Cloud Networking Internals for Developers: VPCs, Subnets, and Firewalls
Demystify cloud networking for developers — CIDR block math and subnetting, route table evaluation with longest prefix match, Internet Gateways, NAT gateway IP masquerading, stateful Security Groups vs stateless NACLs, and VPC peering with transit routing.
Become the Engineer Who Supervises AI
As AI generates more code, understanding what that code does becomes more valuable, not less. Someone must verify AI output, debug failures, and make architectural decisions.
Build Your Architectural Edge
AI Can Generate Your Terraform. Can You Verify the Network Actually Works?
Silent Failures, Blind Debugging
You've opened port 443 on the security group, added a route to the internet gateway, and your service still times out. So you widen the CIDR range, add 0.0.0.0/0 to the NACL, and toggle settings until something works — or paste the error into an AI assistant that confidently suggests the same blind fix. Cloud networking gives you no stack trace: just a connection that hangs until you understand the actual packet path.
See the Invisible Network Layer
Step-based simulations that make packet routing, address translation, and firewall evaluation visible.
Trace Packet Routing
Watch a packet evaluate route table entries as longest prefix match selects the winning route.
Map Subnet Boundaries
Divide a VPC CIDR block into subnets and instantly see usable host ranges for each.
Compare Firewall Behaviors
See how stateful Security Groups track connections while stateless NACLs evaluate each packet independently.
What's Covered
5 lessons across VPC architecture, packet routing, NAT translation, firewall configuration, and cross-network connectivity.
Use CIDR block math to split VPCs into isolated subnets and calculate usable host ranges for each segment.
Trace how longest prefix match selects routes and how Internet Gateways enable bidirectional public traffic.
Give private subnets outbound internet access through source IP translation and state table management.
Configure Security Groups and NACLs correctly by knowing how connection tracking changes the rules you need.
Connect isolated networks with VPC peering or Transit Gateways and manage the routing changes required.
The Curriculum
Comprehensive Lessons! Each with theory, interactive simulation, and quiz.
CIDR Block Mathematics and Subnetting
Apply subnet masks to divide a VPC into discrete network segments. Calculate network addresses, broadcast addresses, and usable host ranges using CIDR notation (/16, /24, /28). Architect data tier isolation with private subnets.
Route Tables and Gateway Traversal
Trace how routing tables evaluate destination CIDR blocks using longest prefix match. Compare local VPC routes against default routes (0.0.0.0/0). Follow packet forwarding through Internet Gateways for bidirectional public internet access.
NAT Gateways and IP Masquerading
Follow how NAT provides outbound internet access for private subnets. See Port Address Translation modify source IPs and ephemeral ports. Trace the state table that maps return traffic to the original host while blocking unsolicited inbound requests.
Stateful Security Groups vs Stateless ACLs
Compare infrastructure-level filtering mechanisms with opposite behaviors. NACLs evaluate every packet independently, requiring explicit inbound and outbound rules including ephemeral port ranges. Security Groups use connection tracking to automatically permit return traffic.
VPC Peering and Transit Routing
Route traffic between isolated VPC networks with non-overlapping CIDR blocks. See why VPC peering is non-transitive and when to shift to Transit Gateways for hub-and-spoke topologies. Modify routing tables to direct traffic across peering connections.
Stop Guessing at Network Configurations
After this course, you'll read VPC architectures, trace packet paths through route tables and NAT gateways, and configure Security Groups and NACLs knowing which rules you need and why, instead of toggling settings until the connection works.