A network engineer describes routing between organisations: "We peer directly with three major ISPs at an internet exchange. For everyone else, we pay a transit provider who carries our traffic to the rest of the internet. The key difference: peering is settlement-free and bilateral — we exchange only each other's routes. Transit gives us full internet reachability in exchange for a fee." What is the difference between peering and transit in the context of BGP and autonomous systems?
BGP (Border Gateway Protocol): the routing protocol of the internet; runs between autonomous systems (ASes). Autonomous system (AS): a network under a single administrative domain with a unique ASN (Autonomous System Number) assigned by a Regional Internet Registry (ARIN, RIPE, APNIC). Route advertisement: the process by which a BGP speaker announces a prefix (e.g. 203.0.113.0/24) to a peer, making it reachable through that AS. Peering: a bilateral, typically settlement-free BGP session between two networks. Each side advertises only its own prefixes and those of its customers — not the full internet table. Usually established at an IXP (Internet Exchange Point). Transit: a paid BGP relationship where a provider advertises the customer's prefixes to the internet AND provides the customer with the full internet routing table. The customer pays for the upstream connectivity. In conversation: "We bought transit from two providers for redundancy and peer at LINX to reach UK networks cheaply — that's how we keep latency low for British users."
2 / 5
Fill in the blank with the correct term.
A network architect explains a routing design: "We run the same /32 prefix from six different points of presence around the world — London, Frankfurt, New York, Singapore, Tokyo, and Sydney. Each PoP announces the same IP address via BGP. Users automatically connect to the nearest PoP because routers on the internet prefer the shortest AS-PATH. This technique is called ________, and it's how Cloudflare and major CDNs operate their infrastructure."
Anycast: a routing technique where the same IP address is announced from multiple geographic locations. The internet's BGP routing naturally directs users to the topologically nearest instance. How it works: each PoP runs BGP and advertises the same prefix (e.g. 192.0.2.1/32). Routers select the shortest AS-PATH to that prefix — which is usually the topologically nearest PoP, and in practice typically the geographically nearest one as well. Anycast use cases: DNS root servers (all 13 root server "names" are anycast — thousands of physical servers globally), CDN edge nodes, DDoS mitigation (absorb attacks across many locations), Google's 8.8.8.8 DNS, Cloudflare's 1.1.1.1. Contrast: Unicast — one sender, one receiver (normal traffic). Multicast — one sender, multiple specific receivers (streaming). Broadcast — one sender, all receivers on a segment. In conversation: "After we rolled out anycast for our API, average latency dropped from 180ms to 22ms for Asian users — they now hit our Singapore PoP instead of routing to London."
3 / 5
A cloud architect explains traffic flow patterns in a microservices deployment: "Most of our network policy work now focuses on east-west traffic — service-to-service calls within the cluster. North-south is relatively simple: a load balancer, TLS termination, and some WAF rules. But east-west is where we apply microsegmentation — every service has a network policy that explicitly allows only the connections it needs. Anything not explicitly permitted is denied by default." What does east-west vs north-south traffic mean, and what is microsegmentation?
East-west traffic: lateral traffic between workloads within the same data centre, cluster, or cloud environment. Example: a web service calling an auth service calling a database. Dominates in microservices architectures — a single user request may trigger dozens of internal service calls. North-south traffic: traffic entering or exiting the data centre — from the internet to a load balancer, or from a server to an external API. Traditionally, security focused on north-south (perimeter defence). Microsegmentation: applying fine-grained network policies at the workload level rather than at the network perimeter. Each workload (container, VM) has an explicit allowlist of permitted connections. Unauthorised lateral movement is blocked even within the "trusted" internal network. Implementation: Kubernetes NetworkPolicy, Cilium, Calico, NSX-T, Illumio. Why it matters: in a traditional flat network, if an attacker compromises one server, they can reach all other servers. Microsegmentation limits the blast radius. Related concept: Zero-trust network — no implicit trust based on network location; every connection is authenticated and authorised. "Never trust, always verify." In conversation: "After the pen test showed lateral movement risk, we added microsegmentation — now even if a pod is compromised, it can only reach the three services it actually needs."
