Skip to main content
InfraGap.com Logo
Home
Getting Started
Core Concept What is a CDE? How It Works Benefits CDE Assessment Getting Started Guide
Implementation
Architecture Patterns DevContainers Language Quickstarts IDE Integration AI/ML Workloads Advanced DevContainers
Operations
Performance Optimization High Availability & DR Monitoring Capacity Planning Troubleshooting Runbooks
Security
Security Deep Dive Secrets Management Vulnerability Management Network Security IAM Guide Compliance Guide
Planning
Pilot Program Design Stakeholder Communication Risk Management Migration Guide Cost Analysis Vendor Evaluation Training Resources Team Structure Industry Guides
Resources
Tools Comparison CDE vs Alternatives Case Studies Lessons Learned Glossary FAQ
About InfraGap.com Contact Us Search

CDE Network Security

Comprehensive guide to securing network architecture, implementing zero-trust principles, and protecting your Cloud Development Environment infrastructure.

Architecture VPC Design Zero Trust Firewall Rules Egress Control

Network Architecture Overview

Secure network topology for enterprise CDE deployments

Reference Architecture

Public Subnet

Load Balancer / WAF
Bastion Host (Optional)
NAT Gateway

CIDR: 10.0.1.0/24

Private - Control Plane

CDE Control Plane
PostgreSQL Database
Secrets Manager

CIDR: 10.0.10.0/24

Private - Workspaces

Developer Workspaces
Persistent Volumes
Build Agents

CIDR: 10.0.20.0/22

Defense in Depth

Multiple security layers protect against breaches

Least Privilege

Minimum access needed for each component

Segmentation

Isolate workloads to contain breaches

Encryption

All data encrypted in transit and at rest

VPC Design & Configuration

Cloud provider-specific VPC configurations

AWS VPC Configuration

# Terraform - AWS VPC for CDE

module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "~> 5.0"

  name = "cde-vpc"
  cidr = "10.0.0.0/16"

  azs             = ["us-east-1a", "us-east-1b", "us-east-1c"]
  private_subnets = ["10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24"]
  public_subnets  = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]

  # Workspace subnets - larger CIDR for many workspaces
  intra_subnets   = ["10.0.20.0/22", "10.0.24.0/22", "10.0.28.0/22"]

  enable_nat_gateway     = true
  single_nat_gateway     = false  # HA: one per AZ
  enable_vpn_gateway     = false
  enable_dns_hostnames   = true
  enable_dns_support     = true

  # VPC Flow Logs for security monitoring
  enable_flow_log                      = true
  create_flow_log_cloudwatch_log_group = true
  create_flow_log_cloudwatch_iam_role  = true
  flow_log_max_aggregation_interval    = 60

  tags = {
    Environment = "production"
    Project     = "cde"
  }
}

# Private endpoints for AWS services (no internet required)
resource "aws_vpc_endpoint" "s3" {
  vpc_id       = module.vpc.vpc_id
  service_name = "com.amazonaws.us-east-1.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = module.vpc.private_route_table_ids
}

resource "aws_vpc_endpoint" "ecr_api" {
  vpc_id              = module.vpc.vpc_id
  service_name        = "com.amazonaws.us-east-1.ecr.api"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = module.vpc.private_subnets
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}

resource "aws_vpc_endpoint" "ecr_dkr" {
  vpc_id              = module.vpc.vpc_id
  service_name        = "com.amazonaws.us-east-1.ecr.dkr"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = module.vpc.private_subnets
  security_group_ids  = [aws_security_group.vpc_endpoints.id]
  private_dns_enabled = true
}

Azure VNet Configuration

# Terraform - Azure VNet for CDE

resource "azurerm_virtual_network" "cde" {
  name                = "cde-vnet"
  location            = azurerm_resource_group.cde.location
  resource_group_name = azurerm_resource_group.cde.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "control_plane" {
  name                 = "control-plane-subnet"
  resource_group_name  = azurerm_resource_group.cde.name
  virtual_network_name = azurerm_virtual_network.cde.name
  address_prefixes     = ["10.0.10.0/24"]

  # Enable private endpoint support
  private_endpoint_network_policies_enabled = true
}

resource "azurerm_subnet" "workspaces" {
  name                 = "workspaces-subnet"
  resource_group_name  = azurerm_resource_group.cde.name
  virtual_network_name = azurerm_virtual_network.cde.name
  address_prefixes     = ["10.0.20.0/22"]

  # AKS node pool subnet
  service_endpoints = ["Microsoft.Storage", "Microsoft.ContainerRegistry"]
}

resource "azurerm_subnet" "aks" {
  name                 = "aks-subnet"
  resource_group_name  = azurerm_resource_group.cde.name
  virtual_network_name = azurerm_virtual_network.cde.name
  address_prefixes     = ["10.0.32.0/20"]
}

# Network Security Group for workspaces
resource "azurerm_network_security_group" "workspaces" {
  name                = "workspaces-nsg"
  location            = azurerm_resource_group.cde.location
  resource_group_name = azurerm_resource_group.cde.name

  security_rule {
    name                       = "DenyInternetOutbound"
    priority                   = 100
    direction                  = "Outbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "Internet"
  }

  security_rule {
    name                       = "AllowAzureServicesOutbound"
    priority                   = 90
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "AzureCloud"
  }
}

