compromises a public web server, segmentation prevents them from directly reaching the database tier unless that specific narrow path was explicitly permitted. Segmentation also supports compliance requirements like PCI-DSS, which mandate that cardholder data environments be isolated from the general network, and it makes breach containment and forensic investigation far more tractable since traffic crossing zone boundaries is logged and limited.
- Limits lateral movement after a single system is compromised
- Shrinks the blast radius of any individual breach
- Supports compliance requirements for isolating sensitive data
- Makes traffic monitoring and forensic investigation more tractable
AI Mentor Explanation
Network segmentation is like a stadium separating the public stands, the players' dressing room, and the pitch curator's restricted storage into different zones, each requiring a different pass to enter. A ticket that lets someone into the public stands does not automatically let them into the dressing room or the curator's equipment shed. If a troublemaker gets into the public stands, that access alone does not grant them a path into the restricted areas, because each boundary is separately guarded. Segmenting the stadium this way means one breached zone does not automatically compromise the whole ground.
Step-by-Step Explanation
Step 1
Classify resources by trust and function
Group systems into tiers such as public-facing, internal application, and restricted data zones.
Step 2
Define zone boundaries
Use VPC subnets, security groups, or Kubernetes NetworkPolicy objects to separate zones.
Step 3
Enforce default-deny with explicit allows
Block all cross-zone traffic by default, then permit only the specific narrow paths that are required.
Step 4
Monitor boundary traffic
Log and alert on traffic crossing zone boundaries to detect lateral movement attempts early.
What Interviewer Expects
- Understanding of default-deny with explicit allow rules between zones
- Knowledge of implementation mechanisms: VPC subnets/security groups, Kubernetes NetworkPolicy
- Awareness that segmentation limits lateral movement, not initial compromise
- Connection to compliance requirements like isolating sensitive data environments
Common Mistakes
- Relying on a single perimeter firewall with a flat internal network
- Allowing unrestricted pod-to-pod traffic in a Kubernetes cluster by default
- Believing segmentation prevents the initial breach rather than limiting its spread
- Not logging or monitoring traffic that crosses segment boundaries
Best Answer (HR Friendly)
โNetwork segmentation means we do not let every system on our network talk to every other system freely. We split things into zones based on sensitivity โ public-facing, internal, and restricted โ so that if an attacker breaks into one zone, they still cannot freely reach our most sensitive systems, like the database holding customer data.โ
Code Example
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: db-restrict
namespace: production
spec:
podSelector:
matchLabels:
tier: database
policyTypes:
- Ingress
ingress:
- from:
- podSelector:
matchLabels:
tier: application
ports:
- protocol: TCP
port: 5432Follow-up Questions
- How does Kubernetes NetworkPolicy differ from a traditional VPC security group?
- What is micro-segmentation and how does it differ from perimeter segmentation?
- How would you validate that a NetworkPolicy is actually enforced?
- What compliance standards explicitly require network segmentation?
MCQ Practice
1. What is the primary goal of network segmentation?
Segmentation isolates systems into zones with controlled traffic so a compromise in one zone cannot freely spread to others.
2. In Kubernetes, what object restricts which pods can communicate with each other?
NetworkPolicy objects define allowed ingress/egress traffic between pods based on label selectors.
3. What default posture should segmented zones enforce for cross-zone traffic?
Proper segmentation uses default-deny with narrowly scoped explicit allow rules between zones.
Flash Cards
What is network segmentation? โ Dividing a network into isolated zones with controlled traffic between them.
What Kubernetes object enforces pod-level segmentation? โ NetworkPolicy, based on pod label selectors.
What default rule should zone boundaries use? โ Default-deny, with explicit narrow allow rules for required paths.
What does segmentation limit after a breach? โ Lateral movement โ the attacker's ability to reach other zones.