Cloud Security Architecture on Brewed in the Cloud by Chris Haileshttps://blog.brewedinthecloud.com/categories/cloud-security-architecture/Recent content in Cloud Security Architecture on Brewed in the Cloud by Chris HailesHugo -- gohugo.ioen-usThu, 09 Apr 2026 00:00:00 +1100Network Isolation During Active Compromise: Designing for the Worst Dayhttps://blog.brewedinthecloud.com/p/assume-breach-network-isolation-during-compromise/Thu, 09 Apr 2026 00:00:00 +1100https://blog.brewedinthecloud.com/p/assume-breach-network-isolation-during-compromise/<p>Finding an attacker in your environment isn’t like spotting someone rattling the front door.<br> It’s like hearing footsteps upstairs.</p> <p>At that point, the question isn’t <em>how did they get in?</em><br> It’s <em>how far can they go next and how fast can you stop that from getting worse?</em></p> <p>In an assume‑breach model, <strong>network isolation is not an emergency manoeuvre</strong>.<br> It’s a downgrade path the network already understands.</p> <h2 id="the-mental-model">The Mental Model </h2><h3 id="the-common-assumption">The common assumption </h3><blockquote> <p>“If something gets compromised, we’ll isolate it.”</p> </blockquote> <p>Isolation is treated as an <strong>action</strong> something responders <em>do</em>.</p> <h3 id="why-it-breaks">Why it breaks </h3><p>During an active compromise:</p> <ul> <li>You don’t know what’s already hostile</li> <li>You don’t have time to redesign trust</li> <li>You can’t safely assume the control plane is clean</li> </ul> <p>If isolation requires:</p> <ul> <li>New VNets</li> <li>New peerings</li> <li>Rule surgery across shared infrastructure</li> </ul> <p>…then you don’t have isolation.</p> <p>You have hope.</p> <h2 id="how-it-really-works">How It Really Works </h2><p>Isolation that works under pressure is a <strong>structural property</strong>, not a procedural one.</p> <p>The network must already encode:</p> <ul> <li><strong>Where trust is allowed</strong></li> <li><strong>Where trust is explicitly <em>not</em> allowed</strong></li> <li><strong>How a workload can be downgraded into a less‑trusted state</strong></li> </ul> <p>This is not about perfect segmentation.<br> It’s about <strong>pre‑authorised damage containment</strong>.</p> <p>The key shift:<br> Isolation is not “blocking traffic”.<br> Isolation is <strong>forcing a workload into a smaller, poorer, deliberately constrained network world</strong>.</p> <h2 id="realworld-impact">Real‑World Impact </h2><h3 id="design">Design </h3><p>You stop grouping networks by:</p> <ul> <li>Application name</li> <li>Team ownership</li> <li>Environment labels</li> </ul> <p>And start grouping them by:</p> <ul> <li><strong>Blast radius tolerance</strong></li> <li><strong>Containment requirements</strong></li> <li><strong>What you are willing to lose without collapsing everything else</strong></li> </ul> <p>This almost always means:</p> <ul> <li>Fewer fully‑meshed networks</li> <li>More intentional asymmetry</li> <li>Shared services treated as amplification risks, not conveniences</li> </ul> <h3 id="reliability">Reliability </h3><p>Isolation‑capable designs fail <strong>unevenly</strong>, not catastrophically.</p> <p>You trade some steady‑state elegance for:</p> <ul> <li>Predictable degradation</li> <li>Fewer “everything is on fire” incidents</li> <li>Clear containment boundaries under stress</li> </ul> <p>Availability becomes <strong>graduated</strong>, not binary.</p> <h3 id="security">Security </h3><p>Once credentials or a workload are compromised:</p> <ul> <li>East‑west movement is constrained by structure, not rules</li> <li>Shared services don’t become free pivot points</li> <li>Containment actions are coarse, fast, and reversible</li> </ul> <h3 id="cost">Cost </h3><p>Yes, this often costs more:</p> <ul> <li>More VNets</li> <li>More thought</li> <li>More architectural discipline</li> </ul> <p>It costs far less than rebuilding trust after full lateral spread.</p> <h2 id="implementation-examples">Implementation Examples </h2><p>This is not about NSGs, firewalls, or playbooks.<br> This is about <strong>what the network makes possible and impossible by design</strong>.</p> <h3 id="designed-isolation-as-a-downgrade-path">Designed isolation as a downgrade path </h3><div class="mermaid">flowchart LR subgraph Prod VNet A[App Tier] B[Data Tier] end subgraph Shared Services VNet C[Identity & Control] D[Observability] end subgraph Isolation VNet E[Quarantine] end %% Normal operations A --> B A --> C B --> C A --> D B --> D %% Containment downgrade A -. isolate .-> E B -. isolate .-> E %% Explicitly impossible paths E -.-x C E -.-x B </div> <p>What this diagram deliberately shows:</p> <ul> <li><strong>Isolation is a downgrade</strong>, not an alternative steady state</li> <li>Workloads can move <em>into</em> quarantine, not back into shared trust</li> <li>Quarantine has no path to identity or control services</li> <li>Some connections are <strong>structurally absent</strong>, not “normally blocked”</li> </ul> <p>If your design cannot express these absences, isolation will be fragile.</p> <h3 id="structural-artefact-isolation-that-exists-before-you-need-it">Structural artefact: isolation that exists before you need it </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span><span class="lnt">33 </span><span class="lnt">34 </span><span class="lnt">35 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bicep" data-lang="bicep"><span class="line"><span class="cl"><span class="kd">resource</span><span class="w"> </span><span class="nv">isolationVnet</span><span class="w"> </span><span class="s">&#39;Microsoft.Network/virtualNetworks@2023-09-01&#39;</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">name</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;vnet-isolation&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">location</span><span class="p">:</span><span class="w"> </span><span class="nf">resourceGroup</span><span class="p">().