Day 13/21: System Design (Networking Fundamentals)

IP address: An IP address is a unique identifier for devices on a network.

It can be IPv4 (32-bit, e.g., 192.168.1.1) or IPv6 (128-bit, e.g., 2001:db8::ff00:42:8329).

Public vs. Private IPs

• Public IP — Globally unique, accessible from the internet (e.g., website servers)
• Private IP — Used inside internal networks (e.g., databases, backend services).
• Reserved Ranges for Private IPs (RFC 1918):
• 10.0.0.0–10.255.255.255
• 172.16.0.0–172.31.255.255
• 192.168.0.0–192.168.255.255

Subnetting and CIDR (Classless Inter-Domain Routing)

Subnetting Basics

• Subnetting divides a large network into smaller sub-networks (subnets) to improve performance, security, and management.
• Each subnet has an IP range and a subnet mask (e.g., 255.255.255.0).

CIDR Notation

• CIDR notation represents IP ranges efficiently.
• 192.168.1.0/24–256 IPs (192.168.1.0 to 192.168.1.255)
• 192.168.1.0/26–64 IPs (smaller subnet)

Subnet Mask Calculation

• /24 = 256 IPs (common for small networks).
• /16 = 65,536 IPs (used for larger networks).
• /32 = Single IP (used for specific host identification).

Public Subnet

• Contains resources accessible from the internet (e.g., web servers).
• Must have a public IP and a route to an internet gateway (IGW).

Private Subnet

• Contains resources not directly accessible from the internet (e.g., databases, internal APIs).
• No public IP and no direct internet access.
• Can access the internet using a NAT Gateway.

NAT Gateway

• Allows private subnets to access the internet securely without exposing them.
• Used for database updates, API calls, and package installations.

Internet Gateway (IGW)

• Enables communication between public subnets and the internet.
• Must be attached to a VPC (Virtual Private Cloud).

VPC Peering and Transit Gateway

• VPC Peering — Direct communication between two virtual networks.
• Transit Gateway — Connects multiple VPCs and on-prem networks centrally.

Security Groups, Ingress, and Egress Rules

Security Groups (SGs)

• Firewall rules that control inbound (ingress) and outbound (egress) traffic.
• Example Security Group Rules:
• Allow HTTP (80), HTTPS (443), and SSH (22) from specific IPs.
• Allow only database connections (e.g., MySQL 3306, PostgreSQL 5432) from internal subnets.

Ingress Rules (Inbound Traffic)

• Defines what incoming traffic is allowed.
• Example: Allow only SSH (22) from a specific IP.

Egress Rules (Outbound Traffic)

• Defines what outbound traffic is allowed.
• Example: Allow outgoing traffic only to specific API endpoints.

Domain Name System (DNS) Basics

• DNS translates domain names (e.g., google.com) to IP addresses.
• A Record — Maps domain to an IPv4 address.
• CNAME Record — Maps domain to another domain (e.g., www.example.com → example.com).
• MX Record — Email server records.
• TTL (Time To Live) — Controls how long DNS records are cached.

DNS Load Balancing

• Uses multiple IPs behind a single domain name to distribute traffic.
• Example: youtube.com might resolve to different IPs based on location.

Reverse Proxy and CDN Routing

• CDNs (Cloudflare, Akamai) use DNS to route users to the closest edge server.
• Reverse Proxies (NGINX, HAProxy) handle SSL termination and caching.

Zero Trust Networking

• Principle: Never trust any request by default, verify every access request.
• Uses identity-based access instead of just IP-based rules.
• Implemented using VPNs, firewalls, and API gateways.

DDoS Protection

• Rate limiting and WAFs (Web Application Firewalls) protect against bot attacks.
• AWS Shield, Cloudflare, and Google Cloud Armor help prevent large-scale DDoS attacks.

Real world example:

When you launch an EC2 instance, AWS assigns:

• Private IP (for internal network communication)
• Public IP (if in a public subnet and enabled)
• Elastic IP (optional) — A static IP that stays even if the instance restarts

{
 “InstanceId”: “i-0abcd1234efgh5678”,
 “PrivateIpAddress”: “10.0.1.5”,
 “PublicIpAddress”: “3.85.200.15”
}

• Private IP (10.0.1.5): Used for internal communication within AWS VPC.
• Public IP (3.85.200.15): Exposed to the internet if instance is in a public subnet.

To make access easier, you map a domain name (e.g., mywebsite.com) to the EC2's public IP using AWS Route 53.

Creating a Route 53 DNS Record

• A Record: Maps domain name to an IP.

{
  "Type": "A",
  "Name": "mywebsite.com",
  "Value": "3.85.200.15",
  "TTL": 300
}

Now, when someone enters mywebsite.com, DNS resolves it to 3.85.200.15.

Let’s assume a user from India types mywebsite.com in their browser.

• The browser checks its DNS cache.
• If not found, it queries the ISP’s DNS resolver.
• The request reaches AWS Route 53, which returns 3.85.200.15.

Once the browser gets the IP, it sends an HTTP request:

GET / HTTP/1.1
Host: mywebsite.com
User-Agent: Mozilla/5.0

This request reaches the EC2 instance at 3.85.200.15.

AWS checks if the request is allowed by the EC2’s security group.

Example Security Group Rules:

{
  "SecurityGroupId": "sg-01234abcd56789efg",
  "IngressRules": [
    {
      "Protocol": "TCP",
      "Port": 80,
      "Source": "0.0.0.0/0",
      "Description": "Allow HTTP traffic"
    },
    {
      "Protocol": "TCP",
      "Port": 22,
      "Source": "192.168.1.100/32",
      "Description": "Allow SSH from specific IP"
    }
  ]
}

• Port 80 (HTTP) is open to everyone (0.0.0.0/0) → Allowed
• Port 22 (SSH) is only allowed for a specific IP (192.168.1.100) → Blocked for others

If the request is valid, it passes through; otherwise, AWS blocks it.

Since port 80 (HTTP) is open, the EC2 instance processes the request.

If the EC2 is running Apache/Nginx, it serves a response:

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 1024

<html>
  <body>
    <h1>Welcome to My Website!</h1>
  </body>
</html>

The browser renders the page, and the user sees “Welcome to My Website!”.

If the EC2 is in a private subnet, it does not have a public IP.

• Instead, a NAT Gateway or ALB (Application Load Balancer) is used to route traffic.
• The public-facing ALB has an IP (52.50.150.10), and it forwards traffic to EC2 instances in the private subnet.
• Example:

{
  "LoadBalancerDNS": "mywebsite-alb-123456789.us-east-1.elb.amazonaws.com",
  "TargetInstances": ["10.0.2.5", "10.0.2.6"]
}

• The user’s request goes to mywebsite.com → DNS resolves it to ALB.
• The ALB forwards the request to EC2 instances in a private subnet.

Networking is the backbone of system design. Understanding IP allocation, subnetting, security groups, and DNS routing is crucial for building secure, scalable, and high-performance applications.

I’ll be posting and stay consistent in both my learning followed by daily pushups. Thank you!

Follow my journey:
Medium: https://ankittk.medium.com/
Instagram: https://www.instagram.com/ankitengram/