Networking & Security

OSI Model

IP Addressing & Subnetting

# Private IP Ranges (RFC 1918)
10.0.0.0/8        # 10.0.0.0 - 10.255.255.255    (16M+ addresses)
172.16.0.0/12     # 172.16.0.0 - 172.31.255.255   (1M+ addresses)
192.168.0.0/16    # 192.168.0.0 - 192.168.255.255 (65K addresses)

# CIDR Notation Cheat Sheet
/16 = 255.255.0.0     = 65,534 hosts  (VPC)
/20 = 255.255.240.0   = 4,094 hosts   (Large subnet)
/24 = 255.255.255.0   = 254 hosts     (Typical subnet)
/28 = 255.255.255.240 = 14 hosts      (Small subnet)
/32 = 255.255.255.255 = 1 host        (Single host)

# Typical VPC layout
VPC:       10.0.0.0/16
Public-1a: 10.0.1.0/24   (web servers, load balancers)
Public-1b: 10.0.2.0/24
Private-1a: 10.0.10.0/24  (app servers, databases)
Private-1b: 10.0.11.0/24

DNS

Record Types

HTTP/HTTPS

Important Status Codes

Load Balancing

Load Balancing Algorithms

• Round Robin — Distributes sequentially
• Least Connections — Sends to server with fewest active connections
• IP Hash — Routes based on client IP (session persistence)
• Weighted — Distributes based on server capacity weights

# Nginx as a load balancer
upstream backend {
    least_conn;
    server app1:3000 weight=3;
    server app2:3000 weight=2;
    server app3:3000 weight=1;
}

server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

TLS/SSL Certificates

# Generate a self-signed certificate (dev only)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# Use Let's Encrypt with Certbot (production)
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d example.com -d www.example.com

# Auto-renewal
sudo certbot renew --dry-run

# Check certificate expiry
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Firewalls & Security Groups

# AWS Security Group (Terraform)
resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = aws_vpc.main.id

  # Allow HTTPS from anywhere
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Allow SSH from office only
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]  # Office IP range
  }

  # Allow all outbound
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

Service Mesh

A service mesh handles service-to-service communication with mTLS, observability, and traffic management.

• Istio — Most feature-rich, uses Envoy proxy sidecars
• Linkerd — Lightweight, easy to set up, CNCF graduated
• Consul Connect — HashiCorp's service mesh solution

Zero-Trust Networking

"Never trust, always verify." Zero-trust assumes no implicit trust based on network location.

1. Verify identity — Authenticate every request
2. Least privilege — Minimal access permissions
3. Micro-segmentation — Fine-grained network policies
4. Encrypt everything — mTLS between all services
5. Continuous monitoring — Log and inspect all traffic