System Design Concepts

No fluff โ€” visual, concise, interview-ready

๐ŸŒ 2 ยท NETWORKING

OSI Model

7-layer reference model for network communication โ€” know L4 and L7 for interviews

#LayerVisualProtocolSystem Design Relevance
7ApplicationHTTP, gRPC, DNS, SMTPL7 Load Balancers (ALB), API Gateways, WAF
6PresentationTLS/SSL, JSON, ProtobufEncryption, serialization
5SessionWebSocket, RPCConnection management
4Transport1234segmentsTCP, UDP, QUICL4 Load Balancers (NLB), port-based routing
3NetworkIP routingIP, ICMPRouting, subnets, VPCs, BGP
2Data LinkswitchEthernet, ARPMAC addresses, switches
1Physical01101Fiber, copperData center hardware
Why it matters: L4 LB routes by IP+port (fast, no content inspection). L7 LB routes by URL/headers/cookies (smart, can do path-based routing). Most system design discussions happen at L4 and L7.

TCP / UDP

Transport layer โ€” TCP (reliable, ordered) vs UDP (fast, unreliable)

TCP โ€” 3-Way Handshake

๐Ÿ’ป Client ๐Ÿ–ฅ๏ธ Server SYN SYN-ACK ACK โœ“ Connection established Reliable, ordered, bidirectional

UDP โ€” Fire and Forget

๐Ÿ’ป Client ๐Ÿ–ฅ๏ธ Server Request Response Response โœ— lost No handshake โ€” send immediately No guarantee, no ordering, fast

Unicast (TCP)

One-to-One

Broadcast (UDP)

One-to-All

Multicast (UDP)

One-to-Several
TCPUDP
Connection-oriented: 3-way handshake (SYNโ†’SYN-ACKโ†’ACK)Connectionless: Send immediately
Ordered + guaranteed: Retransmits lost packetsBest-effort: No retransmission, may arrive out-of-order
Flow + congestion control: Sliding window, slow startNo flow control โ€” sender controls pace
Guarantees: TCP guarantees ordered, reliable, duplicate-free delivery via sequence numbers, ACKs, and retransmission. UDP guarantees nothing โ€” but that's why it's fast (no overhead).
TCP: Banking, HTTPS, DB connections, email. Ports: 80/443/3306/5432/6379/9092
UDP: Live video, gaming, DNS, VoIP, QUIC (HTTP/3). Ports: 53/123/443(QUIC)
Real-world: Fortnite/Valorant use UDP for player positions (few lost packets OK, low latency critical). QUIC (HTTP/3) โ€” UDP-based with built-in TLS 1.3, 0-RTT resumption. Used by Chrome, YouTube, Cloudflare.

HTTP / HTTPS

Application layer โ€” HTTP (plaintext) vs HTTPS (TLS encrypted)

HTTP โ€” Plaintext

๐Ÿ‘ค Client ๐Ÿ–ฅ๏ธ Server GET /api/data (plaintext) 200 OK {"password":"abc"} ๐Ÿ‘๏ธ โš  Anyone on network can read everything

