blockmine 1.24.0 → 1.27.0

package/.claude/skills/cloud-engineering/resources/cloud-networking.md

@@ -1,1058 +0,0 @@
-# Cloud Networking Patterns
-
-Comprehensive guide to cloud networking across AWS, Azure, and GCP. Covers VPC design, network security, connectivity patterns, DNS strategies, and load balancing.
-
-## VPC Design Patterns
-
-### AWS VPC Architecture
-
-**Multi-Tier VPC Design:**
-```
-Production VPC (10.0.0.0/16)
-├── Public Subnets (10.0.0.0/20)
-│   ├── us-east-1a: 10.0.0.0/24 (Load Balancers, NAT Gateways)
-│   ├── us-east-1b: 10.0.1.0/24
-│   └── us-east-1c: 10.0.2.0/24
-├── Private App Subnets (10.0.16.0/20)
-│   ├── us-east-1a: 10.0.16.0/24 (Application Tier)
-│   ├── us-east-1b: 10.0.17.0/24
-│   └── us-east-1c: 10.0.18.0/24
-└── Private DB Subnets (10.0.32.0/20)
-    ├── us-east-1a: 10.0.32.0/24 (Database Tier)
-    ├── us-east-1b: 10.0.33.0/24
-    └── us-east-1c: 10.0.34.0/24
-```
-
-**Implementation (Terraform):**
-```hcl
-# VPC with DNS support
-resource "aws_vpc" "main" {
-  cidr_block           = "10.0.0.0/16"
-  enable_dns_hostnames = true
-  enable_dns_support   = true
-
-  tags = {
-    Name        = "production-vpc"
-    Environment = "production"
-  }
-}
-
-# Internet Gateway for public subnets
-resource "aws_internet_gateway" "main" {
-  vpc_id = aws_vpc.main.id
-
-  tags = {
-    Name = "production-igw"
-  }
-}
-
-# Public subnets across AZs
-resource "aws_subnet" "public" {
-  count = 3
-
-  vpc_id                  = aws_vpc.main.id
-  cidr_block              = "10.0.${count.index}.0/24"
-  availability_zone       = data.aws_availability_zones.available.names[count.index]
-  map_public_ip_on_launch = true
-
-  tags = {
-    Name = "public-subnet-${count.index + 1}"
-    Type = "public"
-  }
-}
-
-# Private app subnets
-resource "aws_subnet" "private_app" {
-  count = 3
-
-  vpc_id            = aws_vpc.main.id
-  cidr_block        = "10.0.${16 + count.index}.0/24"
-  availability_zone = data.aws_availability_zones.available.names[count.index]
-
-  tags = {
-    Name = "private-app-subnet-${count.index + 1}"
-    Type = "private"
-    Tier = "application"
-  }
-}
-
-# Private database subnets
-resource "aws_subnet" "private_db" {
-  count = 3
-
-  vpc_id            = aws_vpc.main.id
-  cidr_block        = "10.0.${32 + count.index}.0/24"
-  availability_zone = data.aws_availability_zones.available.names[count.index]
-
-  tags = {
-    Name = "private-db-subnet-${count.index + 1}"
-    Type = "private"
-    Tier = "database"
-  }
-}
-
-# Elastic IPs for NAT Gateways
-resource "aws_eip" "nat" {
-  count  = 3
-  domain = "vpc"
-
-  tags = {
-    Name = "nat-eip-${count.index + 1}"
-  }
-}
-
-# NAT Gateways in each AZ for high availability
-resource "aws_nat_gateway" "main" {
-  count = 3
-
-  allocation_id = aws_eip.nat[count.index].id
-  subnet_id     = aws_subnet.public[count.index].id
-
-  tags = {
-    Name = "nat-gateway-${count.index + 1}"
-  }
-
-  depends_on = [aws_internet_gateway.main]
-}
-
-# Route table for public subnets
-resource "aws_route_table" "public" {
-  vpc_id = aws_vpc.main.id
-
-  route {
-    cidr_block = "0.0.0.0/0"
-    gateway_id = aws_internet_gateway.main.id
-  }
-
-  tags = {
-    Name = "public-route-table"
-  }
-}
-
-# Route tables for private subnets (one per AZ)
-resource "aws_route_table" "private" {
-  count  = 3
-  vpc_id = aws_vpc.main.id
-
-  route {
-    cidr_block     = "0.0.0.0/0"
-    nat_gateway_id = aws_nat_gateway.main[count.index].id
-  }
-
-  tags = {
-    Name = "private-route-table-${count.index + 1}"
-  }
-}
-
-# Associate public subnets with public route table
-resource "aws_route_table_association" "public" {
