Segment cloud networks to limit attack spread and improve monitoring.

• Use multi-account/multi-subscription strategies to separate environments (e.g., Prod vs Dev)
• Isolate blast radiuses using VPC peering selectively or Transit Gateways
• Log accepted and rejected traffic (VPC Flow Logs)