npm - blockmine - Versions diffs - 1.20.0 → 1.22.0 - Mend

blockmine 1.20.0 → 1.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (434) hide show

package/.claude/skills/cloud-engineering/resources/cloud-networking.md ADDED Viewed

@@ -0,0 +1,1058 @@
+# Cloud Networking Patterns
+Comprehensive guide to cloud networking across AWS, Azure, and GCP. Covers VPC design, network security, connectivity patterns, DNS strategies, and load balancing.
+## VPC Design Patterns
+### AWS VPC Architecture
+**Multi-Tier VPC Design:**
+```
+Production VPC (10.0.0.0/16)
+├── Public Subnets (10.0.0.0/20)
+│   ├── us-east-1a: 10.0.0.0/24 (Load Balancers, NAT Gateways)
+│   ├── us-east-1b: 10.0.1.0/24
+│   └── us-east-1c: 10.0.2.0/24
+├── Private App Subnets (10.0.16.0/20)
+│   ├── us-east-1a: 10.0.16.0/24 (Application Tier)
+│   ├── us-east-1b: 10.0.17.0/24
+│   └── us-east-1c: 10.0.18.0/24
+└── Private DB Subnets (10.0.32.0/20)
+    ├── us-east-1a: 10.0.32.0/24 (Database Tier)
+    ├── us-east-1b: 10.0.33.0/24
+    └── us-east-1c: 10.0.34.0/24
+```
+**Implementation (Terraform):**
+```hcl
+# VPC with DNS support
+resource "aws_vpc" "main" {
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+  tags = {
+    Name        = "production-vpc"
+    Environment = "production"
+  }
+}
+# Internet Gateway for public subnets
+resource "aws_internet_gateway" "main" {
+  vpc_id = aws_vpc.main.id
+  tags = {
+    Name = "production-igw"
+  }
+}
+# Public subnets across AZs
+resource "aws_subnet" "public" {
+  count = 3
+  vpc_id                  = aws_vpc.main.id
+  cidr_block              = "10.0.${count.index}.0/24"
+  availability_zone       = data.aws_availability_zones.available.names[count.index]
+  map_public_ip_on_launch = true
+  tags = {
+    Name = "public-subnet-${count.index + 1}"
+    Type = "public"
+  }
+}
+# Private app subnets
+resource "aws_subnet" "private_app" {
+  count = 3
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = "10.0.${16 + count.index}.0/24"
+  availability_zone = data.aws_availability_zones.available.names[count.index]
+  tags = {
+    Name = "private-app-subnet-${count.index + 1}"
+    Type = "private"
+    Tier = "application"
+  }
+}
+# Private database subnets
+resource "aws_subnet" "private_db" {
+  count = 3
+  vpc_id            = aws_vpc.main.id
+  cidr_block        = "10.0.${32 + count.index}.0/24"
+  availability_zone = data.aws_availability_zones.available.names[count.index]
+  tags = {
+    Name = "private-db-subnet-${count.index + 1}"
+    Type = "private"
+    Tier = "database"
+  }
+}
+# Elastic IPs for NAT Gateways
+resource "aws_eip" "nat" {
+  count  = 3
+  domain = "vpc"
+  tags = {
+    Name = "nat-eip-${count.index + 1}"
+  }
+}
+# NAT Gateways in each AZ for high availability
+resource "aws_nat_gateway" "main" {
+  count = 3
+  allocation_id = aws_eip.nat[count.index].id
+  subnet_id     = aws_subnet.public[count.index].id
+  tags = {
+    Name = "nat-gateway-${count.index + 1}"
+  }
+  depends_on = [aws_internet_gateway.main]
+}
+# Route table for public subnets
+resource "aws_route_table" "public" {
+  vpc_id = aws_vpc.main.id
+  route {
+    cidr_block = "0.0.0.0/0"
+    gateway_id = aws_internet_gateway.main.id
+  }
+  tags = {
+    Name = "public-route-table"
+  }
+}
+# Route tables for private subnets (one per AZ)
+resource "aws_route_table" "private" {
+  count  = 3
+  vpc_id = aws_vpc.main.id
+  route {
+    cidr_block     = "0.0.0.0/0"
+    nat_gateway_id = aws_nat_gateway.main[count.index].id
+  }
+  tags = {
+    Name = "private-route-table-${count.index + 1}"
+  }
+}
+# Associate public subnets with public route table
+resource "aws_route_table_association" "public" {
+  count          = 3
+  subnet_id      = aws_subnet.public[count.index].id
+  route_table_id = aws_route_table.public.id
+}
+# Associate private subnets with private route tables
+resource "aws_route_table_association" "private_app" {
+  count          = 3
+  subnet_id      = aws_subnet.private_app[count.index].id
+  route_table_id = aws_route_table.private[count.index].id
+}
+# VPC Flow Logs