-  count          = 3
-  subnet_id      = aws_subnet.public[count.index].id
-  route_table_id = aws_route_table.public.id
-}
-
-# Associate private subnets with private route tables
-resource "aws_route_table_association" "private_app" {
-  count          = 3
-  subnet_id      = aws_subnet.private_app[count.index].id
-  route_table_id = aws_route_table.private[count.index].id
-}
-
-# VPC Flow Logs
-resource "aws_flow_log" "main" {
-  iam_role_arn    = aws_iam_role.flow_log.arn
-  log_destination = aws_cloudwatch_log_group.flow_log.arn
-  traffic_type    = "ALL"
-  vpc_id          = aws_vpc.main.id
-
-  tags = {
-    Name = "production-vpc-flow-logs"
-  }
-}
-```
-
-### Azure Virtual Network
-
-**Hub-and-Spoke Topology:**
-```hcl
-# Hub VNet (Shared Services)
-resource "azurerm_virtual_network" "hub" {
-  name                = "hub-vnet"
-  location            = var.location
-  resource_group_name = azurerm_resource_group.network.name
-  address_space       = ["10.0.0.0/16"]
-
-  subnet {
-    name           = "GatewaySubnet"
-    address_prefix = "10.0.0.0/24"
-  }
-
-  subnet {
-    name           = "AzureFirewallSubnet"
-    address_prefix = "10.0.1.0/24"
-  }
-
-  subnet {
-    name           = "SharedServicesSubnet"
-    address_prefix = "10.0.2.0/24"
-  }
-}
-
-# Spoke VNet (Production)
-resource "azurerm_virtual_network" "spoke_prod" {
-  name                = "spoke-prod-vnet"
-  location            = var.location
-  resource_group_name = azurerm_resource_group.network.name
-  address_space       = ["10.1.0.0/16"]
-
-  subnet {
-    name           = "ApplicationSubnet"
-    address_prefix = "10.1.0.0/24"
-  }
-
-  subnet {
-    name           = "DatabaseSubnet"
-    address_prefix = "10.1.1.0/24"
-  }
-}
-
-# VNet Peering: Hub to Spoke
-resource "azurerm_virtual_network_peering" "hub_to_spoke" {
-  name                         = "hub-to-spoke-prod"
-  resource_group_name          = azurerm_resource_group.network.name
-  virtual_network_name         = azurerm_virtual_network.hub.name
-  remote_virtual_network_id    = azurerm_virtual_network.spoke_prod.id
-  allow_virtual_network_access = true
-  allow_forwarded_traffic      = true
-  allow_gateway_transit        = true
-}
-
-# VNet Peering: Spoke to Hub
-resource "azurerm_virtual_network_peering" "spoke_to_hub" {
-  name                         = "spoke-prod-to-hub"
-  resource_group_name          = azurerm_resource_group.network.name
-  virtual_network_name         = azurerm_virtual_network.spoke_prod.name
-  remote_virtual_network_id    = azurerm_virtual_network.hub.id
-  allow_virtual_network_access = true
-  allow_forwarded_traffic      = true
-  use_remote_gateways          = true
-}
-
-# Network Security Group
-resource "azurerm_network_security_group" "app" {
-  name                = "app-nsg"
-  location            = var.location
-  resource_group_name = azurerm_resource_group.network.name
-
-  security_rule {
-    name                       = "allow-https"
-    priority                   = 100
-    direction                  = "Inbound"
-    access                     = "Allow"
-    protocol                   = "Tcp"
-    source_port_range          = "*"
-    destination_port_range     = "443"
-    source_address_prefix      = "*"
-    destination_address_prefix = "*"
-  }
-
-  security_rule {
-    name                       = "allow-app-tier"
-    priority                   = 200
-    direction                  = "Inbound"
-    access                     = "Allow"
-    protocol                   = "Tcp"
-    source_port_range          = "*"
-    destination_port_range     = "8080"
-    source_address_prefix      = "10.1.0.0/24"
