Private endpoints and intranets

1) Why a private network

• isolation of PaaS/DB/storages from public IP;
• Easier compliance (PCI DSS/GDPR)
• predictable delays and routing.

2) Base model: VPC/VNet and hubs

Address space: a single CIDR plan, without intersections (for example, '10. 0. 0. 0/12 'is cut into environments and hubs).
Segmentation: subnets' ingress', 'app', 'data', 'ops', 'shared' with individual routes/ACL/SG.
Transit hub: central VPC/VNet with gateways (VPN/DirectConnect/ExpressRoute/Interconnect), inter-VPC peering/Transit Gateway and network firewalls.
Dual-stack: scheduling IPv6 in advance (saves NAT, improves address scale).

3) Private endpoints: principles

• Traffic goes inside the provider network (not via the Internet).
• Endpoint policy limits where you can go (prefixes/ARN/resources).
• DNS is redefined to private IP (see § 6).

Typical targets: object stores (S3/GCS/Blob), secret/KMS, queues, event buses, managed databases, analytical services, artifact registers.

4) Entry and balancing inside

Internal Load Balancer (ILB) for L4/7, we see only from private subnets.

• 'Service'of type'LoadBalancer' with internal annotations.
• Login via Internal Ingress (Nginx/Contour/Gateway API) at a private address.
• API Gateway (private): private integration with backends; outside - only through edge, if required.

Example: K8s Ingress as internal

yaml apiVersion: networking. k8s. io/v1 kind: Ingress metadata:
name: api-internal annotations:
kubernetes. io/ingress. class: "nginx"
alb. ingress. kubernetes. io/scheme: internal # or provider equivalent spec:
rules:
- host: api. internal. corp http:
paths:
- path: /v1/
pathType: Prefix backend:
service:
name: api port: { number: 8080 }

5) Egress contour: "default - deny"

• NAT Gateway (for updates/repositories) + egress allowlist via FQDN/IP;
• TLS inspection/proxy if policies require control;
• Private endpoints to PaaS/registers instead of NAT.
• SG/NACL: explicit permissions per-service, "east-west" - minimum.
• K8s Egress Policies (CNI/OPA Gatekeeper/Calico NetworkPolicy) - external IP barring, cluster/endpoint permissions.

6) DNS: split-horizon и private zones

Separate inner zones ('.internal. corp ') and public.
Private DNS zones for provider services: override public names (for example, 'bucket. s3. region. amazonaws. com ') to private A/AAAA records.
Forwarders/Conditional DNS между on-prem ↔ cloud.
Name format: encapsulate environment/region ('api. eu1. internal. corp '), avoid PII.

api. internal. corp. A  10. 20. 30. 40 s3. bucket. corp. A  10. 100. 0. 25 # via private endpoint

7) Interconnection patterns

Peering (VPC↔VPC/VNet↔VNet): simple and fast; transit is not always supported → use Transit Gateway/Virtual WAN/Cloud Router for hub-and-spoke.
On-prem ⇄ cloud: IPsec VPN to start, then leased line (DC/ER/IC) with BGP and backup (two providers, different entry points).
VRF/Route-domain segmentation: isolation of prod/stage/dev and card perimeter.

8) Zero Trust and internal authentication

mTLS-default (service mesh: Istio/Linkerd/Consul), machine identity: SPIFFE/SPIRE.
L7 policies: authorization by JWT/claims/scopes, restriction of routes/methods at the proxy level.
Secrets: HashiCorp Vault/КMS + External Secrets Operator; short-lived credential (STS).
Bastion/Privileged Access: access to the privatka only through a broker/JIT session (MFA, command recording).

Example: Envoy filter mTLS + JWT-authz (fragment)

yaml transport_socket:
name: tls typed_config: {... spiffe://svc. api... }
http_filters:
- name: envoy. filters. http. jwt_authn typed_config:
providers:
oidc: { issuer: https://idp. corp, audiences: ["api"], remote_jwks: {...} }
rules: [{ match: { prefix: "/v1" }, requires: { provider_name: oidc } }]

9) Data and PaaS inside the private

Databases/clusters: only private addresses; admin panel via bastion/JIT.
Repositories: access from VPC via private endpoint; endpoint policy allows only the desired buckets/containers.
Queues/buses: private interfaces; producers/consumers - in the same VPC/peering.
Artifact registers: private access from CI/CD runners on private subnets.

