Foundations · Networking 10122 min read

Networking: how a request reaches a server

The internet sounds like deep magic, but it’s really just labelled messages being passed from one machine to the next, and you already use every idea behind it.

From your mentor

Don’t try to memorise the OSI model on day one. Learn what an address, a port, and a name resolve to, then trace one request end to end. Do that once and every cloud diagram you’ll ever see suddenly reads like plain English.

The network is just messages with addresses on them, and you already understand addresses.

In 10 minutes you’ll see how a name becomes a number, how a number finds a machine, and how a machine knows which app you wanted. You do NOT need subnet math or the OSI model memorised yet.

Pick your way in, same idea, 5 doors

Every computer has a house number (its IP address). Apps on it live behind numbered doors (ports). And because nobody remembers house numbers, there’s a phone book (DNS) that turns google.com into the number. That’s the whole thing.

Next: the one mental model that makes everything else click.
01

It’s messages with addresses, not magic

The network does one thing forever: take a chunk of data, label it with where it’s going, and hand it to the next machine that’s closer. Everything else is detail on top of that.

In plain English

Picture posting a letter. You don’t know the route it takes or which trucks carry it. You write an address, drop it in the box, and trust each step to move it one hop closer. A packet is that letter, and the internet is the postal service, no single computer knows the whole path.

A request gets split into small packets. Each packet carries a source and destination address, gets passed router to router until it arrives, and is reassembled at the other end. If some go missing, they’re re-sent. You never see any of this, you just see the page load.

Layer you’ll actually meetIts jobIn one request
IPAddress & route packets to a machineFind the host at 93.184.216.34
TCPReliable, ordered delivery between two appsDon’t lose or scramble the bytes
TLSEncrypt the conversationNobody on the path can read it
HTTPThe actual request & responseGET /index.html → 200 OK

Why “layers” is the whole trick

Each layer only worries about its own job and trusts the one below it. HTTP doesn’t care how packets are routed; IP doesn’t care what’s inside them. That separation is exactly why you can learn one piece at a time without holding the entire internet in your head.
02

IP addresses & subnets: where machines live

An IP address is a machine’s location on the network. A subnet is a neighbourhood of addresses that belong together. You only need to read them, not do mental math.

An IPv4 address looks like 192.168.1.42, four numbers (0–255) that together name one network interface. Some ranges are private (only valid inside your own network) and the rest are public (reachable across the internet).

RangeTypeWhere you see it
10.0.0.0 – 10.255.255.255Private (10/8)Cloud VPCs, big internal networks
172.16.0.0 – 172.31.255.255Private (172.16/12)Docker default networks
192.168.0.0 – 192.168.255.255Private (192.168/16)Home & office Wi-Fi
127.0.0.1Loopback“This machine”, aka localhost
Everything elsePublicReal servers on the internet

CIDR /24 in one sentence

10.0.1.0/24 means “the first 24 bits are fixed, the last 8 are free”, so it’s the 256 addresses from 10.0.1.0 to 10.0.1.255. Bigger number after the slash means a smaller, tighter range. That’s 90% of the CIDR you need to read a cloud diagram.
?

Worth pondering

Private addresses can’t be reached from the internet directly, that’s a feature. Your laptop on 192.168.x.x reaches the world through your router doing NAT(translating your private address to one shared public one). Cloud does the exact same trick with a NAT gateway.
03

Ports: many doors on one machine

One server runs many apps. The IP address finds the machine; the port number says which app you wanted. Same building, numbered doors.

A port is a number from 0 to 65535. When a packet arrives at a machine, the port tells the OS which listening program should receive it. A web server listens on 443; your local dev server might be on 3000.

PortServiceYou’ll meet it as
22SSHHow you log into a server
80HTTPPlain web traffic (redirects to 443)
443HTTPSEncrypted web traffic, the default today
53DNSName lookups
5432 / 3306Postgres / MySQLDatabase connections
3000 / 8080Dev serversYour app running locally
terminal
# what's listening on this machine, and on which port?
$ ss -ltnp # listening TCP sockets + the owning process nc -zv example.com 443 # can I reach door 443 over there?
State Recv-Q Local Address:Port Process LISTEN 0 127.0.0.1:5432 users:(("postgres")) LISTEN 0 0.0.0.0:443 users:(("nginx"))
man page: nc

0.0.0.0 vs 127.0.0.1 is a real security line

Listening on 127.0.0.1 means “only this machine can connect”. Listening on 0.0.0.0 means “anyone who can reach my IP can connect”. Binding a database to 0.0.0.0 with a weak password is one of the most common ways servers get owned.
04

DNS: turning names into numbers

Nobody types IP addresses. DNS is the internet’s phone book: give it a name, it gives you the address to actually connect to.