HTTPS โ€” TLS Encrypted

๐Ÿ‘ค Client ๐Ÿ–ฅ๏ธ Server ๐Ÿ”’ TLS encrypted tunnel GET /api/data ยท 200 OK ๐Ÿ‘๏ธ โœ“ Sees only encrypted gibberish
โ–ธ How HTTPS Works โ€” TLS Handshake
Client โ†” Server 1 TCP TCP SYN TCP SYN+ACK TCP ACK connection established Asymmetric Encryption 2 Cert Client Hello (supported ciphers, random) Server Hello + Certificate + Server Hello Done Encrypted Session Key 3 Key Client Key Exchange (pre-master secret) Change Cipher Spec + Finished Change Cipher Spec + Finished Session Key ๐Ÿ”‘ 4 Data ๐Ÿ”’ Symmetric encryption (AES-256) using session key Encrypted Data โ†” Encrypted Data Symmetric Encryption Asymmetric (slow) for key exchange โ†’ Symmetric (fast) for data TLS 1.3: 1-RTT handshake ยท 0-RTT resumption ยท ECDHE for forward secrecy
MethodPurposeIdempotentSafeCacheable
GETRetrieveโœ“โœ“โœ“
POSTCreateโœ—โœ—โœ—
PUTReplaceโœ“โœ—โœ—
PATCHPartial updateโœ—โœ—โœ—
DELETERemoveโœ“โœ—โœ—
HTTPS Guarantees: Confidentiality (AES-256 encryption) ยท Integrity (SHA-256 HMAC, tamper-proof) ยท Authenticity (CA-signed certificate proves server identity) ยท Forward secrecy (ECDHE โ€” past sessions safe even if key leaked).
2xx โ€” Success
200OK201Created202Accepted (async)
204No Content206Partial Content (streaming)
3xx โ€” Redirect
301Moved Permanently302Found (temp redirect)304Not Modified (cache)
307Temp Redirect (keep method)308Perm Redirect (keep method)
4xx โ€” Client Error
400Bad Request401Unauthorized403Forbidden
404Not Found405Method Not Allowed408Request Timeout
409Conflict410Gone (deleted)413Payload Too Large
415Unsupported Media Type422Unprocessable Entity429Too Many Requests
451Unavailable For Legal Reasons
5xx โ€” Server Error
500Internal Server Error501Not Implemented502Bad Gateway
503Service Unavailable504Gateway Timeout
HTTP/2: Binary framing, multiplexing, header compression (HPACK), server push. HTTP/3: QUIC-based (UDP), no head-of-line blocking, 0-RTT.
HTTP/1.1 vs 2 vs 3: HTTP/1.1 โ€” one request per TCP connection (or pipelining, rarely used). HTTP/2 โ€” multiplexed streams over single TCP, but TCP head-of-line blocking remains (1 lost packet stalls all streams). HTTP/3 (QUIC) โ€” each stream independent over UDP, lost packet only stalls its own stream. 0-RTT resumption โ€” reconnect without handshake (TLS 1.3 session tickets). Adopted by Chrome, YouTube, Cloudflare, Meta.

DNS

Translates domains โ†’ IP addresses. The internet's phone book โ€” hierarchical, cached, eventually consistent.

โ–ธ DNS Resolution โ€” Full Lookup Path
Browser local cache OS Resolver /etc/hosts Recursive Resolver ISP / 1.1.1.1 / 8.8.8.8 caches by TTL Root (13) โ†’ .com NS TLD (.com) โ†’ example NS Authoritative โ†’ 93.184.216.34 A record + TTL DNS Routing Policies Simple โ€” single IP Weighted โ€” 70/30 split (canary) Latency โ€” nearest region Geolocation โ€” country-based Failover โ€” health-check based Multivalue โ€” return multiple IPs GeoDNS + Anycast = global LB Full resolution: ~50-200ms (uncached) | Cached: 0ms (browser) to ~1ms (resolver)
RecordPurposeExampleTTL Guidance
A / AAAADomain โ†’ IPv4 / IPv6example.com โ†’ 93.184.216.34300s (failover) to 86400s (stable)
CNAMEAlias to another domainwww โ†’ example.comCan't coexist with other records at apex
ALIAS / ANAMECNAME at zone apexexample.com โ†’ cdn.provider.comProvider-specific (Route 53, Cloudflare)
MXMail routing (priority)10 mail.example.com3600s typical
TXTVerification, SPF, DKIMv=spf1 include:_spf.google.com3600s
SRVService discovery (port + weight)_http._tcp.example.com 8080Used by Consul, K8s
NSDelegate to nameserversns1.example.com86400s (rarely changes)
CAAWhich CAs can issue certs0 issue "letsencrypt.org"Security: restrict cert issuance
TTL strategy: Low TTL (60s) = fast failover, higher query load, good for active-passive DR. High TTL (86400s) = less load, slow propagation, good for stable records. Pre-lower TTL before migrations (drop to 60s 24h before cutover).
Real-world: Route 53 โ€” GeoDNS + health checks for multi-region failover. Cloudflare โ€” 1.1.1.1 resolves in ~11ms globally. Anycast โ€” same IP announced from multiple PoPs (nearest wins). DNSSEC โ€” cryptographic chain of trust preventing DNS spoofing.
Anti-patterns: High TTL before migration โ€” users stuck on old IP for hours. CNAME at apex โ€” breaks MX/NS records. No health checks โ€” DNS routes to dead servers. Relying on DNS for sub-second failover โ€” TTL caching prevents it.

