Blog
Practical writing on AI engineering, infrastructure, backend systems, and production lessons learned.
AWS IAM: Policy Evaluation, Trust Boundaries, and Why Your Permissions Are Being Denied
3 min read • Cloud Infrastructure
IAM denials are rarely mysterious once you understand the evaluation order. This post covers how AWS evaluates a request through identity-based policies, resource-based policies, SCPs, and permission boundaries — and where most production mistakes happen.
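The evaluation order the post describes, written out as a small simulator. This is an added example, not code from the post: it follows the single-account flow AWS documents (explicit Deny first, then SCPs as a ceiling, then a resource-based Allow as a shortcut for the principal's ARN, then identity-based policies, then the permission boundary, then session policies). It deliberately ignores Condition elements, NotAction/NotResource and cross-account requests, and the role ARN, policies and bucket name in the sample scenario are constructed.

```python
"""Single-account IAM policy evaluation in the order AWS documents it.

Added example; simplified. Conditions, NotAction/NotResource and cross-account
requests are not modeled. Principal matching is by exact ARN, which is the case
in which a resource-based Allow is not limited by a permission boundary.
"""
from fnmatch import fnmatchcase


def _listify(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """Does this statement's Action/Resource cover the request? (Conditions ignored.)"""
    actions = [a.lower() for a in _listify(stmt.get("Action"))]   # Action is case-insensitive
    resources = _listify(stmt.get("Resource", "*"))
    return (any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    aws = _listify(principal.get("AWS")) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws


def _effects(policy, action, resource, principal_arn=None):
    """Effects ('Allow'/'Deny') of every statement in one policy that matches."""
    out = []
    for stmt in _listify(policy.get("Statement")):
        if principal_arn is not None and not _principal_matches(stmt, principal_arn):
            continue
        if _matches(stmt, action, resource):
            out.append(stmt["Effect"])
    return out


def evaluate(action, resource, principal_arn, identity_policies,
             scps=None, resource_policy=None, boundary=None, session_policies=None):
    """Return (decision, reason). None for scps/boundary/session_policies means
    'account not in an org', 'no boundary attached', 'no session policy passed'."""
    sources = [("identity-based", p) for p in identity_policies]
    sources += [("SCP", p) for p in scps or []]
    sources += [("session", p) for p in session_policies or []]
    if boundary is not None:
        sources.append(("permission boundary", boundary))
    if resource_policy is not None:
        sources.append(("resource-based", resource_policy))

    # 1. An explicit Deny anywhere wins, whatever else allows.
    for name, pol in sources:
        principal = principal_arn if name == "resource-based" else None
        if "Deny" in _effects(pol, action, resource, principal):
            return "Deny", f"explicit Deny in {name} policy"
    # 2. SCPs are the ceiling: inside an org, some SCP must Allow.
    if scps is not None and not any("Allow" in _effects(p, action, resource) for p in scps):
        return "Deny", "implicit deny: no SCP allows the action"
    # 3. A resource-based Allow naming the principal's ARN is a final Allow.
    if resource_policy is not None and "Allow" in _effects(resource_policy, action, resource, principal_arn):
        return "Allow", "resource-based policy allows the principal"
    # 4. Otherwise an identity-based policy must Allow ...
    if not any("Allow" in _effects(p, action, resource) for p in identity_policies):
        return "Deny", "implicit deny: no identity-based Allow"
    # 5. ... within the permission boundary, if one is attached ...
    if boundary is not None and "Allow" not in _effects(boundary, action, resource):
        return "Deny", "implicit deny: permission boundary does not allow"
    # 6. ... and within the session policy, if one was passed at AssumeRole.
    if session_policies is not None and not any(
            "Allow" in _effects(p, action, resource) for p in session_policies):
        return "Deny", "implicit deny: session policy does not allow"
    return "Allow", "allowed by identity-based policy within all limits"


# Constructed scenario: a role with s3:* but a boundary that only permits reads.
ROLE = "arn:aws:iam::111122223333:role/app"
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::audit-logs/*"}]}


def decide(action, resource, resource_policy=None):
    """Run the sample role's request through the whole chain."""
    return evaluate(action, resource, ROLE, [IDENTITY], scps=[SCP],
                    resource_policy=resource_policy, boundary=BOUNDARY)


if __name__ == "__main__":
    for act, res, rp in [("s3:GetObject", "arn:aws:s3:::audit-logs/x", None),
                         ("s3:PutObject", "arn:aws:s3:::audit-logs/x", None),
                         ("s3:PutObject", "arn:aws:s3:::audit-logs/x", BUCKET_POLICY),
                         ("s3:DeleteBucket", "arn:aws:s3:::audit-logs", None),
                         ("iam:CreateUser", "*", None)]:
        print(f"{act:16} -> {decide(act, res, rp)}")
```

The two denials people most often chase in production are the last two branches: a PutObject that the identity policy clearly allows but the boundary silently cuts off, and a wildcard SCP Deny that no amount of identity-policy editing can override. The real service also evaluates Condition blocks and session-principal ARNs, which this simulator leaves out.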
Tags: aws, iam, security

Kubeconfig and EKS Authentication: How aws eks get-token Works
2 min read • Cloud Infrastructure
Kubeconfig connects kubectl to your cluster. For EKS, authentication runs through AWS STS: kubectl runs aws eks get-token, which returns a short-lived bearer token wrapping a presigned STS GetCallerIdentity URL. The EKS control plane validates that URL and maps the resulting IAM identity to a Kubernetes user. Understanding this chain explains every 'Unauthorized' error you'll encounter.
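To make the chain concrete, here is an added example (not code from the post, and not aws-iam-authenticator's own code) that decodes a get-token bearer token and runs the structural checks the EKS side applies before it calls STS: the k8s-aws-v1. prefix, an https STS host, Action=GetCallerIdentity, X-Amz-Expires of at most 60 seconds, signed headers that include x-k8s-aws-id (what binds the token to one cluster), and an unexpired X-Amz-Date. The final server step, actually calling STS with the cluster ID header and mapping the returned ARN through aws-auth or access entries, is not reproduced. The sample token is constructed with a placeholder signature and the AWS documentation's example access key ID.

```python
"""Decode an `aws eks get-token` token and apply the authenticator's pre-STS checks.

Added example. Token format: "k8s-aws-v1." + base64url(presigned GetCallerIdentity URL)
with padding stripped. The sample token's signature is a constructed placeholder.
"""
import base64
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

PREFIX = "k8s-aws-v1."
MAX_EXPIRES = 60                   # seconds; a larger X-Amz-Expires is refused server-side
CLOCK_SKEW = timedelta(minutes=5)  # tolerance for client/server clock drift
STS_HOST = re.compile(r"^sts(\.[a-z0-9-]+)?\.amazonaws\.com$")  # simplified allowlist
AMZ_DATE = "%Y%m%dT%H%M%SZ"


class TokenError(ValueError):
    """Any token the authenticator would refuse before contacting STS."""


def decode_token(token, now=None):
    """Return the token's identity-relevant fields, or raise TokenError."""
    now = now or datetime.now(timezone.utc)
    if not token.startswith(PREFIX):
        raise TokenError("missing k8s-aws-v1. prefix")
    b64 = token[len(PREFIX):]
    b64 += "=" * (-len(b64) % 4)                      # client strips padding; restore it
    try:
        url = urlsplit(base64.urlsafe_b64decode(b64).decode())
    except (ValueError, UnicodeDecodeError):
        raise TokenError("payload is not base64url text")
    if url.scheme != "https" or not STS_HOST.match(url.hostname or ""):
        raise TokenError(f"presigned URL must target an STS endpoint, got {url.netloc!r}")
    if url.path not in ("", "/"):
        raise TokenError("unexpected path in presigned URL")
    # Query keys are compared case-insensitively.
    q = {k.lower(): v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if q.get("action") != "GetCallerIdentity":
        raise TokenError("Action must be GetCallerIdentity")
    if q.get("x-amz-algorithm") != "AWS4-HMAC-SHA256":
        raise TokenError("unexpected signing algorithm")
    # The x-k8s-aws-id header (the cluster name) must be inside the signature;
    # otherwise a token minted for cluster A would authenticate to cluster B.
    if q.get("x-amz-signedheaders") != "host;x-k8s-aws-id":
        raise TokenError("X-Amz-SignedHeaders must be exactly host;x-k8s-aws-id")
    try:
        expires = int(q.get("x-amz-expires", ""))
    except ValueError:
        raise TokenError("X-Amz-Expires missing or not an integer")
    if not 0 <= expires <= MAX_EXPIRES:
        raise TokenError(f"X-Amz-Expires must be 0..{MAX_EXPIRES}, got {expires}")
    try:
        signed_at = datetime.strptime(q["x-amz-date"], AMZ_DATE).replace(tzinfo=timezone.utc)
    except (KeyError, ValueError):
        raise TokenError("X-Amz-Date missing or malformed")
    if now > signed_at + timedelta(seconds=expires) + CLOCK_SKEW:
        raise TokenError("token expired")
    if not q.get("x-amz-signature") or not q.get("x-amz-credential"):
        raise TokenError("X-Amz-Signature and X-Amz-Credential are required")
    try:  # <access key id>/<yyyymmdd>/<region>/sts/aws4_request
        access_key, _, region, service, _ = q["x-amz-credential"].split("/")
    except ValueError:
        raise TokenError("malformed X-Amz-Credential scope")
    return {"host": url.hostname, "access_key_id": access_key, "region": region,
            "service": service, "expires": expires, "signed_at": signed_at,
            "session_token": q.get("x-amz-security-token")}


def check_token(token, now=None):
    """'ok' if the token passes every check, otherwise the rejection reason."""
    try:
        decode_token(token, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


def make_sample_token(signed_at, expires=60, signed_headers="host;x-k8s-aws-id",
                      host="sts.us-east-1.amazonaws.com"):
    """Build a token in the get-token wire format with a constructed signature."""
    query = {
        "Action": "GetCallerIdentity", "Version": "2011-06-15",
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"AKIAIOSFODNN7EXAMPLE/{signed_at:%Y%m%d}/us-east-1/sts/aws4_request",
        "X-Amz-Date": signed_at.strftime(AMZ_DATE),
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": signed_headers,
        "X-Amz-Signature": "0" * 64,               # placeholder, not a real SigV4 signature
    }
    url = f"https://{host}/?{urlencode(query)}"
    return PREFIX + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


if __name__ == "__main__":
    t0 = datetime.now(timezone.utc)
    print(decode_token(make_sample_token(t0)))
    print(check_token(make_sample_token(t0, expires=900)))
```

Run `aws eks get-token --cluster-name <name> --output json` and paste the status.token value into check_token to see which field a rejected token fails on; an 'Unauthorized' from kubectl with a structurally valid token means the failure is in the STS call or the identity mapping, not in the token itself.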
Tags: aws, eks, kubernetes, iam

Terraform Plan File: resource_changes, resource_drift, and Machine-Readable Output
2 min read • Cloud Infrastructure
terraform plan -out=plan.tfplan saves a binary plan file that terraform apply consumes without re-planning. Converting it to JSON (terraform show -json plan.tfplan) exposes resource_changes, resource_drift, prior_state, and validation checks — useful for CI/CD policy gates, audit logging, and understanding why Terraform wants to make a change. Because the file embeds prior state and variable values, treat it as a sensitive build artifact.
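A policy gate of the kind the post mentions, as an added example (not the post's own code). It reads only fields the plan JSON schema defines (resource_changes, resource_drift, change.actions, change.after) and applies three constructed rules: block destroy or replace of protected resource types unless the address is allow-listed, block IAM policy documents that allow Action * on Resource *, and warn on drift. The embedded plan is hand-written sample data, and the protected-type list is a choice for this example, not a Terraform convention.

```python
"""CI policy gate over `terraform show -json plan.tfplan` output. Added example."""
import json

# Constructed sample of the plan JSON shape; a real plan has many more keys.
SAMPLE_PLAN = r'''
{
  "format_version": "1.2",
  "terraform_version": "1.7.0",
  "resource_changes": [
    {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket",
     "name": "logs", "provider_name": "registry.terraform.io/hashicorp/aws",
     "change": {"actions": ["delete"], "before": {"bucket": "corp-audit-logs"}, "after": null}},
    {"address": "aws_iam_policy.deploy", "mode": "managed", "type": "aws_iam_policy",
     "name": "deploy", "provider_name": "registry.terraform.io/hashicorp/aws",
     "change": {"actions": ["create"], "before": null,
                "after": {"name": "deploy",
                          "policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"*\",\"Resource\":\"*\"}]}"}}},
    {"address": "aws_instance.web", "mode": "managed", "type": "aws_instance",
     "name": "web", "provider_name": "registry.terraform.io/hashicorp/aws",
     "change": {"actions": ["update"], "before": {"instance_type": "t3.small"},
                "after": {"instance_type": "t3.medium"}}}
  ],
  "resource_drift": [
    {"address": "aws_security_group.web", "mode": "managed", "type": "aws_security_group",
     "name": "web", "provider_name": "registry.terraform.io/hashicorp/aws",
     "change": {"actions": ["update"], "before": {"ingress": []},
                "after": {"ingress": [{"cidr_blocks": ["0.0.0.0/0"], "from_port": 22}]}}}
  ]
}
'''

# Resources whose destruction or replacement needs an explicit allow-list entry.
PROTECTED_TYPES = {"aws_s3_bucket", "aws_kms_key", "aws_db_instance",
                   "aws_s3_bucket_public_access_block"}


def _listify(v):
    return v if isinstance(v, list) else [v]


def iam_policy_is_wildcard(policy_json):
    """True if an IAM policy document allows Action * on Resource *."""
    try:
        doc = json.loads(policy_json)
    except ValueError:
        return False
    for stmt in _listify(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _listify(stmt.get("Action", [])) and "*" in _listify(stmt.get("Resource", [])):
            return True
    return False


def evaluate_plan(plan, allow_destroy=()):
    """Return {'block': [...], 'warn': [...]} findings for a parsed plan JSON."""
    block, warn = [], []
    for rc in plan.get("resource_changes", []):
        actions = rc["change"]["actions"]
        if rc["mode"] != "managed" or actions in (["no-op"], ["read"]):
            continue
        # "delete" alone is a destroy; "delete" together with "create" is a replace.
        if "delete" in actions and rc["type"] in PROTECTED_TYPES and rc["address"] not in allow_destroy:
            verb = "replace" if "create" in actions else "destroy"
            block.append(f"{rc['address']}: {verb} of protected type {rc['type']}")
        # Policy documents appear in `after` as JSON strings when known at plan
        # time; a computed value is missing here and needs an apply-time check.
        after = rc["change"].get("after") or {}
        policy = after.get("policy")
        if isinstance(policy, str) and iam_policy_is_wildcard(policy):
            block.append(f"{rc['address']}: grants Action * on Resource *")
    for rd in plan.get("resource_drift", []):
        warn.append(f"{rd['address']}: changed outside Terraform ({'/'.join(rd['change']['actions'])})")
    return {"block": block, "warn": warn}


def load_sample():
    return json.loads(SAMPLE_PLAN)


if __name__ == "__main__":
    import sys
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else load_sample()
    result = evaluate_plan(plan)
    for line in result["warn"]:
        print("WARN ", line)
    for line in result["block"]:
        print("BLOCK", line)
    sys.exit(1 if result["block"] else 0)
```

In a pipeline this runs as `terraform show -json plan.tfplan > plan.json && python gate.py plan.json` between plan and apply, and a non-zero exit stops the apply. Gating on the saved plan file, rather than on a fresh plan, is what guarantees the reviewed change set and the applied change set are identical.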
Tags: infrastructure-as-code, terraform

find: Searching Files by Name, Type, Size, and Time
1 min read • Systems & Networking
find traverses a directory tree and matches files by name, type, size, modification time, permissions, and more. -exec runs a command on matches: -exec cmd {} \; runs one command per file; -exec cmd {} + batches all matches into one command invocation. Combining predicates with -and, -or, and -not builds precise queries.
Tags: shell, find, linux

Affiliate Tracking Cookies: CJ Affiliate, Rakuten, and Last-Click Attribution
2 min read • Web Development
Affiliate networks (CJ Affiliate, Rakuten/Impact) track purchases using URL parameters and cookies. When you click an affiliate link, the merchant stores a cjevent or ranSiteID cookie tied to the publisher's ID. At checkout, the merchant reads that cookie and credits the commission. Last-click attribution means the most recent affiliate link click wins — later clicks overwrite earlier cookies.
Tags: cookies, http, affiliate-tracking

CORS with S3 and Localhost: Browser Enforcement, Null Origin, and Preflight
2 min read • Web Development
CORS is enforced by browsers, not servers: curl and backend code bypass it entirely. S3 CORS configuration requires exact origin matching: http://localhost:5173 is a different origin from http://localhost:3000, and the scheme is part of the match. Opening HTML from file:// sends Origin: null, which matches only a wildcard * rule, never an explicit AllowedOrigins entry. The test for whether CORS is the problem: if JS can see the HTTP status code (403, 404), CORS is not blocking the request; a genuine CORS failure surfaces as a fetch TypeError or an XHR with status 0.
Tags: security, aws, s3, cors

Go context.Context: Cancellation, Timeouts, and Why the First Argument Matters
3 min read • Programming
context.Context is not just convention. It is the mechanism that prevents goroutine leaks, propagates deadlines across service boundaries, and gives callers control over work they started.
Tags: programming, go, concurrency, context

API Gateway Endpoint Types: Regional, Edge-Optimized, and Private
2 min read • Cloud Infrastructure
API Gateway offers three endpoint types. Regional deploys to one AWS region — add your own CloudFront distribution for global CDN control. Edge-optimized routes through AWS CloudFront edge locations automatically — useful for geographically dispersed clients without a custom CDN. Private is accessible only from within a VPC via an Interface VPC Endpoint — no public internet exposure.
Tags: aws, api-gateway

API Gateway Custom Domains: Why You Can't CNAME Directly to the Execute-API URL
3 min read • Cloud Infrastructure
API Gateway's default execute-api URL carries AWS's TLS certificate, not yours. A custom domain gives API Gateway an ACM certificate for your hostname plus a mapping from that hostname to your API; for edge-optimized domains the traffic is fronted by an AWS-managed CloudFront distribution that routes on the requested hostname (SNI and Host). That hostname-based routing is why hitting the distribution's own URL directly returns 403 or 404.
Tags: aws, api-gateway, route53, tls

API Gateway Header Forwarding: Why Your Backend Sees the Wrong Host
2 min read • Cloud Infrastructure
API Gateway rewrites the Host header to the integration endpoint by default. If your backend depends on the original hostname for routing or virtual hosting, you need to forward it explicitly — and x-forwarded-for has restrictions that will trip you up.
Tags: aws, api-gateway, alb

HTTP API vs REST API in API Gateway: Differences and When to Use Each
2 min read • Cloud Infrastructure
HTTP API is the newer, cheaper, faster API Gateway product (roughly 70% cost reduction vs REST API). It supports JWT authorizers natively, automatic CORS, and the $default catch-all route. WebSocket APIs are a separate, third API type, not an HTTP API feature. REST API supports usage plans, API keys, request/response transformation, WAF integration, and per-method caching. Choose HTTP API for simple Lambda proxies and JWT auth; REST API when you need request transformation, API keys, WAF, or fine-grained throttling per route.
Tags: aws, api-gateway

API Gateway Payload Limits: The 10MB Ceiling and What To Do When You Hit It
2 min read • Cloud Infrastructure
API Gateway enforces a hard 10 MB payload limit on both requests and responses. Requests over the limit get a 413; oversized integration responses are rejected rather than streamed, and Lambda proxy integrations hit Lambda's 6 MB synchronous response cap first. Large file transfers need a different architecture — presigned URLs, multipart uploads, or streaming — not bigger payloads.
Tags: aws, api-gateway, s3, lambda

HTTP to HTTPS Redirection for API Gateway: Why CloudFront Is Required
2 min read • Cloud Infrastructure
API Gateway regional endpoints only listen on port 443. HTTP requests to port 80 get ERR_CONNECTION_REFUSED because nothing responds. CloudFront solves this by listening on both ports and redirecting HTTP to HTTPS before the request reaches API Gateway.
Tags: aws, api-gateway, cloudfront, tls

CloudFront: How CDN Caching and Edge Logic Actually Work
3 min read • Cloud Infrastructure
CloudFront reduces latency by serving content from the edge location nearest to the user. Understanding distributions, cache behaviors, origin access control, and Lambda@Edge makes the difference between a CDN that helps and one that causes stale content bugs.
Tags: aws, cloudfront, cdn, edge

CloudFront Beyond Caching: Signed URLs, Geo-Restriction, Origin Shield, and Real-Time Logs
3 min read • Cloud Infrastructure
CloudFront's caching and CDN basics are well-documented. The less-obvious features — signed URLs for private content, geographic access controls, Origin Shield for reducing origin load, and real-time log streaming — are where production configurations diverge from tutorials.
Tags: aws, cloudfront, security

CloudFront Response Headers Policies: Security Headers, SEO Tags, and CORS
2 min read • Cloud Infrastructure
CloudFront response headers policies let you add, modify, or remove HTTP headers on every response — without changing your origin. Security headers (HSTS, CSP, X-Frame-Options), SEO directives, and CORS headers are all configurable centrally, with or without CloudFront Functions.
Tags: aws, cloudfront, security, cors

ECS Cluster Autoscaling: How Capacity Providers Scale EC2 Infrastructure
3 min read • Cloud Infrastructure
ECS cluster autoscaling uses capacity providers to manage EC2 instance count based on task resource needs. Understanding the CapacityProviderReservation metric, target tracking, and the interaction between service scaling and cluster scaling prevents the scaling lag that causes task placement failures.
Tags: aws, ecs, autoscaling, capacity-providers

ECS on EC2: Container Instances, the ECS Agent, and What You're Responsible For
3 min read • Cloud Infrastructure
ECS EC2 launch type runs your containers on EC2 instances you manage. The ECS agent bridges EC2 and the ECS control plane. You control instance sizing, patching, cluster capacity, and task placement — which is both the power and the overhead compared to Fargate.
Tags: aws, ecs, ec2

ECS Task Placement: Binpack, Spread, and When Each Costs You
3 min read • Cloud Infrastructure
ECS placement strategies are a cost vs. reliability dial. Choosing wrong means either wasted EC2 spend or higher blast radius during host failures.
Tags: aws, ecs, placement, terraform

ECS Fargate: Task Networking, vCPU/Memory Combinations, and What Serverless Actually Means Here
3 min read • Cloud Infrastructure
Fargate runs ECS tasks on AWS-managed infrastructure. You specify vCPU and memory, not instance types. Every task gets its own network interface. The operational simplicity has real cost tradeoffs — at scale, EC2 with Reserved Instances is significantly cheaper.
Tags: aws, ecs, fargate

Running Stateful Workloads on ECS: Patterns and Hard Limits
3 min read • Cloud Infrastructure
ECS has no StatefulSet equivalent. This post covers the three patterns that work, when each breaks, and when you should stop fighting the platform.
Tags: aws, ecs, stateful, efs

ECS Network Modes: When to Use awsvpc, bridge, and host
4 min read • Cloud Infrastructure
ECS offers four network modes (awsvpc, bridge, host, and none). awsvpc is the right default for almost everything — but understanding why, and when the others apply, prevents subtle security and performance mistakes.
Tags: aws, ecs, vpc

EFS: Throughput Modes, Access Points, and the EKS CSI Driver
3 min read • Cloud Infrastructure
EFS provides shared POSIX file storage that multiple instances and containers can mount simultaneously. Throughput mode selection (Bursting vs Elastic vs Provisioned) is the most common production performance decision. The EFS CSI driver enables dynamic persistent volume provisioning in EKS.
Tags: aws, efs, eks, storage

EKS Cluster Architecture: Control Plane, Node Groups, and Endpoint Access Modes
3 min read • Cloud Infrastructure
EKS manages the Kubernetes control plane. You manage the data plane — the nodes that run your workloads. Node group type (managed, self-managed, Fargate) and cluster endpoint access mode (public, private, or both) are the first architectural decisions that shape everything downstream.
Tags: aws, eks, kubernetes