network-engineering

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Network Engineering

网络工程

Comprehensive network engineering skill covering network design, troubleshooting, load balancing, DNS, and network security.

全面的网络工程技能，涵盖网络设计、故障排查、负载均衡、DNS与网络安全。

When to Use This Skill

适用场景

Designing network topologies
Troubleshooting connectivity issues
Configuring load balancers
DNS configuration and troubleshooting
SSL/TLS setup and debugging
Network security implementation
Performance optimization
CDN configuration

设计网络拓扑
调试连接问题
配置负载均衡器
DNS配置与故障排查
SSL/TLS设置与调试
实施网络安全
性能优化
CDN配置

Network Architecture

网络架构

OSI Model Reference

OSI模型参考

Layer	Name	Protocols	Troubleshooting
7	Application	HTTP, DNS, SMTP	curl, browser tools
6	Presentation	SSL/TLS	openssl
5	Session	NetBIOS	-
4	Transport	TCP, UDP	netstat, ss
3	Network	IP, ICMP	ping, traceroute
2	Data Link	Ethernet	arp
1	Physical	-	cable tester

层级	名称	协议	故障排查工具
7	应用层	HTTP, DNS, SMTP	curl、浏览器工具
6	表示层	SSL/TLS	openssl
5	会话层	NetBIOS	-
4	传输层	TCP, UDP	netstat, ss
3	网络层	IP, ICMP	ping, traceroute
2	数据链路层	Ethernet	arp
1	物理层	-	线缆测试仪

VPC/Network Design

VPC/网络设计

Subnet Strategy:

VPC CIDR: 10.0.0.0/16 (65,536 IPs)

Public Subnets (internet-facing):
  - 10.0.1.0/24 (AZ-a) - Load balancers, bastion
  - 10.0.2.0/24 (AZ-b)
  - 10.0.3.0/24 (AZ-c)

Private Subnets (application tier):
  - 10.0.11.0/24 (AZ-a) - App servers
  - 10.0.12.0/24 (AZ-b)
  - 10.0.13.0/24 (AZ-c)

Database Subnets (isolated):
  - 10.0.21.0/24 (AZ-a) - Databases only
  - 10.0.22.0/24 (AZ-b)
  - 10.0.23.0/24 (AZ-c)

Traffic Flow:

Internet → Load Balancer (public) → App (private) → DB (isolated)
NAT Gateway for private subnet outbound
VPC Endpoints for AWS services

子网策略：

VPC CIDR: 10.0.0.0/16 (65,536 IPs)

Public Subnets (internet-facing):
  - 10.0.1.0/24 (AZ-a) - Load balancers, bastion
  - 10.0.2.0/24 (AZ-b)
  - 10.0.3.0/24 (AZ-c)

Private Subnets (application tier):
  - 10.0.11.0/24 (AZ-a) - App servers
  - 10.0.12.0/24 (AZ-b)
  - 10.0.13.0/24 (AZ-c)

Database Subnets (isolated):
  - 10.0.21.0/24 (AZ-a) - Databases only
  - 10.0.22.0/24 (AZ-b)
  - 10.0.23.0/24 (AZ-c)

流量流向：

互联网 → 负载均衡器（公网）→ 应用（私有子网）→ 数据库（隔离子网）
NAT Gateway用于私有子网出站流量
VPC Endpoints用于AWS服务

Load Balancing

负载均衡

Load Balancer Types

负载均衡器类型

Type	Layer	Use Case
Application (ALB)	7	HTTP/HTTPS, path routing
Network (NLB)	4	TCP/UDP, static IP, high performance
Classic	4/7	Legacy
Gateway	3	Third-party appliances

类型	层级	适用场景
Application (ALB)	7	HTTP/HTTPS、路径路由
Network (NLB)	4	TCP/UDP、静态IP、高性能场景
Classic	4/7	遗留系统
Gateway	3	第三方设备

Health Checks

健康检查

yaml

undefined

yaml

undefined

ALB Health Check

health_check: path: /health protocol: HTTP port: 8080 interval: 30 timeout: 5 healthy_threshold: 2 unhealthy_threshold: 3 matcher: "200-299"

undefined

health_check: path: /health protocol: HTTP port: 8080 interval: 30 timeout: 5 healthy_threshold: 2 unhealthy_threshold: 3 matcher: "200-299"

undefined

Routing Strategies

路由策略

Round Robin: Equal distribution
Least Connections: Route to least busy
IP Hash: Sticky sessions by client IP
Weighted: Percentage-based distribution
Path-based: Route by URL path
Host-based: Route by hostname

轮询（Round Robin）：均等分配流量
最少连接（Least Connections）：路由至最空闲的节点
IP哈希（IP Hash）：基于客户端IP实现会话保持
加权（Weighted）：基于百分比分配流量
基于路径（Path-based）：按URL路径路由
基于主机名（Host-based）：按主机名路由

