This chapter covers microsegmentation in cloud and Software-Defined Networking (SDN) environments, a critical security architecture concept for SY0-701 Objective 3.1. Microsegmentation enables granular security controls that limit lateral movement by enforcing zero-trust principles at the workload or virtual network level. Understanding this topic is essential because it represents a fundamental shift from perimeter-based security to identity- and context-aware micro-perimeters, which the exam tests through scenario-based questions about cloud security groups, SDN policies, and east-west traffic protection.
Jump to a section
Imagine a large office building that used to have a single internal corridor connecting all departments. Anyone could walk from marketing to finance to HR without being stopped. That's like a flat network—once an attacker gains access, they can move laterally everywhere. Now consider a modern building with security turnstiles at every department entrance, and each department has its own locked rooms within. Even if someone sneaks into the building, they can't reach the finance server room without a special badge that only works for that specific turnstile. This is microsegmentation. Each turnstile represents a firewall policy or a virtual network interface that enforces identity-based access. The badge is a combination of source IP, user identity, and application context. If a thief steals a marketing employee's badge, they can only enter marketing areas—they can't access HR or finance. Moreover, the building has a central security console that can instantly revoke the stolen badge and update all turnstiles. In SDN, the controller is that console, pushing new rules to virtual switches. The key mechanic is that the turnstiles don't just check 'who you are' but also 'where you are going' and 'what you are carrying' (e.g., protocol type). This granular control prevents lateral movement even if perimeter defenses fail.
What is Microsegmentation and Why Does It Matter?
Microsegmentation is a security technique that divides a network or cloud environment into isolated segments at the individual workload or virtual machine (VM) level, rather than at the traditional subnet or VLAN level. In a traditional network, once an attacker compromises a host on a subnet, they can often scan and pivot to other hosts on the same subnet using ARP spoofing or simple IP reconnaissance. Microsegmentation eliminates this by enforcing firewall rules per workload, effectively creating a micro-perimeter around each resource. For SY0-701, you must understand that microsegmentation is a core implementation of the zero-trust model—never trust, always verify—applied to network traffic.
How Microsegmentation Works Mechanically
In an SDN environment, a centralized controller manages the forwarding behavior of virtual switches. When a VM sends a packet, the virtual switch consults the controller or a local flow table to determine if the packet is allowed. The rules are based on five-tuple information (source IP, destination IP, source port, destination port, protocol) but can also include identity attributes like user ID, VM name, or security group tag. For example, in VMware NSX, a distributed firewall (DFW) is installed as a kernel module on each hypervisor. When a packet leaves a VM's virtual NIC, the DFW intercepts it and checks against a rule set that is synchronized from the NSX Manager. If the packet matches an allow rule, it is forwarded; otherwise, it is dropped. The key is that this check happens at the source hypervisor, not at a central firewall, which eliminates bottlenecks and allows for line-rate filtering.
Key Components and Variants
Cloud Security Groups (SG): In AWS, a security group acts as a virtual firewall for EC2 instances. Each SG has inbound and outbound rules that are stateful. You can assign multiple SGs to an instance, and rules are evaluated as a union. For example, SG1 allows HTTP from 0.0.0.0/0, and SG2 allows SSH from your office IP. The instance gets both. Microsegmentation is achieved by creating separate SGs for each tier (web, app, DB) and only allowing specific traffic between them.
Network Access Control Lists (NACL): In AWS, NACLs are stateless and apply at the subnet level. They are less granular than SGs and are used for subnet-level segmentation. For SY0-701, know the difference: SGs are stateful and instance-level; NACLs are stateless and subnet-level.
Software-Defined Networking (SDN) Controllers: Controllers like VMware NSX, Cisco ACI, or OpenDaylight manage the network fabric. They use protocols like OpenFlow (RFC 7426) to push flow entries to switches. Microsegmentation policies are defined as security groups or endpoint groups (EPGs) that map to VMs or containers.
