Blog
Practical writing on AI engineering, infrastructure, backend systems, and production lessons learned.
Elastic Network Interfaces: ENI Limits, awsvpc Mode, and Trunk ENIs
3 min read · Cloud Infrastructure
An ENI is a virtual NIC attached to an EC2 instance. In awsvpc mode, each ECS task and EKS pod gets its own ENI — but per-instance ENI limits constrain how many tasks can run per host. Trunk ENIs (branch ENIs) work around this limit for ECS and EKS at scale. Secondary ENIs enable multi-homed instances and appliance patterns.
Tags: aws, vpc, ecs, eks

VPC Gateways: Internet Gateway, NAT Gateway, and Route Table Mechanics
2 min read · Cloud Infrastructure
An Internet Gateway enables bidirectional internet access for public subnets. A NAT Gateway gives private subnet resources outbound internet access without exposing them to inbound connections. Both require route table entries to function. Understanding the routing rules prevents common 'no internet' debugging sessions.
Tags: aws, vpc

VPC Route Tables: How AWS Routing Works and Common Misconfigurations
3 min read · Cloud Infrastructure
Route tables determine where traffic goes in a VPC. The most-specific-route-wins rule, the local route you can't delete, and the subnet association model have practical consequences that trip up most engineers the first time.
Tags: aws, vpc, routing

VPC Endpoints: Interface, Gateway, and Keeping Traffic Off the Public Internet
2 min read · Cloud Infrastructure
VPC endpoints let resources in private subnets reach AWS services without internet access. Gateway endpoints (S3 and DynamoDB) are free and route-table-based. Interface endpoints (everything else) deploy ENIs in your subnets and cost money. Choosing the wrong endpoint type or skipping private DNS causes unexpected public internet routing.
Tags: aws, vpc, privatelink

VPC Peering: Non-Transitive Routing and When to Use Transit Gateway Instead
3 min read · Cloud Infrastructure
VPC peering connects two VPCs directly. It does not connect three. Understanding the non-transitive routing constraint — and the CIDR overlap failure mode — saves hours of debugging when your network doesn't behave as expected.
Tags: aws, vpc, transit gateway

VPC CIDR Planning: Overlapping Ranges, Peering Constraints, and RFC 1918
2 min read · Cloud Infrastructure
Overlapping VPC CIDRs block peering, Transit Gateway attachments, and VPN connections. AWS allows overlapping ranges at creation time — the conflict surfaces when you try to connect VPCs later. Planning CIDR blocks upfront around RFC 1918 address space prevents address conflicts from becoming an infrastructure migration.
Tags: aws, vpc

AWS WAF SQL Injection Rules: field_to_match, Text Transformations, and Rule Groups
2 min read · Cloud Infrastructure
AWS WAF SQLi rules inspect request fields and block injection attempts before they reach your application. The field_to_match choice determines coverage: query string catches URL parameter attacks, body catches POST payload attacks. Text transformations decode obfuscated payloads before inspection. Missing either leaves gaps that attackers exploit.
Tags: aws, waf, security

Skipping CircleCI Pipelines: [ci skip], Conditional Workflows, and Pipeline Parameters
1 min read · Cloud Infrastructure
CircleCI triggers a pipeline on every push by default. [ci skip] or [skip ci] in the commit message prevents that run. For finer control — skipping based on changed files, branch, or tag — conditional workflows and pipeline parameters let you run only the jobs relevant to what changed.
Tags: ci-cd, circleci

CircleCI Caching: Keys, Invalidation, and Dependency Layer Strategy
2 min read · Cloud Infrastructure
CircleCI caching stores build dependencies between runs to avoid repeated downloads. Cache keys control when the cache is invalidated. A bad key strategy either never invalidates (stale dependencies) or always invalidates (no speedup). The correct pattern layers file checksums and fallback keys to balance freshness and hit rate.
Tags: ci-cd, circleci

Debugging Dependencies in CircleCI: Patching node_modules, SSH Access, and Dependency Pinning
1 min read · Cloud Infrastructure
When a CI failure comes from third-party library behavior you can't reproduce locally, you need to inspect the environment directly. CircleCI supports SSH access to debug jobs, and test-time patches via sed or patch files let you instrument dependencies without modifying them permanently. Understanding when each approach is appropriate prevents wasted debugging time.
Tags: ci-cd, circleci

CircleCI Workspaces: Passing Build Artifacts Between Jobs
2 min read · Cloud Infrastructure
Workspaces let CircleCI jobs share files within a single workflow. A build job compiles binaries and persists them to the workspace; downstream test and deploy jobs attach the workspace and use the same artifacts. Workspaces are mutable within the workflow but don't persist across runs — use caching for that.
Tags: ci-cd, circleci

GitHub Actions Caching: What to Cache and What Not To
2 min read · Cloud Infrastructure
The actions/cache action can cut CI times dramatically for dependency-heavy pipelines. The cache key strategy determines whether you get cache hits or stale builds — and the difference between caching node_modules vs the npm cache registry is not obvious.
Tags: ci-cd, github actions, npm, docker

