Appendices

Appendix A: The Analogy Blueprint

This is a quick reference for the core analogies used throughout this book. Use it as a cheat sheet to refresh your memory on the key concepts.

Think in rooms, floors, buildings, and streets. You send an envelope from your room, the concierge guides it across floors and buildings, and the city directory helps you find the right address. When you outgrow your building, you rent a private floor in a hotel and keep your hallways private.

The Core Building Analogy

  • Building: A local network you control.
  • Room: A device (computer, phone, server).
  • Room Number: An IP address inside a network.
  • Street Address: A public IP address.
  • Door: A network interface with a unique door tag (MAC address).
  • Hallway Width: Bandwidth.
  • Floor: A subnet.
  • Floor Manager: A switch.
  • Elevator: A default gateway.
  • Concierge: A router.
  • Envelope: A packet.
  • Mail Slot: A port number.
  • Languages: Protocols (TCP is registered mail, UDP is a postcard).
  • City Directory: DNS.
  • Security Guard: A firewall.

The Cloud Hotel Analogy

  • Hotel or Serviced Office: A cloud provider (like AWS, Google Cloud, Azure).
  • Private Floor: A Virtual Private Cloud (VPC).
  • Service Door: A VPC Endpoint.
  • Street Entrance / Staff Exit: An Internet Gateway / NAT Gateway.
  • Door Guards vs. Hallway Rules: Security Groups vs. Network Access Control Lists (NACLs).
  • Private Hallway to Another Hotel: VPC Peering.
  • Private Elevator to Your Office: A VPN or Direct Connect.
  • Hotel’s Internal Phonebook: Private DNS and Service Discovery.
  • Badges and Roles: Identity and Access Management (IAM).
  • Hall Cameras and Logbooks: Flow Logs, Metrics, and Traces.
  • Hotel Branches in Other Cities: Multi-Region Architecture.
  • Room Service on Demand: Serverless Functions.
  • Personal Ushers: A Service Mesh.

Chapter Mantras

  • Addresses: A name is useful, but the number gets you there.
  • Subnets: Same floor, easy talk. New floor, take the elevator.
  • Switches: The floor manager learns who lives where.
  • Routers: The concierge finds the next best step.
  • Ports: The right slot gets the right service.
  • DNS: Ask the directory before you wander.
  • Firewalls: Guards check lists, not vibes.
  • Cloud: Rent a floor, bring your own rules.
  • VPC Endpoints: Service doors that keep you off the street.
  • Serverless: Order in, no kitchen to manage.
  • Service Mesh: Ushers make every trip consistent and safe.