Virtual Local Area Networks (VLANs): Traditional VLANs segment at Layer 2, but they require separate subnets and are limited to 4096 IDs. Microsegmentation overcomes this by using overlay networks (VXLAN, RFC 7348) that encapsulate MAC addresses in UDP, allowing up to 16 million segments.
How Attackers Exploit Weak Segmentation and How Defenders Deploy Microsegmentation
Attackers often exploit flat networks by performing lateral movement after an initial breach. For example, the NotPetya worm (2017) spread via EternalBlue (MS17-010) and then used WMI and PsExec to move laterally within the same subnet. Microsegmentation would have stopped this because even if one VM was compromised, it could not initiate SMB connections (port 445) to other VMs unless explicitly allowed. Defenders deploy microsegmentation by first mapping all application dependencies—which services talk to which—using tools like VMware vRealize Network Insight or Microsoft Azure Network Watcher. Then, they create allow rules that mirror these dependencies and deny all other traffic. A common approach is to use a 'default deny' rule at the end of the policy. In NSX, you can enable 'micro-segmentation' by creating a distributed firewall rule that blocks all traffic except specific flows.
Real Command/Tool Examples
In AWS, you might create a security group for a web tier using the AWS CLI:
aws ec2 create-security-group --group-name WebSG --description "Web tier security group" --vpc-id vpc-12345
aws ec2 authorize-security-group-ingress --group-id sg-12345 --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id sg-12345 --protocol tcp --port 443 --cidr 0.0.0.0/0For the app tier, you would create an AppSG that only allows traffic from WebSG:
aws ec2 authorize-security-group-ingress --group-id sg-67890 --protocol tcp --port 8080 --source-group sg-12345In VMware NSX, a distributed firewall rule might look like this in the API or UI: Source: Web-VM, Destination: App-VM, Service: HTTP, Action: Allow. The rule is pushed to all ESXi hosts via the NSX Manager.
Standards and Protocols
VXLAN (RFC 7348): Encapsulates Layer 2 frames in UDP packets, enabling overlay networks. Each VXLAN segment has a 24-bit VNI (VXLAN Network Identifier), allowing 16 million segments.
OpenFlow (RFC 7426): A protocol that allows an SDN controller to program flow tables in switches. Flow entries consist of match fields (e.g., MAC, IP, ports) and actions (e.g., forward, drop).
TLS (RFC 5246): Used for encrypting communication between SDN controllers and switches to prevent tampering.
Threats Addressed
Microsegmentation primarily addresses lateral movement (also called east-west traffic). It also helps contain VM escape attacks—if a hypervisor is compromised, microsegmentation limits the blast radius. Additionally, it reduces the attack surface for internal reconnaissance (e.g., port scanning) because each VM only sees traffic it is allowed to receive.
Map Application Dependencies
Before implementing microsegmentation, you must understand which workloads need to communicate. Use a tool like VMware vRealize Network Insight or Microsoft Azure Network Watcher to capture flow logs. For example, in AWS, enable VPC Flow Logs and analyze them with Athena or a third-party SIEM. Identify all source-destination pairs, protocols, and ports. Document the expected traffic patterns (e.g., web servers talk to app servers on TCP 8080, app servers talk to databases on TCP 3306). This step is critical because overly restrictive rules can break applications.
Create Security Groups or Policy Groups
Define logical groups based on function (web, app, db) or security tier. In AWS, create security groups (SGs) for each group. In NSX, create security groups that include VMs by dynamic membership criteria (e.g., OS = 'Windows' or tag = 'Production'). For containers, use Kubernetes network policies that select pods by labels. Each group represents a microsegment. For example, a 'Web' SG allows inbound HTTP/HTTPS from the internet and outbound to the 'App' SG on port 8080.
