AS-301b · Module 1
Designing Communication Maps
The communication map is the blueprint for your microsegmentation. It is a directed graph where nodes are agents and services, and edges are allowed connections. Drawing this map requires answering one question for every pair of components: does A need to talk to B? Not "might A ever need to talk to B" — does A need to talk to B to perform its current tasks? The difference between those two questions is the difference between a tight map and a permissive one.
Do This
- Draw the communication map before deploying the mesh — the map is the input, not the output
- Validate the map against actual traffic patterns — if a connection in the map carries zero traffic for 30 days, remove it
- Version control the map alongside your infrastructure code — changes to the map are changes to the security posture
Avoid This
- Build the map by allowing everything and then restricting — that approach never converges to tight isolation
- Let developers add connections without security review — every new edge is a new attack path
- Maintain the map in a document separate from the enforcement configuration — drift between map and enforcement creates false confidence
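An added example (not part of the course material) of the validation step described above: the map is held as a set of directed edges, a constructed flow log is checked against it, and the result lists idle edges (removal candidates after the 30-day window), observed connections missing from the map, and places where enforcement disagrees with the map. Service names, timestamps and the `permitted` flag are all constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed communication map: allowed directed edges (source -> destination).
# Service names are hypothetical placeholders, not taken from any real deployment.
ALLOWED_EDGES = {
    ("web", "api"),
    ("api", "db"),
    ("api", "cache"),
    ("batch", "db"),  # legacy edge we expect to find idle
}

# Constructed flow records: (timestamp, source, destination, permitted_by_enforcement).
# In practice these come from mesh access logs or flow telemetry.
FLOW_LOG = [
    ("2024-03-01T10:00:00", "web", "api", True),
    ("2024-03-02T11:30:00", "api", "db", True),
    ("2024-03-05T09:15:00", "api", "cache", True),
    ("2024-03-07T14:00:00", "web", "db", False),    # not in map, correctly denied
    ("2024-03-08T08:20:00", "batch", "api", True),  # not in map, yet permitted: drift
    ("2024-03-09T16:45:00", "api", "db", True),
]


def validate_map(allowed, flows, now, idle_days=30):
    """Compare the map against observed traffic.

    Returns a dict with three sets of (src, dst) edges:
      idle     - in the map but no traffic within idle_days (removal candidates)
      unmapped - observed but absent from the map (denied, or drifted)
      drift    - where enforcement's decision disagrees with the map
    """
    cutoff = now - timedelta(days=idle_days)
    last_seen = {}
    unmapped, drift = set(), set()
    for ts, src, dst, permitted in flows:
        edge = (src, dst)
        in_map = edge in allowed
        if in_map != permitted:  # map says one thing, enforcement did another
            drift.add(edge)
        if not in_map:
            unmapped.add(edge)
            continue
        when = datetime.fromisoformat(ts)
        if edge not in last_seen or when > last_seen[edge]:
            last_seen[edge] = when
    idle = {e for e in allowed if e not in last_seen or last_seen[e] < cutoff}
    return {"idle": idle, "unmapped": unmapped, "drift": drift}


if __name__ == "__main__":
    report = validate_map(ALLOWED_EDGES, FLOW_LOG, datetime(2024, 3, 10))
    for kind, edges in report.items():
        print(kind, sorted(edges))
```

Run against real telemetry, the `drift` set is the one to treat as an alert: an edge that enforcement permits but the map does not means the map no longer describes the actual security posture.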