
Networking 1

This doc covers:

Core Networking Concepts

  • IP Addresses

  • DNS

  • Ports

Security & Network Organization

  • Subnets

  • Routing

  • Firewalls

  • NAT

Cloud Networking Essentials

  • VPC

  • Internet Gateway

  • NAT Gateway

  • Route Tables

Container [[Networking-Docker]]

Sam

Top 5 concepts

  • Addressing (IP, DNS): How devices find each other

  • Ports: How multiple apps share one IP

  • Segmentation (Subnets, Routing): How we organize networks

  • Firewalls: How we control traffic (between segments & ports)

  • NAT: How private addresses access the internet

PreReq-Clients-Servers

┌──────────────┐          request           ┌──────────────┐
│    Client    │    ───────────────────▶    │    Server    │
│  (library)   │    ◀───────────────────    │  (runtime)   │
└──────────────┘          response          └──────────────┘

Client examples:

  • AWS ⟶ boto3

  • Postgres ⟶ psycopg2

  • HTTP APIs ⟶ requests

  • LLMs ⟶ LangChain

Server examples:

  • FastAPI app

  • Database engine

  • Model runtime (Ollama, Bedrock)

  • Managed service endpoint (AWS APIs)

Networking Concepts

Every Networking Concept

TravelBuddy, the example system, broken down into its parts:

Frontend application

  • Website UI

Backend application

  • Payment system

Database application

  • MySQL database

1: Single Server (IP, DNS)


Assume we launched TravelBuddy with 1 server running the entire app.

Q1: How do customers find our server on the internet? A1: Our public IP address (203.0.113.10)


Q2: Do I need to remember IP addresses? A2: No, use the DNS.

Ex:

  • DNS: travelbuddy.com

  • IP: 203.0.113.10

2: Multiple Apps (Ports)


Our single server is now running 3 apps:

  • website: port 80 or port 443

  • MySQL DB: port 3306

  • payment service: port 9090

Q3: When a client request arrives, where should the server direct it? A3: To the appropriate port (in this case, the website on port 80)


Port mapping (or binding) is how the server routes outside calls to the right port.

  1. Someone calls the building (the host machine) via the front desk phone number (the host port).

  2. Reception forwards to the apartment (the container) via the apartment number (the container port).

3: Security and Segmentation (Subnets, Routing, Firewall)


Having only one server ⟶ security risk.

Q4: What should we do? A4: Use network segmentation to separate apps.


Q5: How do we apply network segmentation? A5: Use subnets to divide our network into separate sections.

Most systems have many apps per subnet.


Q6: How do apps across subnets talk? A6: Use routing (directs traffic between segments).


Q7: How do we restrict routing for security? A7: Use firewalls. Restrict traffic based on our rules.

  • host firewalls protect individual servers

  • network firewalls sit between subnets
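Worked example (added here, not part of the original note): a first-match firewall rule evaluator for the three TravelBuddy tiers. The subnet ranges, the `Rule` type and the rule list are constructed assumptions; the ports (80/443, 9090, 3306) are the ones the note uses. Each allow rule is exactly one hop of the request path (internet to website, website to payment, payment to MySQL), and anything unmatched is denied, so a customer cannot reach MySQL directly and the website cannot skip the backend.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: TravelBuddy split into three subnets (one tier per segment).
# The address ranges are assumptions; the note does not give them.
SUBNETS = {
    "public":  ipaddress.ip_network("10.0.1.0/24"),  # website servers
    "backend": ipaddress.ip_network("10.0.2.0/24"),  # payment service
    "db":      ipaddress.ip_network("10.0.3.0/24"),  # MySQL
}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network  # which sources may send
    dst: ipaddress.IPv4Network  # which segment they may reach
    port: int                   # destination port
    action: str                 # "allow" or "deny"


# Rules are checked top to bottom and the first match wins.
# Each allowed path is one hop of the request flow:
# internet -> website -> payment service -> MySQL.
RULES = [
    Rule(ANY, SUBNETS["public"], 443, "allow"),                  # HTTPS to the website
    Rule(ANY, SUBNETS["public"], 80, "allow"),                   # HTTP to the website
    Rule(SUBNETS["public"], SUBNETS["backend"], 9090, "allow"),  # website -> payment
    Rule(SUBNETS["backend"], SUBNETS["db"], 3306, "allow"),      # payment -> MySQL
]


def segment_of(ip: str) -> str:
    """Name the subnet an address belongs to, or 'internet' if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, port: int, rules=RULES) -> str:
    """Decide a packet: the first matching rule's action, otherwise default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst and port == rule.port:
            return rule.action
    return "deny"  # no rule matched: deny is the safe default


if __name__ == "__main__":
    checks = [
        ("198.51.100.7", "10.0.1.20", 443),  # customer -> website
        ("198.51.100.7", "10.0.3.5", 3306),  # customer -> MySQL directly
        ("10.0.1.20", "10.0.3.5", 3306),     # website -> MySQL, skipping the backend
        ("10.0.2.9", "10.0.3.5", 3306),      # payment -> MySQL
    ]
    for src, dst, port in checks:
        print(f"{segment_of(src):>8} -> {segment_of(dst):>8}:{port}  {evaluate(src, dst, port)}")
```

The same rule shape works for a host firewall (rules on one server, `dst` being that server's address) and for a network firewall between subnets (rules on the segment boundary); what changes is where the rule list is enforced, not how it is evaluated.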

4: NAT


We now have 50 backend servers in a private subnet, each with its own private IP address.

Q8: How can backend servers reach the internet? A8: Via NAT (Network Address Translation)

Flow

  • Backend server ⟶ NAT device ⟶ Internet ⟶ NAT device ⟶ Backend server
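Worked example (added here, not part of the original note): a minimal port-based NAT that walks the flow above in code. The `Nat` class and its translation tables are constructed; the public IP reuses the note's 203.0.113.10, and the private addresses are assumptions. It shows the two things NAT gives the backend subnet: many private servers share one public address (each flow gets its own public port), and an inbound packet that matches no existing mapping has nowhere to go and is dropped.

```python
import itertools


class Nat:
    """Minimal port-based NAT, the behaviour of a home router or a cloud NAT gateway.

    Many private addresses share one public IP; each outbound flow is given its
    own public source port so that replies can be mapped back to the right server.
    """

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)  # next free public port
        self.outbound = {}  # (private_ip, private_port) -> public_port
        self.inbound = {}   # public_port -> (private_ip, private_port)

    def translate_outbound(self, packet: dict) -> dict:
        """Backend server -> NAT device: rewrite the private source to the public one."""
        key = (packet["src_ip"], packet["src_port"])
        if key not in self.outbound:  # first packet of this flow: allocate a port
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return {**packet, "src_ip": self.public_ip, "src_port": self.outbound[key]}

    def translate_inbound(self, packet: dict):
        """Internet -> NAT device: map a reply back, or drop it if no flow asked for it."""
        if packet["dst_ip"] != self.public_ip or packet["dst_port"] not in self.inbound:
            return None  # no mapping exists: unsolicited packets are dropped
        private_ip, private_port = self.inbound[packet["dst_port"]]
        return {**packet, "dst_ip": private_ip, "dst_port": private_port}


def round_trip(nat: Nat, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
    """Walk the flow: backend server -> NAT -> internet -> NAT -> backend server."""
    outbound = nat.translate_outbound(
        {"src_ip": src_ip, "src_port": src_port, "dst_ip": dst_ip, "dst_port": dst_port}
    )
    # The internet host replies to what it saw: the NAT's public address and port.
    reply = {
        "src_ip": dst_ip, "src_port": dst_port,
        "dst_ip": outbound["src_ip"], "dst_port": outbound["src_port"],
    }
    return outbound, nat.translate_inbound(reply)


if __name__ == "__main__":
    nat = Nat("203.0.113.10")
    # Two backend servers (constructed addresses) happen to pick the same source port.
    for server in ("10.0.2.11", "10.0.2.12"):
        out, back = round_trip(nat, server, 51000, "198.51.100.20", 443)
        print(f"{server}:51000 -> {out['src_ip']}:{out['src_port']} ... reply -> {back['dst_ip']}:{back['dst_port']}")
    stray = {"src_ip": "198.51.100.99", "src_port": 12345, "dst_ip": "203.0.113.10", "dst_port": 3306}
    print("unsolicited inbound:", nat.translate_inbound(stray))
```

Dropping unmapped inbound packets is a side effect of the translation table, not a substitute for a firewall: once a backend server opens a flow, replies on that mapping are let through, so the firewall rules from the previous section still decide what the backend subnet may reach.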

5: Cloud Networking (VPC, Subnets, Gateways)


  • Problem: Maintaining physical servers is getting expensive and slow.

  • Solution: Move to the cloud, where servers are provided as managed services.

Concepts remain, but tools change:

  • Physical routers ⟶ VPCs

  • Physical firewalls ⟶ Security Groups

  • Bare metal ⟶ Containers ⟶ Kubernetes


In the cloud

  1. create a VPC (private IP space).

  2. create subnets (public/private).

  3. attach route tables (where traffic can go).

  4. attach an Internet Gateway (public internet path).

  5. attach a NAT Gateway (private subnet outbound internet).

  6. lock it down with Security Groups / NACLs (ports + allowed sources).
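Worked example (added here, not part of the original note and not cloud-provider code): the route-table step of the list above, evaluated the way a VPC router does it, with longest-prefix match. The VPC CIDR, subnet ranges and the target names `local`, `igw` and `nat-gw` are constructed assumptions. It shows why a public and a private subnet differ only in one route (`0.0.0.0/0` to the Internet Gateway versus to the NAT Gateway) and why a subnet with no default route, such as the database tier, has no internet path at all.

```python
import ipaddress

# Constructed example VPC; the CIDRs are assumptions, not values from the note.
VPC_CIDR = "10.0.0.0/16"

# A route table is a list of (destination CIDR, target). Target names follow the note:
# "local" (inside the VPC), "igw" (Internet Gateway), "nat-gw" (NAT Gateway).
ROUTE_TABLES = {
    "public":   [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw")],
    "private":  [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-gw")],
    "isolated": [(VPC_CIDR, "local")],  # database subnet: no route to the internet
}

# Which subnet is attached to which route table (step 3 above).
SUBNET_TABLE = {
    "10.0.1.0/24": "public",    # website
    "10.0.2.0/24": "private",   # payment service
    "10.0.3.0/24": "isolated",  # MySQL
}


def lookup(route_table, dst_ip: str) -> str:
    """Longest-prefix match: the most specific route wins; no route means blackhole."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, "blackhole"
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def next_hop(src_ip: str, dst_ip: str) -> str:
    """Find the source's subnet, pick its route table, and resolve the destination."""
    src = ipaddress.ip_address(src_ip)
    for cidr, table_name in SUBNET_TABLE.items():
        if src in ipaddress.ip_network(cidr):
            return lookup(ROUTE_TABLES[table_name], dst_ip)
    raise ValueError(f"{src_ip} is not in any known subnet")


if __name__ == "__main__":
    cases = [
        ("10.0.1.20", "198.51.100.20"),  # website -> internet: straight out the IGW
        ("10.0.2.9", "198.51.100.20"),   # payment -> internet: via the NAT Gateway
        ("10.0.2.9", "10.0.3.5"),        # payment -> MySQL: stays local (/16 beats /0)
        ("10.0.3.5", "198.51.100.20"),   # MySQL -> internet: no route, dropped
    ]
    for src, dst in cases:
        print(f"{src} -> {dst}: {next_hop(src, dst)}")
```

Route tables only say where traffic can go; step 6 (Security Groups / NACLs) still decides whether it is allowed, so a private subnet with a NAT route needs egress rules as much as a public one.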


6: Container Networking


Problem: We move to microservices for scalability, but deployment becomes harder ("it works on my machine"). Solution: A container packages everything an application needs into 1 portable unit.

  • code

  • runtime

  • libraries

  • settings

See note Networking-2-Containers.