-    destination_address_prefix = "*"
-  }
-}
-```
-
-### GCP VPC Network
-
-**Global VPC with Regional Subnets:**
-```hcl
-# VPC network (global)
-resource "google_compute_network" "main" {
-  name                    = "production-network"
-  auto_create_subnetworks = false
-  routing_mode            = "GLOBAL"
-}
-
-# Subnet in us-central1
-resource "google_compute_subnetwork" "us_central" {
-  name          = "us-central-subnet"
-  ip_cidr_range = "10.0.0.0/20"
-  region        = "us-central1"
-  network       = google_compute_network.main.id
-
-  secondary_ip_range {
-    range_name    = "pods"
-    ip_cidr_range = "10.1.0.0/16"
-  }
-
-  secondary_ip_range {
-    range_name    = "services"
-    ip_cidr_range = "10.2.0.0/20"
-  }
-
-  log_config {
-    aggregation_interval = "INTERVAL_5_SEC"
-    flow_sampling        = 0.5
-    metadata             = "INCLUDE_ALL_METADATA"
-  }
-}
-
-# Cloud Router for NAT
-resource "google_compute_router" "nat_router" {
-  name    = "nat-router"
-  region  = "us-central1"
-  network = google_compute_network.main.id
-
-  bgp {
-    asn = 64514
-  }
-}
-
-# Cloud NAT
-resource "google_compute_router_nat" "nat" {
-  name                               = "nat-gateway"
-  router                             = google_compute_router.nat_router.name
-  region                             = "us-central1"
-  nat_ip_allocate_option             = "AUTO_ONLY"
-  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
-
-  log_config {
-    enable = true
-    filter = "ERRORS_ONLY"
-  }
-}
-
-# Firewall rules
-resource "google_compute_firewall" "allow_internal" {
-  name    = "allow-internal"
-  network = google_compute_network.main.name
-
-  allow {
-    protocol = "tcp"
-    ports    = ["0-65535"]
-  }
-
-  allow {
-    protocol = "udp"
-    ports    = ["0-65535"]
-  }
-
-  allow {
-    protocol = "icmp"
-  }
-
-  source_ranges = ["10.0.0.0/8"]
-}
-```
-
-## Network Connectivity Patterns
-
-### VPC Peering vs Transit Gateway
-
-**VPC Peering (AWS):**
-```hcl
-# Peer two VPCs
-resource "aws_vpc_peering_connection" "peer" {
-  vpc_id      = aws_vpc.vpc1.id
-  peer_vpc_id = aws_vpc.vpc2.id
-  auto_accept = true
-
-  tags = {
-    Name = "vpc1-to-vpc2"
-  }
-}
-
-# Add routes in VPC1 route tables
-resource "aws_route" "vpc1_to_vpc2" {
-  route_table_id            = aws_route_table.vpc1_private.id
-  destination_cidr_block    = aws_vpc.vpc2.cidr_block
-  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
-}
-
-# Add routes in VPC2 route tables
-resource "aws_route" "vpc2_to_vpc1" {
-  route_table_id            = aws_route_table.vpc2_private.id
-  destination_cidr_block    = aws_vpc.vpc1.cidr_block
-  vpc_peering_connection_id = aws_vpc_peering_connection.peer.id
-}
-```
-
-**Transit Gateway (Hub-and-Spoke):**
-```hcl
-# Transit Gateway
-resource "aws_ec2_transit_gateway" "main" {
-  description                     = "Central transit hub"
-  default_route_table_association = "enable"
-  default_route_table_propagation = "enable"
-  dns_support                     = "enable"
-  vpn_ecmp_support               = "enable"
-
-  tags = {
-    Name = "main-tgw"
-  }
-}
-
-# Attach VPCs to Transit Gateway
-resource "aws_ec2_transit_gateway_vpc_attachment" "vpc1" {
-  subnet_ids         = aws_subnet.vpc1_private[*].id
-  transit_gateway_id = aws_ec2_transit_gateway.main.id
-  vpc_id             = aws_vpc.vpc1.id
-
-  tags = {
-    Name = "vpc1-attachment"
-  }
-}
-
-resource "aws_ec2_transit_gateway_vpc_attachment" "vpc2" {
-  subnet_ids         = aws_subnet.vpc2_private[*].id
-  transit_gateway_id = aws_ec2_transit_gateway.main.id
-  vpc_id             = aws_vpc.vpc2.id
-
-  tags = {
