Interactive course · 9 lessons · ~2 hours

Cloud networking,
from 10.0.0.0/16 to the edge of the internet

How a request actually travels through a cloud network — and everything around that journey: the VPC it lives in, the security groups that gate it, the load balancer that distributes it, the DNS that named it, the endpoints and gateways connecting worlds, and the logs that record it all. Every lesson has live diagrams you can poke — fire packets, break rules, watch things fail, then fix them.

Lessons 1–4 are the core request path; 5–9 widen out to the full landscape.

01

The VPC: your slice of the cloud

CIDR blocks, subnets, availability zones, route tables, and what actually makes a subnet "public." Includes a live CIDR sizer and a routable packet you can strand.

CIDRsubnetsroute tablesIGW / NAT
02

Security groups: the stateful gatekeeper

Build your own inbound rules, fire test packets at an instance, and see statefulness in action — then meet the NACL, the stateless cousin at the subnet edge.

SG rulesstateful vs statelessNACLs
03

The ALB: traffic direction & health

Listeners, rules, target groups, and health checks. Route requests by path, take a target down, and watch the balancer quietly heal around it.

listenerstarget groupshealth checksALB vs NLB
04

The full journey — and how it breaks

Trace one HTTPS request hop by hop through everything you've built, then debug three realistically broken setups. Capstone of the core path.

end-to-end tracedebug drills
05

DNS & Route 53: the address book

Step through the resolution chase from browser to authoritative zone, learn the records that matter (ALIAS!), and drive a routing-policy simulator: weighted, latency, and health-checked failover.

resolutionrecord typesrouting policiesfailover DR
06

Connecting VPCs: peering, TGW & hybrid

Wire up a peering connection route by route, crash into the transitivity wall, fix it with a Transit Gateway hub, and see why CIDR overlaps are forbidden. Plus VPN vs Direct Connect.

peeringtransit gatewayVPN / DXCIDR planning
07

VPC endpoints & PrivateLink

Call S3 and Secrets Manager without touching the internet — gateway vs interface endpoints, the NAT bill you stop paying, and how PrivateLink delivers entire SaaS products through a keyhole.

gateway endpointsinterface endpointsPrivateLink
08

The edge: CDN, TLS & WAF

Play the cache hit/miss game across an ocean, trace exactly where TLS terminates (and where traffic runs cleartext), and block a SQL injection the security group never could.

CloudFrontcaching & TTLACM / TLSWAF
09

Observability: reading the network's diary

Learn to read VPC Flow Logs, then solve three incidents by finding the one log line that explains each — including the case where the clue is a line that isn't there.

flow logsreachability analyzerENI / EIP / IPv6 / MTU
packet allowed / healthy denied / failed network component

Terminology is AWS-flavored (VPC, SG, ALB), but the ideas map 1:1 to Azure (VNet, NSG, Application Gateway) and GCP (VPC, firewall rules, HTTP LB).