Isolating workloads from one another within VPCs

Hello, How can I “isolate” a workload from another one?
I have a VPC with a 3-tier prod workload. I need to create a database and an EC2/ECS/serverless service that need to be isolated from the rest. Is it better to create a new VPC and VPC peering or only new subnets?

Depends on what your need for isolation is. I usually find VPCs are the wrong level of abstraction, and subnets, and then AWS accounts, are the right levels. Different VPCs can be good when you are running test and production versions of the same service AND there is a compliance restriction; otherwise subnets are usually best. For different products or services owned by different teams we always use separate AWS accounts. So where does the need to isolate come from?

We have a database and a Step Function to interact with Treezor (payment/credit card). So the requirements come from them.

Only the Step Function must interact with the database.

And the database can only be modified/read by the Step Function and by authorized people.

IAM gives you all the security you would ever need and should ever need. External third parties don’t have any requirements that you have to implement, so that part doesn’t make sense. But assuming there was some requirement externally, can you articulate what that requirement is and why it exists?

I can’t find the document in question, but it had some criteria like using TLS >= 1.2, implementing SSL pinning, etc.
I think I am over-engineering this anyway; subnets should be OK.

Oh definitely, although based on what you shared so far, the same subnet should also be okay

Thank you :slightly_smiling_face:

We isolate our accounts PROD/UAT/DEV in separate AWS accounts. That way if one gets compromised, we can destroy the entire account and rebuild without affecting all our other accounts. We then use separate VPCs for isolation within the account when needed. For example, internet-facing things are in a separate VPC from backend things.

For which part, the PROD/UAT separation or within an account?

Within an account. We also use dedicated accounts.

I guess we felt there was better isolation using multiple VPCs vs just subnet isolation.