5.4.3. Third-Party and Cloud Network Connectivity
💡 First Principle: Every external network connection — whether to a cloud provider, a business partner, or a managed service — extends the organization's trust boundary beyond its direct control. The security of these connections depends on contractual, architectural, and cryptographic controls that must compensate for the loss of physical control over the infrastructure.
Dedicated vs. Internet-Based Connectivity
| Connection Type | How It Works | Security Properties | Use Case |
|---|---|---|---|
| AWS Direct Connect / Azure ExpressRoute / GCP Interconnect | Private dedicated circuit between on-premises and cloud | No internet traversal; predictable latency; traffic isolation | Production workloads, regulated data, high-bandwidth transfers |
| Site-to-site VPN (IPsec) | Encrypted tunnel over public internet | Encrypted and authenticated; traverses shared infrastructure | Branch offices, lower-bandwidth connections, backup connectivity |
| SD-WAN | Software-defined overlay across multiple transport links | Application-aware routing; integrated security; multi-path | Distributed enterprises replacing MPLS with flexible connectivity |
| SASE (Secure Access Service Edge) | Cloud-delivered network + security convergence | Security policy follows users regardless of location | Remote-first organizations migrating from perimeter models |
Private peering (Direct Connect, ExpressRoute) provides traffic isolation from the public internet but does not provide encryption by default — the traffic is isolated on the provider's backbone, not encrypted. Organizations requiring confidentiality over private peering must add IPsec or MACsec encryption on top. This is a frequent architectural misunderstanding: "private" means dedicated bandwidth, not encrypted content.
Third-Party Network Risk
Business partner connections (B2B VPNs, API integrations, EDI links) create bidirectional risk: a compromise of the partner's network can propagate through the connection to your network, and vice versa. Controls include:
- Dedicated DMZ for partner connectivity — partner traffic terminates in a controlled zone, never directly on internal networks
- Firewall rules scoped to minimum necessary — permit only the specific protocols, ports, and destination hosts required by the business relationship
- Mutual authentication — both endpoints verify identity (mTLS, IPsec with certificate authentication) rather than relying on source IP alone
- Contractual security requirements — SLAs, right-to-audit clauses, breach notification obligations, and minimum security standards documented in the service agreement
- Monitoring and anomaly detection — baseline normal traffic patterns and alert on deviations (volume spikes, new protocols, off-hours activity)
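As an added illustration of the last control (example code written for this section, not from the guide), the following baselines a partner link's flow records and flags the three deviation types named above; the hosts, byte counts, spike factor and business-hours window are all constructed assumptions.

```python
# Added example (not from the study guide): baseline partner-link traffic and flag the
# three deviation types named above. All records, hosts and thresholds are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed flow records: (timestamp, src, dst, proto, dst_port, bytes)
BASELINE_WEEK = [
    ("2024-03-04T10:15:00", "203.0.113.10", "10.20.0.5", "tcp", 443, 120_000),
    ("2024-03-04T11:02:00", "203.0.113.10", "10.20.0.5", "tcp", 443, 98_000),
    ("2024-03-05T09:40:00", "203.0.113.11", "10.20.0.5", "tcp", 443, 110_000),
    ("2024-03-05T14:20:00", "203.0.113.10", "10.20.0.6", "tcp", 22, 4_000),
]
THIS_WEEK = [
    ("2024-03-11T10:05:00", "203.0.113.10", "10.20.0.5", "tcp", 443, 105_000),    # within baseline
    ("2024-03-11T10:30:00", "203.0.113.10", "10.20.0.5", "tcp", 443, 2_400_000),  # volume spike
    ("2024-03-11T13:00:00", "203.0.113.12", "10.20.0.9", "tcp", 445, 9_000),      # service never seen
    ("2024-03-12T02:10:00", "203.0.113.10", "10.20.0.5", "tcp", 443, 90_000),     # off-hours
]
BUSINESS_HOURS = range(8, 19)   # assumed 08:00-18:59, the window agreed with the partner

def build_baseline(records):
    """Largest byte count seen per (destination, protocol, port) during the learning period."""
    peak = defaultdict(int)
    for _, _, dst, proto, port, nbytes in records:
        key = (dst, proto, port)
        peak[key] = max(peak[key], nbytes)
    return dict(peak)

def detect(records, baseline, spike_factor=5.0):
    """Return (record, reason) pairs for flows that deviate from the baseline.

    A flow can raise more than one reason, e.g. a new service that is also off-hours."""
    alerts = []
    for rec in records:
        ts, _, dst, proto, port, nbytes = rec
        key = (dst, proto, port)
        if key not in baseline:
            alerts.append((rec, "new service"))          # host/protocol/port never baselined
        elif nbytes > spike_factor * baseline[key]:
            alerts.append((rec, "volume spike"))
        if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
            alerts.append((rec, "off-hours"))
    return alerts

def reasons(records=THIS_WEEK):
    """Convenience wrapper: just the reason labels, in record order."""
    return [reason for _, reason in detect(records, build_baseline(BASELINE_WEEK))]
```

In practice the baseline would be learned from VPC flow logs or firewall logs over a longer window and the thresholds tuned per partner.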
The SolarWinds attack demonstrated the extreme case: a trusted software vendor's update mechanism became the attack vector. Third-party network connections are the network-layer equivalent — every partner connection is a potential lateral movement path that bypasses your perimeter controls entirely.
Cloud Network Architecture Considerations
Cloud networking introduces abstractions that have no direct on-premises equivalent:
Virtual Private Cloud (VPC) — a logically isolated network segment within a cloud provider. VPCs provide network isolation between tenants and between an organization's own workloads. Security groups (stateful, instance-level) and network ACLs (NACLs; stateless, subnet-level) enforce traffic control within and between VPCs.
VPC Peering and Transit Gateway — connections between VPCs enable cross-account and cross-region communication. Peered VPCs share routing but not security group rules — traffic allowed by routing must still pass security group evaluation at the destination. Transit Gateway provides hub-and-spoke connectivity for organizations with many VPCs, centralizing routing and inspection.
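The stateful/stateless distinction above, and the point that traffic arriving over a peering route is still evaluated by the destination's security group, shown as an added example (a simplified model written for this section, not provider code); the addresses, rule numbers and ephemeral port are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A packet as seen at the instance: direction "in" = toward it, "out" = away from it.
Packet = namedtuple("Packet", "src dst proto dst_port direction")

def _match(cidr, proto, ports, pkt):
    """True when a rule covers the packet; the CIDR is checked against the remote address."""
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    return (ip_address(peer) in ip_network(cidr) and proto in (pkt.proto, "all")
            and ports[0] <= pkt.dst_port <= ports[1])

class SecurityGroup:
    """Stateful, allow-only: the reply to a permitted connection needs no rule of its own."""
    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)  # rules: (cidr, proto, (lo, hi))
        self._conns = set()   # simplified connection tracking keyed on (src, dst, proto)

    def allows(self, pkt):
        if (pkt.dst, pkt.src, pkt.proto) in self._conns:   # reverse of a tracked flow
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(_match(c, p, ports, pkt) for c, p, ports in rules):
            self._conns.add((pkt.src, pkt.dst, pkt.proto))
            return True
        return False

class NetworkAcl:
    """Stateless: numbered rules, first match wins, each direction evaluated on its own."""
    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)  # (number, cidr, proto, (lo, hi), action)

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for _, cidr, proto, ports, action in sorted(rules):
            if _match(cidr, proto, ports, pkt):
                return action == "allow"
        return False   # implicit deny at the end of every NACL

def https_exchange(filter_):
    """Constructed flow: a host in a peered VPC opens HTTPS to the instance, which replies."""
    request = Packet("10.1.0.7", "10.2.0.5", "tcp", 443, "in")
    reply = Packet("10.2.0.5", "10.1.0.7", "tcp", 49152, "out")   # reply lands on an ephemeral port
    return filter_.allows(request), filter_.allows(reply)

SG = SecurityGroup(inbound=[("10.1.0.0/16", "tcp", (443, 443))])          # reply allowed by state
NACL_NO_EPHEMERAL = NetworkAcl(inbound=[(100, "10.1.0.0/16", "tcp", (443, 443), "allow")])  # reply dropped
NACL_FIXED = NetworkAcl(inbound=[(100, "10.1.0.0/16", "tcp", (443, 443), "allow")],
                        outbound=[(100, "10.1.0.0/16", "tcp", (1024, 65535), "allow")])
```

The route over the peering connection gets the request to the subnet; whether the exchange completes still depends on the destination's security group and, for a NACL, on an explicit outbound rule for the ephemeral port range.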
Service endpoints and Private Link — allow access to cloud provider services (S3, Azure Storage, GCP APIs) without traffic traversing the public internet. This eliminates the need for NAT gateways or internet gateways for service access, reducing the attack surface and preventing data exfiltration paths through public endpoints.
⚠️ Exam Trap: Private cloud connectivity (Direct Connect, ExpressRoute) provides traffic isolation but NOT encryption. An organization that assumes "private connection = encrypted connection" has unencrypted traffic on the provider's backbone network. The exam tests whether you understand that isolation and encryption are independent security properties — you can have either without the other, and critical data requires both.
Reflection Question: An organization uses AWS Direct Connect for production workloads and a site-to-site VPN as backup. During a Direct Connect outage, traffic automatically fails over to the VPN. A security architect argues this failover introduces risk. Identify the specific security properties that change during failover and whether compensating controls are needed.