Appendix B: Glossary of Terms

Access Control List (ACL)
A list of rules that a firewall uses to permit or deny traffic. The security guard’s list of approved visitors.
Address Resolution Protocol (ARP)
The protocol used by hosts to discover a neighbor’s physical door tag (MAC address) from its room number (IP address). The switch forwards the broadcast and learns MACs from the frames, but it does not perform the resolution itself. For IPv6, see Neighbor Discovery (NDP).
Bandwidth
The maximum capacity of a network connection. The width of the hallway.
Certificate (TLS/SSL)
An electronic ID card used to prove a server’s identity online, signed by a trusted third party.
Certificate Authority (CA)
A trusted third party that issues and verifies identity certificates for websites and servers.
Content Delivery Network (CDN)
A network of servers that store copies of content closer to users. The convenience store network that stocks popular items locally.
CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)
The set of politeness rules Wi-Fi devices use to avoid talking over each other in a shared space.
Default Gateway
The device that network traffic is sent to when the destination is on a different network. The elevator that takes you to other floors.
Disaster Recovery
The strategy for keeping a system online in case of a major failure. Having a backup hotel in another city.
DNS (Domain Name System)
The system that translates human-readable domain names into machine-readable IP addresses. The city directory.
Firewall
A network security device that monitors and filters incoming and outgoing traffic based on a set of rules. The security guard in the lobby.
IaaS (Infrastructure as a Service)
A cloud model where you rent fundamental computing resources like servers and storage. Renting an empty office space.
Internet Gateway
A VPC component that allows two-way communication between your VPC and the internet. The hotel’s main public entrance.
IP Address
A unique numerical label assigned to each device on a network. The room number.
LAN (Local Area Network)
A network confined to a small area, like a single office building. The building itself.
Latency
The time it takes for data to travel from its source to its destination. The travel time between two points.
Load Balancer
A device that distributes network traffic across multiple servers to ensure no single server gets overwhelmed. The team of concierges directing visitors to identical elevators.
MAC Address
A unique physical identifier assigned to a network interface card (NIC). The unique tag on a room’s door.
Multi-region
A cloud architecture strategy where an application is deployed in multiple geographic locations for resilience and lower latency. Operating a chain of hotels in different cities.
Mutual TLS (mTLS)
A type of authentication where both the client and the server prove their identity to each other. The secret handshake used between personal ushers in a service mesh.
NAT (Network Address Translation)
A method that allows multiple devices in a private network to share a single public IP address. The building’s mail forwarding service.
NAT Gateway
A managed cloud service that allows devices in a private subnet to connect to the internet, but prevents the internet from initiating connections with those devices. The hotel’s monitored, staff-only exit.
Network Access Control List (NACL)
A firewall for a subnet that controls traffic in and out. The security rules for an entire private district or community.
Network Metrics
High-level data about network performance, such as traffic volume and latency. The concierge’s logbook of general hallway activity.
PaaS (Platform as a Service)
A cloud model where you are provided a platform to build and run applications without managing the underlying infrastructure. Renting a fully serviced workspace.
Packet
A small segment of a larger message, containing data and addressing information. An envelope.
Port
A number that specifies which service or application a packet is intended for on a device. The mail slot on a door.
PrivateLink
A cloud service that provides secure, private connectivity between VPCs and services. The private service hatch to a neighbor’s service.
Protocol
A set of rules governing how data is exchanged between devices. A shared language.
Router
A device that forwards data packets between computer networks, choosing the best path for the traffic. The concierge in the lobby.
Routing Table
A set of rules, often in a table, used by a router to determine where to forward packets. The concierge’s map and directory.
SaaS (Software as a Service)
A cloud model where software is licensed on a subscription basis and is centrally hosted. Simply using the hotel’s services without renting any space.
Security Group
A firewall for a specific device (like a server) that controls traffic in and out. The security guard at a specific room’s door.
Serverless
A cloud computing model where the cloud provider runs the server and dynamically manages the allocation of machine resources. Ordering room service instead of managing your own kitchen.
Service Discovery
The process of automatically detecting devices and services on a network. The magical, self-updating internal phonebook.
Service Mesh
A dedicated infrastructure layer for making service-to-service communication safe, fast, and reliable. The team of personal ushers assigned to every room.
Sidecar Proxy
A small application that runs alongside a main application to handle networking tasks. The personal usher standing next to a room’s door.
Subnet
A logical subdivision of a larger network. A floor in the building.
Switch
A device that connects other devices on a local network and forwards packets to the correct destination. The floor manager.
TCP (Transmission Control Protocol)
A core protocol of the internet that provides reliable, ordered, and error-checked delivery of data. Registered mail.
TLS (Transport Layer Security)
A cryptographic protocol that provides end-to-end security of data sent between applications over the internet. The secret handshake ritual.
Tracing
A method for monitoring requests as they travel through a distributed system. The personal assistant who follows a single request from start to finish.
UDP (User Datagram Protocol)
A core protocol of the internet that is fast but does not guarantee delivery or order. A quick postcard.
VPC (Virtual Private Cloud)
A secure, isolated private cloud hosted within a public cloud. Your private floor or district in the cloud hotel.
VPC Endpoint
A feature that enables private connections between your VPC and supported cloud services. The private service doors to the hotel’s amenities.
VPC Flow Logs
A feature that captures information about the IP traffic going to and from network interfaces in your VPC. The security cameras in the hallways.
VPN (Virtual Private Network)
A secure, encrypted connection over a public network. A private subway line from your office to the hotel.
Wi-Fi
A wireless networking technology that uses radio waves to provide network connectivity. A shared, noisy room where everyone must take turns talking.
DHCP (Dynamic Host Configuration Protocol)
The leasing desk that assigns IP addresses, default gateways, and DNS resolvers to devices for a limited time called a lease.
NDP (Neighbor Discovery Protocol)
The IPv6 method for learning neighbor MAC addresses and discovering routers. The IPv6 version of “who has this number?”
OSPF (Open Shortest Path First)
An interior routing protocol used within an organization to compute best paths based on link costs. The staff huddle that keeps interior maps fresh.
BGP (Border Gateway Protocol)
The routing protocol that connects different organizations across the internet. City signage and agreements that coordinate paths between owners.
QUIC / HTTP/3
A modern, encrypted transport running over UDP that provides reliable, multiplexed streams for the web. Like sending many secure envelopes inside one fast courier bag.
PMTUD (Path MTU Discovery)
The process of finding the largest packet size that can traverse a path without fragmentation. Checking staircase clearance before moving a couch.

