Application Isolation
Architecture
Implement application isolation with one dedicated security group per application:
- Per-application security groups with explicit allow rules (security groups deny by default, so only the listed traffic passes)
- No shared security groups between different applications
- Explicit cross-application rules when communication is required, referencing the peer application's security group ID rather than a subnet CIDR so the allow follows the workload instead of the network it happens to sit in
When to Use
- Multi-tenant environments
- Applications with different compliance requirements
- Zero-trust network architectures
- Environments requiring strict blast radius containment
Implementation Pattern
Each application receives its own security group with rules limited to its specific requirements. Attach only that group to the application's instances: an instance's effective allow set is the union of every security group attached to it, so adding the VPC default group or any other shared group alongside silently widens the boundary.
module "app_a_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "application-a"
  vpc_id = module.vpc.vpc_id

  # Inbound: only the API port, and only from the private subnet Application A lives in.
  # A CIDR source admits every workload in that subnet; narrow it to a security
  # group reference where the callers are known.
  ingress_rules = [
    {
      from_port   = 8080
      to_port     = 8080
      protocol    = "tcp"
      cidr_blocks = [module.vpc.private_subnet_cidrs[0]]
      description = "Application A API"
    }
  ]

  # Outbound: HTTPS to external services only. 0.0.0.0/0 on 443 is still an
  # exfiltration path; restrict it to prefix lists or endpoints where possible.
  egress_rules = [
    {
      from_port   = 443
      to_port     = 443
      protocol    = "tcp"
      cidr_blocks = ["0.0.0.0/0"]
      description = "HTTPS to external services"
    }
  ]
}

module "app_b_sg" {
  source  = "registry.patterneddesigns.ca/patterneddesigns/security-group/aws"
  version = "1.2.0"

  name   = "application-b"
  vpc_id = module.vpc.vpc_id

  # Inbound: only the API port, and only from Application B's own private subnet.
  ingress_rules = [
    {
      from_port   = 9000
      to_port     = 9000
      protocol    = "tcp"
      cidr_blocks = [module.vpc.private_subnet_cidrs[1]]
      description = "Application B API"
    }
  ]

  # Outbound: PostgreSQL to the shared database security group. Security groups
  # are evaluated on both ends, so the database group also needs a matching
  # ingress rule sourced from this group for the connection to succeed.
  egress_rules = [
    {
      from_port       = 5432
      to_port         = 5432
      protocol        = "tcp"
      security_groups = [module.shared_db_sg.security_group_id]
      description     = "PostgreSQL access"
    }
  ]
}
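The explicit cross-application rule the architecture calls for is not shown in the module definitions above. The following is an added example, not code from the page or from the patterneddesigns module, written with the AWS provider's standalone aws_security_group_rule resource so that the two application modules never have to reference each other's outputs (mutual references inside the modules' rule lists would form a Terraform dependency cycle). It assumes that Application A must call Application B's API on 9000/tcp, that the app_a_sg, app_b_sg and shared_db_sg modules expose a security_group_id output as the shared_db_sg reference above implies, and that the database group's ingress is managed here rather than inside its module.

```hcl
# Added example: explicit cross-application rules as standalone resources.
# Assumes module.app_a_sg, module.app_b_sg and module.shared_db_sg exist and
# expose a security_group_id output (as module.shared_db_sg.security_group_id
# is used on the page).

# Application A -> Application B API (9000/tcp).
# Both halves are required: egress on the caller's group and ingress on the
# callee's group. Referencing the peer security group instead of a subnet CIDR
# admits only members of app_a_sg, not everything else in that subnet.
resource "aws_security_group_rule" "app_a_to_app_b_egress" {
  type                     = "egress"
  security_group_id        = module.app_a_sg.security_group_id
  source_security_group_id = module.app_b_sg.security_group_id # destination for egress
  from_port                = 9000
  to_port                  = 9000
  protocol                 = "tcp"
  description              = "Application A -> Application B API"
}

resource "aws_security_group_rule" "app_b_from_app_a_ingress" {
  type                     = "ingress"
  security_group_id        = module.app_b_sg.security_group_id
  source_security_group_id = module.app_a_sg.security_group_id
  from_port                = 9000
  to_port                  = 9000
  protocol                 = "tcp"
  description              = "Application B API from Application A"
}

# Application B's PostgreSQL egress only takes effect if the database group
# admits it; this is the matching ingress half. No rule exists for Application A,
# so it cannot reach the database even though both groups are in the same VPC.
resource "aws_security_group_rule" "db_from_app_b_ingress" {
  type                     = "ingress"
  security_group_id        = module.shared_db_sg.security_group_id
  source_security_group_id = module.app_b_sg.security_group_id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  description              = "PostgreSQL from Application B"
}
```

Keeping every cross-application allow in resources like these, outside the per-application modules, makes the complete inter-application surface reviewable in one place: a `terraform plan` that adds an aws_security_group_rule is exactly the change an auditor or reviewer wants to see called out.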
Benefits
- Clear security boundaries between applications, each readable from a single security group
- Reduced blast radius in case of compromise: a foothold in one application reaches only the peers and ports its group explicitly allows
- Easier compliance auditing, since each application's allowed traffic is an isolated, self-contained policy