</span><span class="nv">location</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">properties</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">addressSpace</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">addressPrefixes</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s">&#39;10.240.0.0/16&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kd">resource</span><span class="w"> </span><span class="nv">prodVnet</span><span class="w"> </span><span class="s">&#39;Microsoft.Network/virtualNetworks@2023-09-01&#39;</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">name</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;vnet-prod&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">location</span><span class="p">:</span><span class="w"> </span><span class="nf">resourceGroup</span><span class="p">().</span><span class="nv">location</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">properties</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">addressSpace</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">addressPrefixes</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="s">&#39;10.10.0.0/16&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kd">resource</span><span class="w"> </span><span class="nv">prodToIsolationPeering</span><span class="w"> </span><span class="s">&#39;Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-09-01&#39;</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">name</span><span class="p">:</span><span class="w"> </span><span class="s">&#39;</span><span class="si">${</span><span class="nv">prodVnet</span><span class="p">.</span><span class="nv">name</span><span class="si">}</span><span class="s">/prod-to-isolation&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">properties</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">remoteVirtualNetwork</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">id</span><span class="p">:</span><span class="w"> </span><span class="nv">isolationVnet</span><span class="p">.</span><span class="nv">id</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">allowVirtualNetworkAccess</span><span class="p">:</span><span class="w"> </span><span class="kc">true</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">allowForwardedTraffic</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nv">allowGatewayTransit</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>What matters here is not configuration detail, but <strong>intent</strong>:</p> <ul> <li>The isolation VNet exists independently of any incident</li> <li>A downgrade path is pre‑authorised</li> <li>There is <strong>no equivalent peering to shared services</strong></li> <li>Containment does not require new infrastructure</li> </ul> <p>If isolation requires new peerings, you are already too late.</p> <h2 id="designed-isolation-vs-wishful-containment">Designed Isolation vs Wishful Containment </h2><p>This distinction is non‑negotiable.</p> <h3 id="designed-isolation">Designed isolation </h3><ul> <li>Downgrade paths exist ahead of time</li> <li>Shared services are not universally reachable</li> <li>Containment changes <em>routing</em>, not architecture</li> <li>Isolation is fast, coarse, and survivable</li> </ul> <h3 id="wishful-containment">Wishful containment </h3><ul> <li>Flat or fully‑meshed VNets</li> <li>Shared services reachable from everywhere</li> <li>Isolation requires redesign or mass rule changes</li> <li>“We’ll block it when it happens”</li> </ul> <p>Only one of these survives an active compromise.</p> <h2 id="gotchas--edge-cases">Gotchas &amp; Edge Cases </h2><ul> <li> <p><strong>Shared services are blast‑radius multipliers</strong><br> If everything depends on them, nothing can be isolated safely.</p> </li> <li> <p><strong>Fully‑meshed peering kills partial containment</strong><br> You either isolate everything or nothing.</p> </li> <li> <p><strong>Late isolation is usually ineffective</strong><br> Lateral movement is measured in minutes, not hours.</p> </li> <li> <p><strong>Over‑isolation can blind responders</strong><br> If quarantine breaks logging or telemetry, you lose visibility when it matters most.</p> </li> </ul> <h2 id="best-practices">Best Practices </h2><ul> <li>Treat isolation as a <strong>network state</strong>, not an action</li> <li>Design explicit downgrade paths and only a few</li> <li>Group networks by <strong>failure tolerance</strong>, not org charts</li> <li>Assume shared services are hostile <em>by default</em></li> <li>If isolation requires design changes, it doesn’t exist</li> </ul> <div class="insight"> <div class="insight-icon">🍺</div> <div class="insight-content"> <strong>Brewed Insight:</strong> If your network can’t force a compromised workload into a smaller, poorer world <strong>without redesign</strong>, you didn’t design for isolation, you designed for optimism. </div> </div> <style> .insight { display: flex; align-items: center; background-color: #0089e41c; border-left: 10px solid #D69A2D; padding: 10px; margin: 20px 0; border-radius: 4px; } .insight-icon { font-size: 24px; margin-right: 10px; } .insight-content { flex: 1; } </style><h2 id="learn-more">Learn More </h2><ul> <li><a class="link" href="https://learn.microsoft.com/en-us/azure/virtual-network/concepts-and-best-practices" target="_blank" rel="noopener" >Azure Virtual Network design</a></li> <li><a class="link" href="https://learn.microsoft.com/azure/security/fundamentals/network-overview" target="_blank" rel="noopener" >Network security in Azure</a></li> <li><a class="link" href="https://learn.microsoft.com/azure/architecture/framework/" target="_blank" rel="noopener" >Azure architecture design principles</a></li> </ul>