Networking Fundamentals

Expert-defined terms from the Advanced Certificate in Cloud Networking course at Greenwich School of Business and Finance. Free to read, free to share, paired with a professional course.

Networking Fundamentals

Access Control List (ACL)

A set of rules that define which traffic is permitted or denied on a network interface. Related terms: Firewall, packet filtering, security policy. In cloud environments, ACLs are often applied to virtual network interfaces or subnets to restrict inbound and outbound traffic. Example: An ACL allowing HTTP (port 80) and HTTPS (port 443) from any source while denying all other ports. Practical application includes isolating tiered application components, such as permitting only web servers to communicate with application servers. Challenges arise when managing large numbers of ACL entries across multiple VPCs, leading to rule sprawl and potential misconfigurations that can unintentionally block legitimate traffic.

ARP (Address Resolution Protocol)

A protocol used to map an IP address to a MAC (Media Access Control) address on a local Ethernet network. Related terms: IPv4, MAC address, broadcast. When a host needs to send a packet to a destination on the same subnet, it broadcasts an ARP request asking “Who has IP X.X.X.X?” The owner replies with its MAC address. In cloud platforms, ARP is handled by the hypervisor or virtual switch, but understanding ARP is essential for troubleshooting connectivity issues such as duplicate IPs or stale ARP caches. A common challenge is ARP spoofing, where an attacker sends falsified ARP replies to intercept traffic; mitigation includes using dynamic ARP inspection or static ARP entries in critical environments.

BGP (Border Gateway Protocol)

The exterior routing protocol that exchanges reachability information between autonomous systems (AS) on the Internet. Related terms: Autonomous system, route propagation, path vector. In cloud networking, BGP is used for establishing VPN connections, Direct Connect links, and for advertising on‑premises prefixes to the cloud. Example: A company advertises its on‑premises /24 via BGP over a dedicated MPLS circuit to a cloud provider, enabling seamless traffic flow. Practical applications include multi‑region load balancing and failover by manipulating BGP attributes such as LOCAL_PREF and MED. Challenges include route hijacking, convergence delays, and the complexity of configuring BGP filters to prevent route leaks.

CIDR (Classless Inter‑Domain Routing)

A method for allocating IP address space and routing IP packets using variable‑length subnet masks. Related terms: Subnetting, prefix length, IPv4. CIDR notation (e.g., 192.168.0.0/24) indicates the number of bits used for the network portion, allowing efficient address utilization. In cloud VPC design, CIDR blocks are chosen to avoid overlap with on‑premises networks, simplifying hybrid connectivity. Example: Assigning 10.0.0.0/16 to a VPC and subdividing it into /24 subnets for each availability zone. Practical challenges include planning for future growth, avoiding address exhaustion, and ensuring that overlapping CIDR ranges do not cause routing conflicts.

DHCP (Dynamic Host Configuration Protocol)

A network service that automatically assigns IP configuration parameters—such as IP address, subnet mask, gateway, and DNS servers—to clients. Related terms: Lease time, DHCP server, IP address pool. In cloud environments, DHCP is typically provided by the virtual network service, allowing instances to obtain an address from the VPC’s CIDR block. Example: A new VM boots and receives 10.0.1.12/24 with the VPC’s default gateway. Practical applications include rapid scaling of workloads without manual IP assignment. Challenges involve lease expiration causing brief connectivity loss, and the need to configure static IPs for services that require fixed addresses, which may require DHCP reservations or manual assignment.

Elastic Load Balancer (ELB)

A managed service that distributes incoming application traffic across multiple compute resources to improve availability and fault tolerance. Related terms: Traffic distribution, health checks, layer 4, layer 7. Cloud providers offer different ELB types—such as Classic, Application, and Network load balancers—each operating at different OSI layers. Example: An Application Load Balancer terminates HTTP requests, routing them based on URL path to separate target groups. Practical use includes scaling web tiers horizontally and providing a single DNS name for clients. Challenges include configuring appropriate health check thresholds, handling session persistence, and managing cost as traffic volume grows.

Firewall

A security device or software that enforces a set of rules to permit or deny network traffic based on source, destination, protocol, and port. Related terms: Stateful inspection, packet filtering, security groups. In cloud networking, firewalls may be implemented as virtual appliances, host‑based firewalls, or as distributed security groups attached to instances. Example: A security group allowing inbound SSH (port 22) from a specific IP range while denying all other inbound traffic. Practical applications involve creating a defense‑in‑depth posture, segmenting workloads, and complying with regulatory standards. Challenges include rule complexity, policy drift over time, and ensuring that firewall logging is integrated with security information and event management (SIEM) systems.

IPv4

The fourth version of the Internet Protocol, using 32‑bit addresses expressed in dotted‑decimal notation (e.g., 192.0.2.1). Related terms: Address exhaustion, NAT, subnet mask. IPv4 remains the dominant protocol in most cloud deployments, though IPv6 adoption is increasing. Example: Allocating a /20 CIDR block to a VPC provides 4096 addresses. Practical considerations include designing subnets to balance address utilization and broadcast domain size. Challenges involve the limited address space, reliance on Network Address Translation (NAT) for internet connectivity, and the need to support both IPv4 and IPv6 in dual‑stack applications.

IPv6

The sixth version of the Internet Protocol, using 128‑bit addresses represented in hexadecimal notation (e.g., 2001:db8::1). Related terms: Address autoconfiguration, dual‑stack, NAT66. IPv6 eliminates address scarcity and introduces built‑in features such as mandatory IPsec support. In cloud platforms, IPv6 can be enabled on VPCs, load balancers, and public endpoints. Example: Assigning an IPv6 /56 prefix to a VPC and subdividing it into /64 subnets per availability zone. Practical application includes future‑proofing networks and enabling direct end‑to‑end connectivity without NAT. Challenges involve limited tooling support, the need for application‑level IPv6 awareness, and ensuring that security controls (firewalls, ACLs) are correctly configured for both address families.

LAN (Local Area Network)

A network that interconnects devices within a limited geographic area such as a data center or office floor. Related terms: VLAN, switch, Ethernet. In cloud contexts, a virtual LAN is realized through VPC subnets and virtual switches that provide layer‑2 connectivity for instances. Example: A subnet representing a “web tier” that contains all web servers. Practical use includes isolating traffic between application tiers and reducing broadcast domains. Challenges arise when extending on‑premises LANs to the cloud via VPN or Direct Connect, requiring careful routing and VLAN tagging to preserve segmentation.

Load Balancing Algorithm

The method a load balancer uses to select a target for each incoming request. Related terms: Round‑robin, least connections, weighted distribution. Common algorithms include round‑robin (sequentially cycling through targets), least‑connections (choosing the target with the fewest active sessions), and IP‑hash (mapping client IP to a specific target). Example: A Network Load Balancer using the least‑connections algorithm to ensure high‑throughput workloads are evenly spread. Practical application includes optimizing resource utilization and achieving predictable performance. Challenges involve selecting the right algorithm for specific traffic patterns and handling sudden spikes that may overwhelm a single target before redistribution occurs.
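The three algorithms named above, implemented behind one `select()` interface and replayed against a small session trace, as an added example (not code from the course or any provider); target and client names are constructed.

```python
import hashlib
from itertools import cycle

# Each selector exposes select(client_ip, active) -> target, where `active` is
# the balancer's current count of open sessions per target.

class RoundRobin:
    """Cycle through targets in order, ignoring current load."""
    def __init__(self, targets):
        self._cycle = cycle(list(targets))

    def select(self, client_ip, active):
        return next(self._cycle)

class LeastConnections:
    """Pick the target with the fewest active sessions; ties go to list order."""
    def __init__(self, targets):
        self.targets = list(targets)

    def select(self, client_ip, active):
        return min(self.targets,
                   key=lambda t: (active.get(t, 0), self.targets.index(t)))

class IpHash:
    """Map a client address to a fixed target. This gives session affinity
    without state on the balancer, but spreads unevenly if a few clients
    (or one NAT address) dominate the traffic."""
    def __init__(self, targets):
        self.targets = list(targets)

    def select(self, client_ip, active):
        digest = hashlib.sha256(client_ip.encode("ascii")).digest()
        return self.targets[int.from_bytes(digest[:4], "big") % len(self.targets)]

def simulate(selector, events):
    """Replay ("open", client_ip) / ("close", target) events through a selector.

    Returns the target chosen for each open event. Sessions stay open until an
    explicit close, which is what makes least-connections diverge from
    round-robin once some sessions are long-lived.
    """
    active = {}
    chosen = []
    for kind, value in events:
        if kind == "open":
            target = selector.select(value, active)
            active[target] = active.get(target, 0) + 1
            chosen.append(target)
        elif kind == "close":
            active[value] = max(0, active.get(value, 0) - 1)
        else:
            raise ValueError(f"unknown event {kind!r}")
    return chosen

# Constructed trace: three clients, and the session on web-b closes early
# while the session on web-a stays open.
TARGETS = ["web-a", "web-b", "web-c"]
EVENTS = [
    ("open", "198.51.100.1"),
    ("open", "198.51.100.2"),
    ("close", "web-b"),
    ("open", "198.51.100.3"),
    ("open", "198.51.100.1"),
]
```

Round-robin hands the fourth request back to web-a even though its first session is still open; least-connections reuses web-b instead, and IP-hash returns client 198.51.100.1 to the same target both times.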

Network Address Translation (NAT)

A technique that modifies IP address information in packet headers while in transit, allowing multiple devices on a private network to share a single public IP address. Related terms: NAT gateway, NAT instance, port forwarding. Cloud providers often offer managed NAT gateways to enable outbound internet access for private subnets. Example: A private subnet with no public IPs routes traffic through a NAT gateway, which translates source addresses to the gateway’s public IP. Practical use includes preserving address space, enhancing security by hiding internal IPs, and complying with regulatory requirements. Challenges include NAT gateway bandwidth limits, added latency, and the difficulty of inbound connections to resources behind NAT without additional configuration like port forwarding or load balancers.

Network Interface Card (NIC)

A hardware component that connects a computer to a network, providing a unique MAC address and supporting various speeds. Related terms: Virtual NIC, driver, duplex. In virtualized cloud environments, each instance is equipped with one or more virtual NICs that map to underlying physical infrastructure. Example: An EC2 instance with a primary ENI for management traffic and a secondary ENI for data plane traffic. Practical applications involve assigning separate NICs to different security groups, enabling traffic isolation, and supporting high‑throughput workloads. Challenges include managing NIC limits per instance type, ensuring driver compatibility, and troubleshooting performance issues caused by misaligned MTU settings.

Network Security Group (NSG)

A virtual firewall that controls inbound and outbound traffic at the subnet or NIC level within a cloud virtual network. Related terms: Rule set, stateful, priority. NSGs consist of ordered rules where each rule specifies protocol, source, destination, port, and action. Example: An NSG allowing inbound RDP (port 3389) only from a corporate IP range while denying all other inbound traffic. Practical usage includes rapid provisioning of tiered security policies without modifying underlying infrastructure. Challenges involve rule ordering (rules with lower priority numbers are evaluated first), avoiding rule conflicts, and ensuring that NSG changes propagate promptly across distributed regions.
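The ordered, first-match, default-deny evaluation described for NSGs (and the rule-sprawl problem noted under Access Control List) as an added example, not code from the course or any cloud provider; the rule set, names and address ranges are constructed, and `shadowed_rules()` is the audit a reviewer runs to find entries that can never match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    priority: int    # lower number is evaluated first
    name: str
    protocol: str    # "tcp", "udp" or "*" (any)
    source: str      # CIDR prefix or "*" (any source)
    dest_port: str   # "3389", a range "8000-8080", or "*" (any port)
    action: str      # "allow" or "deny"

CORP_RANGE = "203.0.113.0/24"   # hypothetical corporate egress range

RULES = [
    Rule(100, "allow-rdp-corp", "tcp", CORP_RANGE, "3389", "allow"),
    Rule(200, "allow-https", "tcp", "*", "443", "allow"),
    Rule(300, "deny-rdp-any", "tcp", "*", "3389", "deny"),
    # Never reachable: rule 100 already allows this narrower source on the same port.
    Rule(400, "allow-rdp-branch", "tcp", "203.0.113.0/25", "3389", "allow"),
]

def _port_range(spec):
    """Translate a port spec into an inclusive (low, high) tuple."""
    if spec == "*":
        return (0, 65535)
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return (lo, hi)
    return (int(spec), int(spec))

def _port_matches(spec, port):
    lo, hi = _port_range(spec)
    return lo <= port <= hi

def _source_matches(spec, src_ip):
    return spec == "*" or ip_address(src_ip) in ip_network(spec, strict=False)

def evaluate(rules, src_ip, protocol, dest_port):
    """Return (action, rule_name) for an inbound packet; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if not _source_matches(rule.source, src_ip):
            continue
        if not _port_matches(rule.dest_port, dest_port):
            continue
        return rule.action, rule.name
    return "deny", "<implicit-deny>"

def _covers(earlier, later):
    """True when every packet matching `later` would already match `earlier`."""
    if earlier.protocol not in ("*", later.protocol):
        return False
    if earlier.source != "*":
        if later.source == "*":
            return False
        if not ip_network(later.source, strict=False).subnet_of(
                ip_network(earlier.source, strict=False)):
            return False
    e_lo, e_hi = _port_range(earlier.dest_port)
    l_lo, l_hi = _port_range(later.dest_port)
    return e_lo <= l_lo and l_hi <= e_hi

def shadowed_rules(rules):
    """List (rule, shadowing_rule) pairs for rules that can never be reached.

    A shadowed allow is dead weight; a shadowed deny is a false sense of
    protection. Both are typical symptoms of rule sprawl.
    """
    ordered = sorted(rules, key=lambda r: r.priority)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if _covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found
```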

OSI Model (Open Systems Interconnection Model)

A conceptual framework that standardizes the functions of a telecommunication or computing system into seven abstraction layers. Related terms: Layer 2, layer 3, protocol stack. The layers range from Physical (layer 1) to Application (layer 7). Understanding the OSI model helps engineers pinpoint where a problem occurs—e.g., link‑layer issues versus transport‑layer issues. Practical application includes mapping cloud services to specific layers, such as using a Layer 4 load balancer versus a Layer 7 application firewall. Challenges involve the fact that many modern protocols straddle multiple layers, making strict categorization sometimes ambiguous.

Peering

The direct interconnection of two virtual networks, allowing traffic to flow using private IP addresses without traversing the public internet. Related terms: VPC peering, transit gateway, route propagation. Cloud providers enable VPC peering to connect separate accounts or regions. Example: A production VPC peers with a shared services VPC to access centralized authentication servers. Practical benefits include low‑latency, secure communication and reduced data egress costs. Challenges include managing overlapping CIDR blocks, scaling the number of peering connections, and ensuring that route tables are correctly updated to avoid asymmetric routing.

Port Forwarding

A technique that redirects traffic arriving at a specific port on a gateway or router to a different internal IP address and port. Related terms: NAT, firewall rule, destination NAT. In cloud scenarios, port forwarding is often configured on NAT gateways or load balancers to expose services running on private instances. Example: Forwarding TCP port 8080 on a NAT gateway to an internal web server at 10.0.2.10:80. Practical use includes providing external access to legacy applications that cannot be directly attached to a public subnet. Challenges involve maintaining security (exposing minimal ports), handling multiple services on the same gateway, and ensuring that health checks correctly verify the forwarded destination.

QoS (Quality of Service)

Mechanisms that prioritize certain types of network traffic to guarantee performance levels such as bandwidth, latency, or jitter. Related terms: Traffic shaping, priority queues, DSCP. In cloud networking, QoS can be applied via virtual routers or network appliances to ensure that latency‑sensitive traffic (e.g., VoIP) receives higher priority than bulk data transfers. Example: Configuring a QoS policy that marks video streaming packets with a higher DSCP value, causing downstream routers to prioritize them. Practical applications include meeting service‑level agreements (SLAs) for real‑time applications. Challenges include limited visibility into underlying provider networks, and the need to coordinate QoS policies across on‑premises and cloud segments to avoid policy mismatches.

Routing Table

A data structure stored in a router or virtual gateway that contains routes—each mapping a destination network to a next‑hop interface or gateway. Related terms: Static route, dynamic route, route propagation. In cloud VPCs, each subnet is associated with a route table that determines how traffic is directed. Example: A default route (0.0.0.0/0) pointing to an internet gateway for public subnets, and another default route pointing to a NAT gateway for private subnets. Practical usage includes segmenting traffic between public, private, and hybrid networks. Challenges involve ensuring route consistency across multiple VPCs, avoiding route loops, and managing route table limits imposed by the provider.

SDN (Software‑Defined Networking)

An architecture that decouples the control plane (network intelligence) from the data plane (packet forwarding), enabling centralized management via software APIs. Related terms: Controller, OpenFlow, network virtualization. Cloud providers leverage SDN to provision virtual networks, apply security policies, and orchestrate traffic engineering. Example: Using a cloud‑native SDN controller to automatically create VPCs, subnets, and security groups based on infrastructure‑as‑code templates. Practical benefits include rapid provisioning, programmability, and dynamic scaling. Challenges include the learning curve for operators, potential vendor lock‑in, and ensuring that SDN controllers are highly available and secure.

Subnet

A logical subdivision of an IP network that groups hosts together for efficient routing and address management. Related terms: CIDR, VPC, broadcast domain. In a cloud VPC, subnets are associated with a specific availability zone and a route table. Example: A /24 subnet (10.0.1.0/24) designated for a database tier, with no direct internet gateway route to enforce isolation. Practical applications include separating workloads by function (web, app, DB) and applying distinct security policies per subnet. Challenges involve planning for IP address growth, avoiding subnet overlap with on‑premises networks, and managing subnet limits per VPC.

Transit Gateway

A central hub that interconnects multiple VPCs and on‑premises networks, simplifying routing and reducing the number of peering connections required. Related terms: Hub‑and‑spoke, route aggregation, attachment. The transit gateway aggregates routes from attached VPCs, allowing a single route table to control traffic flow. Example: A corporate network connects to a transit gateway, which in turn routes traffic to three VPCs representing development, testing, and production environments. Practical benefits include scalable architecture, centralized security enforcement, and easier management of cross‑VPC communication. Challenges include added cost, potential single point of failure if not deployed redundantly, and the need to manage route propagation carefully to avoid unintended exposure.

Virtual Private Cloud (VPC)

An isolated virtual network within a cloud provider’s environment that mimics the functionality of a traditional on‑premises data center network. Related terms: Subnet, internet gateway, security group. A VPC provides control over IP address range, subnets, routing, and security. Example: Creating a VPC with a 10.0.0.0/16 CIDR, three public subnets for web servers, and three private subnets for databases. Practical uses include hosting multi‑tier applications, establishing hybrid connectivity, and enforcing compliance through network segmentation. Challenges involve correctly configuring internet gateways, NAT gateways, and ensuring that CIDR selection does not conflict with existing on‑premises networks.

Virtual Private Network (VPN)

An encrypted tunnel that extends a private network across a public network, enabling secure communication between on‑premises infrastructure and cloud resources. Related terms: IPsec, tunnel endpoint, site‑to‑site. Cloud providers typically offer managed VPN services that terminate on a virtual gateway. Example: A site‑to‑site IPsec VPN connecting a corporate data center to a cloud VPC, allowing on‑premises servers to access cloud‑based databases. Practical applications include disaster recovery, secure data transfer, and gradual migration of workloads. Challenges include limited bandwidth compared to dedicated connections, latency variability, and the need to manage key rotation and tunnel health monitoring.

VLAN (Virtual LAN)

A logical segmentation of a physical network at layer 2, allowing devices to be grouped together regardless of physical location. Related terms: Trunk, tag, broadcast domain. In cloud environments, VLAN concepts are abstracted into VPC subnets, but understanding VLANs is essential when extending on‑premises networks via Direct Connect or when deploying virtual switches in hypervisors. Example: Tagging traffic from a data center’s storage VLAN and mapping it to a specific virtual interface on the cloud side. Practical use includes isolating traffic between departments, reducing broadcast storm impact, and simplifying network management. Challenges involve configuring consistent VLAN IDs across sites, avoiding VLAN ID collisions, and ensuring that security policies are applied consistently across both physical and virtual segments.

VPC Endpoint

A private connection that enables resources in a VPC to communicate with supported cloud services without traversing the public internet. Related terms: Gateway endpoint, interface endpoint, private link. There are two primary types: Gateway endpoints for services like object storage, and interface endpoints that use elastic network interfaces. Example: Creating an interface endpoint for a managed database service, allowing traffic to stay within the VPC’s security boundaries. Practical benefits include reduced latency, enhanced security, and compliance with data residency requirements. Challenges include managing endpoint costs, ensuring DNS resolution is correctly configured, and handling service‑specific limitations (e.g., supported protocols).

VPC Peering

A one‑to‑one network connection between two VPCs that enables routing of traffic using private IP addresses. Related terms: Peering request, route table, transitive peering. Peering is non‑transitive; traffic must be explicitly allowed between each pair. Example: A production VPC peers with a shared services VPC to access a centralized logging platform. Practical use includes consolidating services across accounts while maintaining isolation. Challenges involve CIDR overlap prevention, scaling when many VPCs need interconnectivity (which may necessitate a transit gateway), and managing the increased number of route table entries.

VPC Flow Logs

A feature that captures information about the IP traffic going to and from network interfaces within a VPC. Related terms: CloudWatch, log aggregation, network forensics. Flow logs record details such as source/destination IP, ports, protocol, and acceptance/rejection status. Example: Enabling flow logs on a VPC to monitor suspicious inbound traffic patterns. Practical applications include security analysis, troubleshooting connectivity, and cost optimization by identifying idle resources. Challenges revolve around log volume management, ensuring proper retention policies, and correlating flow log data with other security events for comprehensive insight.
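A parser for the default AWS VPC Flow Logs record format with two of the analyses mentioned above (rejected-traffic patterns and accepted bytes per interface), as an added example that is not from the course; the log lines are constructed, the account and ENI ids are placeholders, and the addresses come from documentation ranges.

```python
from collections import defaultdict

# Field order of the default AWS VPC Flow Logs record (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# IANA protocol numbers as they appear in the protocol field.
PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records (not real traffic).
SAMPLE_LINES = [
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 41234 22 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 41235 23 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 41236 3389 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.12 41237 445 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.12 51000 443 6 20 4800 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.12 51001 22 6 3 180 1700000000 1700000060 REJECT OK",
    # Interval with no traffic: traffic fields are "-" and must not be read as data.
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]

def parse_flow_log(line):
    """Parse one record into a dict, or return None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    rec["protocol_name"] = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
    return rec

def rejected_ports_by_source(lines):
    """Map each source address to the set of destination ports it was rejected on."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec is not None and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return ports

def flag_probing_sources(lines, min_ports=3):
    """Sources rejected on at least `min_ports` distinct ports in the window.

    One legitimate client rarely needs several closed ports within a minute,
    so this is the pattern to correlate with other security events.
    """
    flagged = []
    for src, ports in sorted(rejected_ports_by_source(lines).items()):
        if len(ports) >= min_ports:
            flagged.append((src, sorted(ports)))
    return flagged

def accepted_bytes_by_interface(lines):
    """Total accepted bytes per ENI, the figure used to spot idle interfaces."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_flow_log(line)
        if rec is not None and rec["action"] == "ACCEPT":
            totals[rec["interface_id"]] += rec["bytes"]
    return dict(totals)
```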

Virtual Router

A software‑based routing component that performs packet forwarding functions similar to a hardware router. Related terms: Routing engine, control plane, data plane. In cloud environments, virtual routers are embedded in the VPC infrastructure, handling route tables, NAT, and VPN termination. Example: The virtual router processes a packet from a private subnet, matches it against the route table, and forwards it to an internet gateway. Practical benefits include rapid provisioning, elasticity, and integration with SDN controllers. Challenges include limited visibility into the underlying routing decisions, and occasional latency introduced by additional abstraction layers in highly performance‑sensitive workloads.

Virtual Switch (vSwitch)

A software implementation of a network switch that connects virtual machines (VMs) to each other and to the physical network. Related terms: Bridge, port group, hypervisor. Hypervisors like VMware ESXi or KVM provide vSwitches to enable intra‑host communication. Example: Two VMs on the same host communicate via a vSwitch without leaving the physical server. Practical use includes isolating traffic between tenants in a multi‑tenant environment and applying port‑level security policies. Challenges involve configuring VLAN tagging correctly, avoiding MAC address flooding, and ensuring that vSwitch performance meets the demands of high‑throughput applications.

VPN Tunnel

An encrypted pathway that carries traffic between two network endpoints, typically using protocols such as IPsec or SSL/TLS. Related terms: Tunnel interface, encryption, key exchange. In cloud networking, a VPN tunnel connects a customer gateway on‑premises to a virtual private gateway in the cloud. Example: A site‑to‑site IPsec tunnel with AES‑256 encryption and SHA‑2 authentication. Practical applications include secure data transfer, remote office connectivity, and extending corporate security policies to cloud workloads. Challenges include maintaining tunnel uptime, handling MTU mismatches that cause fragmentation, and monitoring for tunnel renegotiation failures.

WAN (Wide Area Network)

A telecommunications network that spans a large geographic area, connecting multiple local networks. Related terms: MPLS, SD‑WAN, latency. Cloud providers often interconnect their global regions via high‑speed WANs, and customers may use their own WAN links (e.g., MPLS circuits) to reach cloud resources. Example: A company uses a dedicated MPLS line to connect its headquarters to a cloud region for low‑latency database replication. Practical use includes supporting distributed teams, disaster recovery, and data replication across regions. Challenges involve managing latency, ensuring consistent routing policies across disparate WAN links, and negotiating bandwidth contracts.

Zero‑Trust Network Access (ZTNA)

A security model that assumes no implicit trust for any network entity, requiring continuous verification of identity, device posture, and context before granting access. Related terms: Micro‑segmentation, identity‑centric security, least privilege. In cloud networking, ZTNA can be implemented through software agents that enforce policies at the workload level rather than relying on perimeter firewalls. Example: A developer’s laptop must authenticate via an identity provider and meet device compliance checks before accessing a production database endpoint. Practical benefits include reduced attack surface, dynamic policy enforcement, and support for remote workforces. Challenges include integrating with existing identity systems, scaling policy evaluation for large fleets, and ensuring minimal performance impact.

IPsec (Internet Protocol Security)

A suite of protocols that provide authentication and encryption for IP packets, commonly used to secure VPN tunnels. Related terms: ESP, AH, key exchange. IPsec can operate in transport mode (encrypting payload only) or tunnel mode (encrypting entire IP packet). Example: Configuring a site‑to‑site VPN with IPsec tunnel mode, using IKEv2 for key exchange and AES‑256 for encryption. Practical applications include protecting data in transit between data centers and cloud VPCs, and establishing secure communications for branch offices. Challenges involve configuring compatible parameters on both ends, handling NAT traversal, and monitoring for potential rekeying delays that can interrupt traffic.

Network Topology

The arrangement of network elements (nodes, links, devices) and how they interconnect. Related terms: Mesh, star, hierarchical. In cloud design, common topologies include hub‑and‑spoke (using a transit gateway), full mesh (direct VPC peering between all regions), and hybrid (combining on‑premises and cloud segments). Example: A hub‑and‑spoke design where a central VPC hosts shared services, and each workload VPC connects via a transit gateway. Practical considerations include scalability, fault tolerance, and cost. Challenges involve selecting a topology that balances performance with operational complexity, especially as the number of connected VPCs grows.

Network Latency

The time it takes for a packet to travel from source to destination, typically measured in milliseconds. Related terms: Round‑trip time, jitter, propagation delay. Latency is affected by distance, number of hops, congestion, and processing overhead. Example: Measuring latency between a client in Europe and a cloud instance in the US West region to assess suitability for real‑time gaming. Practical applications involve performance tuning, selecting appropriate regions for latency‑sensitive workloads, and designing caching layers to mitigate impact. Challenges include unpredictable internet latency, the need for multi‑region deployments to meet SLA requirements, and the trade‑off between redundancy and added hop count.

Network Throughput

The amount of data successfully transferred over a network in a given time, often expressed in Mbps or Gbps. Related terms: Bandwidth, capacity, saturation. Throughput depends on link speed, protocol overhead, and congestion. Example: Provisioning a 10 Gbps network interface for a high‑performance computing cluster in the cloud. Practical uses include ensuring sufficient capacity for data‑intensive applications such as video streaming or big‑data analytics. Challenges involve avoiding oversubscription, monitoring for bottlenecks, and adjusting instance types or load balancer configurations to match required throughput levels.

Network Segmentation

The practice of dividing a network into distinct zones or segments to limit broadcast domains and improve security. Related terms: Micro‑segmentation, VLAN, security zone. In cloud environments, segmentation is achieved through subnets, security groups, and network ACLs. Example: Separating a public web tier from a private database tier, with strict inbound rules only allowing traffic from the web tier. Practical benefits include reduced attack surface, easier compliance, and better traffic management. Challenges involve maintaining consistent policies across many segments, avoiding unnecessary complexity, and ensuring that segmentation does not impede legitimate inter‑service communication.

Network Interface (ENI)

In cloud terminology, an Elastic Network Interface that provides a virtual NIC with its own private IP, MAC address, and security group association. Related terms: Secondary IP, attachment, elastic IP. ENIs can be detached and re‑attached to different instances, enabling flexible network designs such as moving a static IP from a failed instance to a new one. Example: Assigning a dedicated ENI to a bastion host for management access. Practical applications include high‑availability configurations, multi‑homed instances for traffic separation, and implementing network appliances. Challenges involve ENI limits per instance type, managing IP address assignments, and ensuring that security group changes propagate promptly.

Network Load Balancer (NLB)

A Layer 4 load balancer that distributes TCP/UDP traffic based on network‑level information without inspecting packet payloads. Related terms: Flow‑hash, target group, high‑throughput. NLBs are designed for ultra‑low latency and can handle millions of connections per second. Example: Using an NLB to distribute traffic to a fleet of microservices that communicate over gRPC. Practical benefits include support for static IP addresses, preserving source IP for backend instances, and handling volatile workloads. Challenges include limited Layer 7 features (such as host‑based routing), the need for health checks that operate at the transport level, and ensuring that TLS termination is correctly configured when required.

Network Address Translation (NAT) Gateway

A managed service that provides outbound internet connectivity for resources in private subnets without exposing them to inbound internet traffic. Related terms: NAT instance, egress, public IP. NAT gateways are highly available within an Availability Zone and scale automatically to handle traffic bursts. Example: A private subnet hosting database servers routes outbound software updates through a NAT gateway. Practical usage includes preserving internal IP address schemes while allowing external updates and patches. Challenges involve cost (charged per GB of data processed), potential throughput limits in heavily trafficked environments, and the need to deploy redundant NAT gateways across multiple zones for high availability.

Port Mirroring

A technique that copies network traffic from one port or VLAN to another for analysis or monitoring. Related terms: SPAN, TAP, network sniffer. In virtual environments, port mirroring can be configured on virtual switches to feed traffic into an intrusion detection system (IDS). Example: Mirroring traffic from a web server NIC to a security appliance VM that performs deep packet inspection. Practical applications include threat detection, performance monitoring, and compliance auditing. Challenges include the additional processing overhead on the host, potential privacy concerns, and ensuring that the mirrored traffic does not become a bottleneck.

Routing Protocol

An algorithm and set of rules used by routers to dynamically exchange routing information and select optimal paths. Related terms: OSPF, BGP, IGP. In cloud networking, routing protocols are often used in hybrid scenarios where on‑premises routers exchange routes with cloud virtual routers. Example: Establishing BGP sessions over a VPN to advertise on‑premises prefixes to the cloud. Practical applications include automatic failover, dynamic route updates, and reducing manual configuration effort. Challenges include ensuring protocol compatibility, handling route flapping, and configuring appropriate filters to prevent route leaks.

Software‑Defined WAN (SD‑WAN) #

An approach that uses software‑based control to manage WAN connections, allowing dynamic path selection, centralized policy enforcement, and cost‑effective transport options. Related terms: Overlay network, branch routing, cloud gateway. SD‑WAN can route traffic from branch offices directly to cloud regions, bypassing traditional MPLS backbones. Example: An SD‑WAN appliance routes latency‑sensitive traffic over a dedicated broadband link to a cloud region, while sending bulk data over a cheaper internet connection. Practical benefits include improved application performance, simplified network management, and reduced operational costs. Challenges involve integrating with existing security frameworks, ensuring consistent QoS across heterogeneous links, and managing the complexity of multiple overlay tunnels.

Static Route #

A manually configured entry in a routing table that defines a fixed path for a destination prefix. Related terms: Route entry, manual routing, default gateway. In cloud VPCs, static routes are often used to direct traffic to a virtual appliance or a VPN gateway. Example: Adding a static route for 10.2.0.0/16 that points to a virtual private gateway for on-premises connectivity. Practical usage includes establishing deterministic paths for specialized traffic, such as sending all traffic to a security appliance for inspection. Challenges include maintaining route accuracy as the topology evolves, avoiding conflicting entries, and understanding precedence: lookup is by longest prefix match regardless of how a route was entered, so a more specific propagated route still wins over a broader static one, but where a static route and a BGP-propagated route carry the identical prefix, AWS VPC route tables prefer the static route, which silently disables the failover the propagated route was meant to provide.

Subnet Mask #

A 32‑bit value that separates the network portion of an IPv4 address from the host portion; a 1 bit marks a network bit and a 0 bit a host bit. Related terms: CIDR, prefix length, host bits. In IPv4, a /24 prefix corresponds to the mask 255.255.255.0, allowing 256 total addresses (254 usable hosts, before any addresses the cloud provider reserves). Example: Assigning a subnet mask of 255.255.252.0 to a /22 CIDR block, which spans 1,024 addresses. Practical relevance includes calculating the number of available hosts, designing IP schemes, and configuring devices that still require a traditional mask rather than CIDR notation. Challenges involve ensuring that the mask aligns with the chosen CIDR block, preventing overlap, and addressing legacy systems that may not support CIDR or that accept non‑contiguous masks no prefix length can express.

Transit VPC #

A design pattern where a central VPC acts as a hub for routing traffic between multiple spoke VPCs, often combined with a transit gateway or VPN attachments. Related terms: Hub‑and‑spoke, peering, central services. The transit VPC typically hosts shared services such as DNS, logging, and security appliances. Example: A central transit VPC peered with development, testing, and production VPCs, allowing all of them to reach a shared firewall appliance. Practical benefits include consolidated security policy management and a smaller number of direct peering relationships. Challenges include managing route tables to avoid loops, handling scaling limits of peering connections, ensuring high availability of the central hub, and remembering that the hub sees every inter‑VPC flow, so it must be the most tightly controlled environment in the design.

VPC Peering Limit #

The maximum number of concurrent peering connections allowed per VPC, imposed by the cloud provider. Related terms: Peering quota, scalability, transit gateway. Because VPC peering is not transitive, any‑to‑any reachability requires a full mesh, and exceeding the limit requires either requesting a quota increase or redesigning the network architecture. Example: A multi‑account environment with 150 VPCs in a full mesh would need 149 peering connections per VPC, beyond the 125 active peerings per VPC that AWS allows at most (the default quota is 50). Practical solutions involve moving to a transit gateway architecture or consolidating VPCs. Challenges include balancing network design simplicity with provider constraints, and coordinating quota changes across multiple accounts and regions.

Network Address Translation (NAT) Instance #

A user‑managed EC2 instance configured to perform NAT, providing outbound internet access for private subnets. Related terms: iptables, source/destination NAT, custom routing. NAT instances offer more control than managed NAT gateways, allowing custom firewall rules or logging. Example: Deploying a hardened Linux instance with IP forwarding enabled, a MASQUERADE rule on the public interface, and FORWARD‑chain iptables rules that filter outbound traffic before it reaches the internet; on AWS the instance's source/destination check must also be disabled, or the hypervisor drops the forwarded packets. Practical uses include advanced traffic inspection, protocol translation, and cost optimization for low‑traffic workloads. Challenges include ensuring instance availability (requires scaling or failover), patching and hardening an internet‑facing host yourself, and handling performance limits compared to managed NAT gateways.

IPv4 Private Address Space #

Reserved IP address ranges defined by RFC 1918 for use within private networks, not routable on the public internet. Related terms: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Cloud VPCs commonly use these ranges to avoid conflicts with public IPs. Example: Allocating 10.0.0.0/16 for a VPC to ensure isolation from external networks. Practical considerations include selecting a range that does not overlap with on‑premises networks for hybrid connectivity. Challenges arise when multiple VPCs across accounts need to interconnect without overlapping CIDR blocks, requiring careful planning or the use of NAT and translation mechanisms.
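The mask arithmetic in the Subnet Mask entry and the overlap planning described here are easiest to check with a few lines of code. The following is an added example written for this glossary, not course material: it derives a mask from a prefix length (and back, rejecting non‑contiguous masks), counts usable hosts with a configurable reservation, tests whether a block is RFC 1918 space, and finds overlapping blocks in an addressing plan. The VPC and site names in PLAN are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# The three RFC 1918 ranges named in the glossary entry.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def mask_for_prefix(prefix_len: int) -> str:
    """Dotted-decimal mask for an IPv4 prefix length: the top prefix_len bits of a
    32-bit word set to 1, so 24 -> 255.255.255.0 and 22 -> 255.255.252.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("IPv4 prefix length must be between 0 and 32")
    mask_int = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(mask_int))


def prefix_for_mask(mask: str) -> int:
    """Inverse of mask_for_prefix; rejects non-contiguous masks such as 255.0.255.0,
    which legacy gear may accept but which no CIDR prefix can express."""
    mask_int = int(ipaddress.IPv4Address(mask))
    prefix_len = bin(mask_int).count("1")
    if mask_int != (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF:
        raise ValueError(f"{mask} is not a contiguous subnet mask")
    return prefix_len


def usable_hosts(cidr: str, reserved: int = 2) -> int:
    """Usable host addresses in a block. reserved=2 is the textbook figure (network and
    broadcast addresses), giving 254 for a /24; cloud providers hold back more, e.g.
    AWS reserves five addresses per subnet, so reserved=5 gives 251 for a /24."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen >= 31:  # /31 (RFC 3021) and /32 have no network/broadcast pair
        return net.num_addresses
    return max(net.num_addresses - reserved, 0)


def is_rfc1918(cidr: str) -> bool:
    """True if the whole block lies inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def find_overlaps(cidrs: dict) -> list:
    """(name_a, name_b) pairs whose blocks overlap. cidrs maps a label (VPC, on-prem
    site) to its CIDR; any hit means the two cannot be peered or joined by VPN
    without translation, because a destination in the overlap is ambiguous."""
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in cidrs.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b]))


# Constructed addressing plan; the names are hypothetical.
PLAN = {
    "vpc-prod": "10.0.0.0/16",
    "vpc-dev": "10.1.0.0/16",
    "vpc-shared": "10.0.128.0/17",     # carved out of vpc-prod's block by mistake
    "onprem-hq": "172.16.0.0/12",      # the whole RFC 1918 aggregate, too broad for one site
    "onprem-branch": "172.20.0.0/16",  # sits inside onprem-hq's aggregate
}

if __name__ == "__main__":
    print(mask_for_prefix(24), usable_hosts("192.168.1.0/24"), usable_hosts("192.168.1.0/24", reserved=5))
    print(mask_for_prefix(22), usable_hosts("10.10.0.0/22"), prefix_for_mask("255.255.252.0"))
    print(is_rfc1918("10.0.0.0/16"), is_rfc1918("100.64.0.0/10"))  # 100.64/10 is shared space, not RFC 1918
    for a, b in find_overlaps(PLAN):
        print(f"overlap: {a} ({PLAN[a]}) <-> {b} ({PLAN[b]})")
```

Running `find_overlaps` against the full set of VPC and on‑premises blocks before creating a peering or VPN attachment is the cheap check that catches the ambiguity the entry warns about; the plan above trips it twice.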

Network Time Protocol (NTP) #

A protocol used to synchronize the clocks of computer systems over packet‑switched networks. Related terms: Time drift, stratum, synchronization. Accurate timekeeping is critical for security (e.g., certificate validity checks, Kerberos ticket lifetimes, TOTP codes) and for distributed systems coordination. Example: Configuring all cloud VMs to use the provider's NTP service endpoint. Practical applications include log correlation during incident response, database replication consistency, and compliance with regulations that require precise timestamps. Challenges include network latency affecting synchronization accuracy, firewall rules blocking NTP (UDP port 123), ensuring redundancy by configuring multiple NTP sources, and the fact that plain NTP is unauthenticated, which is why a provider‑hosted time service reachable without crossing the internet, or NTS (Network Time Security), is preferable to arbitrary public servers.

Packet Capture (PCAP) #

The process of recording network packets for analysis, typically saved in the .pcap (or the newer pcapng) file format. Related terms: tcpdump, Wireshark, network forensics. Cloud providers may allow packet capture on virtual interfaces or load balancers for troubleshooting. Example: Initiating a packet capture on a VPC subnet to investigate intermittent latency spikes. Practical uses include diagnosing protocol errors, detecting malicious traffic, and validating firewall rule behavior. Challenges involve the performance impact of capturing high‑volume traffic, storage considerations for captured data (a snapshot length that keeps only headers helps), and ensuring that captured packets, which may contain credentials and personal data, are handled in compliance with privacy regulations.
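As an added example (not from the course), the following parses a classic pcap file down to IPv4/TCP headers and then uses the result for one of the practical uses named above, validating firewall rule behavior: it flags inbound SYNs to a host on ports the rule set should block. The capture is constructed inline with documentation addresses (198.51.100.0/24, 203.0.113.0/24) and a hypothetical server at 10.0.1.10; checksums are left zero because the parser does not verify them. pcapng and nanosecond‑resolution pcap are deliberately rejected rather than mis‑parsed, and a capture cut off mid‑record (what an interrupted tcpdump leaves behind) is reported as truncated instead of raising.

```python
import ipaddress
import struct

LINKTYPE_ETHERNET = 1
ETH_P_IP, ETH_P_8021Q = 0x0800, 0x8100
PROTO_TCP, PROTO_UDP = 6, 17
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]  # low bit first


def _byte_order(magic: bytes) -> str:
    """Classic pcap magic is 0xa1b2c3d4; the order it was written in fixes the header byte order."""
    if magic == b"\xd4\xc3\xb2\xa1":
        return "<"
    if magic == b"\xa1\xb2\xc3\xd4":
        return ">"
    raise ValueError("not a classic pcap (pcapng and nanosecond-resolution files are not handled)")


def parse_pcap(data: bytes) -> dict:
    """Parse a classic Ethernet pcap into {"packets": [...], "truncated": bool}. A record
    whose incl_len runs past the buffer marks the capture truncated and stops parsing."""
    if len(data) < 24:
        raise ValueError("short pcap global header")
    bo = _byte_order(data[:4])
    _major, _minor, _zone, _sigfigs, _snaplen, linktype = struct.unpack(bo + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, offset, truncated = [], 24, False
    while offset < len(data):
        if offset + 16 > len(data):
            truncated = True
            break
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(bo + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            truncated = True
            break
        summary = _parse_ethernet(data[offset:offset + incl_len])
        summary["ts"] = ts_sec + ts_usec / 1e6
        summary["sliced"] = incl_len < orig_len  # snaplen cut this packet short
        packets.append(summary)
        offset += incl_len
    return {"packets": packets, "truncated": truncated}


def _parse_ethernet(frame: bytes) -> dict:
    if len(frame) < 14:
        return {"error": "short Ethernet frame"}
    ethertype, payload = struct.unpack("!H", frame[12:14])[0], frame[14:]
    if ethertype == ETH_P_8021Q and len(payload) >= 4:  # 802.1Q tag: the real EtherType follows it
        ethertype, payload = struct.unpack("!H", payload[2:4])[0], payload[4:]
    if ethertype != ETH_P_IP:
        return {"ethertype": ethertype}
    return _parse_ipv4(payload)


def _parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"error": "short or non-IPv4 header"}
    ihl, total_len, proto = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0], pkt[9]
    out = {"src": str(ipaddress.IPv4Address(pkt[12:16])), "dst": str(ipaddress.IPv4Address(pkt[16:20])),
           "proto": proto, "sport": None, "dport": None, "flags": []}
    l4 = pkt[ihl:total_len]  # honour IHL: IP options shift the transport header
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        out["sport"], out["dport"] = struct.unpack("!HH", l4[:4])
    if proto == PROTO_TCP and len(l4) >= 14:
        out["flags"] = [n for i, n in enumerate(TCP_FLAG_NAMES) if l4[13] & (1 << i)]
    return out


def firewall_violations(packets: list, host: str, allowed_ports: set) -> list:
    """Inbound TCP SYNs to host on ports outside allowed_ports. In a capture taken behind
    a rule set that should only admit those ports, any hit shows the rule is not effective."""
    return [(p["src"], p["dport"]) for p in packets
            if p.get("proto") == PROTO_TCP and p.get("dst") == host
            and "SYN" in p["flags"] and "ACK" not in p["flags"] and p["dport"] not in allowed_ports]


def _tcp_syn_frame(src: str, dst: str, sport: int, dport: int, vlan: int = None) -> bytes:
    """Ethernet/IPv4/TCP SYN frame (constructed test data; checksums are left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"  # made-up locally administered MACs
    if vlan is not None:
        eth += struct.pack("!HH", ETH_P_8021Q, vlan)
    return eth + struct.pack("!H", ETH_P_IP) + ip + tcp


def sample_capture() -> bytes:
    """Constructed pcap: three SYNs toward a web server, one on a port the ACL should have blocked."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [_tcp_syn_frame("198.51.100.7", "10.0.1.10", 51000, 443),
              _tcp_syn_frame("198.51.100.7", "10.0.1.10", 51001, 80, vlan=100),
              _tcp_syn_frame("203.0.113.9", "10.0.1.10", 40000, 22)]  # SSH from the internet
    return header + b"".join(struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
                             for i, f in enumerate(frames))
```

`firewall_violations(parse_pcap(sample_capture())["packets"], "10.0.1.10", {80, 443})` returns the one SSH SYN. The same function run over a real capture taken on the protected side of a rule set gives a direct answer to "is the ACL actually dropping what it should", which is the validation use the entry describes.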

Policy‑Based Routing (PBR) #

A routing technique that directs traffic based on policies such as source IP, application, or user identity rather than solely on destination address. Related terms: Route map, ACL, traffic engineering. In cloud environments, PBR can be implemented on virtual appliances or through advanced routing services. Example: Routing traffic from a specific application subnet through a security appliance for deep inspection, while other traffic uses the default route. Practical benefits include granular control over traffic paths, enabling compliance with regulatory requirements, and supporting multi‑tenant isolation. Challenges include troubleshooting, since the destination‑based routing table no longer predicts the path a packet takes, and asymmetric routing when only one direction of a flow is steered through a stateful appliance, which then drops the return traffic it never saw the start of.
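The precedence rules in the Static Route entry and the source‑based selection described here can be modelled in a few lines. The following is an added example for this glossary, not course code: a destination table with longest‑prefix match and AWS‑style static‑over‑propagated tie‑breaking, a check for propagated routes shadowed by a static entry with the same prefix, and a policy layer consulted before the table. The target identifiers (vgw-onprem, tgw-shared, nat-gw, eni-inspection) and the subnets are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str        # CIDR prefix
    target: str             # next hop: gateway, ENI, peering connection, ...
    origin: str = "static"  # "static" (entered by hand) or "propagated" (learned via BGP)


@dataclass(frozen=True)
class PolicyRule:
    """Policy-based entry: matched on the source prefix (and optionally the
    destination port) before the destination table is consulted at all."""
    source: str
    target: str
    dst_port: Optional[int] = None


def lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Destination-based lookup. Longest prefix wins regardless of origin; when two
    entries carry the identical prefix, a static route beats a propagated one,
    which is the precedence AWS VPC route tables apply."""
    ip, best = ipaddress.ip_address(dst_ip), None
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if ip not in net:
            continue
        if best is None:
            best = r
            continue
        best_len = ipaddress.ip_network(best.destination).prefixlen
        if net.prefixlen > best_len or (
            net.prefixlen == best_len and best.origin == "propagated" and r.origin == "static"
        ):
            best = r
    return best


def shadowed_propagated(routes: List[Route]) -> List[Route]:
    """Propagated routes that can never be selected because a static route carries
    the same prefix: the failover they were meant to provide will not happen."""
    statics = {r.destination for r in routes if r.origin == "static"}
    return [r for r in routes if r.origin == "propagated" and r.destination in statics]


def select_path(policies: List[PolicyRule], routes: List[Route],
                src_ip: str, dst_ip: str, dst_port: Optional[int] = None) -> Optional[str]:
    """Policy rules first (first match wins); only unmatched traffic falls through
    to the destination-based table."""
    src = ipaddress.ip_address(src_ip)
    for rule in policies:
        if src in ipaddress.ip_network(rule.source) and rule.dst_port in (None, dst_port):
            return rule.target
    best = lookup(routes, dst_ip)
    return best.target if best else None


# Constructed route table for a VPC using 10.0.0.0/16; target identifiers are hypothetical.
ROUTES = [
    Route("10.0.0.0/16", "local"),
    Route("10.2.0.0/16", "vgw-onprem"),                        # the glossary's static example
    Route("10.2.5.0/24", "tgw-shared", origin="propagated"),  # more specific, learned via BGP
    Route("0.0.0.0/0", "nat-gw"),                              # static default
    Route("0.0.0.0/0", "vgw-onprem", origin="propagated"),    # default learned from on-prem
]
# Policy: everything sourced from the app subnet goes through the inspection appliance.
POLICIES = [PolicyRule("10.0.3.0/24", "eni-inspection")]

if __name__ == "__main__":
    for dst in ("10.2.5.10", "10.2.9.1", "8.8.8.8"):
        r = lookup(ROUTES, dst)
        print(f"{dst:>10} -> {r.target} ({r.origin} {r.destination})")
    print("app subnet to internet:", select_path(POLICIES, ROUTES, "10.0.3.7", "8.8.8.8"))
    print("web subnet to internet:", select_path(POLICIES, ROUTES, "10.0.1.7", "8.8.8.8"))
    print("shadowed:", [(r.destination, r.target) for r in shadowed_propagated(ROUTES)])
```

Two results are worth noting. 10.2.5.10 goes to tgw-shared even though that route was propagated, because /24 beats /16; and the propagated default from on‑premises is never used while the static nat-gw default exists, which `shadowed_propagated` reports. Running that check whenever a static route is added is how the silent loss of failover described under Static Route is caught before an outage reveals it.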