IP & CIDR

Address space, subnet sizing, and private ranges โ€” CIDR suffix = network bits, smaller suffix = bigger block

10.0.0.0/8 โ€” 16.7M addresses (entire org) /16 (65K) 10.0.0.0/16 โ€” 65,536 addresses (VPC per region) /24 (256) 10.0.0.0/24 โ€” 256 addresses (subnet per AZ) /28 (16) Rule: suffix +1 = half the block | /24 โ†’ /25 = 128 hosts each AWS reserves 5 IPs per subnet (network, router, DNS, future, broadcast)
CIDRHostsTypical UseSubnet Mask
/321Single host (allow-list a server)255.255.255.255
/2816Small subnet (NAT GW, bastion)255.255.255.240
/24256Standard subnet (one AZ)255.255.255.0
/204,096Large subnet (K8s pod CIDR)255.255.240.0
/1665,536VPC per region255.255.0.0
/816.7MEntire org (10.0.0.0/8)255.0.0.0
Private ranges (RFC 1918): 10.0.0.0/8 ยท 172.16.0.0/12 ยท 192.168.0.0/16. Used inside VPCs; not routable on public internet. Plan CIDR carefully โ€” VPC peering requires non-overlapping ranges.
VPC design: Use /16 per VPC, split into /24 subnets per AZ. Separate public (LB), private (app), and isolated (DB) subnets. Leave room for growth โ€” you can't resize a VPC CIDR easily.
Anti-patterns: Overlapping CIDRs โ€” can't peer VPCs. Too small VPC โ€” run out of IPs when scaling. /16 subnets โ€” waste addresses, broadcast domain too large. Using 172.17.0.0/16 โ€” conflicts with Docker default bridge.

Key Ports Cheat Sheet

Standard ports you'll meet in any architecture diagram โ€” ports < 1024 are privileged (need root)

PortServiceProtocolSecurity Notes
22SSHTCPKey-based auth only, disable password login
53DNSUDP/TCPUDP first, TCP for > 512B or zone transfers
80HTTPTCPRedirect to 443, never serve sensitive data
443HTTPSTCPTLS 1.3, HSTS header, cert pinning for mobile
3306MySQLTCPPrivate subnet only, never expose publicly
5432PostgreSQLTCPSSL mode = require, restrict to app CIDR
6379RedisTCPNo auth by default โ€” always set requirepass + ACL
9092KafkaTCP9093 for TLS, SASL for auth
9200ElasticsearchTCPNever expose publicly (data exfil risk)
27017MongoDBTCPEnable auth, bind to private IP only
8080/8443App serversTCPNon-privileged, behind LB on 80/443
2379/2380etcdTCPClient/peer ports, mTLS required
Rule of thumb: Run apps on 8080/8443 (non-privileged) and let a load balancer terminate 80/443. Only expose ports that must be public. Database ports should never be reachable from the internet.
Common breaches: Open Redis (6379) โ€” cryptominer injection. Open Elasticsearch โ€” data exfiltration. Open MongoDB โ€” ransomware. Always scan with nmap or cloud security tools.

