Cloud Networking Internals for Developers: VPCs, Subnets, and Firewalls
See cloud networking from the inside: CIDR block math and subnetting, route table evaluation with longest prefix match, Internet Gateways, NAT gateway IP masquerading, stateful Security Groups vs stateless NACLs, and VPC peering with transit routing.
Become the Engineer Who Supervises AI
As AI generates more code, understanding what that code does becomes more valuable, not less. Someone must verify AI output, debug failures, and make architectural decisions.
Build Your Architectural Edge
AI writes your Terraform, but you're still the one debugging why packets never reach the database subnet.
You can't debug a packet path you've never visualized
You've miscalculated a CIDR range and locked out instances, stared at security group rules unsure whether return traffic needs an explicit entry, or added a route table entry that silently dropped packets instead of forwarding them. AI-generated infrastructure configs compound the problem: Copilot suggests VPC layouts and firewall rules that look reasonable, so you merge them. When connectivity breaks at 2 AM, "looked reasonable" doesn't help you trace a packet through route tables, NAT gateways, and NACLs to find the actual failure point.
Watch your network rules execute, packet by packet
Interactive simulations that make invisible cloud networking mechanics visible and concrete.
Trace packets through route tables
Watch a packet hit a routing table and see longest prefix match select the winning route, step by step, so you know exactly why traffic goes where it does.
See NAT address translation live
Follow a packet from a private subnet through a NAT Gateway as source IPs and ports are rewritten, then watch the state table route return traffic back to the original host.
Compare stateful vs stateless filtering
Send traffic through Security Groups and NACLs side by side to see when return traffic is auto-permitted by connection tracking and when it requires an explicit outbound rule.
What's Covered
Five lessons covering the complete packet lifecycle inside a VPC: addressing, routing, translation, filtering, and multi-network connectivity.
Divide VPCs into isolated network segments using CIDR notation, calculate usable host ranges, and architect private subnets for data tier isolation.
Trace how route tables, Internet Gateways, and NAT Gateways work together to forward packets using longest prefix match and IP masquerading.
Configure Security Groups and Network ACLs correctly by seeing how connection tracking and explicit rule evaluation produce different behaviors for the same traffic.
Connect isolated VPC networks through peering and Transit Gateways, avoiding CIDR overlap and non-transitive routing pitfalls in hub-and-spoke topologies.
The Curriculum
Comprehensive Lessons! Each with theory, interactive simulation, and quiz.
CIDR Block Mathematics and Subnetting
Divide a VPC into discrete network segments by applying subnet masks to CIDR blocks like /16, /24, and /28. Calculate network addresses, broadcast addresses, and usable host ranges. Architect private subnets for data tier isolation.
Route Tables and Gateway Traversal
Trace how routing tables evaluate destination CIDR blocks using longest prefix match to forward packets. Compare local VPC routes against default routes (0.0.0.0/0) and see how Internet Gateways enable bidirectional public internet access.
NAT Gateways and IP Masquerading
Follow a packet from a private subnet through NAT as Port Address Translation rewrites source IPs and ephemeral ports. See how state tables map returning internet traffic back to the original host while natively blocking unsolicited inbound requests.
Stateful Security Groups vs Stateless ACLs
Compare stateless Network ACL evaluation (requiring explicit inbound and outbound rules, including ephemeral port ranges) with stateful Security Group connection tracking that automatically permits return traffic for established connections.
VPC Peering and Transit Routing
Route traffic between isolated VPC networks, managing non-overlapping CIDR block requirements and the non-transitive nature of VPC peering. See how Transit Gateways provide centralized hub-and-spoke routing and the route table modifications needed to direct cross-peering traffic.
Packet-level VPC fluency: from CIDR addressing to firewall evaluation to multi-network routing
After this Deep Dive, you'll calculate subnet ranges on sight, trace packet paths through route tables and NAT gateways, configure Security Groups and NACLs knowing how each evaluates traffic, and design multi-VPC architectures without guessing. The kind of working knowledge that makes every infrastructure decision faster and every debugging session shorter.