-    Name = "vpc2-attachment"
-  }
-}
-
-# Routes to Transit Gateway
-resource "aws_route" "vpc1_to_tgw" {
-  route_table_id         = aws_route_table.vpc1_private.id
-  destination_cidr_block = "0.0.0.0/0"
-  transit_gateway_id     = aws_ec2_transit_gateway.main.id
-}
-```
-
-### Private Link / Private Endpoint
-
-**AWS PrivateLink:**
-```hcl
-# VPC Endpoint for AWS services (Gateway endpoint)
-resource "aws_vpc_endpoint" "s3" {
-  vpc_id       = aws_vpc.main.id
-  service_name = "com.amazonaws.${var.region}.s3"
-
-  route_table_ids = aws_route_table.private[*].id
-
-  tags = {
-    Name = "s3-gateway-endpoint"
-  }
-}
-
-# Interface endpoint for other AWS services
-resource "aws_vpc_endpoint" "ecr_api" {
-  vpc_id              = aws_vpc.main.id
-  service_name        = "com.amazonaws.${var.region}.ecr.api"
-  vpc_endpoint_type   = "Interface"
-  subnet_ids          = aws_subnet.private_app[*].id
-  security_group_ids  = [aws_security_group.vpc_endpoints.id]
-  private_dns_enabled = true
-
-  tags = {
-    Name = "ecr-api-endpoint"
-  }
-}
-
-# PrivateLink for your own service
-resource "aws_vpc_endpoint_service" "api" {
-  acceptance_required        = false
-  network_load_balancer_arns = [aws_lb.api.arn]
-
-  tags = {
-    Name = "api-privatelink-service"
-  }
-}
-```
-
-**Azure Private Endpoint:**
-```hcl
-resource "azurerm_private_endpoint" "storage" {
-  name                = "storage-private-endpoint"
-  location            = var.location
-  resource_group_name = azurerm_resource_group.main.name
-  subnet_id           = azurerm_subnet.private.id
-
-  private_service_connection {
-    name                           = "storage-privateserviceconnection"
-    private_connection_resource_id = azurerm_storage_account.main.id
-    is_manual_connection           = false
-    subresource_names              = ["blob"]
-  }
-
-  private_dns_zone_group {
-    name                 = "default"
-    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
-  }
-}
-
-resource "azurerm_private_dns_zone" "blob" {
-  name                = "privatelink.blob.core.windows.net"
-  resource_group_name = azurerm_resource_group.main.name
-}
-```
-
-## Load Balancing
-
-### AWS Application Load Balancer
-
-```hcl
-# Application Load Balancer
-resource "aws_lb" "main" {
-  name               = "app-alb"
-  internal           = false
-  load_balancer_type = "application"
-  security_groups    = [aws_security_group.alb.id]
-  subnets            = aws_subnet.public[*].id
-
-  enable_deletion_protection = true
-  enable_http2              = true
-  enable_cross_zone_load_balancing = true
-
-  access_logs {
-    bucket  = aws_s3_bucket.lb_logs.id
-    enabled = true
-  }
-
-  tags = {
-    Name = "production-alb"
-  }
-}
-
-# Target group
-resource "aws_lb_target_group" "app" {
-  name     = "app-tg"
-  port     = 8080
-  protocol = "HTTP"
-  vpc_id   = aws_vpc.main.id
-
-  health_check {
-    enabled             = true
-    healthy_threshold   = 2
-    unhealthy_threshold = 2
-    timeout             = 5
-    interval            = 30
-    path                = "/health"
-    matcher             = "200"
-  }
-
-  deregistration_delay = 30
-
-  tags = {
-    Name = "app-target-group"
-  }
-}
-
-# HTTPS listener
-resource "aws_lb_listener" "https" {
-  load_balancer_arn = aws_lb.main.arn
-  port              = "443"
-  protocol          = "HTTPS"
-  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
-  certificate_arn   = aws_acm_certificate.main.arn
-
-  default_action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.app.arn
-  }
-}
-
-# HTTP to HTTPS redirect
-resource "aws_lb_listener" "http" {
-  load_balancer_arn = aws_lb.main.arn