Firewalls โ€” Security Groups vs NACLs

Two layers of network filtering in every cloud VPC โ€” defense in depth

โ–ธ VPC Network Security โ€” Layered Filtering
Internet untrusted VPC NACL (Subnet-level) stateless ยท allow + deny numbered rules, first match coarse: block CIDR ranges Security Group (Instance) stateful ยท allow only all rules evaluated fine: per-port, per-source SG EC2 / Pod app workload port 8080 Layer 1: subnet perimeter Layer 2: instance perimeter
AspectSecurity GroupNACL
ScopeInstance / ENI (can reference other SGs)Entire subnet
StateStateful โ€” return traffic auto-allowedStateless โ€” must allow both directions explicitly
RulesAllow only (implicit deny all)Allow + Deny (explicit deny possible)
EvaluationAll rules evaluated (most permissive wins)Numbered, first match wins
Use caseFine-grained: "app SG can talk to DB SG on 5432"Coarse: "block this CIDR range entirely"
Limits~60 rules per SG, 5 SGs per ENI20 rules per NACL (soft limit)
Best practice: Least-privilege allow-list per port. Default deny everything. Reference SG-to-SG instead of CIDR (survives IP changes). Use NACLs as a coarse "block this CIDR" knife for known-bad ranges.
K8s equivalent: NetworkPolicy โ€” pod-level firewall (Calico, Cilium). Default deny all ingress/egress, then allow specific label selectors. Service Mesh (Istio) adds L7 policies (allow GET /api but deny POST).
Anti-patterns: 0.0.0.0/0 on DB port โ€” database exposed to internet. Single SG for everything โ€” no isolation between tiers. Overly permissive egress โ€” allows data exfiltration. No logging โ€” can't detect unauthorized access.

Zero Trust Networking

"Never trust, always verify" โ€” no implicit trust for internal traffic. Every request authenticated, authorized, encrypted.

โ–ธ Zero Trust โ€” Every Hop Verified
Service A SPIFFE ID: spiffe://cluster/ns/svc-a short-lived cert (1h) Sidecar Proxy Envoy / Linkerd ๐Ÿ”’ mTLS termination cert rotation (auto) L7 observability mTLS Policy Engine OPA / Istio AuthZ โœ“ identity verified โœ“ action authorized deny by default Service B SPIFFE ID: spiffe://cluster/ns/svc-b validates caller identity Zero Trust Pillars โ‘  Verify identity (mTLS/JWT) โ‘ก Verify device posture โ‘ข Least privilege access โ‘ฃ Encrypt everything โ‘ค Log + audit all access โ‘ฅ Assume breach โ‘ฆ Micro-segmentation โ‘ง Continuous verification Network location โ‰  trust. Internal traffic is treated same as external. Result: lateral movement blocked even if one service is compromised
ComponentPurposeTools
Service IdentityCryptographic identity per workloadSPIFFE/SPIRE, K8s ServiceAccount, AWS IAM Roles
mTLSMutual authentication + encryptionIstio, Linkerd, Consul Connect, Cilium
Policy EngineFine-grained authorization (who can call what)OPA/Rego, Istio AuthorizationPolicy, Cedar
Cert ManagementAuto-rotate short-lived certificatescert-manager, Vault PKI, SPIRE
BeyondCorp ProxyIdentity-aware access for humansCloudflare Access, Google IAP, Zscaler
ObservabilityAudit all access decisionsEnvoy access logs, OPA decision logs
Implementation: Istio/Linkerd โ€” inject sidecar proxy, auto-mTLS between all pods. SPIFFE โ€” universal workload identity (x509 SVIDs). OPA โ€” "svc-a can call svc-b GET /api/orders but not DELETE". Short-lived certs (1h) โ€” compromised cert expires quickly.
Real-world: Google BeyondCorp โ€” no VPN, all access through identity-aware proxy. Netflix โ€” mTLS everywhere via custom CA. Airbnb โ€” SPIFFE for service identity. Cloudflare โ€” Access replaces VPN for employee access.
Anti-patterns: VPN = trusted โ€” once inside VPN, full access (flat network). IP-based allow-lists โ€” IPs change, can be spoofed. Long-lived certs โ€” compromised cert valid for years. No east-west encryption โ€” internal traffic sniffable.

