Playbook

How modern infrastructure actually fits together

A practical, vendor-neutral walkthrough. Each section covers one layer teams need to align on before production traffic hits the wire.

Networking fundamentals

Before picking a load balancer or firewall SKU, map the conversations your systems actually have: client to API, API to database, service to service, batch jobs to storage. DNS names, ports, and protocols should be explicit on that map.

Routing decides where packets go; switching moves them inside a segment; NAT translates addresses when private networks talk to the public internet. If you can explain those three in your own topology, most vendor diagrams become readable.

Cloud infrastructure

Cloud networks usually start with a virtual private cloud (VPC) or equivalent: isolated address space, subnets per tier, and route tables that send traffic through gateways, firewalls, or private endpoints.

Managed services shift operational work — patching, scaling, backups — but they do not remove design decisions. You still choose regions, availability zones, and which components must stay private versus public-facing.

Security controls

Security on infrastructure is mostly about boundaries and evidence: who can reach what, with which credentials, and what gets logged when something unusual happens. Segment environments (dev/stage/prod) and restrict east-west traffic so a compromised app cannot wander freely.

Encrypt data in transit on every path that crosses an untrusted network. Pair that with least-privilege IAM — humans and services get only the roles they need, for the time they need them.

Enterprise connectivity

Hybrid setups connect on-premises offices or data centers to cloud workloads through VPN tunnels, dedicated private links, or SD-WAN overlays. The right pattern depends on latency requirements, throughput, and how much routing control you need locally.

Branch users often reach SaaS and internal apps through the same identity layer — but not always the same network path. Document both so troubleshooting does not start from guesswork.

Observability on the wire

Metrics (latency, loss, throughput), flow logs, and packet captures each answer different questions. Use metrics for trends, logs for policy and access audits, and captures sparingly when you need to prove what crossed a choke point.

Define SLOs on the paths users care about — login, checkout, API sync — not only on individual server CPU graphs. A healthy VM behind a misconfigured load balancer still looks fine in isolation.

Common pitfalls

Teams repeatedly stumble on the same issues: flat networks with no segmentation, security groups copied from a tutorial without reviewing ports, DNS TTLs that hide failover problems, and monitoring that watches servers but not end-to-end paths.
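One way to catch two of these pitfalls, security groups pasted in with unreviewed ports and east-west rules that let a lower environment reach production, is to audit rule definitions against a baseline before they are applied. The following is an added example, not code from the playbook or any vendor SDK: it assumes a vendor-neutral rule shape (IngressRule, an env tag per group, "sg:<name>" for peer-group sources) and a constructed sample set.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Vendor-neutral rule shape assumed for this example (not any cloud's API).
@dataclass(frozen=True)
class IngressRule:
    group: str          # security group the rule belongs to
    env: str            # environment tag of that group: dev / stage / prod
    source: str         # CIDR, or "sg:<name>" for a peer security group
    from_port: int
    to_port: int
    proto: str = "tcp"

# Ports we accept from the public internet; everything else must stay private.
PUBLIC_ALLOWED = {443}

def audit_rules(rules, env_of):
    """Return (group, reason) findings for rules that break the baseline."""
    findings = []
    for r in rules:
        if r.source.startswith("sg:"):
            # Peer-group source: flag cross-environment east-west reachability.
            peer_env = env_of.get(r.source[3:])
            if peer_env and peer_env != r.env:
                findings.append((r.group, f"east-west from {peer_env} into {r.env}"))
            continue
        net = ip_network(r.source, strict=False)
        if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the whole internet
            if r.proto == "-1" or (r.from_port, r.to_port) == (0, 65535):
                findings.append((r.group, "all ports open to the internet"))
            else:
                exposed = set(range(r.from_port, r.to_port + 1)) - PUBLIC_ALLOWED
                if exposed:  # report at most five ports to keep the message short
                    findings.append((r.group, f"internet-exposed ports {sorted(exposed)[:5]}"))
    return findings

# Constructed sample: a tutorial-style group dropped into prod untouched.
SAMPLE_RULES = [
    IngressRule("web-prod", "prod", "0.0.0.0/0", 443, 443),
    IngressRule("web-prod", "prod", "0.0.0.0/0", 22, 22),       # SSH open to the world
    IngressRule("db-prod", "prod", "sg:app-dev", 5432, 5432),   # dev can reach the prod DB
    IngressRule("db-prod", "prod", "sg:app-prod", 5432, 5432),  # same environment: fine
    IngressRule("bastion-dev", "dev", "10.0.0.0/8", 0, 65535),  # private source, not flagged
]
ENV_OF = {"app-dev": "dev", "app-prod": "prod", "web-prod": "prod"}

if __name__ == "__main__":
    for group, reason in audit_rules(SAMPLE_RULES, ENV_OF):
        print(f"{group}: {reason}")
```

Run it as a pre-apply check in the pipeline that provisions network rules, and widen PUBLIC_ALLOWED only per documented exception.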

Another frequent mistake is treating cloud landing zones as "someone else's problem" until the first production incident. Agree on naming, tagging, and network baselines early — retrofit is slower than upfront discipline.
