D3 · Architecture

What are security zones?

Security zones classify network segments by trust level: Untrusted (internet), DMZ (semi-trusted, public-facing), Trusted (internal), Restricted (highest security — PCI, HR, executive).
Traffic rules between zones enforce least-privilege networking: DMZ → Internal requires an explicit permit, and traffic moving from a lower-trust zone to a higher-trust zone gets stricter inspection. Micro-segmentation extends zones to individual workloads. In zero trust architectures, east-west (intra-zone) traffic should also be inspected.