DDoS Defense

Layers of mitigation from edge to origin โ€” absorb volumetric attacks, filter application-layer floods

โ–ธ DDoS Defense โ€” Multi-Layer Protection
Attackers โ†ฏ 100 Gbps botnet flood โ‘  Anycast Edge absorb volumetric 300+ PoPs globally 100+ Tbps capacity Cloudflare / AWS Shield BGP blackhole for L3 โ‘ก WAF L7 filtering rate-limit per IP/JA3 geo-block, IP reputation OWASP rules (SQLi, XSS) custom rules per endpoint โ‘ข Bot Mgmt CAPTCHA / JS challenge browser fingerprinting ML anomaly detection device attestation behavioral analysis โ‘ฃ App Layer auto-scaling circuit breakers graceful degradation queue-based admission signed cookies/tokens โœ“ Origin (clean traffic) drops 95% volumetric blocks 90% L7 attacks filters 99% bots handles remaining load Capacity rule: edge must absorb 10-100ร— your peak legitimate traffic
LayerAttack TypeDefenseTools
L3/L4 (Network)SYN flood, UDP amplification, ICMP floodAnycast absorption, scrubbing centers, BGP blackholeCloudflare Magic Transit, AWS Shield Advanced
L7 (Application)HTTP flood, slowloris, cache-bustingWAF rules, rate-limit per IP/JA3/path, geo-blockCloudflare WAF, AWS WAF, Akamai Kona
Bot / CredentialCredential stuffing, scraping, account takeoverCAPTCHA, device fingerprint, behavioral MLCloudflare Bot Mgmt, PerimeterX, DataDome
DNSDNS amplification, NXDOMAIN floodAnycast DNS, rate-limit queries, DNSSECRoute 53 Shield, Cloudflare DNS
APIAPI abuse, enumeration, resource exhaustionAPI gateway rate-limit, token bucket, signed requestsKong, Apigee, AWS API Gateway
โ–ธ DDoS Attack Types & Signatures

Volumetric (L3/L4)

  • SYN flood: exhaust connection table
  • UDP amplification: DNS/NTP/memcached reflection
  • ICMP flood: saturate bandwidth
  • Scale: 1-3 Tbps (record attacks)
  • Defense: absorb at edge, can't filter at app

Application (L7)

  • HTTP flood: legitimate-looking requests at scale
  • Slowloris: hold connections open slowly
  • Cache-busting: unique URLs bypass CDN
  • Scale: 10K-10M RPS
  • Defense: WAF, rate-limit, CAPTCHA, behavioral
Defense-in-depth: Edge (Cloudflare/Shield) absorbs volumetric โ†’ WAF filters L7 โ†’ Rate limiting per IP/path โ†’ Bot management challenges suspicious โ†’ App gracefully degrades under remaining load. Each layer reduces attack surface for the next.
Preparation: Always-on protection (not on-demand โ€” too slow to activate). Runbook for escalation. Load test your own infrastructure to know breaking points. Separate static assets on CDN (attackers can't exhaust origin for static content).
Anti-patterns: No edge protection โ€” origin directly exposed. On-demand only โ€” takes 10+ min to activate during attack. Single-region โ€” no geographic distribution to absorb. Exposing origin IP โ€” attackers bypass CDN directly.
Real-world: Cloudflare โ€” mitigated 71M RPS attack (2023). AWS Shield Advanced โ€” auto-mitigates with DDoS Response Team. Google Cloud Armor โ€” adaptive protection with ML. GitHub โ€” survived 1.35 Tbps memcached amplification (2018).