
Module 28: Network and Communications Security

CCSP Domain 3 — Cloud Platform & Infrastructure Security, Section A (Module 28 of 70)
The CCSP exam expects you to understand that cloud networking is software-defined, which means misconfiguration — not physical compromise — is the primary threat vector.

Software-Defined Networking Changes Everything

In traditional networks, security relies on physical separation — VLANs, firewalls, and physical cables. In cloud, everything is virtual. The exam tests whether you understand what this shift means for security.

Software-Defined Networking (SDN) separates the control plane from the data plane:

  • Control plane — decides where traffic goes (managed by the CSP or orchestration tools)
  • Data plane — moves the actual packets

This separation means network behavior is programmable, auditable, and reproducible. But it also means a single API call can open a network to the entire internet.

When the exam presents a network breach scenario in cloud, look for misconfiguration first — not sophisticated attacks.

Virtual Network Isolation

Every major CSP offers virtual private clouds (VPCs) or virtual networks. The exam expects you to understand their security properties:

  • VPCs provide logical isolation at the network layer
  • Subnets within a VPC can be public (internet-facing) or private
  • Route tables control traffic flow between subnets
  • Peering allows VPCs to communicate without traversing the public internet

Exam trap: Just because two VPCs are in the same account does not mean they can communicate. Network connectivity must be explicitly configured. This is an example of default-deny in cloud networking.


Encryption in Transit

The exam tests your understanding of when and how to encrypt data moving between cloud components:

  • TLS 1.2/1.3 — standard for client-to-cloud communications
  • IPsec VPN — encrypted tunnels between on-premises and cloud networks
  • Mutual TLS (mTLS) — both sides authenticate, common in microservices
  • Private connectivity (Direct Connect, ExpressRoute) — dedicated links that bypass the public internet but are not encrypted by default

Dedicated private connections are NOT automatically encrypted. The exam loves this distinction. A Direct Connect link provides network isolation and consistent bandwidth, but you still need IPsec or TLS for confidentiality.

Network Security Controls in Cloud

Cloud platforms offer layered network controls. The exam expects you to know the difference:

  • Security groups — stateful firewalls attached to instances; allow rules only
  • Network ACLs — stateless firewalls at the subnet level; allow and deny rules
  • Web Application Firewalls (WAF) — Layer 7 inspection for HTTP/HTTPS traffic
  • DDoS protection services — absorb volumetric attacks at the provider edge

The difference between stateful and stateless matters for exam questions. A security group remembers return traffic automatically. A NACL requires explicit rules for both inbound and outbound.
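The stateful-versus-stateless distinction above, worked through as an added example (not part of this module or any CSP's own code): a small simulator that judges a TCP connection under security-group semantics and under NACL semantics, and a check for ingress rules open to the whole internet. The rule sets and addresses are constructed for illustration.

```python
from dataclasses import dataclass
import ipaddress

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out"
    proto: str       # "tcp" or "udp"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # security groups carry allow rules only; NACLs may also "deny"
    number: int = 100       # NACL evaluation order (lowest first); unused for security groups

def _matches(rule, direction, proto, port, ip):
    return (rule.direction == direction and rule.proto == proto
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))

def sg_permits(rules, direction, proto, port, ip):
    """Security group: any matching allow rule permits; otherwise implicit deny."""
    return any(_matches(r, direction, proto, port, ip) for r in rules if r.action == "allow")

def nacl_permits(rules, direction, proto, port, ip):
    """NACL: the first matching rule by number decides (allow or deny); otherwise implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, direction, proto, port, ip):
            return r.action == "allow"
    return False

def tcp_session_ok(kind, rules, client_ip, dst_port, ephemeral_port=51000):
    """Does a TCP connection from client_ip to dst_port complete, including the instance's reply?"""
    if kind == "sg":
        # Stateful: once the inbound SYN is allowed, the reply is tracked and needs no outbound rule.
        return sg_permits(rules, "in", "tcp", dst_port, client_ip)
    # Stateless: the reply to the client's ephemeral port is judged on its own by outbound rules.
    return (nacl_permits(rules, "in", "tcp", dst_port, client_ip)
            and nacl_permits(rules, "out", "tcp", ephemeral_port, client_ip))

def world_open_ingress(rules):
    """Flag allow rules that expose a port to the whole internet (the 'single API call' risk)."""
    return [r for r in rules if r.direction == "in" and r.action == "allow"
            and r.cidr in ("0.0.0.0/0", "::/0")]

# Constructed sample rule sets (hypothetical, not taken from any real account).
SG_HTTPS = [Rule("in", "tcp", 443, 443, "10.0.0.0/8")]
NACL_NO_RETURN = [Rule("in", "tcp", 443, 443, "10.0.0.0/8", number=100)]
NACL_FIXED = NACL_NO_RETURN + [Rule("out", "tcp", 1024, 65535, "10.0.0.0/8", number=100)]
SG_OPEN_SSH = [Rule("in", "tcp", 22, 22, "0.0.0.0/0")]
```

With NACL_NO_RETURN the inbound HTTPS rule exists but the session still fails, because the reply to the client's ephemeral port has no outbound rule; NACL_FIXED adds it.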


Micro-Segmentation and Zero Trust Networking

Traditional perimeter security does not translate to cloud. The exam increasingly tests zero trust concepts:

  • Every workload should have its own security group with least-privilege rules
  • East-west traffic (between internal services) must be inspected, not just north-south
  • Identity-based access replaces network-location-based trust
  • Service mesh architectures enforce mTLS between all microservices

If a scenario describes lateral movement between cloud workloads, the correct answer usually involves micro-segmentation or zero trust — not adding another perimeter firewall.

DNS and Content Delivery Security

Cloud-native DNS and CDN services introduce their own security considerations:

  • DNS hijacking can redirect traffic to attacker-controlled infrastructure
  • DNSSEC provides integrity and authentication for DNS responses
  • CDNs cache content at edge locations, which means sensitive data might persist in unexpected places
  • CDN misconfigurations can expose origin servers or bypass WAF rules

The exam may ask about securing the full communication path from client to cloud service, which includes DNS resolution, CDN edge, load balancer, and finally the application.


Exam Thinking: The Network Scenario Pattern

When you see a network security question on the exam, apply this mental checklist:

  1. Is the traffic encrypted in transit?
  2. Are network controls following least privilege?
  3. Is segmentation preventing lateral movement?
  4. Could this be solved by configuration rather than new tooling?

Most cloud network breaches are configuration errors. The exam rewards candidates who think about governance and process over adding more security appliances.