Write Allow-Only Rules
Define rules that explicitly allow only the necessary traffic between groups. Use the principle of least privilege. For each rule, specify the source group, destination group, protocol, and port. In AWS SGs, rules are stateful, so you only need to define inbound rules; outbound is automatically allowed for return traffic. In NSX, you must define both inbound and outbound rules. At the end of the policy, add a default deny rule that drops all other traffic. For example, an NSX rule: Source: Web-SG, Destination: App-SG, Service: TCP 8080, Action: Allow. Then a catch-all: Source: Any, Destination: Any, Service: Any, Action: Drop.
Test in Audit Mode
Before enforcing rules, deploy them in audit or logging mode. In NSX, you can set the action to 'Log' instead of 'Allow' or 'Drop'. This allows you to see which traffic would be blocked without causing outages. Monitor logs for denied flows that should be allowed. Use tools like vRealize Log Insight or Splunk to analyze the logs. Adjust rules as needed. This step is often skipped in real-world deployments, leading to application downtime.
Enforce and Monitor
Once testing is complete, switch the rules to enforce mode. In AWS, this means the SGs are active. In NSX, change the action from 'Log' to 'Allow' or 'Drop'. Continuously monitor for violations using flow logs or firewall logs. For example, in AWS, enable VPC Flow Logs to capture accepted and rejected traffic. Set up alerts for unexpected denied traffic, which may indicate a misconfiguration or an ongoing attack. Periodically review and update rules as application dependencies change.
Scenario 1: Healthcare Organization with Cloud Migration A hospital migrates its patient records system to AWS. The security engineer creates separate security groups for the web servers, application servers, and database servers. The web SG allows HTTPS from the internet, the app SG allows HTTP from the web SG, and the DB SG allows MySQL (TCP 3306) from the app SG. All other traffic is denied by default because security groups have an implicit deny. One day, a vulnerability in the web application allows an attacker to execute arbitrary code. The attacker tries to connect directly to the database server on port 3306, but the DB SG only allows traffic from the app SG. The attacker's source IP is not in the app SG, so the connection is dropped. The attacker then tries to scan other subnets, but since no outbound rules allow scanning, the packets are dropped. The security team sees the denied traffic in VPC Flow Logs and triggers an incident response. The correct response is to isolate the compromised web instance, patch the application, and verify that no lateral movement occurred. A common mistake is to assume that because the web server is compromised, the database is also compromised—but microsegmentation prevented that.
Scenario 2: Enterprise SDN Deployment with NSX A financial company uses VMware NSX to microsegment its data center. The security team creates security groups for 'Trading-Apps' and 'Settlement-DB'. A distributed firewall rule allows Trading-Apps to talk to Settlement-DB on TCP 1433 (MSSQL). All other traffic is blocked. An analyst notices that a server in the Trading-Apps group is sending ICMP echo requests to servers in the HR group. The distributed firewall drops these packets because no rule allows ICMP between those groups. The analyst sees the dropped packets in the NSX logs and investigates the trading server. It turns out the server was infected with a worm that tried to propagate via ICMP. The microsegmentation contained the worm to the Trading-Apps group. The correct response is to quarantine the infected VM, analyze the worm, and update the policy if needed. A common mistake is to create overly broad rules like 'allow all traffic between groups' to avoid troubleshooting, which would defeat the purpose.
Scenario 3: Kubernetes Environment A tech startup runs its microservices on Kubernetes. They implement network policies to microsegment pods. The frontend pod has a label 'tier: frontend' and the backend pod has 'tier: backend'. A network policy allows ingress to backend only from frontend on TCP 8080. An attacker compromises a frontend pod via a vulnerable library. The attacker tries to access a database pod directly, but the database pod's network policy only allows ingress from backend pods. The connection is blocked. The attacker then tries to scan the cluster, but Kubernetes network policies deny all traffic not explicitly allowed. The security team uses kubectl to view network policies and checks the logs of the CNI plugin (e.g., Calico) for denied packets. The correct response is to isolate the compromised pod and patch the vulnerability. A common mistake is to rely on Kubernetes default 'allow all' policy, which would have allowed the attack.