When you visit example.com, your machine asks a resolver “what’s the IP?”. The answer is cached for a while (its TTL), so the next visit skips the lookup. The most common records are A (name → IPv4) and CNAME (name → another name).

terminal
# resolve a name yourself, the way your browser does
$ dig +short example.com # just the IP address(es) dig example.com # the full answer, with TTL dig +short www.github.com CNAME # follow the alias chain
93.184.216.34
man page: dig
RecordMapsUse it for
Aname → IPv4 addressPoint a domain at a server
AAAAname → IPv6 addressSame, for IPv6
CNAMEname → another nameAlias www to your app, or to a CDN
MXname → mail serverWhere email for the domain goes
TXTname → free textDomain verification, SPF/DKIM

Careful here

“It’s always DNS” is a tired joke because it’s usually true. A change looks broken for everyone, then fixes itself an hour later, that’s a TTL expiring as old answers age out of caches. When something works for you but not a colleague, suspect DNS caching before you suspect the app.
05

The journey: what happens when you hit enter

This is the question every interview asks in some form. Trace one request from the address bar to bytes coming back, and you’ve tied every idea above together.

You type https://example.com and press enter. Six things happen in well under a second, in this order:

StepWhat happensWhich idea
1. ResolveBrowser asks DNS for the IP of example.comDNS
2. ConnectOpens a TCP connection to that IP on port 443IP + ports + TCP
3. SecureTLS handshake: agree on encryption, check the certTLS
4. RequestSends an HTTP GET / with headersHTTP
5. RespondServer returns a status code + the page bytesHTTP
6. RenderBrowser parses HTML, fetches CSS/JS, repeats 1–5All of it
terminal
# watch all of it: DNS, TCP, TLS, and the HTTP exchange in one command
$ curl -v https://example.com
* Connected to example.com (93.184.216.34) port 443 * TLS handshake, TLSv1.3 > GET / HTTP/2 > Host: example.com < HTTP/2 200 < content-type: text/html; charset=UTF-8
man page: curl

Read an HTTP status code at a glance

2xx worked, 3xx go somewhere else (redirect), 4xx you got it wrong (404 not found, 401/403 not allowed), 5xx the server broke. The first digit tells you who to blame.
06

Exposing a service: the climb from “open to the world”

The networking equivalent of chmod 777 is binding to 0.0.0.0 and opening every port. It makes the error go away, then becomes the breach. Let’s climb it properly.

The moment a service can’t be reached, the tempting fix is to open everything: bind to 0.0.0.0, allow 0.0.0.0/0 in the firewall, every port. It works instantly, and it’s exactly how databases end up on the public internet.

firewallthe climb
  1. Rung 0 · Naive

    Open to the whole world (0.0.0.0/0, all ports)

    The connection fails, so you bind the service to 0.0.0.0 and open the firewall to every source on every port. It connects. Problem “solved”.

    Now anyone on the internet can reach your database, your admin panel, your SSH. Scanners find an exposed port within minutes. This is the single most common cause of leaked data, not clever hacking, just a service left wide open.
  2. Better

    Only the ports you need, from known sources

    Open 443 to the world for the website, but restrict 22 (SSH) and 5432 (database) to your own IP or your VPC’s range. Everything else stays closed by default.

    The public reaches only what’s meant to be public. Management and data ports are invisible to the internet, so the attack surface shrinks from “everything” to “the one door that has to be open”.
  3. Best practice today

    Least privilege: private by default, reach in deliberately

    Keep the database with no public address at all; reach it only from the app’s private subnet. Put the website behind a load balancer, and access servers through a bastion or SSM, not open SSH.

    Nothing is exposed unless there’s a specific reason. A compromised front-end can’t even see the database’s address, let alone connect. This is exactly how a well-built cloud VPC is laid out.

Nice, that’s the win

Notice this is the same shape as the chmod 777 climb from the Linux lesson. “Open it all to make the error vanish”, then “open only what’s needed”, then “closed by default, opened on purpose”. Least privilege is one idea, you’ll meet it in files, networks, and IAM.

A security group is just a firewall with a friendlier name

In the cloud you won’t edit iptables by hand. You’ll write rules like “allow TCP 443 from anywhere, allow 5432 only from the app tier”. Same three rungs, same least-privilege goal, nicer UI.
07

Interview angle

Networking is assumed for every cloud, DevOps, and backend role. Expect the “what happens when you type a URL” walk-through and rapid-fire basics on DNS, ports, and private vs public.

Interview angle

Walk me through what happens, end to end, when you type a URL and press enter.

How to answer it

They’re testing whether you hold a clear mental model, not trivia. Move in order and name the idea at each step: resolve, connect, secure, request, respond, render. Calm and sequenced beats fast and scattered.

  1. 1DNS resolution: the browser resolves the hostname to an IP (checking caches first, then a resolver), returning an A/AAAA record.
  2. 2TCP connection: it opens a connection to that IP on port 443 (the three-way handshake: SYN, SYN-ACK, ACK).
  3. 3TLS handshake: client and server agree on encryption and the server presents a certificate the browser validates.
  4. 4HTTP request: the browser sends GET / with headers like Host and Accept.
  5. 5Response: the server returns a status code (ideally 200) plus the response body.
  6. 6Render: the browser parses HTML and fires more requests for CSS, JS, and images, repeating the cycle.