GitHub Actions Deployments: Environments, Active Status, and Protection Rules
2 min read · Cloud Infrastructure
GitHub Deployments track what's live in each environment. Only one deployment can be 'active' per environment — the last successful deployment. When multiple PRs deploy to the same environment, only the most recent one holds 'active' status, which blocks other PRs from meeting deployment-based branch protection rules.
Tags: ci-cd, github actions

Docker Networking: Hostname vs Container Name, Port Mapping, and Bridge Networks
2 min read · Cloud Infrastructure
Docker container networking has several layers: hostname (what the container thinks it's called), container name (how Docker identifies it), and network aliases (how other containers reach it). Port mapping exposes container ports to the host. Dynamic port mapping (host port 0) lets the OS assign available ports — required for ECS bridge mode with multiple tasks per host.
Tags: docker, containers, dns

Docker ENTRYPOINT vs CMD: Exec Form, Shell Form, and PID 1 Behavior
1 min read · Cloud Infrastructure
ENTRYPOINT sets the executable. CMD provides default arguments. Together they define what runs when a container starts. Using shell form instead of exec form wraps the process in /bin/sh -c, making it a child of sh rather than PID 1 — which breaks signal handling, graceful shutdown, and SIGTERM from docker stop.
Tags: docker, containers, shell

ARC: Adaptive Replacement Cache with Ghost Lists
2 min read · Databases & Storage
ARC maintains four lists (T1, T2, B1, B2) to adaptively balance between recency (LRU-like) and frequency (LFU-like). Ghost lists B1 and B2 track recently evicted pages, allowing ARC to learn from cache misses and adjust its partitioning parameter p. ZFS uses ARC as its default page cache algorithm.
Tags: caching, eviction-policy, data-structures

FIFO Caching: When Insertion Order Is the Right Policy
3 min read · Databases & Storage
FIFO evicts the oldest-inserted item regardless of how recently or frequently it was accessed. That's usually a weakness, but for streaming buffers, network queues, and scenarios where items are consumed exactly once, FIFO's predictable eviction order is a feature, not a bug.
Tags: caching, fifo

LFU Caching: Frequency Buckets, the Cold Start Problem, and When to Choose It Over LRU
3 min read · Databases & Storage
LFU evicts the least frequently accessed item, not the least recently accessed one. The difference matters for stable, long-lived access patterns where popularity is a better predictor than recency. The challenge is implementing it efficiently and handling new items that haven't had time to build frequency.
Tags: caching, lfu, lru

LRU-K: Evicting Based on K-th Most Recent Access for Scan Resistance
2 min read · Databases & Storage
LRU-K evicts the item whose K-th most recent access is oldest, rather than the item whose single most recent access is oldest. This makes it resistant to sequential scan poisoning: a page accessed only once has an 'infinite' K-th access time and is evicted before pages that have been accessed K times. PostgreSQL uses LRU-2 in its buffer manager.
Tags: caching, eviction-policy, data-structures

LRU Cache: HashMap + Doubly Linked List, Cache Thrashing, and Production Issues
1 min read · Databases & Storage
LRU evicts the least recently used item when the cache is full. The O(1) implementation combines a hashmap (O(1) lookup) with a doubly linked list (O(1) reorder). Cache thrashing occurs when the working set exceeds cache size — every access is a miss. Sequential scan workloads poison LRU by filling it with data that's never reaccessed.
Tags: caching, eviction-policy, data-structures

MRU Cache: Most Recently Used Eviction for Sequential Access Patterns
1 min read · Databases & Storage
Most Recently Used (MRU) evicts the item accessed most recently, the opposite of LRU. This seems counterintuitive but is correct for sequential scans, media streaming, and transaction logs where items are accessed once and then never needed again. In those workloads, LRU fails by holding recently-scanned data that has no future value.
Tags: caching, eviction-policy, data-structures

Redis Ziplist: The Internal Encoding That Keeps Small Collections Compact
2 min read · Databases & Storage
Redis doesn't always use the data structure you'd expect. Small hashes, lists, and sorted sets use ziplist — a contiguous memory layout that avoids pointer overhead. Understanding the thresholds and the conversion trigger helps you tune memory usage without surprises.
Tags: caching, redis, internals, memory

Browser Caching: Cache-Control, ETag, and Stale-While-Revalidate
2 min read · Databases & Storage
Cache-Control headers control how browsers and CDNs cache responses. max-age=N serves from cache without a network request. no-cache revalidates with the server on every request (using ETag/Last-Modified). no-store never caches. stale-while-revalidate serves stale content immediately while revalidating in the background. Immutable assets (hashed filenames) should use max-age=31536000, immutable.
Tags: caching, http, browser

Elasticsearch Bool Query: must vs filter, Caching, and Scoring
1 min read · Databases & Storage
Bool queries combine must, filter, should, and must_not clauses. must clauses contribute to relevance scoring; filter clauses don't — but filters are cached by Elasticsearch and execute faster. Misusing must for exact-match conditions wastes scoring computation and bypasses the filter cache.
Tags: search, elasticsearch