Kubernetes Network Policies with VPC Private Subnets and Proxies for Secure, Predictable Traffic
The pods were alive, ready to move data, but nothing could pass without permission.
Kubernetes Network Policies give you that permission model. They define how pods talk to each other, to services, and to the outside. Combine them with a VPC private subnet, and you create a locked-down environment where only explicit paths exist. Every inbound and outbound connection can be allowed or denied based on namespace, labels, and IP ranges. Without this, workloads are exposed to noise, and an attacker only needs one open door.
In a cloud environment, a VPC private subnet shields internal traffic from public networks. No direct internet route exists for workloads inside it. This is essential when deploying proxies that bridge private clusters to external services. The proxy is the controlled point of contact, often placed in a public subnet but configured to send requests securely into the private subnet over specific ports. Network Policies enforce which pods can reach it. This prevents a misconfigured service from leaking data.
A typical deployment pattern uses three layers:
- Private subnet layer: Hosts stateful services, databases, and sensitive workloads. No default egress to the internet.
- Proxy layer: Reverse proxy or forward proxy handling ingress/egress between the private subnet and public endpoints.
- Policy layer: Kubernetes Network Policies for both ingress and egress, locking traffic to known CIDRs, namespaces, and ports.
To implement:
- Define NetworkPolicies for each namespace, allowing only required traffic.
- Place workloads in private subnets with no internet gateway.
- Deploy a proxy service in a reachable subnet.
- Whitelist only the proxy’s IPs in egress rules.
- Use service accounts and RBAC to protect control paths.
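The policy layer from the steps above, written out as Kubernetes manifests. This is an added example, not configuration from the original post or from hoop.dev: it assumes a namespace named `payments` holding the private-subnet workloads, a forward proxy outside the cluster at the placeholder CIDR `10.0.1.0/28` listening on TCP 3128, cluster DNS in `kube-system` labelled `k8s-app=kube-dns`, and a consuming namespace labelled `team=api`. Every name, label, CIDR and port is a placeholder to replace with your own values.

```yaml
# Added example (not from the original post or hoop.dev): a default-deny
# baseline for the namespace "payments" plus the two allow rules its
# workloads actually need. Assumptions: the forward proxy lives outside the
# cluster at 10.0.1.0/28 and listens on TCP 3128; cluster DNS runs in
# kube-system with the label k8s-app=kube-dns. All names, labels, CIDRs and
# ports are placeholders.
---
# 1. Deny everything. An empty podSelector selects every pod in the namespace;
#    listing both policyTypes with no ingress/egress rules means no inbound and
#    no outbound connection is permitted until another policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# 2. Egress: cluster DNS and the proxy, nothing else. NetworkPolicies are
#    additive allow-lists, so this opens exactly these two paths on top of the
#    deny above. Writing "cidr: 0.0.0.0/0" here instead of the proxy subnet
#    would silently undo the private-subnet isolation for every selected pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-dns-and-proxy
  namespace: payments
spec:
  podSelector:
    matchLabels:
      egress: via-proxy        # only pods that opt in get an outbound path
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - ipBlock:
            cidr: 10.0.1.0/28  # placeholder: proxy subnet in the public tier
      ports:
        - protocol: TCP
          port: 3128           # placeholder: proxy listen port
---
# 3. Ingress: only pods from namespaces labelled team=api may reach the
#    "ledger" pods, and only on the service port.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: ledger
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              team: api
      ports:
        - protocol: TCP
          port: 8443
```

Apply the three documents with `kubectl apply -f` and then verify enforcement rather than trusting the objects: NetworkPolicy is implemented by the CNI plugin, and a cluster whose CNI does not support it will accept these manifests while enforcing nothing. A quick check is to `kubectl exec` into a `payments` pod and open a TCP connection to an address outside the proxy CIDR; it should time out, while a connection to the proxy on port 3128 succeeds. Two design notes: `ipBlock` is for addresses outside the cluster such as the proxy subnet, and should not be used to match pod IPs, which can change and may be NATed; use namespace and pod selectors for in-cluster peers. Combining `namespaceSelector` and `podSelector` in one `to`/`from` entry (as in the DNS rule) means both must match, whereas listing them as separate entries would match either.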
This architecture ensures that even if a pod gets compromised, it cannot talk to unauthorized endpoints. The private subnet acts as the physical isolation, while Network Policies act as the logical enforcement. Proxies give you filtered, controlled access to external APIs, software updates, or partner networks.
Security teams can audit these policies alongside cloud firewall rules. When combined, governance and compliance checks become straightforward. Logs from proxy endpoints show exactly what external calls were made. NetworkPolicy enforcement keeps internal traffic aligned with your deployment rules.
Done right, Kubernetes Network Policies with VPC private subnets and proxy deployments are not just secure—they’re predictable.
See how easy it is to deploy this in minutes with hoop.dev. Push your config, set your rules, and watch controlled traffic flow exactly as designed.