Network Segmentation For Multi Tenant

IPAM (IP Address Manager)

AWS IPAM provides centralized IP address management across accounts and regions:

• Prevent IP conflicts in multi-account environments
• Automated CIDR allocation from pools
• Compliance tracking for IP usage

Dual-Stack IPv4/IPv6

Enable IPv6 for:

• Future-proofing as IPv4 addresses become scarce
• Performance - direct connectivity without NAT
• Cost reduction - no NAT gateway charges for IPv6

Best Practices

1. Use IPAM for enterprise/multi-account deployments
2. Enable IPv6 on new VPCs for future compatibility
3. Isolate databases - no direct internet access
4. Use VPC endpoints for AWS services
5. Implement security groups with least privilege
6. Enable VPC Flow Logs for troubleshooting and security
7. Use Transit Gateway for multi-VPC architectures
8. Plan CIDR ranges to avoid conflicts and allow growth

Anti-Patterns to Avoid

❌ Single subnet for all resources
❌ Overly permissive security groups (0.0.0.0/0)
❌ Database in public subnet
❌ Hardcoded IP addresses
❌ Not planning for growth (too small CIDR)

Example 1: Terraform - VPC with IPAM, Dual-Stack, Transit Gateway

This example creates:

• VPC with IPAM-allocated CIDRs
• Dual-stack IPv4/IPv6 subnets
• Three-tier subnet architecture
• Transit Gateway attachment for multi-VPC

📁 Location: terraform/examples/network-segmentation/

Key Features

# IPAM integration for centralized IP management
resource "aws_vpc_ipam_pool_cidr_allocation" "main" {
  ipam_pool_id = var.ipam_pool_id
  cidr         = var.vpc_cidr  # Or let IPAM auto-allocate
}

# Dual-stack VPC
resource "aws_vpc" "main" {
  cidr_block                       = var.vpc_cidr
  enable_dns_hostnames             = true
  enable_dns_support               = true
  assign_generated_ipv6_cidr_block = true  # Enable IPv6
}

# Private subnet with IPv6
resource "aws_subnet" "private" {
  vpc_id                          = aws_vpc.main.id
  cidr_block                      = cidrsubnet(var.vpc_cidr, 4, count.index)
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, count.index)
  assign_ipv6_address_on_creation = true
}

Example 2: CDK - Multi-Account Network with IPv6 and Endpoints

This example creates:

• VPC with automatic IPv6 CIDR
• Public/Private/Isolated subnets per AZ
• VPC endpoints for AWS services
• Security group patterns for micro-segmentation

📁 Location: cdk/examples/network-segmentation/

Key Features

// Dual-stack VPC with 3 tiers
const vpc = new ec2.Vpc(this, 'Vpc', {
  ipAddresses: ec2.IpAddresses.cidr('10.0.0.0/16'),
  enableDnsHostnames: true,
  enableDnsSupport: true,
  
  subnetConfiguration: [
    { name: 'Public', subnetType: ec2.SubnetType.PUBLIC, cidrMask: 24 },
    { name: 'Private', subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS, cidrMask: 24 },
    { name: 'Isolated', subnetType: ec2.SubnetType.PRIVATE_ISOLATED, cidrMask: 24 },
  ],
});

// Add IPv6 CIDR
const cfnVpc = vpc.node.defaultChild as ec2.CfnVPC;
cfnVpc.addPropertyOverride('AmazonProvidedIpv6CidrBlock', true);

// VPC Endpoints for AWS services (avoid NAT costs)
vpc.addGatewayEndpoint('S3Endpoint', { service: ec2.GatewayVpcEndpointAwsService.S3 });
vpc.addInterfaceEndpoint('SecretsManager', { service: ec2.InterfaceVpcEndpointAwsService.SECRETS_MANAGER });

IPAM Best Practices

Pool Hierarchy

graph TB
    Root[Root Pool: 10.0.0.0/8]
    Region1[us-east-1: 10.0.0.0/12]
    Region2[us-west-2: 10.16.0.0/12]
    Prod[Production: 10.0.0.0/14]
    Dev[Development: 10.4.0.0/14]
    
    Root --> Region1
    Root --> Region2
    Region1 --> Prod
    Region1 --> Dev

Recommended CIDR Planning

IPv6 Considerations

When to Enable IPv6

✅ New greenfield deployments
✅ Public-facing workloads
✅ IoT/edge computing
✅ Kubernetes with IPv6

IPv6-Only Subnets (Cost Savings)

# IPv6-only subnet - no NAT gateway costs
resource "aws_subnet" "ipv6_only" {
  vpc_id                                         = aws_vpc.main.id
  ipv6_cidr_block                                = cidrsubnet(aws_vpc.main.ipv6_cidr_block, 8, 100)
  assign_ipv6_address_on_creation                = true
  enable_dns64                                   = true
  enable_resource_name_dns_aaaa_record_on_launch = true
  ipv6_native                                    = true  # IPv6-only
}

Validation Checklist

• VPC has at least 3 subnet tiers
• Databases in isolated subnets only
• VPC Flow Logs enabled
• Security groups follow least privilege
• VPC endpoints for frequently used AWS services
• IPv6 enabled for future compatibility
• CIDR ranges don't overlap with other VPCs
• NAT Gateway in each AZ for HA

Related Skills

• Disaster Recovery - Multi-region networking
• Cost Governance - NAT Gateway cost optimization
• Modular IaC - Reusable VPC modules