-  port              = "80"
-  protocol          = "HTTP"
-
-  default_action {
-    type = "redirect"
-
-    redirect {
-      port        = "443"
-      protocol    = "HTTPS"
-      status_code = "HTTP_301"
-    }
-  }
-}
-
-# Listener rule for path-based routing
-resource "aws_lb_listener_rule" "api" {
-  listener_arn = aws_lb_listener.https.arn
-  priority     = 100
-
-  action {
-    type             = "forward"
-    target_group_arn = aws_lb_target_group.api.arn
-  }
-
-  condition {
-    path_pattern {
-      values = ["/api/*"]
-    }
-  }
-}
-```
-
-### GCP Load Balancer
-
-```hcl
-# Backend service
-resource "google_compute_backend_service" "default" {
-  name                  = "app-backend"
-  protocol              = "HTTP"
-  port_name             = "http"
-  timeout_sec           = 30
-  load_balancing_scheme = "EXTERNAL"
-
-  backend {
-    group           = google_compute_instance_group_manager.app.instance_group
-    balancing_mode  = "UTILIZATION"
-    capacity_scaler = 1.0
-  }
-
-  health_checks = [google_compute_health_check.default.id]
-
-  log_config {
-    enable      = true
-    sample_rate = 1.0
-  }
-}
-
-# Health check
-resource "google_compute_health_check" "default" {
-  name               = "app-health-check"
-  check_interval_sec = 5
-  timeout_sec        = 5
-
-  http_health_check {
-    port         = 8080
-    request_path = "/health"
-  }
-}
-
-# URL map
-resource "google_compute_url_map" "default" {
-  name            = "app-url-map"
-  default_service = google_compute_backend_service.default.id
-
-  host_rule {
-    hosts        = ["api.example.com"]
-    path_matcher = "api"
-  }
-
-  path_matcher {
-    name            = "api"
-    default_service = google_compute_backend_service.api.id
-
-    path_rule {
-      paths   = ["/v1/*"]
-      service = google_compute_backend_service.v1.id
-    }
-
-    path_rule {
-      paths   = ["/v2/*"]
-      service = google_compute_backend_service.v2.id
-    }
-  }
-}
-
-# HTTPS proxy
-resource "google_compute_target_https_proxy" "default" {
-  name             = "app-https-proxy"
-  url_map          = google_compute_url_map.default.id
-  ssl_certificates = [google_compute_ssl_certificate.default.id]
-}
-
-# Forwarding rule
-resource "google_compute_global_forwarding_rule" "default" {
-  name                  = "app-forwarding-rule"
-  ip_protocol           = "TCP"
-  load_balancing_scheme = "EXTERNAL"
-  port_range            = "443"
-  target                = google_compute_target_https_proxy.default.id
-  ip_address            = google_compute_global_address.default.id
-}
-```
-
-## DNS Strategies
-
-### Route 53 (AWS)
-
-**Failover Routing:**
-```hcl
-resource "aws_route53_health_check" "primary" {
-  fqdn              = "primary.example.com"
-  port              = 443
-  type              = "HTTPS"
-  resource_path     = "/health"
-  failure_threshold = 3
-  request_interval  = 30
-
-  tags = {
-    Name = "primary-health-check"
-  }
-}
-
-resource "aws_route53_record" "primary" {
-  zone_id = aws_route53_zone.main.zone_id
-  name    = "api.example.com"
-  type    = "A"
-
-  failover_routing_policy {
-    type = "PRIMARY"
-  }
-
-  set_identifier  = "primary"
-  health_check_id = aws_route53_health_check.primary.id
-
-  alias {
-    name                   = aws_lb.primary.dns_name
-    zone_id                = aws_lb.primary.zone_id
-    evaluate_target_health = true
-  }
-}
-
-resource "aws_route53_record" "secondary" {
-  zone_id = aws_route53_zone.main.zone_id
-  name    = "api.example.com"
-  type    = "A"
-
-  failover_routing_policy {
-    type = "SECONDARY"
-  }
-
-  set_identifier = "secondary"
-
-  alias {
