Network Segmentation Policy
Guidelines for network segmentation across cloud, office, and remote access infrastructure.
| Field | Value |
|---|---|
| Document ID | POL-016 |
| Classification | Internal |
| Owner | CTO (interim CISO) |
| Effective Date | April 2026 |
| Review Cycle | Annual |
How we segment our networks to prevent unauthorized access, limit lateral movement, and protect sensitive systems.
Scope
This policy covers all network environments:
- GCP cloud infrastructure (Kubernetes, Cloud SQL, VMs)
- AWS cloud infrastructure (CloudFront, insurance services)
- Cloudflare-managed services (DNS, proxy, WAF)
- Corporate office network and Wi-Fi
- VPN and remote access (Pritunl)
- Development, staging, and production environments
Cloud Segmentation
Environment Isolation
Production, staging, and development environments are separated:
| Environment | Network | Access |
|---|---|---|
| Production | Isolated VPC/network | Restricted: DevOps and authorized personnel via VPN |
| Staging | Separate network from prod | Dev team via VPN |
| Development | Separate network | Dev team via VPN |
- No direct connectivity between production and non-production environments
- Each environment has its own set of credentials and secrets
Service-Level Segmentation (GCP)
Internet → Cloudflare → GCP Load Balancer → API Gateway → Backend Services → Databases
- Public-facing layer: Only the load balancer accepts external traffic (via Cloudflare)
- API Gateway layer: Services route through either Kong (external API gateway) or StarkNet (internal gateway) depending on the service; both enforce authentication and rate limiting
- Application layer: Backend services run in GKE (Kubernetes) with internal networking
- Data layer: Cloud SQL and Redis are in private subnets with no public IPs, accessible only from the application layer
- Service-to-service: Communication restricted using Kubernetes network policies and Istio service mesh
Insurance Infrastructure (AWS)
Internet → Cloudflare → AWS CloudFront (WAF) → Backend Services → Databases
- CloudFront WAF enforces bot control and geo-blocking before traffic reaches the backend
- Origin servers accept traffic only from CloudFront; no direct internet access
- Databases in private subnets with no public endpoints
Cloudflare Layer
- All public traffic passes through Cloudflare (proxy mode)
- Origin server IPs are not exposed; traffic is accepted only from Cloudflare IP ranges
- WAF rules and DDoS protection applied at the edge
- Admin panels and internal endpoints are not exposed through Cloudflare; they are accessed only via VPN
Office Network Segmentation
Office Wi-Fi is MAC-address restricted: only devices with IPs/MACs pre-configured by the admin team can connect. No open or guest access.
Remote Access
- All remote access to internal systems goes through Pritunl VPN
- VPN authenticates via Google OAuth; there are no separate VPN credentials
- Direct access to servers from the public internet is not allowed
- Internal tools (Grafana, Kubernetes dashboard, Airflow, etc.) are accessible only through VPN
Access Control Rules
- Deny by default: all traffic between segments is blocked unless explicitly allowed
- Only required ports and services are opened
- Production databases accept connections only from application services; no direct developer access
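As an added illustration (not the organization's own manifests), the three rules above expressed as Kubernetes NetworkPolicy objects for a GKE production namespace: a default-deny for all pods, an explicit DNS egress allowance (default-deny egress also blocks name resolution, which is the usual first breakage), and a single egress rule letting only application pods reach the database on its one required port. Assumed names: namespace "prod", application pods labelled tier=app, and the placeholder CIDR 10.20.0.0/24 standing in for the Cloud SQL private subnet.

```yaml
# Added example, not the organization's own manifests: NetworkPolicies
# implementing deny-by-default plus explicit database access in GKE.
# Assumed names: namespace "prod", app pods labelled tier=app,
# Cloud SQL private subnet 10.20.0.0/24 (placeholder CIDR).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: prod
spec:
  podSelector: {}                  # empty selector: applies to every pod
  policyTypes: [Ingress, Egress]   # no rules listed, so all traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: prod
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - { protocol: UDP, port: 53 }
        - { protocol: TCP, port: 53 }
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-to-cloudsql
  namespace: prod
spec:
  podSelector:
    matchLabels:
      tier: app                    # only application pods may reach the DB
  policyTypes: [Egress]
  egress:
    - to:
        - ipBlock:
            cidr: 10.20.0.0/24     # placeholder: Cloud SQL private range
      ports:
        - protocol: TCP
          port: 5432               # only the required port is opened
```

NetworkPolicies are additive, so the allow rules widen the default-deny only for the pods and ports they name; a developer pod without the tier=app label still cannot reach the database subnet.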
Monitoring
- Network traffic between segments is logged where feasible
- Network and security group rules are reviewed periodically
- Unauthorized access attempts are monitored and investigated
- VPN connection logs are maintained in Pritunl
Responsibilities
| Role | Responsibility |
|---|---|
| DevOps Team | Implement and maintain segmentation in GCP, AWS, and Cloudflare |
| IT Team | Maintain office network and Wi-Fi segmentation |
| DevOps/CTO | Review and approve network rule changes, periodic access reviews |