Networking#

A handful of components handle the bulk of production traffic. Load balancers, reverse proxies, DNS, CDNs, and (inside Kubernetes clusters) service meshes. The wiring is also the map of trust, what can reach what, where the edge sits, and which segment was left flat, the first thing an attacker enumerates on contact.

        flowchart LR
  User --> DNS[(DNS)]
  DNS --> CDN[CDN / Edge]
  CDN -->|"static cache hit"| User
  CDN --> WAF[WAF]
  WAF --> LB[L7 Load Balancer<br/>TLS termination]
  LB --> Ing[Ingress / API Gateway]
  Ing --> Svc1[Service A]
  Ing --> Svc2[Service B]

  Svc1 -. "mTLS via mesh" .- Svc2
  Svc1 --> DB[(Database)]
  Svc2 --> Cache[(Cache)]
    

Load Balancers#

Load balancers spread traffic across healthy backends, at L4 by address or at L7 by HTTP semantics. The L7 balancer is the defended edge and the TLS termination point, the first thing an attacker meets from outside and the first thing the operator instruments.

Layer

Behavior

L4 (TCP/UDP)

Forwards by IP and port, fast, blind to the payload

L7 (HTTP)

Routes by host and path, terminates TLS, retries, rewrites headers

L4 implementations include AWS NLB and HAProxy in TCP mode; L7 implementations include AWS ALB, nginx, Envoy, HAProxy, and Traefik. Health checks, deregistration delay, and connection draining are the three flags that go wrong most often.

Reverse Proxies#

The middlebox between clients and backends, doing the work that does not belong in either. A reverse proxy is where infrastructure becomes part of the application’s behavior.

Proxy

Strength

nginx

Battle-tested and ubiquitous

Envoy

Rich L7 features, the service-mesh data plane

HAProxy

High-performance L4 and L7

Caddy

Automatic HTTPS

Traefik

Dynamic config, container-native

Common jobs are TLS termination, path and host routing, caching, rate limiting, authentication, compression, and header rewrites.

DNS#

The record types that show up in production zones. TTL choices govern how fast changes propagate. A target’s zone leaks subdomains, mail routing, and delegation, prime recon, and DNS doubles as a covert channel out of a contained network.

Record

Purpose

A

Map a name to an IPv4 address

AAAA

Map a name to an IPv6 address

CNAME

Alias one name to another, cannot coexist with other records at the name

MX

Mail server

TXT

Arbitrary text, used for SPF, DKIM, and ownership proof

SRV

Host and port for a service

NS

Delegate a zone

CAA

Restrict which CAs may issue certificates for the name

Lower the TTL before a planned change so it rolls through resolvers quickly.

TLS / Certificates#

The certificate-issuance and validation surface. Certificates name a target’s hosts, and mTLS is the control the operator enforces between services, and the one an attacker must satisfy to move between them.

Topic

Detail

Let’s Encrypt

Free 90-day certificates over ACME

cert-manager

Automates ACME issuance inside Kubernetes

Wildcard certs

Many subdomains via DNS-01 challenges

mTLS

Authenticates both sides, common inside service meshes

CDN / Edge#

A Content Delivery Network caches static (and increasingly dynamic) content at points of presence near users. Modern CDNs also run code at the edge, which widens the attack surface to every point of presence.

Provider

Edge runtime

CloudFront

CloudFront Functions, Lambda@Edge

Cloudflare

Workers

Fastly

Compute

Akamai

EdgeWorkers

Service Mesh#

The infrastructure pattern that puts a sidecar proxy next to every service to handle cross-cutting concerns, mTLS, retries, circuit breaking, traffic shifting, and L7 observability, uniformly. That uniform mTLS is exactly what an attacker must defeat to move laterally, and the mesh control plane is a high-value pivot.

Mesh

Note

Istio

Most feature-rich, Envoy-based

Linkerd

Lighter, focused on simplicity

Cilium

eBPF-based, can replace kube-proxy

Consul

HashiCorp’s, multi-platform

Service meshes are powerful but rarely free; the additional moving parts have a cost. Adopt for a concrete need, not by default.

Network Policy#

Inside a cluster, NetworkPolicy resources control which Pods can talk to which. Default-deny with explicit allows turns a single foothold into a dead end; a flat cluster hands an attacker free lateral movement.

The Wire#

The application-layer protocols an operator should recognize on sight. Each has different head-of-line, multiplexing, and streaming characteristics, and the protocol on the wire tells the operator what is talking, and an attacker where to wedge in.

Protocol

Characteristic

HTTP/1.1

One request per connection, pipelining rarely useful

HTTP/2

Multiplexed streams over one TCP connection, binary framing

HTTP/3

HTTP over QUIC on UDP, avoids head-of-line blocking

gRPC

HTTP/2 plus Protocol Buffers, bidirectional streaming

WebSocket

Long-lived bidirectional channel over an upgraded HTTP connection