Networking fundamentals
Before picking a load balancer or firewall SKU, map the conversations your systems
actually have: client to API, API to database, service to service, batch jobs to storage.
DNS names, ports, and protocols should be explicit on that map.
Routing decides where packets go; switching moves them inside a segment; NAT
translates addresses when private networks talk to the public internet. If you can explain
those three in your own topology, most vendor diagrams become readable.
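As an added example (not from the article), the block below classifies a packet's path in a small constructed topology using the three mechanisms just named: a longest-prefix-match lookup over a route table picks the most specific prefix, an "on-link" match means the destination is on the same segment (switching), any other match goes through a router, and a private source heading for a public destination additionally needs NAT at the gateway. The route table, the hop labels and the addresses are all assumptions for the example; 8.8.8.8 is used only as a well-known public address.

```python
# Added example (not from the article): classify a flow against a small constructed
# topology as "switched" (same segment), "routed" (through a router), or "routed+NAT"
# (private source talking to a public destination), using longest-prefix match.
from ipaddress import ip_address, ip_network

# Constructed route table as seen from a host in 10.0.1.0/24. "on-link" means the
# destination is on the same segment and is delivered by switching, no router involved.
ROUTES = {
    ip_network("10.0.1.0/24"): "on-link",
    ip_network("10.0.2.0/24"): "router 10.0.1.1",
    ip_network("10.0.0.0/16"): "router 10.0.1.1",
    ip_network("0.0.0.0/0"):   "nat-gateway 10.0.1.254",
}


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: of all prefixes containing dst, the most specific wins."""
    addr = ip_address(dst)
    candidates = [(prefix, hop) for prefix, hop in routes.items() if addr in prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda c: c[0].prefixlen)


def classify(src, dst, routes=ROUTES):
    """Name the mechanism that carries a packet from src to dst in this topology."""
    match = lookup(dst, routes)
    if match is None:
        return "unroutable"
    prefix, hop = match
    if hop == "on-link":
        return "switched"
    s, d = ip_address(src), ip_address(dst)
    if s.is_private and not d.is_private:
        # Private address space cannot appear on the public internet, so the
        # gateway must translate the source address on the way out.
        return f"routed+NAT via {hop}"
    return f"routed via {hop}"


if __name__ == "__main__":
    for pair in [("10.0.1.10", "10.0.1.20"), ("10.0.1.10", "10.0.2.5"),
                 ("10.0.1.10", "10.0.9.9"), ("10.0.1.10", "8.8.8.8")]:
        print(pair, "->", classify(*pair))
```

Replacing `ROUTES` with the prefixes from your own route tables is the quickest way to test whether you can explain where each conversation on your map actually goes.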
Cloud infrastructure
Cloud networks usually start with a virtual private cloud (VPC) or equivalent: isolated
address space, subnets per tier, and route tables that send traffic through gateways,
firewalls, or private endpoints.
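The following is an added example, not part of the article: it audits a constructed VPC layout against a per-tier routing baseline (public subnets may default-route to the internet gateway, private tiers only through a NAT gateway or firewall, the data tier not at all) and checks that subnet CIDRs do not overlap. The subnet names, the target labels ("igw", "nat", "fw", "local") and the baseline policy are assumptions made for the example.

```python
# Added example (not from the article): audit a constructed VPC layout against a
# per-tier routing baseline and check that subnet CIDRs do not overlap.
from ipaddress import ip_network
from itertools import combinations

# Constructed layout. Route targets: "igw" (internet gateway), "nat" (NAT gateway),
# "fw" (firewall appliance), "local" (the VPC's own address space).
SUBNETS = {
    "public-lb": {"cidr": "10.0.0.0/24", "tier": "public",
                  "routes": {"0.0.0.0/0": "igw", "10.0.0.0/16": "local"}},
    "app":       {"cidr": "10.0.1.0/24", "tier": "private",
                  "routes": {"0.0.0.0/0": "nat", "10.0.0.0/16": "local"}},
    "db":        {"cidr": "10.0.2.0/24", "tier": "data",
                  "routes": {"10.0.0.0/16": "local"}},
    # Two deliberate mistakes: a private tier with a direct internet route, and a
    # CIDR that overlaps the app subnet.
    "batch":     {"cidr": "10.0.1.128/25", "tier": "private",
                  "routes": {"0.0.0.0/0": "igw", "10.0.0.0/16": "local"}},
}

# Baseline policy (an assumption for this example): which targets a tier's default
# route may point at. An empty set means the tier gets no route to the internet.
ALLOWED_DEFAULT_TARGETS = {
    "public": {"igw"},
    "private": {"nat", "fw"},
    "data": set(),
}


def audit_routes(subnets=SUBNETS, policy=ALLOWED_DEFAULT_TARGETS):
    """Flag any subnet whose default route points somewhere its tier may not use."""
    findings = []
    for name, cfg in subnets.items():
        target = cfg["routes"].get("0.0.0.0/0")
        allowed = policy[cfg["tier"]]
        if target is not None and target not in allowed:
            findings.append(f"{name}: {cfg['tier']} tier default route via {target}, "
                            f"allowed targets: {sorted(allowed) or 'none'}")
    return findings


def audit_overlaps(subnets=SUBNETS):
    """Flag pairs of subnets whose address ranges overlap; routing cannot be unambiguous."""
    findings = []
    for (a, ca), (b, cb) in combinations(subnets.items(), 2):
        if ip_network(ca["cidr"]).overlaps(ip_network(cb["cidr"])):
            findings.append(f"{a} and {b}: CIDRs {ca['cidr']} and {cb['cidr']} overlap")
    return findings


def audit(subnets=SUBNETS, policy=ALLOWED_DEFAULT_TARGETS):
    return audit_routes(subnets, policy) + audit_overlaps(subnets)


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

The same shape works as a pre-merge check on infrastructure-as-code: export the subnets and route tables, feed them in, and fail the pipeline on any finding.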
Managed services shift operational work — patching, scaling, backups — but they do not
remove design decisions. You still choose regions, availability zones, and which components
must stay private versus public-facing.
Security controls
Security on infrastructure is mostly about boundaries and evidence: who can reach what,
with which credentials, and what gets logged when something unusual happens. Segment
environments (dev/stage/prod) and restrict east-west traffic so a compromised app cannot
wander freely.
Encrypt data in transit on every path that crosses an untrusted network. Pair that with
least-privilege IAM — humans and services get only the roles they need, for the time they
need them.
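As an added example that is not from the article, the block below turns the two paragraphs above into checks over constructed data: flows are denied across dev/stage/prod boundaries, east-west traffic inside one environment must be on an explicit allow-list, anything crossing an untrusted network must use TLS, and privileged role grants must carry an expiry. The flow records, tier names, environments, role names and principals are all assumptions for the example.

```python
# Added example (not from the article): evaluate constructed flows and role grants
# against rules drawn from the text: no traffic across dev/stage/prod boundaries,
# east-west traffic only on an explicit allow-list, TLS on every path that crosses
# an untrusted network, and time-bound grants for privileged roles.
from datetime import datetime, timezone

ENVIRONMENTS = {"dev", "stage", "prod"}

# Constructed flows: "tier@env" endpoints; "external" marks a destination outside
# our networks. untrusted_path is True when the traffic leaves our own network.
FLOWS = [
    {"src": "web@prod",   "dst": "api@prod",         "port": 8443, "tls": True,  "untrusted_path": False},
    {"src": "api@prod",   "dst": "db@prod",          "port": 5432, "tls": False, "untrusted_path": False},
    {"src": "web@prod",   "dst": "db@prod",          "port": 5432, "tls": True,  "untrusted_path": False},
    {"src": "api@dev",    "dst": "db@prod",          "port": 5432, "tls": True,  "untrusted_path": False},
    {"src": "batch@prod", "dst": "storage@prod",     "port": 443,  "tls": True,  "untrusted_path": False},
    {"src": "sync@prod",  "dst": "partner@external", "port": 21,   "tls": False, "untrusted_path": True},
]

# Explicit east-west allow-list inside one environment: (source tier, destination tier).
EAST_WEST_ALLOW = {("web", "api"), ("api", "db"), ("batch", "storage")}


def check_flows(flows=FLOWS, allow=EAST_WEST_ALLOW):
    findings = []
    for f in flows:
        s_tier, s_env = f["src"].split("@")
        d_tier, d_env = f["dst"].split("@")
        label = f"{f['src']}->{f['dst']}:{f['port']}"
        if s_env in ENVIRONMENTS and d_env in ENVIRONMENTS:
            if s_env != d_env:
                findings.append(f"{label}: crosses environment boundary {s_env}->{d_env}")
            elif (s_tier, d_tier) not in allow:
                findings.append(f"{label}: east-west pair not on the allow-list")
        if f["untrusted_path"] and not f["tls"]:
            findings.append(f"{label}: cleartext over an untrusted network")
    return findings


PRIVILEGED_ROLES = {"admin", "network-admin", "iam-admin"}

# Constructed grants; "expires" is an ISO-8601 timestamp, or None for a standing grant.
GRANTS = [
    {"principal": "alice@example.com", "role": "network-admin", "expires": "2024-06-01T18:00:00+00:00"},
    {"principal": "bob@example.com",   "role": "admin",         "expires": None},
    {"principal": "svc-deploy",        "role": "deployer",      "expires": None},
]


def check_grants(grants=GRANTS, now_iso=None):
    """Flag standing privileged grants and grants that have expired but still exist."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    findings = []
    for g in grants:
        who, role = g["principal"], g["role"]
        if g["expires"] is None:
            if role in PRIVILEGED_ROLES:
                findings.append(f"{who}: standing {role} grant with no expiry")
        elif datetime.fromisoformat(g["expires"]) < now:
            findings.append(f"{who}: {role} grant expired but still present")
    return findings


if __name__ == "__main__":
    for finding in check_flows() + check_grants():
        print("FINDING:", finding)
```

Note that the second flow (api to db over cleartext inside prod) produces no finding: the text requires encryption on paths crossing an untrusted network, and this one does not, so the rule set stays faithful to the stated policy rather than inventing a stricter one.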
Enterprise connectivity
Hybrid setups connect on-premises offices or data centers to cloud workloads through VPN
tunnels, dedicated private links, or SD-WAN overlays. The right pattern depends on latency
requirements, throughput, and how much routing control you need locally.
Branch users often reach SaaS and internal apps through the same identity layer — but not
always the same network path. Document both so troubleshooting does not start from guesswork.
Observability on the wire
Metrics (latency, loss, throughput), flow logs, and packet captures each answer different
questions. Use metrics for trends, logs for policy and access audits, and captures sparingly
when you need to prove what crossed a choke point.
Define SLOs on the paths users care about — login, checkout, API sync — not only on
individual server CPU graphs. A healthy VM behind a misconfigured load balancer still looks
fine in isolation.
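An added example, not from the article, of what "define SLOs on the paths users care about" looks like as arithmetic: synthetic probe results for one user path are constructed so that the VM behind the load balancer is healthy throughout while a misconfigured listener fails a few requests. The availability and latency SLIs are computed from the probe results and compared with an assumed SLO; the probe data, the SLO targets and the path name are all assumptions for the example.

```python
# Added example (not from the article): compute availability and latency SLIs for one
# user-facing path from constructed synthetic-probe results and compare them with an SLO.
import math

# Constructed: one probe per minute against the "login" path for 100 minutes, recorded
# as (succeeded, latency_ms). The VM behind the load balancer stays healthy the whole
# time; the three failures come from a misconfigured listener, so server-side CPU and
# health-check graphs show nothing unusual.
SAMPLES = [(True, 120 + (i % 7) * 10) for i in range(100)]
for _i in (10, 40, 70):
    SAMPLES[_i] = (False, 0)
SAMPLES[5] = (True, 900)   # one slow but successful request

# Assumed SLO for the path: 99% availability, 95th-percentile latency under 300 ms.
SLO = {"availability": 0.99, "latency_ms": 300, "latency_percentile": 0.95}


def percentile(values, p):
    """Nearest-rank percentile of a non-empty list of numbers."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p * len(ordered)))
    return ordered[rank - 1]


def evaluate(samples=SAMPLES, slo=SLO):
    """SLIs for the path plus how much of the error budget the window has consumed."""
    total = len(samples)
    ok_latencies = [lat for good, lat in samples if good]
    availability = len(ok_latencies) / total
    p_lat = percentile(ok_latencies, slo["latency_percentile"])
    error_budget = 1 - slo["availability"]            # allowed failure fraction
    budget_used = (1 - availability) / error_budget   # > 1 means the budget is blown
    return {
        "availability": availability,
        "latency_pct_ms": p_lat,
        "budget_used": budget_used,
        "availability_met": availability >= slo["availability"],
        "latency_met": p_lat <= slo["latency_ms"],
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

Availability comes out at 97% against a 99% target, which is three times the error budget for the window, while latency is comfortably within target; none of this is visible on the VM's own metrics, which is the point the paragraph makes.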
Common pitfalls
Teams repeatedly stumble on the same issues: flat networks with no segmentation, security
groups copied from a tutorial without reviewing ports, DNS TTLs that hide failover problems,
and monitoring that watches servers but not end-to-end paths.
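The "DNS TTLs that hide failover problems" pitfall is easy to state and easy to underestimate, so here is an added example (not from the article) that models a caching resolver: the authoritative answer changes at the moment of failover, but a resolver that cached the old answer keeps returning it until the TTL runs out. A second function flags records whose TTL alone exceeds an assumed failover objective. The record names, TTLs, addresses and the five-minute objective are assumptions for the example.

```python
# Added example (not from the article): model a caching resolver to show how long a
# client keeps using the old address after a DNS-based failover, and flag records
# whose TTL exceeds the failover objective.


def resolver_timeline(ttl, failover_at, query_times, old_ip, new_ip):
    """Answer each query as a caching resolver would. The authoritative answer is
    old_ip before failover_at and new_ip from then on, but a cached answer is
    reused until its TTL expires, whatever the authoritative server now says."""
    cache = None   # (answer, expires_at)
    answers = []
    for t in query_times:
        if cache is None or t >= cache[1]:
            fresh = new_ip if t >= failover_at else old_ip
            cache = (fresh, t + ttl)
        answers.append((t, cache[0]))
    return answers


def seconds_until_new_ip(ttl, failover_at, query_times, old_ip, new_ip):
    """Seconds after failover until this resolver first hands out new_ip, or None if
    it never does within the observed queries."""
    for t, ip in resolver_timeline(ttl, failover_at, query_times, old_ip, new_ip):
        if t >= failover_at and ip == new_ip:
            return t - failover_at
    return None


# Constructed records and an assumed failover objective of five minutes.
RECORDS = {"api.example.com": 3600, "login.example.com": 60, "static.example.com": 86400}
FAILOVER_OBJECTIVE_S = 300


def records_exceeding(records=RECORDS, objective=FAILOVER_OBJECTIVE_S):
    """Records whose TTL alone is longer than the time a failover is allowed to take."""
    return sorted(name for name, ttl in records.items() if ttl > objective)


if __name__ == "__main__":
    queries = range(0, 3700, 30)          # a client resolving every 30 seconds
    delay = seconds_until_new_ip(3600, 60, queries, "198.51.100.10", "198.51.100.20")
    print(f"with a 3600 s TTL the client follows the failover {delay} s late")
    print("TTLs longer than the failover objective:", records_exceeding())
```

With a 3600 second TTL and a failover at t=60, a client that resolved at t=0 keeps talking to the old address until t=3600, so a failover test that only checks the authoritative zone will look successful long before users actually move.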
Another frequent mistake is treating cloud landing zones as "someone else's problem" until
the first production incident. Agree on naming, tagging, and network baselines early — retrofit
is slower than upfront discipline.