
Preserving network segmentation for cloud web app in a user friendly way

Çağlar Arlı


Assume a team maintaining multiple simple cloud web apps, each with an associated secret key store.

The control plane for the app needs to access secrets, and we don't want to expose the secret store on the internet, thus we put both resources in the same VNet and then expose the web service through other means (e.g. an application gateway).

I think this is a fair way to do defence-in-depth, protecting the secret store from the internet. However, I see that VNets are peered into the corporate network more and more. I think this is mainly for convenience, as e.g. secrets management can then be done from a personal laptop on the corporate VPN.

If most teams follow this strategy, we face the risk of a supply chain attack on one of the services: now we have malicious code running somewhere, and it has access to the entire corporate network.

Without peering, our developers complain that maintaining all these different VNets and VPN connections is too hard, and start challenging the value of segmentation altogether (to the tune of "the keyvault authz/n is as secure as the Azure portal itself").

I don't want to face the risk of exposing the secret store on the internet, and I also don't want to have a large pool of VNets peered together with the corporate network, as this essentially violates network segmentation.

Is there a way to preserve good network segmentation as defined in the zero trust security model, while retaining some form of user friendliness for developers managing the solutions? Or any other recommendations for this scenario?
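For reference, the topology the question describes (web app and secret store in one VNet, secret store unreachable from the internet, the app authenticating to it with its own identity rather than a shared secret) written out as Terraform for Azure. This is an added example, not code from the question's author; resource names, address ranges, the region and the azurerm provider version (3.x, where the Key Vault RBAC attribute is still called `enable_rbac_authorization`) are assumptions. The application gateway that fronts the app is left out, since it is the part the question already takes as given.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.100" } # assumed version
  }
}
provider "azurerm" { features {} }
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-segmented-app" # hypothetical name
  location = "westeurope"       # assumed region
}

# One VNet per app. Nothing here peers it to the corporate network.
resource "azurerm_virtual_network" "vnet" {
  name                = "vnet-app"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.10.0.0/16"]
}

# Subnet the App Service is integrated into (outbound traffic originates here).
resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"]
  delegation {
    name = "appservice"
    service_delegation {
      name    = "Microsoft.Web/serverFarms"
      actions = ["Microsoft.Network/virtualNetworks/subnets/action"]
    }
  }
}

# Subnet that hosts the Key Vault private endpoint.
resource "azurerm_subnet" "pe" {
  name                 = "snet-pe"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.2.0/24"]
}

# The secret store. public_network_access_enabled = true (the default) is the
# "exposed on the internet" setting the question wants to avoid; with it off and
# a Deny ACL, the vault answers only on its private endpoint inside the VNet.
resource "azurerm_key_vault" "kv" {
  name                          = "kv-segmented-app-0001" # must be globally unique; placeholder
  location                      = azurerm_resource_group.rg.location
  resource_group_name           = azurerm_resource_group.rg.name
  tenant_id                     = data.azurerm_client_config.current.tenant_id
  sku_name                      = "standard"
  enable_rbac_authorization     = true  # Azure RBAC instead of access policies
  public_network_access_enabled = false
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

# Private DNS so the vault's hostname resolves to the private endpoint from inside the VNet.
resource "azurerm_private_dns_zone" "kv" {
  name                = "privatelink.vaultcore.azure.net"
  resource_group_name = azurerm_resource_group.rg.name
}
resource "azurerm_private_dns_zone_virtual_network_link" "kv" {
  name                  = "kv-dns-link"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = azurerm_private_dns_zone.kv.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}
resource "azurerm_private_endpoint" "kv" {
  name                = "pe-kv"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.pe.id
  private_service_connection {
    name                           = "kv"
    private_connection_resource_id = azurerm_key_vault.kv.id
    subresource_names              = ["vault"]
    is_manual_connection           = false
  }
  private_dns_zone_group {
    name                 = "kv"
    private_dns_zone_ids = [azurerm_private_dns_zone.kv.id]
  }
}

# The web app: VNet-integrated, with a system-assigned identity it uses to read secrets.
resource "azurerm_service_plan" "plan" {
  name                = "plan-app"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  os_type             = "Linux"
  sku_name            = "P1v3"
}
resource "azurerm_linux_web_app" "app" {
  name                      = "app-segmented-0001" # must be globally unique; placeholder
  location                  = azurerm_resource_group.rg.location
  resource_group_name       = azurerm_resource_group.rg.name
  service_plan_id           = azurerm_service_plan.plan.id
  virtual_network_subnet_id = azurerm_subnet.app.id
  identity { type = "SystemAssigned" }
  site_config { vnet_route_all_enabled = true } # send all outbound traffic through the VNet
  app_settings = { KEY_VAULT_URI = azurerm_key_vault.kv.vault_uri }
}

# Least privilege: the app's identity may read secrets and nothing else on the vault.
resource "azurerm_role_assignment" "app_reads_secrets" {
  scope                = azurerm_key_vault.kv.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_linux_web_app.app.identity[0].principal_id
}
```

Two things to check after `terraform apply`: a `curl https://<vault>.vault.azure.net` from outside the VNet should be refused (the ACL default is Deny and public access is off), while `nslookup` for the same hostname from the integrated subnet should return the 10.10.2.x private-endpoint address. Note that the same setting that keeps the vault off the internet is also what makes "manage secrets from a laptop on the corporate VPN" impossible without a peering or another path into the VNet, which is exactly the trade-off the question is about.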