GCP VPC Configuration

# Terraform - GCP VPC for CDE

resource "google_compute_network" "cde" {
  name                    = "cde-vpc"
  auto_create_subnetworks = false
  routing_mode            = "REGIONAL"
}

resource "google_compute_subnetwork" "control_plane" {
  name          = "control-plane-subnet"
  ip_cidr_range = "10.0.10.0/24"
  region        = "us-central1"
  network       = google_compute_network.cde.id

  private_ip_google_access = true

  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

resource "google_compute_subnetwork" "workspaces" {
  name          = "workspaces-subnet"
  ip_cidr_range = "10.0.20.0/22"
  region        = "us-central1"
  network       = google_compute_network.cde.id

  private_ip_google_access = true

  secondary_ip_range {
    range_name    = "pods"
    ip_cidr_range = "10.1.0.0/16"
  }

  secondary_ip_range {
    range_name    = "services"
    ip_cidr_range = "10.2.0.0/20"
  }
}

# Cloud NAT for outbound internet
resource "google_compute_router" "cde" {
  name    = "cde-router"
  region  = "us-central1"
  network = google_compute_network.cde.id
}

resource "google_compute_router_nat" "cde" {
  name                               = "cde-nat"
  router                             = google_compute_router.cde.name
  region                             = "us-central1"
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"

  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}

Zero Trust Architecture

Never trust, always verify - even inside your network

Verify Explicitly

  • Authenticate all users via SSO
  • Validate device posture
  • Check user location/context
  • Require MFA for all access

Least Privilege Access

  • JIT (Just-In-Time) access
  • Time-bound permissions
  • Role-based access control
  • Micro-segmentation

Assume Breach

  • Encrypt all traffic (mTLS)
  • Continuous monitoring
  • Network segmentation
  • Blast radius minimization

Service Mesh Implementation (Istio)

Implement mTLS between all services using a service mesh like Istio for zero-trust within the cluster. 

# Istio PeerAuthentication - Require mTLS
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: coder-system
spec:
  mtls:
    mode: STRICT
---
# Istio AuthorizationPolicy - Control plane access
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: coder-control-plane
  namespace: coder-system
spec:
  selector:
    matchLabels:
      app: coder
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account"]
    to:
    - operation:
        methods: ["GET", "POST", "PUT", "DELETE"]
        paths: ["/api/*"]
  - from:
    - source:
        namespaces: ["workspaces"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/api/v2/workspaces/*/agent"]
---
# Istio AuthorizationPolicy - Workspace isolation
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: workspace-isolation
  namespace: workspaces
spec:
  action: DENY
  rules:
  - from:
    - source:
        notNamespaces: ["coder-system", "istio-system"]
    to:
    - operation:
        notPorts: ["22", "13337"]  # SSH and coder agent only

Firewall Rules & Security Groups

Network access control configurations

Security Group Rules Matrix

Source Destination Port Protocol Purpose
0.0.0.0/0 Load Balancer 443 HTTPS User access to CDE
Load Balancer Control Plane 8080 HTTP CDE API/Dashboard
Control Plane Database 5432 PostgreSQL CDE state storage
Control Plane Workspaces 13337 TCP Coder agent
Workspaces Control Plane 443 HTTPS Agent registration
Workspaces NAT Gateway 443 HTTPS Package downloads
Workspace A Workspace B * * DENY - Isolated

Kubernetes Network Policies 

# Default deny all in workspace namespace
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: workspaces
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Allow workspace to reach control plane
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-coder-agent
  namespace: workspaces
spec:
  podSelector:
    matchLabels:
      coder.com/workspace: "true"
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: coder-system
    ports:
    - protocol: TCP
      port: 443
---
# Allow workspace to reach DNS
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
  namespace: workspaces
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
---
# Allow workspace egress to approved registries
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-registries
  namespace: workspaces
spec:
  podSelector:
    matchLabels:
      coder.com/workspace: "true"
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 10.0.10.0/24  # ECR VPC endpoint
    ports:
    - protocol: TCP
      port: 443

Egress Control & Data Loss Prevention

Control outbound traffic and prevent data exfiltration

Egress Proxy

Squid proxy for controlled internet access

# squid.conf - Allowlist approach
acl allowed_domains dstdomain .github.com
acl allowed_domains dstdomain .npmjs.org
acl allowed_domains dstdomain .pypi.org
acl allowed_domains dstdomain .docker.io
acl allowed_domains dstdomain .gcr.io
acl allowed_domains dstdomain .amazonaws.com

http_access allow allowed_domains
http_access deny all

# Block uploads to file sharing sites
acl upload_sites dstdomain .dropbox.com
acl upload_sites dstdomain .wetransfer.com
acl upload_sites dstdomain .pastebin.com
http_access deny upload_sites

All workspace internet traffic is routed through the proxy for logging and filtering.

Data Loss Prevention

Prevent sensitive data exfiltration

Block Git Push to External

Only allow push to approved Git remotes

Block SSH Tunneling

Prevent reverse tunnels to external hosts

Monitor Large Transfers

Alert on uploads > 10MB

Block Clipboard to Internet

Prevent copy-paste to external sites

Recommended Egress Allowlist

Package Registries

  • registry.npmjs.org
  • pypi.org
  • rubygems.org
  • proxy.golang.org
  • crates.io
  • maven.org

Container Registries

  • *.docker.io
  • ghcr.io
  • *.gcr.io
  • *.azurecr.io
  • *.ecr.*.amazonaws.com

Development Tools

  • *.github.com
  • *.gitlab.com
  • api.openai.com
  • *.anthropic.com
  • update.code.visualstudio.com

Network Security Checklist

Infrastructure

  • VPC with private subnets for workspaces
  • VPC flow logs enabled
  • NAT gateway for controlled egress
  • Private endpoints for cloud services
  • WAF in front of load balancer

Access Control

  • Kubernetes network policies enforced
  • Workspace-to-workspace traffic blocked
  • Service mesh with mTLS
  • Egress proxy configured
  • DLP policies implemented

Related Resources

Security Deep Dive

Comprehensive CDE security guide

IAM Guide

Identity and access management

Compliance Guide

HITRUST, SOC2, HIPAA requirements