+resource "aws_flow_log" "main" {
+  iam_role_arn    = aws_iam_role.flow_log.arn
+  log_destination = aws_cloudwatch_log_group.flow_log.arn
+  traffic_type    = "ALL"
+  vpc_id          = aws_vpc.main.id
+  tags = {
+    Name = "production-vpc-flow-logs"
+  }
+}
+```
+### Azure Virtual Network
+**Hub-and-Spoke Topology:**
+```hcl
+# Hub VNet (Shared Services)
+resource "azurerm_virtual_network" "hub" {
+  name                = "hub-vnet"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.network.name
+  address_space       = ["10.0.0.0/16"]
+  subnet {
+    name           = "GatewaySubnet"
+    address_prefix = "10.0.0.0/24"
+  }
+  subnet {
+    name           = "AzureFirewallSubnet"
+    address_prefix = "10.0.1.0/24"
+  }
+  subnet {
+    name           = "SharedServicesSubnet"
+    address_prefix = "10.0.2.0/24"
+  }
+}
+# Spoke VNet (Production)
+resource "azurerm_virtual_network" "spoke_prod" {
+  name                = "spoke-prod-vnet"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.network.name
+  address_space       = ["10.1.0.0/16"]
+  subnet {
+    name           = "ApplicationSubnet"
+    address_prefix = "10.1.0.0/24"
+  }
+  subnet {
+    name           = "DatabaseSubnet"
+    address_prefix = "10.1.1.0/24"
+  }
+}
+# VNet Peering: Hub to Spoke
+resource "azurerm_virtual_network_peering" "hub_to_spoke" {
+  name                         = "hub-to-spoke-prod"
+  resource_group_name          = azurerm_resource_group.network.name
+  virtual_network_name         = azurerm_virtual_network.hub.name
+  remote_virtual_network_id    = azurerm_virtual_network.spoke_prod.id
+  allow_virtual_network_access = true
+  allow_forwarded_traffic      = true
+  allow_gateway_transit        = true
+}
+# VNet Peering: Spoke to Hub
+resource "azurerm_virtual_network_peering" "spoke_to_hub" {
+  name                         = "spoke-prod-to-hub"
+  resource_group_name          = azurerm_resource_group.network.name
+  virtual_network_name         = azurerm_virtual_network.spoke_prod.name
+  remote_virtual_network_id    = azurerm_virtual_network.hub.id
+  allow_virtual_network_access = true
+  allow_forwarded_traffic      = true
+  use_remote_gateways          = true
+}
+# Network Security Group
+resource "azurerm_network_security_group" "app" {
+  name                = "app-nsg"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.network.name
+  security_rule {
+    name                       = "allow-https"
+    priority                   = 100
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "443"
+    source_address_prefix      = "*"
+    destination_address_prefix = "*"
+  }
+  security_rule {
+    name                       = "allow-app-tier"
+    priority                   = 200
+    direction                  = "Inbound"
+    access                     = "Allow"
+    protocol                   = "Tcp"
+    source_port_range          = "*"
+    destination_port_range     = "8080"
+    source_address_prefix      = "10.1.0.0/24"
+    destination_address_prefix = "*"
+  }
+}
+```
+### GCP VPC Network
+**Global VPC with Regional Subnets:**
+```hcl
+# VPC network (global)
+resource "google_compute_network" "main" {
+  name                    = "production-network"
+  auto_create_subnetworks = false
+  routing_mode            = "GLOBAL"
+}
+# Subnet in us-central1
+resource "google_compute_subnetwork" "us_central" {
+  name          = "us-central-subnet"
+  ip_cidr_range = "10.0.0.0/20"
+  region        = "us-central1"
+  network       = google_compute_network.main.id
+  secondary_ip_range {
+    range_name    = "pods"
+    ip_cidr_range = "10.1.0.0/16"
+  }
+  secondary_ip_range {
+    range_name    = "services"
+    ip_cidr_range = "10.2.0.0/20"
+  }
+  log_config {
+    aggregation_interval = "INTERVAL_5_SEC"
+    flow_sampling        = 0.5
+    metadata             = "INCLUDE_ALL_METADATA"
+  }
+}
+# Cloud Router for NAT
+resource "google_compute_router" "nat_router" {
+  name    = "nat-router"
+  region  = "us-central1"
+  network = google_compute_network.main.id
+  bgp {
+    asn = 64514
