Overview

The internet is a global network of networks — a web of interconnected computers, routers, and data centres that communicate using a common set of standardised protocols. No single organisation owns the internet; it is a collaboration between Internet Service Providers (ISPs), governments, universities, and companies, all agreeing to follow the same rules so their networks can interoperate.

Data travels across the internet as packets — small, fixed-size chunks. A file or web page is split into many packets, each routed independently across the network and reassembled at the destination. This packet-switched model is resilient: if one route is congested or broken, packets find an alternative path.

TCP/IP Protocol Stack

The internet is built on a layered architecture. Each layer solves a specific problem and relies on the layer below it. The TCP/IP model has four layers:

flowchart TB
    subgraph client [Client]
        direction TB
        ca[Application\nHTTP GET /]
        ct[Transport\nTCP segment]
        ci[Internet\nIP packet]
        cl[Link\nEthernet frame]
        ca --> ct --> ci --> cl
    end
    subgraph server [Server]
        direction BT
        sa[Application\nHTTP 200 OK]
        st[Transport\nTCP segment]
        si[Internet\nIP packet]
        sl[Link\nEthernet frame]
        sl --> si --> st --> sa
    end
    cl -->|"physical medium\n(cable / Wi-Fi / fibre)"| sl

When you open https://example.com, the browser hands an HTTP request to the Application layer, TCP wraps it in a segment with source and destination ports, IP wraps that in a packet with source and destination IP addresses, and Ethernet frames it for the local network. Each router along the way strips and re-adds the Link layer frame, using the IP layer to decide the next hop.

IP Addresses

Every device on a network is identified by an IP address — a number that tells routers where to deliver packets. IP addresses have two parts: a network prefix (identifies the network) and a host identifier (identifies the specific device within that network).

IPv4

IPv4 uses 32-bit addresses written in dotted-decimal notation — four octets separated by dots:

192  . 168  .   1  .  42
 ↑       ↑      ↑      ↑
8 bits  8 bits 8 bits  8 bits   →  total 32 bits

CIDR notation (Classless Inter-Domain Routing) appends a prefix length to express a range: 192.168.1.0/24 means the first 24 bits identify the network, leaving 8 bits for hosts — 256 addresses (192.168.1.0 through 192.168.1.255).

IPv4 provides 2³² ≈ 4.3 billion unique addresses. This seemed enormous in 1981 — it was not. The explosive growth of the internet, smartphones, IoT devices, and cloud servers exhausted the global IPv4 pool. Regional registries issued their last unallocated blocks between 2011 and 2019⁷.

IPv6

IPv6 uses 128-bit addresses written in eight groups of four hexadecimal digits:

2001:0db8:85a3:0000:0000:8a2e:0370:7334

Consecutive groups of zeros can be compressed: 2001:db8:85a3::8a2e:370:7334.

IPv6 provides 2¹²⁸ ≈ 3.4 × 10³⁸ addresses — enough for every grain of sand on Earth to have its own address. Despite this, IPv4 remains dominant because the transition requires updating every network device, operating system, and application.

DNS — Domain Name System

Humans remember names; computers route packets using IP addresses. DNS is the distributed database that translates domain names into IP addresses⁸.

sequenceDiagram
    participant B as Browser
    participant R as Recursive Resolver\n(ISP / 8.8.8.8)
    participant Rt as Root Nameserver
    participant T as TLD Nameserver\n(.com)
    participant A as Authoritative NS\n(example.com)

    B->>R: What is the IP of example.com?
    R->>Rt: Who handles .com?
    Rt-->>R: TLD NS address
    R->>T: Who handles example.com?
    T-->>R: Authoritative NS address
    R->>A: What is the IP of example.com?
    A-->>R: 93.184.216.34  (TTL: 3600s)
    R-->>B: 93.184.216.34  (cached for TTL)

The resolver caches the answer for the TTL (Time to Live) duration, so most lookups resolve in milliseconds from cache.

Common DNS record types

Ports

An IP address identifies a host; a port identifies a specific process on that host. Together, IP:port (called a socket address) uniquely identifies a communication endpoint on the network.

Ports are 16-bit numbers (0–65535) divided into three ranges:

Well-known ports

When a browser connects to https://example.com, it connects to 93.184.216.34:443. The operating system assigns an ephemeral port (e.g., 52413) on the client side, so the full connection is client_ip:52413 ↔ 93.184.216.34:443.

