Is this a video course?

No. This is an interactive, slide-based learning platform. Each lesson has rich text, animated diagrams, live code editors, and quizzes. You learn by reading, interacting, and doing, not by watching videos passively.

How long do I have access?

Forever. Both pricing tiers are one-time payments with lifetime access. This includes all current 766 lessons and any future content we add.

What level of experience do I need?

None. We start from absolute basics like 'What is latency?' and build up to distributed consensus protocols. The Foundation level assumes zero prior knowledge of system design.

How much does the system design course cost?

5 US dollars for lifetime access globally, or 299 Indian rupees for lifetime access in India. One-time payment, no subscription, no hidden fees. 11 lessons are free with no signup required.

What technologies are covered?

Everything from DNS and load balancers to Kubernetes, Kafka, distributed databases, consensus protocols, stream processing, security architecture, and observability. We cover principles and real-world implementations used at Netflix, Google, Amazon, Uber, Stripe, and more.

Is this useful for system design interview preparation?

Yes. The lessons are structured around the exact topics asked in system design interviews at FAANG and top-tier companies. Interactive diagrams help you practice whiteboard-style explanations. Covers everything from URL shortener design to distributed payment systems.

How is this different from ByteByteGo or Educative?

766 interactive lessons (4x more than most competitors), 16 different diagram types that build step by step, real production examples from Netflix, Google, Amazon, Uber, and Stripe, and lifetime access for a one-time payment of 5 dollars instead of annual subscriptions costing 100 to 200 dollars per year.

What is the difference between a VPC and a subnet?

A VPC is your entire private network inside a cloud provider, defined by a large address range like 10.0.0.0/16. A subnet is a slice of that range, such as 10.0.1.0/24, with its own routing and access rules. You typically split a VPC into public subnets for internet-facing things and private subnets for databases and internal services that should never be reachable from outside.

When should I use serverless instead of regular servers?

Use serverless when your workload is event-driven or spiky and you would otherwise pay for idle capacity, such as background jobs, webhooks, or APIs with uneven traffic. Avoid it for latency-sensitive paths where cold starts hurt, for long-running processes, or for workloads that need fine control over the runtime. The deciding factors are how steady your traffic is and how much the cold-start penalty matters to your users.

What is the difference between regions and availability zones?

A region is a geographic area, like one in Europe and one in Asia, used to place your service near users and to isolate large-scale failures. An availability zone is one of several isolated datacenters inside a single region. Spreading across availability zones protects you from a single datacenter failure, while spreading across regions protects you from a whole-region outage and reduces latency for distant users, at higher cost and complexity.

Why do I need a bastion host or jump server?

A bastion host is a single hardened machine that administrators connect through to reach servers in private subnets. Instead of exposing SSH on every server to the internet, you expose only the bastion, lock it down tightly, and audit one entry point. It dramatically shrinks your attack surface and gives you a single place to log and control administrative access.

VPN, Direct Connect, or VPC Peering for connecting networks?

Use VPC Peering for a simple one-to-one link between two cloud networks. Use a Site-to-Site VPN to connect your datacenter to the cloud over the encrypted public internet when cost matters more than consistent latency. Use Direct Connect when you need a dedicated private line with predictable performance, usually for production traffic between a datacenter and the cloud. Once you have many networks to join, a Transit Gateway replaces a mess of peerings with a central hub.

What causes a cold start and how do I reduce it?

A cold start happens when a serverless function has been idle and the provider has to spin up a fresh runtime before handling the request, adding latency to that first call. You reduce it by keeping warm instances ready, using provisioned concurrency, choosing lighter runtimes, and trimming your dependencies so the startup is faster. For truly latency-sensitive endpoints, keeping a small warm pool is the standard fix.

intermediate

Cloud Infrastructure

Every product you ship runs on somebody's infrastructure. The question is how much of it you own and how much you rent. Cloud infrastructure is the layer between your code and the physical machines in a datacenter: the network your traffic flows through, the boundaries that keep strangers out, the regions that decide how far a request has to travel, and the service models that determine whether you manage a server or never see one. Get this layer wrong and you pay for it in outages, security incidents, and surprise bills. A single misconfigured route table or an overly broad security group has taken down companies that had perfect application code.

This category walks the full stack from the ground up. You start with how addressing and routing actually work (static and dynamic IP, IPv4 vs IPv6, DHCP, CIDR, subnets, NAT), build into private cloud networks (VPC, internet gateways, NAT gateways, regions, availability zones), then move through the service models that define modern cloud (IaaS, PaaS, SaaS, serverless, FaaS), the access and perimeter patterns that keep production safe (bastion hosts, DMZ, network segmentation), and the connectivity and performance topics that tie multiple environments together (VPC peering, Transit Gateway, Direct Connect, Private Link, QUIC, service mesh). By the end you can read an architecture diagram and know exactly where every packet goes and why.

Cloud Infrastructure: the landscape

What Cloud Infrastructure Actually Is

Cloud infrastructure is the set of networking, compute, and connectivity primitives a provider gives you so you do not have to buy and rack physical hardware. At the bottom sits the network. Before anything else makes sense you need to understand how machines find each other, which is why this category begins with IP addressing. A Static IP never changes and is what you point a domain or a firewall rule at. A Dynamic IP is handed out and reclaimed automatically, usually by DHCP, which is fine for laptops and bad for servers other systems must reach reliably. CIDR notation (the /24 you keep seeing) is how you describe a block of addresses, and Subnets are how you slice that block into smaller zones with different rules.