Green flags

  • Names DNS, TCP, TLS, and HTTP as distinct layers
  • Mentions caching and TTL, and the handshake
  • Can say where it commonly breaks (DNS, closed port, cert, 5xx)

Red flags

  • Jumps straight to “the server sends the page” with nothing in between
  • Confuses an IP address with a domain name
  • Thinks HTTPS is a different protocol rather than HTTP over TLS

Q.Private vs public IP address?

A.A private IP is only valid inside a local network; a public IP is routable across the internet. Private hosts reach out via NAT.

Private (10/8, 172.16/12, 192.168/16)
Public
Reused in every network; not internet-routable
Globally unique; reachable directly
Needs NAT to reach the world
No translation needed

They’re checking: That you understand why cloud VPCs use private ranges and a NAT gateway.

Q.TCP vs UDP?

A.TCP is reliable and ordered (it retransmits lost data); UDP is fire-and-forget, lower latency, no guarantees.

TCP
UDP
Handshake, ordering, retransmits
No handshake, may drop or reorder
Web, SSH, databases
DNS, video calls, games, streaming

They’re checking: That you pick the protocol from the requirement, not by reflex.

Q.What does DNS actually return, and why can changes lag?

A.DNS maps a name to records (commonly an A record → IP). Changes lag because answers are cached until their TTL expires.

  • Resolvers cache answers to avoid asking every time; the TTL sets how long.
  • Lower the TTL before a planned migration so the cutover propagates fast.

They’re checking: That you reach for TTL/caching when a DNS change “isn’t taking”.

Q.Port 80 vs 443?

A.80 is plain HTTP; 443 is HTTPS (HTTP over TLS). Modern sites serve 443 and redirect 80 to it.

80 (HTTP)
443 (HTTPS)
Unencrypted, readable on the path
Encrypted via TLS, with a certificate
Kept only to redirect → 443
The real entry point today

They’re checking: That you know HTTPS is HTTP wrapped in TLS, not a separate protocol.

Q.A service is unreachable. How do you debug the network path?

A.Work outward in order: name, then route, then port, then firewall.

  • dig the name, does it resolve to the IP you expect?
  • ping / traceroute the IP, does the host even respond and where do packets stop?
  • nc -zv host port, is the specific port open?
  • Then check the firewall / security group and whether the app is bound to 0.0.0.0 vs 127.0.0.1.

They’re checking: That you isolate the layer instead of randomly restarting things.

08

Your turn, in your own terminal

No server or account needed. You’ll resolve a name, knock on a port, and watch a full HTTPS request happen against a public site. About 15 minutes, and it turns reading into instinct.

Now do it in your own account

~15 min $0, all read-only against public sites

Open a terminal and work through these in order. Every command reads the public internet; nothing changes anything, so it’s completely safe to run.

Before you start

2 to have ready

A terminal: macOS Terminal, any Linux shell, or Windows WSL (Ubuntu).

echo $SHELL

The tools dig, curl, and nc. Most ship by default; on Debian/Ubuntu, sudo apt install dnsutils netcat-openbsd if missing.

curl --version && dig -v
  1. 1

    Resolve a name to an IP address, the way your browser silently does.

    Free tier

    Your terminal

    aws cli
    $ dig +short example.com
    man page: dig

    You should see: one or more IP addresses, e.g. 93.184.216.34.

  2. 2

    Knock on the HTTPS door of that host and confirm it’s open.

    Free tier

    Your terminal

    aws cli
    $ nc -zv example.com 443
    man page: nc

    You should see: “succeeded” or “open”, port 443 is listening.

  3. 3

    Watch the full journey: DNS, TCP, TLS, and the HTTP exchange.

    Free tier

    Your terminal

    aws cli
    $ curl -v https://example.com 2>&1 | head -20
    man page: curl

    You should see: lines for Connected, TLS handshake, > GET /, then < HTTP/2 200.

  4. 4

    See the route your packets take across the internet, hop by hop.

    Free tier

    Your terminal

    aws cli
    $ traceroute example.com   # macOS/Linux (tracert on Windows)

    You should see: a numbered list of routers between you and the destination.

  5. 5

    Look at what’s listening on your own machine, and on which ports.

    Free tier

    Your terminal

    aws cli
    $ ss -ltn   # or: lsof -i -P | grep LISTEN

    You should see: a list of local listening ports, note which are 127.0.0.1 vs 0.0.0.0.

Last step: tear it down

Once you’ve seen it work, remove everything so nothing keeps billing.

Nothing to clean up, every command was read-only against public services.

If you installed dnsutils/netcat just for this, you can leave them, they’re tiny and useful.

Next up

Next, into the cloud

Put these foundations to work on a real cloud provider, starting with getting into AWS safely.