
Microsegmented Cloud Network Architecture Using Open-Source Tools for a Zero Trust Foundation

Sunil Arora, John Hastings

TL;DR

The paper addresses the security challenges of multi-cloud and microservices architectures by proposing a cloud-agnostic, zero-trust, micro-segmented network built with open-source tools such as Istio and Calico. It introduces a five-layer architecture—Core Network, Gateway, Software Defined Perimeter, Cloud Network, and Management layers—that enables fine-grained segmentation and secure connectivity across diverse workloads, including containers, VMs, IaaS, and PaaS. A detailed treatment of network-, resource-, and application-level segmentation, combined with service-mesh-based authentication/authorization and encryption, demonstrates how to enforce least-privilege access in transit across distributed environments. The authors validate the approach with a prototype that showcases Istio-based mTLS and policy enforcement across namespaces, underscoring the practical viability and vendor-neutral benefits for secure multi-cloud deployments.

Abstract

This paper presents a multi-cloud networking architecture built on zero trust principles and micro-segmentation to provide secure connectivity with authentication, authorization, and encryption in transit. The proposed design includes a multi-cloud network that supports a wide range of applications and workload use cases, and compute resources including containers, virtual machines, and cloud-native services such as Infrastructure as a Service (IaaS) and Platform as a Service (PaaS). Furthermore, open-source tools provide flexibility, agility, and independence from lock-in to a single vendor's technology. The paper provides a secure architecture with micro-segmentation that follows zero trust principles to solve multi-fold security and operational challenges.

Paper Structure

This paper contains 16 sections and 6 figures.

Figures (6)

  • Figure 1: Average weekly attacks per organization by industry for Q3 2022. Source: ref. 1 (checkpoint2022)
  • Figure 2: Traditional zoning network architecture
  • Figure 3: High-level proposed micro-segmented architecture with five layers
  • Figure 4: Istio control and data plane for communication between services A and B. Source: ref. 30 (Istio_ServiceMesh)
  • Figure 5: Istio architecture with various components and security controls. Source: ref. 31 (Istio_Security)
  • ...and 1 more figure