This post gives practical, hands-on steps to implement subnet segmentation for public-facing services in AWS, Azure, and GCP to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 control SC.L1-B.1.XI — focusing on preventing direct exposure of internal systems, documenting controls for audits, and providing small-business-friendly examples and command snippets you can apply today.
Design principles and overall implementation notes
Start with a simple, auditable network design: separate a "public-facing" network layer (load balancers, ingress points, reverse proxies) from an "application" layer (web/app servers) and a "data" layer (databases, caches, internal services). Example CIDR plan for a single-account/single-VNet environment: VPC/VNet 10.0.0.0/16, public subnets 10.0.0.0/24 (AZ-a), app-private subnets 10.0.1.0/24 (AZ-a/b), db-private subnets 10.0.2.0/24 (AZ-b). Public subnets contain only NAT/IGW + load balancers and bastion/jump hosts; application and data subnets must have no direct route to the internet and should use NAT Gateways / Firewall egress for outbound updates. Document this architecture in your System Security Plan (SSP) and produce network diagrams as evidence for audits.
AWS: concrete steps and example commands
In AWS: create a VPC, separate public & private subnets, attach an Internet Gateway for public subnets, and create NAT Gateways in public subnets for private subnet egress. Example CLI outline: aws ec2 create-vpc --cidr-block 10.0.0.0/16; aws ec2 create-subnet --vpc-id
Azure: practical guidance and policy settings
In Azure: create a VNet with separate subnets (public-facing: load balancer or Application Gateway subnet; app: VM scale sets / app services in private subnets; db: subnet with NSG blocking Internet access). Use Azure Application Gateway or Front Door in the public subnet for TLS termination and WAF capabilities. For outbound-only private instances, use Azure NAT Gateway. Apply Network Security Groups (NSGs) at subnet-level to restrict traffic (example: allow incoming 443 to the AppGateway, allow traffic from AppGateway subnet to App subnet on app ports only). Use Azure Private Endpoint for PaaS resources (Azure SQL, Storage) to avoid public exposure. Turn on NSG flow logs via Network Watcher and export to Log Analytics or storage for evidence retention. Use Azure Policy to enforce approved IP ranges, disallow public IPs on VMs, and audit or deny non-compliant deployments.
GCP: implementation specifics and logging
In GCP: use a VPC with regional subnets and place external load balancers in "public" subnets while keeping backends in private subnets with Cloud NAT for outbound connections. Use GCP Firewall rules scoped by target tags or service accounts: allow 80/443 to the load balancer and only allow backend instances to accept traffic from the load balancer's health check and proxy IP ranges. Enable VPC Flow Logs to Cloud Logging and export to a retention bucket for audit artifacts. Use Private Service Connect or VPC Service Controls for sensitive data access and consider Identity-Aware Proxy (IAP) for management-plane access. Use organization policies to prevent externally created external IPs on VM instances except via approved modules.
Operational controls, evidence collection, and compliance tips
For FAR 52.204-21 and CMMC L1 evidence: maintain architecture diagrams, subnet and route table exports, Security Group / NSG / Firewall rule dumps, and flow log retention policies. Capture automated evidence by exporting Terraform state files (safely), CloudFormation/Azure ARM templates, and scheduled reports from AWS Config / Azure Policy / GCP Config Validator. Implement change control — require code review of infra-as-code changes and retain pull request history as evidence of design decisions. Use tagging and naming conventions (e.g., env:prod, zone:public-facing, compliance: cmmc-l1) to speed audits and queries. Schedule quarterly reviews for rule engines and run automated scanning (e.g., ScoutSuite, Prowler, AzSK) that map findings to FAR / CMMC controls so you can show remediation timelines.
Risk of not implementing subnet segmentation: public-facing services collocated with databases or internal controllers increase the risk of lateral movement after a web-tier compromise; misconfigurations can expose credentials or PII; non-segmentation can lead to failed audits, contract penalties, or disqualification from government work. For small businesses, a single exposed admin interface or database can cause disproportionate harm — financial loss, forced incident reporting, or loss of Federal contract opportunities.
Best practices and quick wins for small businesses: keep the public layer minimal (only load balancer + jump host), enforce least-privilege IAM, restrict management plane access to a management subnet or trusted IPs, enable WAF (AWS WAF / Azure WAF / Cloud Armor) on public entry points, and use a single NAT/egress point with logging. Automate compliance checks using AWS Config/Azure Policy/GCP Organization Policy and gate deployments with CI (terraform plan + security scanning). Consider a multi-account or multi-subscription model where production, non-prod, and management are separate to reduce blast radius, even if it's a small environment.
Summary: subnet segmentation for public-facing services is a practical, high-impact control to meet FAR 52.204-21 and CMMC 2.0 Level 1 SC.L1-B.1.XI — design clear public/app/db layers, enforce controls with security groups/NSGs/firewalls and NAT, collect automated evidence (flow logs, config snapshots, IaC history), and automate continuous checks; start with the simple CIDR and IAM rules above, codify them in IaC, and bake logging/retention into your deployment to satisfy auditors and reduce breach risk.