+  }
+}
+# Cloud NAT
+resource "google_compute_router_nat" "nat" {
+  name                               = "nat-gateway"
+  router                             = google_compute_router.nat_router.name
+  region                             = "us-central1"
+  nat_ip_allocate_option             = "AUTO_ONLY"
+  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+  log_config {
+    enable = true
+    filter = "ERRORS_ONLY"
+  }
+}
+# Firewall rules
+resource "google_compute_firewall" "allow_internal" {
+  name    = "allow-internal"
+  network = google_compute_network.main.name
+  allow {
+    protocol = "tcp"
+    ports    = ["0-65535"]
+  }
+  allow {
+    protocol = "udp"
+    ports    = ["0-65535"]
+  }
+  allow {
+    protocol = "icmp"
+  }
+  source_ranges = ["10.0.0.0/8"]
+}
+```
+## Network Connectivity Patterns
+### VPC Peering vs Transit Gateway
+**VPC Peering (AWS):**
+```hcl
+# Peer two VPCs
+resource "aws_vpc_peering_connection" "peer" {
+  vpc_id      = aws_vpc.vpc1.id
+  peer_vpc_id = aws_vpc.vpc2.id
+  auto_accept = true
+  tags = {
+    Name = "vpc1-to-vpc2"
+  }
+}
+# Add routes in VPC1 route tables
+resource "aws_route" "vpc1_to_vpc2" {
+  route_table_id            = aws_route_table.vpc1_private.id
+  destination_cidr_block    = aws_vpc.vpc2.cidr_block
+  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
+}
+# Add routes in VPC2 route tables
+resource "aws_route" "vpc2_to_vpc1" {
+  route_table_id            = aws_route_table.vpc2_private.id
+  destination_cidr_block    = aws_vpc.vpc1.cidr_block
+  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
+}
+```
+**Transit Gateway (Hub-and-Spoke):**
+```hcl
+# Transit Gateway
+resource "aws_ec2_transit_gateway" "main" {
+  description                     = "Central transit hub"
+  default_route_table_association = "enable"
+  default_route_table_propagation = "enable"
+  dns_support                     = "enable"
+  vpn_ecmp_support               = "enable"
+  tags = {
+    Name = "main-tgw"
+  }
+}
+# Attach VPCs to Transit Gateway
+resource "aws_ec2_transit_gateway_vpc_attachment" "vpc1" {
+  subnet_ids         = aws_subnet.vpc1_private[*].id
+  transit_gateway_id = aws_ec2_transit_gateway.main.id
+  vpc_id             = aws_vpc.vpc1.id
+  tags = {
+    Name = "vpc1-attachment"
+  }
+}
+resource "aws_ec2_transit_gateway_vpc_attachment" "vpc2" {
+  subnet_ids         = aws_subnet.vpc2_private[*].id
+  transit_gateway_id = aws_ec2_transit_gateway.main.id
+  vpc_id             = aws_vpc.vpc2.id
+  tags = {
+    Name = "vpc2-attachment"
+  }
+}
+# Routes to Transit Gateway
+resource "aws_route" "vpc1_to_tgw" {
+  route_table_id         = aws_route_table.vpc1_private.id
+  destination_cidr_block = "0.0.0.0/0"
+  transit_gateway_id     = aws_ec2_transit_gateway.main.id
+}
+```
+### Private Link / Private Endpoint
+**AWS PrivateLink:**
+```hcl
+# VPC Endpoint for AWS services (Gateway endpoint)
+resource "aws_vpc_endpoint" "s3" {
+  vpc_id       = aws_vpc.main.id
+  service_name = "com.amazonaws.${var.region}.s3"
+  route_table_ids = aws_route_table.private[*].id
+  tags = {
+    Name = "s3-gateway-endpoint"
+  }
+}
+# Interface endpoint for other AWS services
+resource "aws_vpc_endpoint" "ecr_api" {
+  vpc_id              = aws_vpc.main.id
+  service_name        = "com.amazonaws.${var.region}.ecr.api"
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = aws_subnet.private_app[*].id
+  security_group_ids  = [aws_security_group.vpc_endpoints.id]
+  private_dns_enabled = true
+  tags = {
+    Name = "ecr-api-endpoint"
+  }
+}
+# PrivateLink for your own service
+resource "aws_vpc_endpoint_service" "api" {
+  acceptance_required        = false
+  network_load_balancer_arns = [aws_lb.api.arn]
+  tags = {
+    Name = "api-privatelink-service"
+  }
+}
+```
+**Azure Private Endpoint:**
+```hcl
+resource "azurerm_private_endpoint" "storage" {
+  name                = "storage-private-endpoint"
+  location            = var.location
+  resource_group_name = azurerm_resource_group.main.name
+  subnet_id           = azurerm_subnet.private.id