DNS

Record Types

记录类型

Type	Purpose	Example
A	IPv4 address	`example.com → 192.0.2.1`
AAAA	IPv6 address	`example.com → 2001:db8::1`
CNAME	Alias	`www → example.com`
MX	Mail server	`example.com → mail.example.com`
TXT	Arbitrary text	SPF, DKIM, verification
NS	Name server	DNS delegation
SRV	Service location	`_sip._tcp.example.com`
CAA	Certificate authority	Restrict CA issuance

类型	用途	示例
A	IPv4地址映射	`example.com → 192.0.2.1`
AAAA	IPv6地址映射	`example.com → 2001:db8::1`
CNAME	别名映射	`www → example.com`
MX	邮件服务器	`example.com → mail.example.com`
TXT	任意文本记录	SPF、DKIM、验证信息
NS	域名服务器	DNS委托
SRV	服务定位	`_sip._tcp.example.com`
CAA	证书颁发机构	限制CA证书颁发

DNS Debugging

DNS调试

bash

undefined

bash

undefined

Query specific record type

dig example.com A dig example.com MX dig example.com TXT

Query specific DNS server

dig @8.8.8.8 example.com

Trace DNS resolution

dig +trace example.com

Check propagation

dig +short example.com @{dns-server}

undefined

dig +short example.com @{dns-server}

undefined

TTL Strategy

TTL策略

Record Type	Recommended TTL
Static content	86400 (1 day)
Dynamic content	300 (5 min)
Failover records	60 (1 min)
Pre-migration	Lower to 60

记录类型	推荐TTL值
静态内容	86400（1天）
动态内容	300（5分钟）
故障转移记录	60（1分钟）
迁移前	降低至60

SSL/TLS

Certificate Types

证书类型

Type	Validation	Use Case
DV	Domain ownership	Basic sites
OV	Organization verified	Business sites
EV	Extended validation	High-trust sites
Wildcard	*.domain.com	Multiple subdomains
SAN	Multi-domain	Multiple specific domains

类型	验证级别	适用场景
DV	域名所有权验证	基础站点
OV	组织验证	商业站点
EV	扩展验证	高信任站点
Wildcard	*.domain.com	多子域名场景
SAN	多域名	多个特定域名场景

TLS Configuration

TLS配置

Recommended Settings:

TLS 1.2 and 1.3 only
Strong cipher suites (AEAD)
HSTS enabled
OCSP stapling
Certificate transparency

推荐设置：

仅启用TLS 1.2和1.3
使用强加密套件（AEAD）
启用HSTS
启用OCSP stapling
启用证书透明度

Debugging SSL

SSL调试

bash

undefined

bash

undefined

Check certificate

openssl s_client -connect example.com:443 -servername example.com

Check certificate chain

openssl s_client -connect example.com:443 -showcerts

Check expiration

echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

Test TLS versions

openssl s_client -connect example.com:443 -tls1_2 openssl s_client -connect example.com:443 -tls1_3

undefined

openssl s_client -connect example.com:443 -tls1_2 openssl s_client -connect example.com:443 -tls1_3

undefined

Troubleshooting

故障排查

Connectivity Checklist

连接性检查清单

Physical/Cloud layer: Is the instance running?
Security groups: Are ports open?
NACLs: Are subnets allowing traffic?
Route tables: Is routing correct?
DNS: Does name resolve?
Application: Is service listening?

物理/云层面：实例是否正常运行？
安全组：端口是否开放？
NACLs：子网是否允许流量通过？
路由表：路由是否正确？
DNS：域名是否能解析？
应用：服务是否在监听端口？

Common Commands

常用命令

bash

undefined

bash

undefined

Check if port is listening

netstat -tlnp | grep :80 ss -tlnp | grep :80

Test TCP connectivity

nc -zv hostname 443 telnet hostname 443

Check routes

ip route traceroute hostname mtr hostname

DNS resolution

nslookup hostname dig hostname host hostname

Network interfaces

ip addr ifconfig

Active connections

netstat -an ss -tuln

undefined

netstat -an ss -tuln

undefined

Performance Debugging

性能调试

bash

undefined

bash

undefined

Bandwidth test

iperf3 -c server-ip

Latency analysis

ping -c 100 hostname | tail -1

MTU issues

ping -M do -s 1472 hostname

Packet capture

tcpdump -i eth0 port 443

undefined

tcpdump -i eth0 port 443

undefined

Reference Files

参考文件

references/troubleshooting.md
- Detailed troubleshooting workflows

references/troubleshooting.md
- 详细故障排查流程

Integration with Other Skills

与其他技能的集成

cloud-infrastructure - For cloud networking
security-engineering - For network security
performance - For network optimization

cloud-infrastructure - 用于云网络管理
security-engineering - 用于网络安全
performance - 用于网络优化