Appendix C: Further Reading

This book was designed to be a starting point, using analogies to make complex topics more approachable. If you are ready to go deeper and explore the underlying technical details, the resources below are excellent next steps on your journey.

They are dense, technical, and comprehensive, and represent the gold standard of computer networking literature.

Appendix D: Troubleshooting Playbook

When something breaks, do not guess. Follow the envelope.

Core Loop

  1. Sender room: confirm the app can reach the local network.
    • Check IP/DHCP lease; default gateway; DNS resolver.
  2. Door guard (Security Group / host firewall): is egress allowed on the slot?
  3. Floor rules (NACL/ACL): any stateless deny on the subnet wing?
  4. Route table: is there a next hop for that destination?
  5. Boundary device: NAT/Internet Gateway/VPN/Direct Link healthy?
  6. Remote side: is the destination listening on that slot and allowed by its guard?
  7. Observe: VPC Flow Logs, metrics, and traces at each boundary.

Mantra: address, path, permission. Verify each in order.

Common Patterns

  • DNS mismatch: Name resolves to public when caller is private (or vice versa). Fix split-horizon DNS or endpoint usage.
  • SG asymmetry: Egress allowed but return path blocked on remote ingress. Add reply rules or use stateful guards.
  • NACL block: Stateless deny on ephemeral ports. Open ephemeral ranges or prefer stateful SGs.
  • PMTUD black hole: ICMP blocked on path; large payloads fail. Allow needed ICMP or reduce MTU.
  • NAT table exhaustion: Too many concurrent flows through one NAT. Scale or add another egress.

Two Quick Walkthroughs

  1. Private app cannot reach public API
  • Sender has IP and gateway. SG allows egress 443. NACL allows outbound and ephemeral return. Route points to NAT Gateway. NAT metrics show connections but no responses. VPC Flow Logs show REJECT at destination. Root cause: API provider only allows public IPs; add egress IP to allowlist or use a public-facing path.
  1. Web is slow for EU users
  • Latency high from EU to single region. Metrics confirm high RTT. Fix by adding a nearby region, enable latency-based DNS, and put static assets behind a CDN so “corner shops” serve them locally.

Keep logs on, change one thing at a time, and write down what you observe.

Foundational Textbooks

These are the academic cornerstones of networking. They are deep, thorough, and will give you a complete picture of the field.

  1. Computer Networking: A Top-Down Approach

    • by James F. Kurose and Keith W. Ross
    • Why it’s useful: This book is beloved for its inverted approach, starting with the applications you use every day (like the web) and working its way down the network stack to the physical wires. It makes the material more intuitive for many learners.

  2. Computer Networks

    • by Andrew S. Tanenbaum and David J. Wetherall
    • Why it’s useful: A true classic, this book is a comprehensive and authoritative reference for nearly all aspects of networking, from theory to practice. It’s an essential part of any networking library.

  3. TCP/IP Illustrated, Volume 1: The Protocols

    • by W. Richard Stevens and Kevin R. Fall
    • Why it’s useful: When you absolutely need to understand the nitty-gritty details of how TCP/IP works, this is the book. It is famous for its clarity and in-depth protocol analysis.

Practical Guides

These books are more focused on the real-world tasks of building and managing networks.

  1. Network Warrior

    • by Gary A. Donahue
    • Why it’s useful: This book moves from theory to the practical realities of enterprise networking, focusing on the hardware, commands, and configurations you would encounter in a real job.

  2. Networking All-in-One For Dummies

    • by Doug Lowe
    • Why it’s useful: A very accessible and broad overview of the entire field, this book is great for filling in gaps and learning about the many different areas of networking without getting bogged down in deep theory.