Implement proper VPC configuration with subnets, security groups, and routing.

• Keep databases and internal services in private subnets without public IPs
• Use Security Groups to model stateful application-tier boundaries
• Use Network ACLs for stateless, subnet-level deny rules
• Route outbound external traffic through NAT Gateways, avoiding direct IGW access where not needed