4 / 5
Match the term to its correct definition.
A DevOps engineer explains a networking technology used in their Kubernetes cluster: "We use eBPF for networking — it's transformed how we handle network policy, load balancing, and observability. Instead of maintaining iptables rules that grow linearly with every new service, eBPF programs attach directly to kernel hooks and process packets at wire speed. Cilium, our CNI, uses eBPF to enforce network policy, do kube-proxy replacement, and generate per-flow metrics — all without kernel modules or sidecars." What is eBPF networking?
eBPF (extended Berkeley Packet Filter): a Linux kernel technology that allows sandboxed programs to run inside the kernel in response to events (network packets, system calls, tracepoints). Originally used for packet filtering (tcpdump), eBPF is now used for: networking (packet processing, load balancing, NAT), security (runtime security enforcement), and observability (per-flow metrics, tracing). eBPF networking in Kubernetes: Cilium — a Kubernetes CNI (Container Network Interface) built entirely on eBPF. Replaces iptables for kube-proxy, enforces Kubernetes NetworkPolicy (and more), provides Hubble for network observability. Benefits over iptables: iptables rules are evaluated sequentially — performance degrades linearly with rule count. eBPF uses hash maps — O(1) lookups regardless of policy size. XDP (eXpress Data Path): eBPF programs that run at the earliest point in the network receive path — before the kernel allocates an sk_buff. Used for DDoS mitigation and very high-speed packet processing. BPF maps: shared data structures between eBPF programs and user space. CO-RE (Compile Once, Run Everywhere): modern eBPF programs compile with BTF type information and run across different kernel versions without recompilation. In conversation: "Switching from kube-proxy to Cilium eBPF cut our service latency p99 by 40% — no more 50,000 iptables rules to traverse on every packet."
5 / 5
A senior engineer explains a data centre networking design: "We use VXLAN as our overlay. ECMP distributes traffic across our spine-leaf fabric — every leaf-to-spine path has equal cost, so traffic is automatically load-balanced. For the underlay we run OSPF, but the overlay control plane uses BGP EVPN. SDN gives us centralised control: we define the network policy once in the controller and it's pushed to all switches. The controller abstracts the physical topology — we configure logical networks, not individual switches." What is SDN (Software-Defined Networking) and what is ECMP?
SDN (Software-Defined Networking): an architecture that decouples the control plane (where routing/forwarding decisions are made) from the data plane (where packets are actually forwarded). In traditional networking, both planes run on the same device. SDN centralises the control plane in a software controller. Benefits: centralised visibility, programmable network behaviour, faster provisioning, consistent policy. Implementations: OpenFlow (original SDN protocol), VMware NSX-T, Cisco ACI, OpenDaylight. In Kubernetes: the CNI plugin (Cilium, Calico, Flannel) is effectively the SDN layer. ECMP (Equal-Cost Multi-Path): a routing strategy that distributes traffic across multiple paths when more than one path has equal routing metric/cost. In a spine-leaf fabric: every leaf switch connects to every spine switch. All leaf-to-spine paths cost the same — ECMP load-balances across all of them, fully utilising all uplinks. Hash-based: ECMP uses a hash of packet headers (src/dst IP, ports) to consistently send flows over the same path (avoids packet reordering). Overlay network: a logical network built on top of a physical network using encapsulation. VXLAN and Geneve are the dominant overlay protocols in data centres and Kubernetes. Geneve (Generic Network Virtualisation Encapsulation): a more flexible overlay protocol than VXLAN, with extensible metadata headers. Used by Open vSwitch and some cloud providers. In conversation: "The spine-leaf design with ECMP means we get 4x bandwidth between any two servers — and if one spine fails, traffic automatically rebalances across the remaining three."