-    name                   = aws_lb.secondary.dns_name
-    zone_id                = aws_lb.secondary.zone_id
-    evaluate_target_health = true
-  }
-}
-```
-
-**Geolocation Routing:**
-```hcl
-resource "aws_route53_record" "us" {
-  zone_id = aws_route53_zone.main.zone_id
-  name    = "www.example.com"
-  type    = "A"
-
-  geolocation_routing_policy {
-    country = "US"
-  }
-
-  set_identifier = "us-customers"
-
-  alias {
-    name                   = aws_lb.us_east.dns_name
-    zone_id                = aws_lb.us_east.zone_id
-    evaluate_target_health = true
-  }
-}
-
-resource "aws_route53_record" "eu" {
-  zone_id = aws_route53_zone.main.zone_id
-  name    = "www.example.com"
-  type    = "A"
-
-  geolocation_routing_policy {
-    continent = "EU"
-  }
-
-  set_identifier = "eu-customers"
-
-  alias {
-    name                   = aws_lb.eu_west.dns_name
-    zone_id                = aws_lb.eu_west.zone_id
-    evaluate_target_health = true
-  }
-}
-```
-
-## CDN Configuration
-
-### CloudFront (AWS)
-
-```hcl
-resource "aws_cloudfront_distribution" "main" {
-  enabled             = true
-  is_ipv6_enabled     = true
-  comment             = "Production CDN"
-  default_root_object = "index.html"
-  price_class         = "PriceClass_All"
-
-  origin {
-    domain_name = aws_lb.main.dns_name
-    origin_id   = "alb"
-
-    custom_origin_config {
-      http_port              = 80
-      https_port             = 443
-      origin_protocol_policy = "https-only"
-      origin_ssl_protocols   = ["TLSv1.2"]
-    }
-
-    custom_header {
-      name  = "X-Custom-Header"
-      value = "CloudFront"
-    }
-  }
-
-  origin {
-    domain_name = aws_s3_bucket.static.bucket_regional_domain_name
-    origin_id   = "s3"
-
-    s3_origin_config {
-      origin_access_identity = aws_cloudfront_origin_access_identity.main.cloudfront_access_identity_path
-    }
-  }
-
-  default_cache_behavior {
-    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
-    cached_methods   = ["GET", "HEAD"]
-    target_origin_id = "alb"
-
-    forwarded_values {
-      query_string = true
-      headers      = ["Host", "Authorization"]
-
-      cookies {
-        forward = "all"
-      }
-    }
-
-    viewer_protocol_policy = "redirect-to-https"
-    min_ttl                = 0
-    default_ttl            = 3600
-    max_ttl                = 86400
-    compress               = true
-  }
-
-  ordered_cache_behavior {
-    path_pattern     = "/static/*"
-    allowed_methods  = ["GET", "HEAD"]
-    cached_methods   = ["GET", "HEAD"]
-    target_origin_id = "s3"
-
-    forwarded_values {
-      query_string = false
-      cookies {
-        forward = "none"
-      }
-    }
-
-    viewer_protocol_policy = "redirect-to-https"
-    min_ttl                = 0
-    default_ttl            = 86400
-    max_ttl                = 31536000
-    compress               = true
-  }
-
-  restrictions {
-    geo_restriction {
-      restriction_type = "none"
-    }
-  }
-
-  viewer_certificate {
-    acm_certificate_arn      = aws_acm_certificate.main.arn
-    ssl_support_method       = "sni-only"
-    minimum_protocol_version = "TLSv1.2_2021"
-  }
-
-  web_acl_id = aws_wafv2_web_acl.main.arn
-
-  tags = {
-    Environment = "production"
-  }
-}
-```
-
-## Network Security
-
-### Security Groups (AWS)
-
-```hcl
-# ALB security group
-resource "aws_security_group" "alb" {
-  name        = "alb-sg"
-  description = "Security group for Application Load Balancer"
-  vpc_id      = aws_vpc.main.id
-
-  ingress {
-    description = "HTTPS from internet"
-    from_port   = 443
-    to_port     = 443
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  ingress {