SY0-701 Tests These Sub-Objectives Under Objective 3.1: - Explain the concept of microsegmentation as a security control. - Differentiate between microsegmentation and traditional VLAN segmentation. - Identify use cases for microsegmentation in cloud and SDN environments. - Understand how security groups (SGs) and network access control lists (NACLs) implement microsegmentation. - Recognize that microsegmentation is a zero-trust enabler.
Most Common Wrong Answers and Why Candidates Choose Them: 1. 'Microsegmentation is the same as VLAN segmentation.' – Candidates confuse the two because both involve dividing networks. However, VLANs segment at Layer 2 using 802.1Q tags and are limited to 4096 segments, while microsegmentation uses overlay networks like VXLAN (16 million segments) and can filter at the VM level. 2. 'Security groups are stateless.' – Many candidates mix up SGs and NACLs. SGs are stateful (return traffic automatically allowed), NACLs are stateless (must define inbound and outbound rules). The exam tests this distinction. 3. 'Microsegmentation only applies to on-premises networks.' – The exam emphasizes cloud and SDN environments. Microsegmentation is a key feature of cloud security groups and SDN controllers. 4. 'Microsegmentation eliminates the need for firewalls.' – Microsegmentation complements firewalls but does not replace them. Perimeter firewalls still protect against external threats.
Specific Terms, Values, and Acronyms: - VXLAN (Virtual Extensible LAN) – RFC 7348, uses 24-bit VNI. - OpenFlow – RFC 7426, protocol for SDN controllers. - Security Group (SG) – stateful, instance-level firewall in AWS. - Network ACL (NACL) – stateless, subnet-level firewall in AWS. - East-west traffic – traffic between servers within a data center. - Lateral movement – the attack technique microsegmentation prevents.
Common Trick Questions: - A question may describe a scenario where an attacker moves from one VM to another in the same subnet. The correct control is microsegmentation, not a VLAN. VLANs would not prevent this because VMs in the same VLAN can communicate freely. - Another trick: 'Which AWS feature provides microsegmentation?' The answer is security groups, not NACLs. NACLs are subnet-level and less granular.
Decision Rule for Eliminating Wrong Answers: For scenario questions about limiting lateral movement in a cloud environment, look for keywords like 'per-instance firewall,' 'security group,' 'zero trust,' or 'workload-level segmentation.' Eliminate answers that mention VLANs, subnetting, or traditional network firewalls unless the scenario specifically mentions on-premises networks without SDN.
Microsegmentation creates micro-perimeters around individual workloads to prevent lateral movement.
It is a core zero-trust enforcer: never trust, always verify, even inside the network.
Cloud security groups (e.g., AWS SG) are stateful and instance-level; NACLs are stateless and subnet-level.
SDN uses overlay networks like VXLAN (RFC 7348) with 24-bit VNIs (16 million segments).
OpenFlow (RFC 7426) is a protocol for SDN controllers to program flow tables.
Microsegmentation requires mapping application dependencies before implementing policies.
Common exam scenario: attacker moves between VMs in the same subnet – answer is microsegmentation, not VLAN.
These come up on the exam all the time. Here's how to tell them apart.
Security Group (SG)
Stateful – return traffic automatically allowed
Applies at the instance (VM) level
Supports allow rules only (implicit deny all)
Evaluated before NACL for the same VPC
Example: AWS EC2 security groups
Network ACL (NACL)
Stateless – must define inbound and outbound rules
Applies at the subnet level
Supports allow and deny rules
Evaluated after SG for the same VPC
Example: AWS VPC network ACLs
Mistake
Microsegmentation is the same as VLAN segmentation.
Correct
VLANs segment at Layer 2 using 802.1Q tags and are limited to 4096 segments. Microsegmentation uses overlay networks like VXLAN (16 million segments) and can filter at the individual workload level, not just subnet.