+  private_service_connection {
+    name                           = "storage-privateserviceconnection"
+    private_connection_resource_id = azurerm_storage_account.main.id
+    is_manual_connection           = false
+    subresource_names              = ["blob"]
+  }
+  private_dns_zone_group {
+    name                 = "default"
+    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
+  }
+}
+resource "azurerm_private_dns_zone" "blob" {
+  name                = "privatelink.blob.core.windows.net"
+  resource_group_name = azurerm_resource_group.main.name
+}
+```
+## Load Balancing
+### AWS Application Load Balancer
+```hcl
+# Application Load Balancer
+resource "aws_lb" "main" {
+  name               = "app-alb"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alb.id]
+  subnets            = aws_subnet.public[*].id
+  enable_deletion_protection = true
+  enable_http2              = true
+  enable_cross_zone_load_balancing = true
+  access_logs {
+    bucket  = aws_s3_bucket.lb_logs.id
+    enabled = true
+  }
+  tags = {
+    Name = "production-alb"
+  }
+}
+# Target group
+resource "aws_lb_target_group" "app" {
+  name     = "app-tg"
+  port     = 8080
+  protocol = "HTTP"
+  vpc_id   = aws_vpc.main.id
+  health_check {
+    enabled             = true
+    healthy_threshold   = 2
+    unhealthy_threshold = 2
+    timeout             = 5
+    interval            = 30
+    path                = "/health"
+    matcher             = "200"
+  }
+  deregistration_delay = 30
+  tags = {
+    Name = "app-target-group"
+  }
+}
+# HTTPS listener
+resource "aws_lb_listener" "https" {
+  load_balancer_arn = aws_lb.main.arn
+  port              = "443"
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  certificate_arn   = aws_acm_certificate.main.arn
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.app.arn
+  }
+}
+# HTTP to HTTPS redirect
+resource "aws_lb_listener" "http" {
+  load_balancer_arn = aws_lb.main.arn
+  port              = "80"
+  protocol          = "HTTP"
+  default_action {
+    type = "redirect"
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+# Listener rule for path-based routing
+resource "aws_lb_listener_rule" "api" {
+  listener_arn = aws_lb_listener.https.arn
+  priority     = 100
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.api.arn
+  }
+  condition {
+    path_pattern {
+      values = ["/api/*"]
+    }
+  }
+}
+```
+### GCP Load Balancer
+```hcl
+# Backend service
+resource "google_compute_backend_service" "default" {
+  name                  = "app-backend"
+  protocol              = "HTTP"
+  port_name             = "http"
+  timeout_sec           = 30
+  load_balancing_scheme = "EXTERNAL"
+  backend {
+    group           = google_compute_instance_group_manager.app.instance_group
+    balancing_mode  = "UTILIZATION"
+    capacity_scaler = 1.0
+  }
+  health_checks = [google_compute_health_check.default.id]
+  log_config {
+    enable      = true
+    sample_rate = 1.0
+  }
+}
+# Health check
+resource "google_compute_health_check" "default" {
+  name               = "app-health-check"
+  check_interval_sec = 5
+  timeout_sec        = 5
+  http_health_check {
+    port         = 8080
+    request_path = "/health"
+  }
+}
+# URL map
+resource "google_compute_url_map" "default" {
+  name            = "app-url-map"
+  default_service = google_compute_backend_service.default.id
+  host_rule {
+    hosts        = ["api.example.com"]
+    path_matcher = "api"
+  }
+  path_matcher {
+    name            = "api"
+    default_service = google_compute_backend_service.api.id
+    path_rule {
+      paths   = ["/v1/*"]
+      service = google_compute_backend_service.v1.id
+    }
+    path_rule {
+      paths   = ["/v2/*"]
+      service = google_compute_backend_service.v2.id
+    }
+  }
+}
+# HTTPS proxy
+resource "google_compute_target_https_proxy" "default" {
+  name             = "app-https-proxy"
+  url_map          = google_compute_url_map.default.id
+  ssl_certificates = [google_compute_ssl_certificate.default.id]
+}
+# Forwarding rule