-    description = "HTTP from internet"
-    from_port   = 80
-    to_port     = 80
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  egress {
-    description = "All outbound"
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Name = "alb-security-group"
-  }
-}
-
-# Application security group
-resource "aws_security_group" "app" {
-  name        = "app-sg"
-  description = "Security group for application tier"
-  vpc_id      = aws_vpc.main.id
-
-  ingress {
-    description     = "HTTP from ALB"
-    from_port       = 8080
-    to_port         = 8080
-    protocol        = "tcp"
-    security_groups = [aws_security_group.alb.id]
-  }
-
-  egress {
-    description = "All outbound"
-    from_port   = 0
-    to_port     = 0
-    protocol    = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-
-  tags = {
-    Name = "app-security-group"
-  }
-}
-
-# Database security group
-resource "aws_security_group" "db" {
-  name        = "db-sg"
-  description = "Security group for database tier"
-  vpc_id      = aws_vpc.main.id
-
-  ingress {
-    description     = "PostgreSQL from app tier"
-    from_port       = 5432
-    to_port         = 5432
-    protocol        = "tcp"
-    security_groups = [aws_security_group.app.id]
-  }
-
-  tags = {
-    Name = "db-security-group"
-  }
-}
-```
-
-### Network ACLs
-
-```hcl
-resource "aws_network_acl" "public" {
-  vpc_id     = aws_vpc.main.id
-  subnet_ids = aws_subnet.public[*].id
-
-  # Allow inbound HTTP
-  ingress {
-    protocol   = "tcp"
-    rule_no    = 100
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    from_port  = 80
-    to_port    = 80
-  }
-
-  # Allow inbound HTTPS
-  ingress {
-    protocol   = "tcp"
-    rule_no    = 110
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    from_port  = 443
-    to_port    = 443
-  }
-
-  # Allow return traffic
-  ingress {
-    protocol   = "tcp"
-    rule_no    = 120
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    from_port  = 1024
-    to_port    = 65535
-  }
-
-  # Allow all outbound
-  egress {
-    protocol   = "-1"
-    rule_no    = 100
-    action     = "allow"
-    cidr_block = "0.0.0.0/0"
-    from_port  = 0
-    to_port    = 0
-  }
-
-  tags = {
-    Name = "public-nacl"
-  }
-}
-```
-
-## Best Practices
-
-1. **VPC Design:**
-   - Use multiple availability zones for high availability
-   - Separate subnets by tier (public, app, database)
-   - Reserve IP space for future growth
-   - Enable VPC Flow Logs for security monitoring
-
-2. **Network Connectivity:**
-   - Use Transit Gateway for complex hub-and-spoke topologies
-   - VPC peering for simple point-to-point connections
-   - PrivateLink for service-to-service communication
-   - Avoid overlapping CIDR ranges
-
-3. **Security:**
-   - Apply principle of least privilege
-   - Use security groups as virtual firewalls
-   - Network ACLs for subnet-level controls
-   - Enable encryption in transit
-   - Regular security audits
-
-4. **Load Balancing:**
-   - Use health checks for automatic failover
-   - Enable access logs for troubleshooting
-   - Configure SSL/TLS termination at load balancer
-   - Implement WAF for application protection
-
-5. **DNS:**
-   - Use health checks for failover routing
-   - Geolocation routing for global applications
-   - TTL management for flexibility
-   - DNSSEC for enhanced security
-
-## Anti-Patterns
-
-- Single AZ deployment (no redundancy)
-- Overly permissive security groups
-- No network segmentation
-- Missing health checks on load balancers
-- Hard-coded IPs instead of DNS
-- No VPC Flow Logs
-- Public subnets for databases
-- Missing encryption in transit