Networking#
A handful of components handle the bulk of production traffic. Load balancers, reverse proxies, DNS, CDNs, and (inside Kubernetes clusters) service meshes. The wiring is also the map of trust, what can reach what, where the edge sits, and which segment was left flat, the first thing an attacker enumerates on contact.
flowchart LR
User --> DNS[(DNS)]
DNS --> CDN[CDN / Edge]
CDN -->|"static cache hit"| User
CDN --> WAF[WAF]
WAF --> LB[L7 Load Balancer<br/>TLS termination]
LB --> Ing[Ingress / API Gateway]
Ing --> Svc1[Service A]
Ing --> Svc2[Service B]
Svc1 -. "mTLS via mesh" .- Svc2
Svc1 --> DB[(Database)]
Svc2 --> Cache[(Cache)]
Load Balancers#
Load balancers spread traffic across healthy backends, at L4 by address or at L7 by HTTP semantics. The L7 balancer is the defended edge and the TLS termination point, the first thing an attacker meets from outside and the first thing the operator instruments.
Layer |
Behavior |
|---|---|
L4 (TCP/UDP) |
Forwards by IP and port, fast, blind to the payload |
L7 (HTTP) |
Routes by host and path, terminates TLS, retries, rewrites headers |
L4 implementations include AWS NLB and HAProxy in TCP mode; L7 implementations include AWS ALB, nginx, Envoy, HAProxy, and Traefik. Health checks, deregistration delay, and connection draining are the three flags that go wrong most often.
Reverse Proxies#
The middlebox between clients and backends, doing the work that does not belong in either. A reverse proxy is where infrastructure becomes part of the application’s behavior.
Proxy |
Strength |
|---|---|
nginx |
Battle-tested and ubiquitous |
Envoy |
Rich L7 features, the service-mesh data plane |
HAProxy |
High-performance L4 and L7 |
Caddy |
Automatic HTTPS |
Traefik |
Dynamic config, container-native |
Common jobs are TLS termination, path and host routing, caching, rate limiting, authentication, compression, and header rewrites.
DNS#
The record types that show up in production zones. TTL choices govern how fast changes propagate. A target’s zone leaks subdomains, mail routing, and delegation, prime recon, and DNS doubles as a covert channel out of a contained network.
Record |
Purpose |
|---|---|
A |
Map a name to an IPv4 address |
AAAA |
Map a name to an IPv6 address |
CNAME |
Alias one name to another, cannot coexist with other records at the name |
MX |
Mail server |
TXT |
Arbitrary text, used for SPF, DKIM, and ownership proof |
SRV |
Host and port for a service |
NS |
Delegate a zone |
CAA |
Restrict which CAs may issue certificates for the name |
Lower the TTL before a planned change so it rolls through resolvers quickly.
TLS / Certificates#
The certificate-issuance and validation surface. Certificates name a target’s hosts, and mTLS is the control the operator enforces between services, and the one an attacker must satisfy to move between them.
Topic |
Detail |
|---|---|
Let’s Encrypt |
Free 90-day certificates over ACME |
cert-manager |
Automates ACME issuance inside Kubernetes |
Wildcard certs |
Many subdomains via DNS-01 challenges |
mTLS |
Authenticates both sides, common inside service meshes |
CDN / Edge#
A Content Delivery Network caches static (and increasingly dynamic) content at points of presence near users. Modern CDNs also run code at the edge, which widens the attack surface to every point of presence.
Provider |
Edge runtime |
|---|---|
CloudFront |
CloudFront Functions, Lambda@Edge |
Cloudflare |
Workers |
Fastly |
Compute |
Akamai |
EdgeWorkers |
Service Mesh#
The infrastructure pattern that puts a sidecar proxy next to every service to handle cross-cutting concerns, mTLS, retries, circuit breaking, traffic shifting, and L7 observability, uniformly. That uniform mTLS is exactly what an attacker must defeat to move laterally, and the mesh control plane is a high-value pivot.
Mesh |
Note |
|---|---|
Istio |
Most feature-rich, Envoy-based |
Linkerd |
Lighter, focused on simplicity |
Cilium |
eBPF-based, can replace kube-proxy |
Consul |
HashiCorp’s, multi-platform |
Service meshes are powerful but rarely free; the additional moving parts have a cost. Adopt for a concrete need, not by default.
Network Policy#
Inside a cluster, NetworkPolicy resources control which Pods can
talk to which. Default-deny with explicit allows turns a single foothold into a
dead end; a flat cluster hands an attacker free lateral movement.
The Wire#
The application-layer protocols an operator should recognize on sight. Each has different head-of-line, multiplexing, and streaming characteristics, and the protocol on the wire tells the operator what is talking, and an attacker where to wedge in.
Protocol |
Characteristic |
|---|---|
HTTP/1.1 |
One request per connection, pipelining rarely useful |
HTTP/2 |
Multiplexed streams over one TCP connection, binary framing |
HTTP/3 |
HTTP over QUIC on UDP, avoids head-of-line blocking |
gRPC |
HTTP/2 plus Protocol Buffers, bidirectional streaming |
WebSocket |
Long-lived bidirectional channel over an upgraded HTTP connection |