5X Network Configuration Standards

1. Introduction

1.1 Purpose and Scope

The 5X System and Network Configuration Standards document establishes the foundational requirements and specifications for our cloud-native infrastructure. Operating within the AWS ecosystem, these standards govern the configuration, security, and maintenance of all system components and network architecture. This document serves as the authoritative source for all infrastructure configurations, ensuring consistency, security, and operational excellence across our entire technology stack.
These standards encompass our entire AWS infrastructure, including compute resources, networking components, security configurations, and monitoring systems. They apply to all aspects of our cloud operations, from the underlying network architecture to the application delivery layer, with particular emphasis on maintaining the security and integrity of our customer data processing capabilities.

1.2 Regulatory Compliance Context

Our configuration standards are designed and implemented with compliance at their core, specifically aligning with SOC 2 Type II requirements. Each standard detailed in this document has been carefully crafted to meet or exceed industry best practices while ensuring full compliance with relevant regulatory frameworks. Through careful implementation of these standards, we maintain a robust security posture that protects both our infrastructure and our customers' data.

2. Network Architecture and Configuration

2.1 Virtual Private Cloud (VPC) Organization

2.1.1 VPC Design Philosophy and Implementation

Our network architecture implements a clear separation of concerns through a dual-VPC structure, each serving a distinct purpose in our infrastructure. This design philosophy reflects our commitment to security through separation, enabling us to maintain strict controls over data access while ensuring efficient application operation.
The foundation of our network architecture rests on two primary Virtual Private Clouds. The first VPC, designated as our Application VPC, serves as the primary environment for all application workloads. Within this VPC, we host our entire application tier. This VPC contains all customer-facing services, handling the dynamic aspects of our platform's operation while implementing comprehensive security controls and maintaining high availability across multiple AWS availability zones.
Our second VPC, the Data Storage VPC, operates as a dedicated environment for all data storage systems. This VPC implements an additional layer of security and isolation for our most sensitive assets: our databases and data warehouses. The separation of data storage into its own VPC allows us to implement stringent access controls and security measures specifically tailored to data protection requirements. This VPC maintains encrypted connections with the Application VPC, ensuring secure data access while maintaining strict isolation of our storage systems.

2.1.2 Network Segmentation Implementation

Within each VPC, we implement a sophisticated network segmentation strategy that provides multiple layers of security and access control. This segmentation begins at the subnet level, where we carefully partition our network space to ensure proper isolation and access control between different components of our infrastructure.
The Application VPC contains multiple subnets spread across availability zones, each serving specific purposes within our application architecture. Public subnets host our load balancers and bastion hosts, acting as a secure gateway for both user traffic and administrative access. Private subnets contain our application servers and supporting services, protected from direct internet access while maintaining the ability to communicate with necessary external services through carefully controlled NAT gateways.
In our Data Storage VPC, we implement an even more stringent segmentation strategy. All data storage resources reside in private subnets with no direct internet connectivity. Access to these resources is strictly controlled through VPC peering connections and security groups, ensuring that only authorized application components can interact with our data storage systems. This segmentation extends across availability zones, ensuring both high availability and consistent security controls regardless of where data resides.

2.2 CIDR Block Management Strategy

2.2.1 IP Address Allocation Framework

Our IP address allocation strategy implements a carefully planned addressing scheme that ensures scalability while maintaining clear boundaries between different network segments. This framework begins with the allocation of distinct CIDR blocks to each VPC, providing ample address space for current needs while reserving capacity for future growth.
Within each VPC, we implement a hierarchical subnet structure that allocates address spaces according to specific operational requirements. Our subnet allocation strategy ensures that each component has sufficient IP addresses while maintaining clear boundaries between different functional areas. This careful planning enables us to implement effective routing policies and security controls while avoiding address space conflicts.

2.2.2 Subnet Organization and Management

The subnet organization within each VPC follows a consistent pattern that supports our security and operational requirements. In the Application VPC, we maintain separate subnet tiers for different application components, ensuring proper isolation while enabling necessary communication paths. Public subnets utilize smaller CIDR blocks, reflecting their limited scope, while private subnets receive larger address spaces to accommodate application scaling requirements.
Our Data Storage VPC implements a subnet organization focused on security and isolation. All subnets in this VPC are private, with address spaces allocated based on the specific requirements of different storage systems. This organization enables us to maintain strict access controls while ensuring sufficient address space for data system scaling and replication requirements.

2.3 Security Group Architecture and Implementation

2.3.1 Security Group Design Philosophy

Our security group implementation follows a defense-in-depth approach, creating multiple layers of access control that protect our infrastructure components. This model implements the principle of least privilege at the network level, ensuring that each component can only communicate with specifically authorized endpoints through explicitly defined channels.
Within our Application VPC, security groups are structured in a hierarchical manner that reflects the layered nature of our application architecture. At the outermost layer, security groups controlling public-facing resources implement strict ingress rules that permit only essential protocols and ports. These groups primarily govern our load balancers and bastion hosts, allowing only HTTP/HTTPS traffic for application access and strictly controlled SSH access for administrative purposes.
The application tier security groups implement more nuanced rules that govern communication between different application components. These groups control both ingress and egress traffic, ensuring that application components can only communicate through designated paths and protocols. This granular control extends to inter-service communication, API access, and database connectivity, with each connection explicitly defined and documented.
In our Data Storage VPC, security groups implement our most stringent access controls. These groups permit only essential database protocols from authorized application components, using specific CIDR ranges and security group references to maintain precise control over data access. This configuration ensures that our data storage systems remain inaccessible to unauthorized systems while maintaining efficient access for legitimate application needs.

2.3.2 Rule Management and Maintenance

The management of security group rules follows a rigorous change control process that ensures both security and operational reliability. Each rule change undergoes careful review to validate its necessity and security implications. Our rule structure implements clear naming conventions and tagging strategies that maintain visibility and traceability across our security group hierarchy.
Within each security group, rules are organized to maximize clarity and maintainability. Ingress rules are grouped by function and ordered by specificity, ensuring that access controls remain clear and auditable. Egress rules implement similar organization, with careful attention paid to maintaining necessary application connectivity while preventing unauthorized data exfiltration.
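The tier rules in 2.3.1 can be checked mechanically against exported security-group definitions. The following is an added example, not code from the 5X standard: it reads groups in the shape of an EC2 DescribeSecurityGroups response, takes the tier from a `Tier` tag, and treats the database ports and all group IDs and CIDRs as constructed assumptions.

```python
"""Audit exported security-group ingress rules against the 2.3.1 standard.

Added example, not part of the 5X standard. Input mirrors the shape of an
EC2 DescribeSecurityGroups response; groups, IDs and CIDRs are constructed.
"""
from __future__ import annotations

ANY_IPV4 = "0.0.0.0/0"
WEB_PORTS = {80, 443}
DB_PORTS = {5432, 3306}   # assumed engine ports; adjust to the deployed databases


def tier_of(group: dict) -> str:
    """Read the tier from the group's tags (the standard relies on tagging)."""
    return next((t["Value"] for t in group.get("Tags", []) if t["Key"] == "Tier"), "unknown")


def check_group(group: dict) -> list[str]:
    """Return one finding per ingress rule that violates the standard."""
    findings = []
    tier = tier_of(group)
    for perm in group["IpPermissions"]:
        # IpProtocol "-1" rules carry no ports: treat them as the full range.
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        ports = set(range(lo, hi + 1))
        cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
        label = f"{group['GroupId']} {lo}-{hi}"
        if tier == "public":
            if not ports <= WEB_PORTS | {22}:
                findings.append(f"{label}: only HTTP/HTTPS and SSH are allowed on the public tier")
            if 22 in ports and ANY_IPV4 in cidrs:
                findings.append(f"{label}: SSH must not be open to the internet")
        elif tier == "data":
            if not ports <= DB_PORTS:
                findings.append(f"{label}: non-database port on the data tier")
            if ANY_IPV4 in cidrs:
                findings.append(f"{label}: data tier must not be reachable from the internet")
    return findings


def audit(groups: list[dict]) -> dict[str, list[str]]:
    """Map each group ID to its list of findings (empty list means compliant)."""
    return {g["GroupId"]: check_group(g) for g in groups}


# Constructed sample: a load-balancer group with an over-broad SSH rule and a
# database group that mistakenly admits an application port from sg-app.
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb", "Tags": [{"Key": "Tier", "Value": "public"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": ANY_IPV4}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ANY_IPV4}]},
    ]},
    {"GroupId": "sg-db", "Tags": [{"Key": "Tier", "Value": "data"}], "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ]},
]

if __name__ == "__main__":
    for gid, issues in audit(SAMPLE_GROUPS).items():
        print(gid, "OK" if not issues else issues)
```

Running it against real exports is a matter of feeding the `SecurityGroups` list from `aws ec2 describe-security-groups` into `audit`.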

2.4 Network Access Control List Implementation

2.4.1 NACL Strategy and Design

Network Access Control Lists provide an additional layer of network security in our infrastructure, operating at the subnet level to complement our security group controls. Our NACL implementation follows a structured approach that provides consistent protection across our network while maintaining the flexibility needed for operational requirements.
In the Application VPC, NACLs implement stateless filtering that provides broad protection against unauthorized network access. These rules operate in conjunction with security groups to create defense in depth, with each layer providing distinct security benefits. Public subnet NACLs implement strict ingress filtering that blocks common attack vectors while permitting legitimate application traffic. Private subnet NACLs provide additional protection, restricting traffic to known operational patterns and blocking potentially malicious traffic.
The Data Storage VPC implements even more restrictive NACL rules, reflecting the sensitive nature of these resources. These NACLs permit only essential database protocols and management traffic, creating an additional barrier against unauthorized access attempts. This configuration ensures that our data resources remain protected even in the event of a security group misconfiguration.
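Because NACLs are stateless and evaluated by rule number with first match winning, a Data Storage subnet rule set that admits database traffic also needs an explicit outbound allow for the ephemeral reply ports, or the connection silently fails. The following added example (not part of the 5X standard; the rule numbers, ports and the assumed 10.10.0.0/16 Application VPC CIDR are constructed) models that evaluation and checks the return path.

```python
"""Evaluate a subnet NACL the way AWS does: rules in ascending number, first
match wins, implicit deny at the end, and no connection tracking.

Added example, not part of the 5X standard. Rule numbers and CIDRs are
constructed; the Application VPC is assumed to be 10.10.0.0/16."""
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # reply ports a client may use, so the whole range matters


def rule(num, action, proto, lo, hi, cidr):
    """Build one NACL entry; proto '-1' means any protocol, as in the console."""
    return (num, action, proto, lo, hi, ip_network(cidr))


# Constructed Data Storage subnet NACL: PostgreSQL from the Application VPC only,
# with one quarantined application subnet denied by a lower-numbered rule.
DATA_NACL = {
    "inbound": [
        rule(90, "deny", "tcp", 5432, 5432, "10.10.9.0/24"),
        rule(100, "allow", "tcp", 5432, 5432, "10.10.0.0/16"),
    ],
    "outbound": [
        rule(100, "allow", "tcp", *EPHEMERAL, "10.10.0.0/16"),
    ],
}

# Same inbound rules but no outbound allow: stateless filtering drops the replies.
NO_RETURN_NACL = {"inbound": DATA_NACL["inbound"], "outbound": []}


def evaluate(rules, proto, port, peer_ip):
    """Return 'allow' or 'deny' for one packet against one direction's rules."""
    addr = ip_address(peer_ip)
    for _num, action, rule_proto, lo, hi, net in sorted(rules, key=lambda r: r[0]):
        if rule_proto in ("-1", proto) and lo <= port <= hi and addr in net:
            return action  # first matching rule decides
    return "deny"  # the '*' rule every NACL ends with


def connection_works(nacl, proto, port, peer_ip):
    """A request only succeeds if its replies also pass the outbound rules,
    which a stateless NACL evaluates independently for every ephemeral port."""
    if evaluate(nacl["inbound"], proto, port, peer_ip) != "allow":
        return False
    lo, hi = EPHEMERAL
    return all(evaluate(nacl["outbound"], proto, p, peer_ip) == "allow"
               for p in range(lo, hi + 1))
```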

2.5 System Configuration Standards

2.5.1 EC2 Instance Configuration Management

Our EC2/ECS instances follow a standardized configuration model that ensures security, manageability, and operational efficiency. This model begins with hardened Amazon Machine Images (AMIs) that provide a secure foundation for all compute resources. These images implement comprehensive security controls, including system hardening, security tooling, and monitoring capabilities.
Each instance type is configured according to its specific role while maintaining consistent security baselines. Application instances receive configurations tailored to their runtime requirements, including necessary language runtimes, application frameworks, and performance optimizations. Management instances implement additional security controls, including enhanced logging and access restrictions, reflecting their privileged status in our infrastructure.

2.5.2 Container Orchestration and Security

Our container infrastructure implements a secure-by-default configuration that ensures consistent protection across our containerized workloads. This configuration begins at the host level, with container instances receiving specialized configurations that optimize both security and performance. The container runtime environment implements strict controls that prevent privilege escalation and unauthorized access to host resources.
Container images follow a strict security lifecycle that begins with minimal base images from trusted sources. Our build process implements comprehensive security scanning that identifies vulnerabilities in both application code and dependencies. Runtime controls ensure that containers operate with minimal privileges while maintaining necessary functionality. This configuration extends to networking, storage, and resource allocation, ensuring comprehensive protection of containerized workloads.

2.6 Monitoring and Observability Framework

2.6.1 Infrastructure Monitoring

Our monitoring infrastructure provides comprehensive visibility into all aspects of our system operation. This framework begins with fundamental infrastructure metrics, collecting detailed data about resource utilization, system performance, and operational health. The monitoring system implements automatic alerting for anomalous conditions, enabling rapid response to potential issues.
Within the Application VPC, monitoring focuses on application performance and operational metrics. This includes detailed tracking of request patterns, error rates, and system resource utilization. The monitoring system collects metrics at multiple levels, from instance-level statistics to application-specific performance data, providing a complete view of system operation.
The Data Storage VPC implements specialized monitoring that focuses on database performance and data integrity. This includes tracking of query performance, storage utilization, and replication health. The monitoring system implements specific alerts for database-related issues, ensuring rapid response to potential data concerns.

2.6.2 Security Monitoring and Logging

Our security monitoring framework implements continuous surveillance of all system components, providing real-time detection of potential security issues. This system collects and analyzes security-relevant events from across our infrastructure, including authentication attempts, configuration changes, and network activity patterns.
Log collection follows a structured approach that ensures comprehensive coverage while maintaining data security. All system logs are collected and transmitted securely to centralized storage, where they undergo analysis for security relevance. The logging system implements retention policies that ensure compliance with regulatory requirements while maintaining operational utility.

2.7 Backup and Recovery Framework

2.7.1 System Backup Architecture

Our backup system implements a comprehensive data protection strategy across both VPCs. Within the Application VPC, the backup system captures application state, configuration data, and system settings through automated snapshot processes. These backups occur on defined schedules that balance data protection needs with operational impact. The Data Storage VPC implements specialized backup procedures focused on database consistency and data integrity, utilizing AWS RDS automated backups supplemented by manual snapshots for critical operations.

2.7.2 Recovery Process Implementation

The recovery framework provides systematic procedures for restoring system functionality across multiple failure scenarios. This process begins with automated health checks that validate backup integrity and availability. Recovery procedures follow predetermined workflows that ensure consistent results while minimizing downtime. The system implements different recovery strategies based on the severity and scope of the incident, ranging from individual instance recovery to full environment restoration.

2.8 Access Control Systems

2.8.1 Authentication Framework

Our authentication system implements a centralized model that enforces consistent access controls across our infrastructure. This system utilizes AWS IAM as the primary authentication provider, supplemented by additional security measures including multi-factor authentication for privileged access. Role-based access control ensures that users receive only necessary permissions, with regular access reviews maintaining security over time.

2.8.2 Authorization Implementation

Authorization controls extend across both VPCs through a granular permission model. The Application VPC implements service-level permissions that control access to application components and management interfaces. Within the Data Storage VPC, authorization controls focus on data access patterns, implementing strict controls over database access and management functions. This model ensures consistent security while maintaining operational efficiency.

2.9 Compliance and Audit Systems

2.9.1 Compliance Monitoring

The compliance monitoring framework provides continuous validation of our security controls and operational practices. This system automatically tracks configuration states, comparing them against defined compliance requirements. Deviations trigger immediate alerts, enabling rapid response to potential compliance issues. The framework extends across both VPCs, with specialized monitoring for data handling practices in the Data Storage VPC.

2.9.2 Audit Trail Management

Our audit system maintains comprehensive records of all security-relevant events across the infrastructure. This includes tracking of access attempts, configuration changes, and data access patterns. Audit logs undergo secure collection and storage, with retention policies that ensure compliance with regulatory requirements. The system implements automated analysis to identify potential security issues while maintaining evidence for compliance purposes.

2.10 Change Management Integration

2.10.1 Change Control Process

Change management follows a structured workflow that ensures security and stability throughout our infrastructure. All changes undergo risk assessment and technical review before implementation. The process implements different approval requirements based on change scope and potential impact. Emergency changes follow accelerated procedures while maintaining necessary security controls.

2.10.2 Configuration Management

Configuration management ensures consistency across our environment through version-controlled infrastructure definitions. This system maintains authoritative records of all infrastructure configurations, enabling rapid validation and restoration when needed. The process implements automated validation of configuration changes, preventing unauthorized or potentially harmful modifications.

2.11 Incident Response Framework

2.11.1 Detection and Analysis

The incident response system provides rapid identification and assessment of security events across our infrastructure. This begins with automated detection of potential security issues through log analysis and behavior monitoring. The system implements different response patterns based on incident severity and type, ensuring appropriate resource allocation for incident handling.

2.11.2 Response and Recovery

Incident response procedures follow predetermined workflows that ensure consistent and effective handling of security events. This includes automated response actions for common scenarios and escalation procedures for more complex incidents. The system maintains secure communication channels for incident coordination while preserving evidence for post-incident analysis.


Version Control

Version | Date       | Description     | Author        | Approved By
1.0     | 2024-01-15 | Initial Release | Security Team | Head of Technology
