TCP/IP Primer for Operators
This page is a compact reference for people who configure VPCs, security groups, load balancers, and DNS — not a replacement for a full computer networks course. It aligns vocabulary with AWS Networking and HTTP for Operators.
Layers (OSI-ish)
Section titled “Layers (OSI-ish)”Cloud docs often mix OSI layers with product names:
| Layer (typical) | Examples | Cloud products |
|---|---|---|
| L2 | Ethernet, VLANs, MAC addresses | Rarely exposed directly; VPC abstracts L2. |
| L3 | IP, ICMP, routing | Subnets, route tables, NACLs (stateless filtering). |
| L4 | TCP, UDP, ports | NLB, security groups (stateful, port/protocol oriented). |
| L7 | HTTP, TLS SNI, host headers | ALB, WAF, Ingress HTTP routing. |
Security groups in AWS are stateful at L3/L4: if you allow an outbound flow, return traffic for that flow is allowed. NACLs are stateless: you must allow both directions explicitly. See Stateful vs Stateless Firewalls on the AWS networking page.
IP Addressing and CIDR
Section titled “IP Addressing and CIDR”- IPv4 addresses are 32-bit; CIDR notation (e.g.
10.0.1.0/24) defines a block of addresses. - Private ranges (RFC 1918) commonly used inside VPCs:
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16. - Non-overlapping CIDRs are required for VPC peering and many VPN designs — see VPC Connectivity.
TCP vs UDP
Section titled “TCP vs UDP”TCP is connection-oriented: three-way handshake (SYN, SYN-ACK, ACK), reliable ordered delivery, flow control. UDP is datagram-based: no handshake in the protocol itself; good for DNS, some real-time protocols.
Symptoms:
- TCP hang — SYN retransmits (see packet capture), middlebox dropping, or wrong security group/NACL on return path.
- UDP “works sometimes” — fragmentation, firewalls that treat UDP differently, or path MTU issues.
TCP Handshake (Troubleshooting Mental Model)
Section titled “TCP Handshake (Troubleshooting Mental Model)”Client Server |---- SYN ------------------->| |<--- SYN-ACK -----------------| |---- ACK -------------------->| | (connection established)If SYN never gets SYN-ACK: server not listening, firewall drop, routing blackhole, or wrong IP/port. strace may show connect() hanging or timing out; flow logs show whether traffic was seen and REJECT vs ACCEPT — Flow logs and network RCA.
DNS maps names to A/AAAA records (and many other types). Resolvers cache TTL. In clouds:
- Route 53 (AWS), Azure DNS, or CoreDNS in Kubernetes answer for your zones.
- Split-horizon or private zones affect what clients see inside a VPC vs on the internet.
Misconfigured CNAME, wrong TTL, or authoritative vs recursive confusion causes “it works from my laptop but not from the pod” — compare resolver and effective record from each vantage point (dig, nslookup).
ARP and Neighbors (Brief)
Section titled “ARP and Neighbors (Brief)”On a LAN, ARP resolves IP → MAC for the next hop. In VPC, you rarely configure ARP directly, but “no neighbor” or asymmetric L2 themes appear when bridging containers or diagnosing bare metal. For cloud RCA, routing and security rules dominate.
MTU and Path MTU
Section titled “MTU and Path MTU”MTU is the maximum packet size on a link. Path MTU is the minimum along the path. If a packet is too large and DF (don’t fragment) is set, routers may send ICMP fragmentation needed; if ICMP is blocked, you get black holes (especially for large UDP or some TCP payloads).
VPN and overlay networks often use lower effective MTU (e.g. MSS clamping on TCP). Symptoms: small payloads work, large transfers stall. Flow logs show bytes; confirming ICMP may need host capture.
Where to Go Next
Section titled “Where to Go Next”| Need | Resource |
|---|---|
| VPC, subnets, SG, NACL, LB | AWS Networking |
| VNet, NSG, Application Gateway | Azure Networking |
| Service DNS, Ingress | Kubernetes Networking |
| HTTP semantics | HTTP for Operators |
| TLS and certs on AWS | TLS and Certificates |