Network & Resource Isolation
The network is a security control, not just plumbing. What can reach what, and from where, decides how far an attacker gets after the first break-in. Default to private. Nothing is reachable unless there is a reason, data stores never face the public internet, and a breach in one segment does not open the whole estate.
Network isolation applies defence-in-depth at the connectivity layer. Even with perfect authentication, a database, cache, or admin surface open to the public internet is a target. Attackers scan it within minutes of it going live. Keep backends private, segment environments and tiers, and allow only the specific flows that are needed. Then a compromised component cannot move freely to the rest.
In the Finperiti audit, the wide-open CORS and public exposure were network-boundary failures. The front door was left open. Combine private endpoints, network segmentation, and tight ingress and egress rules. The platform then stops being a flat network where one foothold reaches everything, and becomes a set of contained segments.
Keep backends private
- Always: Put data stores and internal services on a private network (VNet), reachable only through private endpoints. Never use a public IP or a firewall exception.
- Do: Default-deny network access and open only the specific inbound and outbound flows each component needs, by source and port.
- Do: Terminate TLS at the edge, enforce HTTPS end to end, and place a WAF or gateway in front of public entry points.
- Do: Restrict CORS to an explicit allow-list of known origins. This applies the same default-deny principle at the network level (see Secure Defaults).
- Consider: Private DNS and service endpoints, so that even traffic between Azure services avoids the public internet.
- Never: Expose a database, cache, storage account, or admin/management surface to the public internet.
Azure SQL: public network access = Enabled, firewall 0.0.0.0-255.255.255.255
API CORS: AllowAnyOrigin()
The database is reachable from anywhere on the internet, and any website can call the API. These two open doors turn any leaked credential or browser exploit into direct access.
Azure SQL: public network access = Disabled, private endpoint in app VNet
API CORS: WithOrigins("https://app.finperiti.com")
The database is only reachable from the application's private network, and only our own front end can call the API. The attack surface shrinks to the intended paths.
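A small checker for the two exposure problems in the pair above, written here as an added example; it is not code from the original page or from the Finperiti audit. It assumes a simplified model of the settings (a data store with an Azure SQL-style public-access flag, firewall rules and private endpoint, and an API CORS policy with an allow-any flag and an origin list), and the threshold for a "broad" firewall range is an assumption. The two sample configs are constructed to mirror the before/after pair; the server name is made up.

```python
"""Flag network-exposure problems in data-store and CORS settings.

Added example, not code from the original page. DataStoreConfig, CorsConfig
and FirewallRule are an assumed simplification of Azure SQL's public-network
and firewall settings and of an ASP.NET Core CORS policy.
"""
from dataclasses import dataclass, field
from typing import List
import ipaddress

ENTIRE_IPV4 = 2 ** 32
# Assumed threshold: a single rule allowing more than a /24 counts as "broad".
BROAD_RULE_ADDRESSES = 256


@dataclass
class FirewallRule:
    start: str  # first IPv4 address in the allowed range
    end: str    # last IPv4 address in the allowed range

    def size(self) -> int:
        """Number of addresses the rule admits."""
        return int(ipaddress.ip_address(self.end)) - int(ipaddress.ip_address(self.start)) + 1


@dataclass
class DataStoreConfig:
    name: str
    public_network_access: bool
    private_endpoint: bool
    firewall_rules: List[FirewallRule] = field(default_factory=list)


@dataclass
class CorsConfig:
    allow_any_origin: bool = False
    origins: List[str] = field(default_factory=list)


def audit_data_store(cfg: DataStoreConfig) -> List[str]:
    """Return one finding per way the data store is reachable beyond the app VNet."""
    findings = []
    if cfg.public_network_access:
        findings.append(f"{cfg.name}: public network access is enabled")
    if not cfg.private_endpoint:
        findings.append(f"{cfg.name}: no private endpoint, so the app path is not private")
    for rule in cfg.firewall_rules:
        if rule.start == "0.0.0.0" and rule.end == "0.0.0.0":
            # Azure SQL convention: the 0.0.0.0-0.0.0.0 rule means "allow all Azure services",
            # which includes other tenants' resources, not just ours.
            findings.append(f"{cfg.name}: firewall allows any Azure-hosted client")
        elif rule.size() >= ENTIRE_IPV4:
            findings.append(f"{cfg.name}: firewall rule {rule.start}-{rule.end} allows the entire internet")
        elif rule.size() > BROAD_RULE_ADDRESSES:
            findings.append(f"{cfg.name}: firewall rule {rule.start}-{rule.end} allows {rule.size()} addresses")
    return findings


def audit_cors(cfg: CorsConfig) -> List[str]:
    """Return one finding per origin rule that is wider than an explicit HTTPS allow-list."""
    findings = []
    if cfg.allow_any_origin:
        findings.append("CORS: AllowAnyOrigin() lets any website call the API")
    for origin in cfg.origins:
        if origin in ("*", "null"):
            # "null" is the origin sent by sandboxed frames and some file:// pages.
            findings.append(f"CORS: origin {origin!r} is effectively a wildcard")
        elif "*" in origin:
            findings.append(f"CORS: origin {origin} uses a wildcard pattern")
        elif not origin.startswith("https://"):
            findings.append(f"CORS: origin {origin} is not HTTPS")
    return findings


# Constructed sample configs mirroring the before/after pair in the text.
BEFORE_DB = DataStoreConfig("finperiti-sql", public_network_access=True, private_endpoint=False,
                            firewall_rules=[FirewallRule("0.0.0.0", "255.255.255.255")])
BEFORE_CORS = CorsConfig(allow_any_origin=True)
AFTER_DB = DataStoreConfig("finperiti-sql", public_network_access=False, private_endpoint=True)
AFTER_CORS = CorsConfig(origins=["https://app.finperiti.com"])


def audit_all(db: DataStoreConfig, cors: CorsConfig) -> List[str]:
    return audit_data_store(db) + audit_cors(cors)


if __name__ == "__main__":
    for label, db, cors in (("before", BEFORE_DB, BEFORE_CORS), ("after", AFTER_DB, AFTER_CORS)):
        print(f"{label}: {audit_all(db, cors) or ['no findings']}")
```

The checks are deliberately structural: they look at what the settings permit, not at whether authentication is also in place, because the point of this section is that a reachable backend is a target regardless of its credentials.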
Segment to contain blast radius
- Do: Isolate environments completely. Use separate networks or subscriptions for dev, test, and prod, with no connectivity between them.
- Do: Segment by tier and sensitivity (web, app, data) so a compromise in one segment cannot freely reach the others.
- Do: Control and inspect egress. Restrict outbound traffic to known destinations, so data theft and call-home traffic are limited.
- Consider: Per-tenant or per-workload isolation for the most sensitive data, to limit how far any single compromise spreads.
- Do not: Run a flat network where every component can reach every other. Lateral movement is how a foothold becomes a breach.
- Never: Connect a non-production environment to production data or networks, or copy production data across that boundary.
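To make the blast-radius question concrete, the following added example (not the page's own code) models a default-deny network as an allow-list of flows and computes what a compromised component can reach: first directly, then by chaining through components it is allowed to talk to. It also flags any flow that crosses the environment boundary. Component names, segments and flows are constructed sample data, and the dev-/prod- naming prefix used to derive an environment is an assumption of the example.

```python
"""Estimate lateral-movement reach under a flat network versus a segmented one.

Added example, not code from the original page. A network is modelled as an
allow-list of (source, destination) flows: anything not listed is denied.
"""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str]

# Constructed sample estate: two environments, each with web/app/data tiers.
COMPONENTS = ["prod-web", "prod-app", "prod-db", "prod-cache",
              "dev-web", "dev-app", "dev-db"]

# Segmented allow-list: web may talk to app, app may talk to the data tier,
# and nothing crosses the dev/prod boundary.
SEGMENTED_FLOWS: List[Flow] = [
    ("prod-web", "prod-app"),
    ("prod-app", "prod-db"),
    ("prod-app", "prod-cache"),
    ("dev-web", "dev-app"),
    ("dev-app", "dev-db"),
]


def flat_network(components: Iterable[str]) -> List[Flow]:
    """The 'every component can reach every other' case the text warns against."""
    comps = list(components)
    return [(a, b) for a in comps for b in comps if a != b]


def _adjacency(flows: Iterable[Flow]) -> Dict[str, Set[str]]:
    adj: Dict[str, Set[str]] = {}
    for src, dst in flows:
        adj.setdefault(src, set()).add(dst)
    return adj


def direct_reach(start: str, flows: Iterable[Flow]) -> Set[str]:
    """Components an attacker holding `start` can connect to in one hop."""
    return set(_adjacency(flows).get(start, set()))


def reachable_from(start: str, flows: Iterable[Flow]) -> Set[str]:
    """Transitive closure: everything reachable by compromising each hop in turn.

    This is the worst case the self-review question asks about, assuming every
    component that can be reached can also be taken over.
    """
    adj = _adjacency(flows)
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def environment(component: str) -> str:
    """Assumed convention: the environment is the prefix before the first '-'."""
    return component.split("-", 1)[0]


def cross_environment_flows(flows: Iterable[Flow]) -> List[Flow]:
    """Flows that connect different environments, which the text says should never exist."""
    return [(s, d) for s, d in flows if environment(s) != environment(d)]


if __name__ == "__main__":
    flat = flat_network(COMPONENTS)
    for name, flows in (("flat", flat), ("segmented", SEGMENTED_FLOWS)):
        print(f"{name}: prod-web reaches {sorted(reachable_from('prod-web', flows))}")
        print(f"{name}: dev-web reaches {sorted(reachable_from('dev-web', flows))}")
    print("cross-environment flows:", cross_environment_flows(SEGMENTED_FLOWS))
```

Run against the sample data, the flat network lets a compromised prod-web host reach all six other components, including dev, while the segmented allow-list limits it to one direct hop (prod-app) and keeps a dev compromise inside dev. The same functions can be fed an exported rule set to answer the checklist question for a real estate.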
Self-review checklist
- Ask: Is anything here reachable from the public internet that doesn't strictly need to be?
- Ask: Are data stores on a private network behind private endpoints?
- Ask: If one component were compromised, how far across the network could an attacker move?
- Ask: Are environments and tiers actually isolated, with controlled egress?