+resource "google_compute_global_forwarding_rule" "default" {
+  name                  = "app-forwarding-rule"
+  ip_protocol           = "TCP"
+  load_balancing_scheme = "EXTERNAL"
+  port_range            = "443"
+  target                = google_compute_target_https_proxy.default.id
+  ip_address            = google_compute_global_address.default.id
+}
+```
+## DNS Strategies
+### Route 53 (AWS)
+**Failover Routing:**
+```hcl
+resource "aws_route53_health_check" "primary" {
+  fqdn              = "primary.example.com"
+  port              = 443
+  type              = "HTTPS"
+  resource_path     = "/health"
+  failure_threshold = 3
+  request_interval  = 30
+  tags = {
+    Name = "primary-health-check"
+  }
+}
+resource "aws_route53_record" "primary" {
+  zone_id = aws_route53_zone.main.zone_id
+  name    = "api.example.com"
+  type    = "A"
+  failover_routing_policy {
+    type = "PRIMARY"
+  }
+  set_identifier  = "primary"
+  health_check_id = aws_route53_health_check.primary.id
+  alias {
+    name                   = aws_lb.primary.dns_name
+    zone_id                = aws_lb.primary.zone_id
+    evaluate_target_health = true
+  }
+}
+resource "aws_route53_record" "secondary" {
+  zone_id = aws_route53_zone.main.zone_id
+  name    = "api.example.com"
+  type    = "A"
+  failover_routing_policy {
+    type = "SECONDARY"
+  }
+  set_identifier = "secondary"
+  alias {
+    name                   = aws_lb.secondary.dns_name
+    zone_id                = aws_lb.secondary.zone_id
+    evaluate_target_health = true
+  }
+}
+```
+**Geolocation Routing:**
+```hcl
+resource "aws_route53_record" "us" {
+  zone_id = aws_route53_zone.main.zone_id
+  name    = "www.example.com"
+  type    = "A"
+  geolocation_routing_policy {
+    country = "US"
+  }
+  set_identifier = "us-customers"
+  alias {
+    name                   = aws_lb.us_east.dns_name
+    zone_id                = aws_lb.us_east.zone_id
+    evaluate_target_health = true
+  }
+}
+resource "aws_route53_record" "eu" {
+  zone_id = aws_route53_zone.main.zone_id
+  name    = "www.example.com"
+  type    = "A"
+  geolocation_routing_policy {
+    continent = "EU"
+  }
+  set_identifier = "eu-customers"
+  alias {
+    name                   = aws_lb.eu_west.dns_name
+    zone_id                = aws_lb.eu_west.zone_id
+    evaluate_target_health = true
+  }
+}
+```
+## CDN Configuration
+### CloudFront (AWS)
+```hcl
+resource "aws_cloudfront_distribution" "main" {
+  enabled             = true
+  is_ipv6_enabled     = true
+  comment             = "Production CDN"
+  default_root_object = "index.html"
+  price_class         = "PriceClass_All"
+  origin {
+    domain_name = aws_lb.main.dns_name
+    origin_id   = "alb"
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_protocol_policy = "https-only"
+      origin_ssl_protocols   = ["TLSv1.2"]
+    }
+    custom_header {
+      name  = "X-Custom-Header"
+      value = "CloudFront"
+    }
+  }
+  origin {
+    domain_name = aws_s3_bucket.static.bucket_regional_domain_name
+    origin_id   = "s3"
+    s3_origin_config {
+      origin_access_identity = aws_cloudfront_origin_access_identity.main.cloudfront_access_identity_path
+    }
+  }
+  default_cache_behavior {
+    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = "alb"
+    forwarded_values {
+      query_string = true
+      headers      = ["Host", "Authorization"]
+      cookies {
+        forward = "all"
+      }
+    }
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 0
+    default_ttl            = 3600
+    max_ttl                = 86400
+    compress               = true
+  }
+  ordered_cache_behavior {
+    path_pattern     = "/static/*"
+    allowed_methods  = ["GET", "HEAD"]
+    cached_methods   = ["GET", "HEAD"]
+    target_origin_id = "s3"
+    forwarded_values {
+      query_string = false
+      cookies {
+        forward = "none"
+      }
+    }
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 0
+    default_ttl            = 86400
+    max_ttl                = 31536000
+    compress               = true
+  }