On top of addressing sits the transport story. The OSI Model and the TCP/IP Stack are the mental maps for where each protocol lives, and they explain why a load balancer at layer 4 behaves differently from one at layer 7. TCP gives you ordered, reliable delivery; UDP trades reliability for speed, which is why it underpins video and gaming. NAT (Network Address Translation) is the trick that lets many private machines share one public address, and understanding it removes most of the confusion around why an instance can reach the internet but the internet cannot reach it.

Once the fundamentals click, the cloud-specific pieces are just managed versions of them. A VPC is your own private network inside the provider. An Internet Gateway connects that network to the public internet, a NAT Gateway lets private machines make outbound calls without being exposed, and an Elastic IP is a static public address you control across instance restarts. IPAM is how large organizations track all of these addresses before they collide.

The Service Models: How Much Do You Want to Manage

The deepest decision in cloud is how much of the stack you operate yourself, and that is what the as-a-service models describe. IaaS (Infrastructure as a Service) gives you raw virtual machines and networks; you control the operating system and everything above it, and you carry the operational weight that comes with that. PaaS (Platform as a Service) hands you a runtime where you deploy code and the provider handles patching, scaling, and the machines underneath. SaaS (Software as a Service) is finished software you simply log into. CaaS (Containers as a Service) and DBaaS (Database as a Service) are the same idea applied to containers and databases specifically.

Serverless pushes this further. With FaaS (Functions as a Service) you ship a single function and the provider runs it only when an event fires, scaling from zero to thousands of concurrent executions and back to nothing. BaaS (Backend as a Service) gives you ready-made auth, storage, and APIs so a frontend team can ship without a backend. The appeal is real: you pay for execution, not idle capacity, and you never patch a server.

The trade-off has a name, and it is Cold Start. When a function has been idle, the first invocation pays a startup penalty while the runtime spins up, which can add hundreds of milliseconds to a request. Warm Instances are the mitigation: keeping a pool ready so latency-sensitive paths never hit a cold start. The rule of thumb across these models is straightforward. Choose the highest level of abstraction that still meets your latency, control, and cost requirements, and drop down a level only when a concrete constraint forces you to.

Connectivity, Perimeter, and the Trade-offs That Matter

Real systems are never one network. You have production and staging, an on-premise datacenter, partner accounts, and edge locations, and they all need controlled paths between them. VPC Peering is the simplest: a direct one-to-one link between two networks. It stops scaling well once you have many networks, which is when Transit Gateway earns its place as a central hub that connects dozens of VPCs and on-prem links without a tangle of point-to-point connections. For the link to your own datacenter you choose between a VPN over the public internet (cheaper, encrypted, variable latency) and Direct Connect, a dedicated private line that costs more but delivers consistent performance. Private Link exposes a single service privately without opening up a whole network, which is how you let a partner reach one API and nothing else.

The perimeter topics decide who gets in. A DMZ is the buffer zone where internet-facing services live, separated from your internal systems. A Bastion Host or Jump Server is the single hardened door through which administrators reach private machines, so you audit one entry point instead of exposing SSH on everything. Network Segmentation is the broader discipline of splitting your network so a breach in one zone cannot spread to the rest. These are not optional polish; segmentation is what turns a single compromised box into a contained incident rather than a company-ending one.

The last group is about distance and speed. Regions are geographic clusters of datacenters, and Availability Zones are the isolated locations inside a region that let you survive a single datacenter failure. Spreading across zones buys you resilience; spreading across regions buys you both resilience and lower latency for distant users, at the cost of complexity and data-transfer fees. Edge Computing and Fog Computing push compute closer to users and devices to cut that latency further. On the wire, QUIC and TCP Optimization reduce round trips, WebRTC enables real-time peer connections, and a Service Mesh adds retries, encryption, and observability between your services without changing application code.

How Real Companies Run This

Netflix runs across multiple regions and availability zones precisely so that losing one datacenter, or even one region, does not take the service down, and they famously break their own infrastructure on purpose to prove the failover works. Their architecture leans on VPCs, careful segmentation, and edge placement so a stream starts fast no matter where you are.

Most large enterprises connect their datacenter to the cloud with Direct Connect for the predictable, low-latency private path it gives, then fall back to a Site-to-Site VPN as an encrypted backup. Banks and healthcare companies lean hard on network segmentation, DMZs, and bastion hosts because regulators require that a breach in one zone cannot reach patient or financial data in another. Fast-moving startups go the other direction and live on serverless and PaaS so a tiny team can ship without an operations group, accepting cold starts and provider lock-in as the price of speed.

The pattern underneath all of it is the same. Companies match the level of control to the actual constraint. They use the most managed option that still meets their latency, compliance, and cost needs, and they spend their scarce engineering attention on the boundaries between systems, because that is where both the outages and the breaches happen.

Frequently asked questions

Learn Cloud Infrastructure the interactive way

All 45 lessons with step by step diagrams, runnable code, and quizzes. One payment of ₹299 in India or $5 worldwide. Lifetime access, no subscription.

Cloud Infrastructure

What Cloud Infrastructure Actually Is

The Service Models: How Much Do You Want to Manage

Connectivity, Perimeter, and the Trade-offs That Matter

How Real Companies Run This

Frequently asked questions

Cloud Infrastructure

What Cloud Infrastructure Actually Is

The Service Models: How Much Do You Want to Manage

Connectivity, Perimeter, and the Trade-offs That Matter

How Real Companies Run This

All 45 lessons in Cloud Infrastructure

Frequently asked questions

Learn Cloud Infrastructure the interactive way

Cloud Infrastructure

What Cloud Infrastructure Actually Is

The Service Models: How Much Do You Want to Manage

Connectivity, Perimeter, and the Trade-offs That Matter

How Real Companies Run This

All 45 lessons in Cloud Infrastructure

Frequently asked questions

Learn Cloud Infrastructure the interactive way