Cloud Network Architecture Maturity
Not every company needs a global anycast fabric — but every company should understand where they sit on the maturity curve and what comes next. This guide walks through seven progressive levels of cloud network architecture, mapping each to the company stage where it typically appears, the security posture it enables, and the blast radius it exposes.
Use it to:
- Understand what “good” looks like at your stage
- Plan your next infrastructure evolution
- Evaluate the architecture maturity of SaaS vendors you depend on
- Communicate infrastructure risk to non-technical stakeholders
The 7 Levels at a Glance
| Level | Name | Typical Stage | Blast Radius | Availability | Security |
|---|---|---|---|---|---|
| L1 | Flat VPC | Seed / Pre-product | CRITICAL | 1/10 | 1/10 |
| L2 | Basic Subnet Segmentation | Early Startup (Seed–A) | HIGH | 3/10 | 3/10 |
| L3 | Layered Defense | Series A · SOC 2 Ready | MEDIUM-HIGH | 4/10 | 5/10 |
| L4 | Multi-AZ High Availability | Series B · HA Production | MEDIUM | 7/10 | 6/10 |
| L5 | Multi-Region Active-Passive | Series C · Multi-Region | LOW-MEDIUM | 8/10 | 7/10 |
| L6 | Zero-Trust Network | Late Stage · Enterprise | LOW | 9/10 | 9/10 |
| L7 | Global Anycast Fabric | Hyperscale · Global Platform | MINIMAL | 10/10 | 9/10 |
What Each Level Means
L1 — Flat VPC
Everything lives in a single VPC with public or minimally filtered access. Databases sit in public subnets. SSH happens over public IPs. Prod and dev share the same account. If any host is compromised, lateral movement to everything else is trivial. This is common in demos, MVPs, and hackathon-to-company transitions where shipping speed dominates all other concerns.
L2 — Basic Subnet Segmentation
Databases move to private subnets behind NAT. A load balancer becomes the internet-facing entry point. Security groups get tightened. This is usually the first “real” architecture — triggered by a security scare, a compliance push, or an enterprise prospect asking hard questions.
L3 — Layered Defense
WAF protects the application perimeter. Engineers access production only via VPN or bastion. AWS accounts split into prod/staging/dev. Logging and threat detection go active (GuardDuty, Security Hub, VPC Flow Logs). SOC 2 becomes achievable. Still single-region, so a regional outage means downtime.
L4 — Multi-AZ High Availability
True high availability through active-active deployment across multiple Availability Zones. No single AZ failure causes downtime. Databases replicate synchronously. Infrastructure is defined entirely in code. 99.9%+ SLA becomes credible. Still single-region.
L5 — Multi-Region Active-Passive
Primary region serves traffic with a warm standby in a secondary region. Transit Gateway interconnects VPCs across accounts and regions. Cross-region database replication enables RTO < 15 minutes. Disaster recovery is tested quarterly. Data residency policies are enforceable.
L6 — Zero-Trust Network
The network perimeter is abolished. Every service-to-service connection is authenticated and encrypted with mTLS. Workload identity (SPIFFE/SPIRE) replaces IP-based trust. SASE replaces VPN for human access. Network policies are enforced at the workload level. Lateral movement requires identity compromise, not just network access.
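To make the last sentence concrete, here is an added example (not part of the original catalog) that contrasts an L3-style network-trust decision with an L6-style workload-identity decision for the same call. The service name, trust domain, subnet and SPIFFE IDs are constructed for illustration; the identity check assumes the peer's SPIFFE ID was already extracted from an mTLS-verified certificate, which is the SPIFFE/SPIRE model the text refers to.

```python
"""Added example, not part of the original catalog: an L3-style check that trusts
the source subnet next to an L6-style check that trusts only a verified workload
identity. Trust domain, subnet, service names and SPIFFE IDs are constructed."""
import ipaddress
from urllib.parse import urlparse

TRUST_DOMAIN = "example.internal"  # constructed SPIFFE trust domain

# L3-style policy: any host inside the app subnet may call the orders service.
NETWORK_ALLOW = {"orders": [ipaddress.ip_network("10.0.1.0/24")]}

# L6-style policy: only the named workload identities may call the orders service.
IDENTITY_ALLOW = {"orders": {"spiffe://example.internal/ns/shop/sa/checkout"}}


def parse_spiffe_id(spiffe_id):
    """Validate the shape of a workload SPIFFE ID (spiffe://<trust-domain>/<path>)
    and return (trust_domain, path). Raises ValueError on anything else."""
    u = urlparse(spiffe_id)
    if u.scheme != "spiffe" or not u.netloc or u.path in ("", "/"):
        raise ValueError(f"malformed SPIFFE ID: {spiffe_id!r}")
    if u.query or u.fragment or u.username or u.port:
        raise ValueError(f"SPIFFE IDs carry no query, fragment, userinfo or port: {spiffe_id!r}")
    return u.netloc, u.path


def network_trust_allows(service, src_ip):
    """L3-style decision: trust is a property of where the packet came from."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in NETWORK_ALLOW.get(service, []))


def identity_allows(service, peer_spiffe_id):
    """L6-style decision: trust is a property of the mTLS-verified workload identity.
    peer_spiffe_id is None when the client presented no valid SVID at all."""
    if peer_spiffe_id is None:
        return False
    try:
        trust_domain, _path = parse_spiffe_id(peer_spiffe_id)
    except ValueError:
        return False
    return trust_domain == TRUST_DOMAIN and peer_spiffe_id in IDENTITY_ALLOW.get(service, set())


def lateral_movement_outcome(src_ip, peer_spiffe_id, service="orders"):
    """Evaluate one call under both models so the difference is visible side by side."""
    return {
        "network_trust": network_trust_allows(service, src_ip),
        "workload_identity": identity_allows(service, peer_spiffe_id),
    }


if __name__ == "__main__":
    # Constructed scenarios: the real checkout pod, and a compromised host in the
    # same subnet that holds no checkout SVID.
    checkout = "spiffe://example.internal/ns/shop/sa/checkout"
    print("checkout pod:     ", lateral_movement_outcome("10.0.1.5", checkout))
    print("compromised host: ", lateral_movement_outcome("10.0.1.77", None))
    print("foreign domain:   ", lateral_movement_outcome("10.0.1.77", "spiffe://other.example/ns/shop/sa/checkout"))
```

The compromised host passes the network-trust check simply by sitting in the trusted subnet, but fails the identity check until it can present the checkout workload's SVID. That is the shift the level describes: the attacker's next step becomes stealing or minting an identity, which is a much louder and better-logged event than an intra-subnet connection.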
L7 — Global Anycast Fabric
Traffic routes to the nearest Point of Presence via anycast BGP. Active-active deployments across multiple clouds and regions serve requests with sub-20ms latency globally. Companies at this level: Cloudflare, Stripe, Datadog, Fastly. Complexity itself becomes the primary operational risk.
Assessment Dimensions
Each level is scored across four dimensions:
- Availability (1–10) — Resilience to infrastructure failures and ability to maintain uptime SLAs
- Security (1–10) — Depth of defense, segmentation, and threat detection capabilities
- Observability (1–10) — Visibility into network flows, anomalies, and security events
- Ops Complexity (1–10) — Operational burden and engineering expertise required (higher = more complex)
How to Read Each Level
Every level in the catalog includes:
- What you’ll see — Observable architecture signals that indicate this level
- Remaining risks / gaps — What hasn’t been addressed yet
- Compliances achievable — Which frameworks are realistically attainable
- Blast radius — The potential scope of impact from a security incident
- Assessment signals — Specific questions to ask during evaluation (phrased as yes/no checks)
- Score bars — Visual 1–10 ratings across the four dimensions
- Trigger to next level — The business conditions that typically drive evolution
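The assessment signals above are phrased as yes/no checks, which means they can be turned into an executable scorecard. The following is an added example (not part of the original catalog) that encodes the observable signals for L1 through L5 as checks over a constructed account inventory and reports the highest level an environment actually reaches together with the gaps blocking the next one. The inventory shape, the signal names and the 90-day DR-test threshold are assumptions made for this illustration; they are not an AWS API or Terraform schema.

```python
"""Added example, not part of the original catalog: the catalog's yes/no
assessment signals for L1-L5 as executable checks over a constructed inventory.
The inventory shape and signal names are assumptions for illustration only."""
import copy
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")

# Constructed inventory: one simplified snapshot of a small environment.
SAMPLE_INVENTORY = {
    "accounts": {"prod": "111111111111", "dev": "111111111111"},  # prod and dev share one account
    "subnets": {
        "public-a": {"public": True, "az": "us-east-1a"},
        "private-a": {"public": False, "az": "us-east-1a"},
        "private-b": {"public": False, "az": "us-east-1b"},
    },
    "databases": [{"name": "orders-db", "subnet": "private-a", "multi_az": False}],
    "load_balancers": [{"name": "web-alb", "internet_facing": True, "waf_attached": False}],
    "security_groups": {
        "sg-web": [{"port": 443, "cidr": "0.0.0.0/0"}],
        "sg-mgmt": [{"port": 22, "cidr": "0.0.0.0/0"}],  # SSH reachable from the internet
    },
    "detection": {"guardduty": False, "securityhub": False, "vpc_flow_logs": True},
    "access": {"bastion_or_vpn_only": False},
    "dr": {"standby_region": None, "last_dr_test_days": None},
}


def _db_subnets_private(inv):
    return all(not inv["subnets"][db["subnet"]]["public"] for db in inv["databases"])

def _no_ssh_from_internet(inv):
    return not any(rule["port"] == 22 and ipaddress.ip_network(rule["cidr"]) == ANY_V4
                   for rules in inv["security_groups"].values() for rule in rules)

def _lb_is_entry_point(inv):
    return any(lb["internet_facing"] for lb in inv["load_balancers"])

def _waf_on_public_lbs(inv):
    public = [lb for lb in inv["load_balancers"] if lb["internet_facing"]]
    return bool(public) and all(lb["waf_attached"] for lb in public)

def _accounts_split(inv):
    return inv["accounts"]["prod"] != inv["accounts"]["dev"]

def _detection_active(inv):
    return all(inv["detection"].values())

def _bastion_or_vpn(inv):
    return inv["access"]["bastion_or_vpn_only"]

def _multi_az(inv):
    azs = {s["az"] for s in inv["subnets"].values() if not s["public"]}
    return len(azs) >= 2 and all(db["multi_az"] for db in inv["databases"])

def _standby_region(inv):
    return inv["dr"]["standby_region"] is not None

def _dr_tested_quarterly(inv):  # 90-day threshold is an assumption for "quarterly"
    days = inv["dr"]["last_dr_test_days"]
    return days is not None and days <= 90

# Signals that must all hold to claim a level; L1 is the baseline and has none.
LEVEL_SIGNALS = {
    2: {"databases in private subnets": _db_subnets_private,
        "no SSH from 0.0.0.0/0": _no_ssh_from_internet,
        "load balancer is the internet-facing entry point": _lb_is_entry_point},
    3: {"WAF on every internet-facing load balancer": _waf_on_public_lbs,
        "prod and dev in separate accounts": _accounts_split,
        "production access only via bastion or VPN": _bastion_or_vpn,
        "GuardDuty, Security Hub and VPC Flow Logs enabled": _detection_active},
    4: {"private subnets and databases span at least two AZs": _multi_az},
    5: {"warm standby in a second region": _standby_region,
        "DR exercised within the last 90 days": _dr_tested_quarterly},
}


def assess(inv):
    """Return (level, gaps): the highest level whose signals all hold, plus the
    failing signals that block the next level. A level only counts when every
    level below it holds too, so a single open SSH rule pins an account to L1."""
    level = 1
    for n in sorted(LEVEL_SIGNALS):
        failing = [name for name, check in LEVEL_SIGNALS[n].items() if not check(inv)]
        if failing:
            return level, failing
        level = n
    return level, []


def restrict_ssh(inv, allowed_cidr):
    """Remediation helper: a copy of the inventory with every port-22 rule
    limited to allowed_cidr (for example the bastion subnet)."""
    fixed = copy.deepcopy(inv)
    for rules in fixed["security_groups"].values():
        for rule in rules:
            if rule["port"] == 22:
                rule["cidr"] = allowed_cidr
    return fixed


if __name__ == "__main__":
    for label, inv in (("as found", SAMPLE_INVENTORY),
                       ("after restricting SSH", restrict_ssh(SAMPLE_INVENTORY, "10.0.0.0/8"))):
        level, gaps = assess(inv)
        print(f"{label}: L{level}; blocking next level: {gaps or 'none'}")
```

Two design points carry over to a real assessment: levels are cumulative, so the scorecard never reports L4 for an environment that still fails an L2 signal, and the output is the list of blocking gaps rather than a bare number, which is what an engineering team can act on and what a non-technical stakeholder can read as the "trigger to next level".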
Resources
Content Generation Prompt
The complete LLM prompt system for generating maturity catalog content. Includes the TypeScript-style content model schema, ground truth definitions for all 7 levels, and the full design system specification.
Interactive Maturity Catalog
A visual, filterable reference with architecture diagrams, assessment signals, score bars, and blast radius meters for all 7 levels. Filter by stage: Early Stage, Growth, or Enterprise.