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+  viewer_certificate {
+    acm_certificate_arn      = aws_acm_certificate.main.arn
+    ssl_support_method       = "sni-only"
+    minimum_protocol_version = "TLSv1.2_2021"
+  }
+  web_acl_id = aws_wafv2_web_acl.main.arn
+  tags = {
+    Environment = "production"
+  }
+}
+```
+## Network Security
+### Security Groups (AWS)
+```hcl
+# ALB security group
+resource "aws_security_group" "alb" {
+  name        = "alb-sg"
+  description = "Security group for Application Load Balancer"
+  vpc_id      = aws_vpc.main.id
+  ingress {
+    description = "HTTPS from internet"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  ingress {
+    description = "HTTP from internet"
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    description = "All outbound"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "alb-security-group"
+  }
+}
+# Application security group
+resource "aws_security_group" "app" {
+  name        = "app-sg"
+  description = "Security group for application tier"
+  vpc_id      = aws_vpc.main.id
+  ingress {
+    description     = "HTTP from ALB"
+    from_port       = 8080
+    to_port         = 8080
+    protocol        = "tcp"
+    security_groups = [aws_security_group.alb.id]
+  }
+  egress {
+    description = "All outbound"
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "app-security-group"
+  }
+}
+# Database security group
+resource "aws_security_group" "db" {
+  name        = "db-sg"
+  description = "Security group for database tier"
+  vpc_id      = aws_vpc.main.id
+  ingress {
+    description     = "PostgreSQL from app tier"
+    from_port       = 5432
+    to_port         = 5432
+    protocol        = "tcp"
+    security_groups = [aws_security_group.app.id]
+  }
+  tags = {
+    Name = "db-security-group"
+  }
+}
+```
+### Network ACLs
+```hcl
+resource "aws_network_acl" "public" {
+  vpc_id     = aws_vpc.main.id
+  subnet_ids = aws_subnet.public[*].id
+  # Allow inbound HTTP
+  ingress {
+    protocol   = "tcp"
+    rule_no    = 100
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 80
+    to_port    = 80
+  }
+  # Allow inbound HTTPS
+  ingress {
+    protocol   = "tcp"
+    rule_no    = 110
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 443
+    to_port    = 443
+  }
+  # Allow return traffic
+  ingress {
+    protocol   = "tcp"
+    rule_no    = 120
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 1024
+    to_port    = 65535
+  }
+  # Allow all outbound
+  egress {
+    protocol   = "-1"
+    rule_no    = 100
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 0
+    to_port    = 0
+  }
+  tags = {
+    Name = "public-nacl"
+  }
+}
+```
+## Best Practices
+1. **VPC Design:**
+   - Use multiple availability zones for high availability
+   - Separate subnets by tier (public, app, database)
+   - Reserve IP space for future growth
+   - Enable VPC Flow Logs for security monitoring
+2. **Network Connectivity:**
+   - Use Transit Gateway for complex hub-and-spoke topologies
+   - VPC peering for simple point-to-point connections
+   - PrivateLink for service-to-service communication
+   - Avoid overlapping CIDR ranges
+3. **Security:**
+   - Apply principle of least privilege
+   - Use security groups as virtual firewalls
+   - Network ACLs for subnet-level controls
+   - Enable encryption in transit
+   - Regular security audits
+4. **Load Balancing:**
+   - Use health checks for automatic failover
+   - Enable access logs for troubleshooting
+   - Configure SSL/TLS termination at load balancer
+   - Implement WAF for application protection
+5. **DNS:**
+   - Use health checks for failover routing
+   - Geolocation routing for global applications
+   - TTL management for flexibility
+   - DNSSEC for enhanced security
+## Anti-Patterns
+- Single AZ deployment (no redundancy)
+- Overly permissive security groups
+- No network segmentation
+- Missing health checks on load balancers
+- Hard-coded IPs instead of DNS
+- No VPC Flow Logs
+- Public subnets for databases
+- Missing encryption in transit