Transport Protocols

The Transport layer offers two fundamentally different delivery models:

sequenceDiagram
    participant C as Client
    participant S as Server
    C->>S: SYN (sequence number = x)
    S-->>C: SYN-ACK (sequence = y, ack = x+1)
    C->>S: ACK (ack = y+1)
    Note over C,S: Connection established — data transfer begins

Public Networks

A public IP address is a globally unique address assigned by a Regional Internet Registry (RIR) and routable on the internet. Any server you want to reach from the public internet must have a public IP — or be reachable through one via NAT.

Packets cross the internet by hopping between routers. Each router knows only the next hop toward the destination — a partial map stored in a routing table. The BGP (Border Gateway Protocol) is the inter-domain routing protocol that lets ISPs exchange these maps and collectively know how to reach every public address block on the internet⁹.

flowchart LR
    client["Client\n203.0.113.5"]
    r1["ISP Router\nBrazil"]
    r2["Backbone\nRouter"]
    r3["ISP Router\nUSA"]
    server["Server\n93.184.216.34\nexample.com"]

    client -->|"hop 1"| r1
    r1 -->|"hop 2"| r2
    r2 -->|"hop 3"| r3
    r3 -->|"hop 4"| server

Each hop takes 1–30 ms depending on physical distance and congestion. A transatlantic round-trip typically adds 80–120 ms of latency just from the speed of light in fibre.

Private Networks

A private network is a network that is not directly reachable from the public internet. Devices within it communicate freely with each other, but external hosts cannot initiate connections to private addresses.

RFC 1918 private ranges

Three IPv4 address ranges are permanently reserved for private use². No public internet routing is ever established for them:

NAT — Network Address Translation

NAT allows an entire private network to share a single public IP address. The NAT device (router or firewall) maintains a translation table mapping each outbound connection to an ephemeral public port.

sequenceDiagram
    participant D as Device\n192.168.1.10:52413
    participant N as NAT Router\nPublic: 203.0.113.1
    participant S as Server\n93.184.216.34:443

    D->>N: src=192.168.1.10:52413\ndst=93.184.216.34:443
    Note over N: Record mapping:\n192.168.1.10:52413 ↔ 203.0.113.1:61000
    N->>S: src=203.0.113.1:61000\ndst=93.184.216.34:443
    S-->>N: src=93.184.216.34:443\ndst=203.0.113.1:61000
    Note over N: Look up table:\n61000 → 192.168.1.10:52413
    N-->>D: src=93.184.216.34:443\ndst=192.168.1.10:52413

The server never sees the device's private address — it only sees the router's public IP. The router tracks which internal device owns each outbound connection by mapping the ephemeral port.

Private networks in Docker

Docker uses the private network model to isolate containers. Each Compose project gets its own virtual network — a software-defined subnet, typically in the 172.x.x.x range.

flowchart LR
    subgraph host [Docker Host — 203.0.113.1 public]
        subgraph net ["Docker Network 172.20.0.0/16"]
            nginx["nginx\n172.20.0.2:80"]
            gateway["gateway\n172.20.0.3:8080"]
            db["postgres\n172.20.0.4:5432"]
            nginx --> gateway
            gateway --> db
        end
    end
    internet[Internet] -->|"port 80\npublished"| nginx
    internet -.-x|"no direct access"| gateway
    internet -.-x|"no direct access"| db

Only nginx has a ports: mapping in compose.yaml and is reachable from outside the host. gateway and db are inside the private Docker network — they communicate with each other by service name but are invisible to the internet.

Special Addresses

Loopback

127.0.0.0/8 — packets sent to this range never leave the host. 127.0.0.1 (localhost) is the conventional address for testing local servers. The operating system short-circuits loopback traffic in kernel, never touching network hardware.

Link-local (APIPA)

169.254.0.0/16 — automatically assigned when a device cannot reach a DHCP server. These addresses only work for direct communication between two devices on the same physical link. Seeing 169.254.x.x on a machine almost always means DHCP has failed.

Reserved IPv4 Addresses ⁴

General Reserved IPv4 Addresses

Private IPv4 Ranges (RFC 1918) ²