Mistake
Security groups in AWS are stateless.
Correct
Security groups are stateful: if you allow inbound HTTP, return traffic is automatically allowed. Network ACLs are stateless and require explicit outbound rules.
Mistake
Microsegmentation only applies to on-premises data centers.
Correct
Microsegmentation is a key concept in cloud environments (e.g., AWS security groups, Azure NSGs) and SDN (e.g., VMware NSX distributed firewall).
Mistake
Microsegmentation eliminates the need for perimeter firewalls.
Correct
Microsegmentation controls east-west traffic, but perimeter firewalls are still needed for north-south traffic (inbound/outbound from the internet).
Mistake
Implementing microsegmentation is a one-time task.
Correct
Microsegmentation requires ongoing monitoring and updates as application dependencies change. Policies must be reviewed regularly.
Traditional VLAN segmentation divides networks at Layer 2 using 802.1Q tags, limiting you to 4096 segments and requiring separate subnets. Microsegmentation uses overlay networks like VXLAN (RFC 7348) that encapsulate Ethernet frames in UDP, allowing up to 16 million segments. More importantly, microsegmentation enforces firewall rules per workload (VM or container) rather than per subnet, enabling granular zero-trust policies. For the exam, remember that VLANs are coarse-grained and microsegmentation is fine-grained.
Lateral movement is when an attacker moves from a compromised host to other hosts on the network. Microsegmentation prevents this by enforcing firewall rules at the workload level. Each workload has a micro-perimeter that only allows traffic necessary for its function. For example, if a web server is compromised, it cannot initiate connections to the database server unless explicitly allowed. The rules are enforced by a distributed firewall (e.g., VMware NSX DFW) or cloud security groups. In the exam, look for answers that mention 'per-instance firewall' or 'workload-level segmentation.'
Security groups are stateful, instance-level firewalls that support allow rules only (implicit deny all). You assign them to EC2 instances. Network ACLs are stateless, subnet-level firewalls that support both allow and deny rules. They apply to all instances in a subnet. For the exam, remember: SGs = stateful, instance-level; NACLs = stateless, subnet-level. A common question asks which one to use for microsegmentation—the answer is security groups because they are more granular.
In SDN, the controller is the central brain that manages network policies. It pushes flow entries to virtual switches using protocols like OpenFlow (RFC 7426). For microsegmentation, the controller maintains a policy database (e.g., security group definitions) and distributes rules to all hypervisors or switches. When a VM sends a packet, the virtual switch checks the local flow table (populated by the controller) to decide whether to forward or drop. This enables consistent, centralized management of microsegmentation policies across the entire data center.
No, microsegmentation complements traditional firewalls. Traditional firewalls (perimeter firewalls) protect against north-south traffic (inbound from the internet). Microsegmentation controls east-west traffic (between internal workloads). Both are needed for defense in depth. On the exam, a scenario about limiting internal movement after a breach should point to microsegmentation, not a perimeter firewall.
The first step is to map application dependencies. You need to understand which workloads communicate with each other, on which ports and protocols. Tools like VMware vRealize Network Insight or AWS VPC Flow Logs can capture this traffic. Without this mapping, you risk breaking applications by creating overly restrictive policies. For the exam, remember that 'discover communication patterns' is the initial phase of microsegmentation deployment.
VXLAN (Virtual Extensible LAN) is an overlay network protocol defined in RFC 7348. It encapsulates Layer 2 frames in UDP packets, allowing virtual networks to span across physical boundaries. Each VXLAN segment has a 24-bit VNI (VXLAN Network Identifier), providing up to 16 million segments. This scalability enables microsegmentation at massive scale, as each workload can be placed in its own VXLAN segment. In SDN, VXLAN is commonly used to create isolated networks for microsegmentation.
You've just covered Microsegmentation in Cloud and SDN — now see how well it sticks with free SY0-701 practice questions. Full explanations included, no account needed.
Done with this chapter?