10) Observability in private networks

OpenTelemetry Collector - as a telemetry gateway: internal exporters to self-hosted (Prometheus/Tempo/Loki/ClickHouse) or to managed backends via private endpoints.
Flow logs/NSG/NACL logs and reachability analyzer are required.

SLO-slices: 'site/region/vpc/subnet', alerts to egress and an unexpected "Internet direction."

11) Testing and verification

Policy as Code (OPA/Gatekeeper) for network rules/Ingress/Service.
Canary routes: test domains in private DNS, synthetic checks from different subnets/AZ/regions.
Chaos network: delays/losses in inter-VPC/inter-AZ (netem/Toxiproxy), timeout checks and retry policies.

12) Configuration examples

12. 1 Terraform: labels and routes (idea)

hcl resource "aws_route_table" "app" {
vpc_id = aws_vpc. core. id tags = { Name = "rt-app", env = var. env, zone = "private" }
}
Route on PrivateLink endpoint (interface endpoint is created separately)
resource "aws_vpc_endpoint_route_table_association" "s3" {
route_table_id = aws_route_table. app. id vpc_endpoint_id = aws_vpc_endpoint. s3. id
}

12. 2 K8s NetworkPolicy: deny everything except what you need

yaml apiVersion: networking. k8s. io/v1 kind: NetworkPolicy metadata: { name: deny-all }
spec:
podSelector: {}
policyTypes: ["Ingress","Egress"]
kind: NetworkPolicy metadata: { name: allow-core }
spec:
podSelector: { matchLabels: { app: api } }
egress:
- to:
- namespaceSelector: { matchLabels: { ns: db } }
ports: [{ port: 5432, protocol: TCP }]
- to:
- ipBlock: { cidr: 10. 100. 0. 0/16 }  # private endpoints ports: [{ port: 443, protocol: TCP }]

12. 3 Nginx Ingress (internal scheme) + HSTS

yaml metadata:
annotations:
alb. ingress. kubernetes. io/scheme: internal nginx. ingress. kubernetes. io/hsts: "true"

13) Antipatterns

Common "management-Internet" from private subnets; lack of egress control.
Split-brain DNS and random manual '/etc/hosts'.

Intersecting CIDRs and "NAT nesting dolls."

Public endpoints for databases/storages "for the sake of convenience."

No flow logs/rule audits; "open" SG '0. 0. 0. 0/0`.
Long-lived static access keys in code/CI.

14) Cost and performance

Private endpoints are often cheaper than permanent NAT egress and safer.
Schedule NAT clusters/az-local for bandwidth to avoid creating bottleneck.
Cache/edge and SWR reduce cross-regional traffic.
Choice of protocols: HTTP/2/gRPC inside the → there are fewer connections and TLS overhead.

15) Specifics of iGaming/Finance

PCI DSS: card circuit (CDE) in a separate network/VRF, no internet; access to the store/PSP logs only by private endpoints; immutable audits (WORM/Object Lock).
KMS/Vault: keys segmented per region/brand; signing operations (HSM) are only available from CDE over mTLS.
PSP/KYC: if there is private connectivity/markets - use; otherwise, egress through a trusted proxy with HMAC/mTLS and explicit allowlist.
Multi-tenancy: tags and policies by 'tenant '/' brand'; separate private DNS names and SG layers.

16) Prod Readiness Checklist

• CIDR plan without intersections; dual-stack ready (IPv6).
• Hub-and-Spoke, Transit, peering; on-prem ⇄ cloud - BGP, backup link pairs.
• All PaaS/storages/DB - via private endpoints + endpoint policies.
• Internal LB/Ingress; public perimeter - on edge/WAF only.
• Split-horizon DNS, private zones, and conditional-forwarding are configured.
• Egress is "deny" by default; NAT/proxies are restricted and logged.
• Mesh mTLS + SPIFFE; JWT-authz on L7; Vault/ESO, short secrets.
• NetworkPolicy/SG/NACL - "minimum necessary," flow-logs and reachability-analysis.
• OTel Collector inside; alerts to egress, SLO by 'site/region/vpc'.
• PCI/audit: WORM logs, KMS/HSM, CDE isolation, access runbook.

17) TL; DR

Build a hub-and-spoke network with a clear CIDR plan, use private endpoints to each PaaS/storage/database, and traffic to the outside only through managed egress points. Inside - internal LB/Ingress, mTLS + SPIFFE, split-horizon DNS, strict NetworkPolicy/SG and telemetry via OTel. For iGaming/Finance, add PCI segmentation, KMS/Vault, and immutable auditing; PSP/KYC output through private channels or a tightly controlled proxy.