This Glossary provides definitions for terms related to common software, networking, cloud computing, or the Internet. For words and phrases directly associated with Aviatrix products, features, or terminology, please see the Aviatrix Glossary.
The practice of simplifying the experience of a software product for the user by hiding unnecessary details and complexity. Abstraction makes software more accessible and attractive by enabling users to configure the product further without needing to work with programming languages or other technical information.
The design or organization of a system, including its components, processes, environment, and general principles.
A method of data mining/monitoring that examines behavior or incidents that differ from normal patterns. In network security, Anomaly Detection can help search for malware, viruses, hackers, or network failures or errors.
API (Application Programming Interface)¶
APIs enable systems and applications to exchange data – for example, for a data analysis tool to extract salary data from an accounting program. This data exchange is designed to automate large and complex data transfers securely.
APIs often work two ways (each system sending and receiving information). See webhook.
Availability Zone (AZ)¶
AWS (Amazon Web Services)¶
The practice of designing technology and systems that require minimal work for human beings – for example, automating report creation can simplify accountants’ jobs by removing a simple, repetitive task from their workloads. Cloud automation enables IT teams and developers to create, modify, and tear down resources on the cloud automatically.
Microsoft Azure is Microsoft’s CSP (Cloud Service Provider) offering, a cloud computing service operated by Microsoft for application management via Microsoft-managed data center. Azure is behind Amazon’s service, AWS, in terms of industry leadership, but is increasing its market share.
BGP (Border Gateway Protocol)¶
The dynamic routing protocol, or set of rules for directing traffic, for the Internet. BGP maximizes efficiency. It acts as the postal service of the Internet.
In computer networking, the Blast Radius is the area affected by an error, security failure, disruption, or other major problem; the maximum impact that might be sustained in the event of a system failure. Companies try to minimize the Blast Radius of each system or program to minimize damage per incident.
In software, brownfield development is building new systems or software where there are already existing codes or legacy components. See greenfield.
CIDR (Classless Inter-Domain Routing)¶
Also known as supernetting. CIDR allocates Internet Protocol (IP) addresses by creating unique and detailed addresses for networks and devices. A CIDR is the range of IP addresses a network uses. CIDR’s class system improves the efficiency of allocating IP (Internet Protocol) Addresses by using prefixes of varying lengths (variable-length subnet masking (VLSM)).
Classless Inter-Domain Routing (CIDR) is a range of IP addresses a network uses. A CIDR address looks like a normal IP address, except that it ends with a slash followed by a number. The number after the slash represents the number of addresses in the range.
Cloud computing is the delivery of computing services—including servers, storage, databases, networking, software, analytics, and intelligence—you can access over the Internet, instead of managing a physical server yourself.
Software components such as folders, websites, and files that exist virtually, not physically.
CPU (Central Processing Unit)¶
The “brain” of almost any device, from a computer to a thermostat. CPUs process and execute instructions to make these devices work.
CSP (Cloud Service Provider)¶
A company that sells cloud services: servers, components, platforms, and infrastructure. Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI) are all examples of CSPs.
A physical location where companies store important data and applications. These centers are designed to network these resources to customers. Data centers can include switches, routers, firewalls, storage systems, servers, and controllers. Each data center creates its own Availability Zone.
Day 2 Operations¶
(For IT personnel or DevOps Engineers): The ability to observe the state of cloud networks across providers and respond to change without disruption, or maintaining the overall stability and health of your platform in production.
Software engineers “deploy” software systems or updates to make them available to users. A single “deployment” is usually smaller and less significant than a full product release: it implements updates and improvements.
A software engineer whose role includes development (creating, updating, and improving software) and operations (the processes, steps, and methods required to run software cycles). DevOps Engineers improve the efficiency and effectiveness of the release cycle. In some companies, they are known as “IT for engineers,” or highly-qualified IT personnel who have the expertise to address complex coding and networking issues.
A two-factor authentication service that provides extra security for user accounts.
DNS (Domain Name System)¶
The Domain Name System translates the domain names that are easier for human to remember, such as www.example.com, to the IP (Internet Protocol) addresses that distinguish devices, websites, and other Internet entities from each other. DNS removes the need for people to remember complex numeric or alphanumeric IP addresses such as 314.837.1.2. Some websites compare DNS to a phonebook for the Internet.
DPI (Deep Packet Inspection)¶
A type of network packet filtering in which a firewall examines the content of data packets to search for potential security threats. DPI differs from conventional packet filtering in that conventional filtering only examined the header information of each packet, not the contents (like reading the Subject line of an email but not the body).
nDPI is an open-source library for DPI.
ECMP (Equal Cost Multiple Path)¶
A networking feature that enables firewalls to use up to four routes to the same destination that have the same cost. ECMP improves the efficiency and flexibility of a network.
Edge (in networking)¶
The security boundary where a local or private network connects to a third-party network.
The exit of an entity or network boundary; outbound communication from instances in your VPC to the Internet. See ingress.
In AWS, an egress can be centralized or distributed. A centralized egress ensures all traffic that is destined for a particular IP address goes through a single VPC in which egress policy enforcement can take place before a connection is allowed to exit. A distributed egress means there would be a gateway in every VPC, and each of those gateways needs egress control.
EIP (Enterprise Integration Patterns OR Enterprise Information Portal)¶
Enterprise Integration Patterns are a catalog of design patterns for integrating both new and existing software.
- These design patterns provide solutions to known problems that recur in software.
- Enterprise Information Portal is a knowledge base or resource and networking platform for enterprise employees, partners, or vendors.
Encryption is a process that uses digital keys to encode various components—text, files, databases, passwords, applications, or network packets. Encrypted data needs to be decrypted before it can be read.
ESNI (Encrypted Server Name Indication)¶
A tool that keeps your software browsing private by masking the websites you are visiting. ESNI is a part of the TLS (Transport Layer Security) protocol. See TLS.
A hardware or software device that acts as a wall or barrier between an internal network (such as a personal home’s system) and the Internet. Firewalls examine traffic in and out of the system and determine whether to allow it or not. More sophisticated firewalls examine the traffic and its source to detect malware, viruses, hackers, or unsafe destinations.
There are four types of firewalls:
- Stateless – A stateless firewall examines the header of each data packet, the destination address, and the source to determine whether to let traffic through via preset rules.
- Stateful – A stateful firewall closely examines all data packets and their characteristics to determine whether to let traffic through.
- Next-generation (Next-gen or NG) – A next-generation firewall uses the scrutiny of a stateful firewall with additional features such as integrated intrusion prevention, leveraging threat intelligence feeds, advanced malware detection, and application and user control.
- L4-Layer – Works at the transport level and examines traffic without inspecting or decrypting data packets.
- L7-Layer – Works at the application level and examines the contents of traffic.
A type of networking design in which each node in the system has a circuit that connects it to every other node. While full mesh does make multiple redundant connections, this design keeps traffic going even if one node fails.
Full-mesh design is useful in systems which are intransitive: A connects to B and B connects to C, but A cannot interact with C.
FQDN (Fully Qualified Domain Name)¶
The full domain name for a website, including the hostname, second-level domain name and TLD (Top-Level Domain) name, separated with periods and ending with a period, such as www.aviatrix.com.
FTP (File Transfer Protocol)¶
The protocol, set of rules, or language that computers on a network use to transfer files. In FTP, files are transferred through an FTP server or site.
Gateway (in cloud networking)¶
A hardware or software appliance that acts as a bridge or tunnel between local networks and cloud networks. A gateway connects and translates between these systems to enable them to communicate.
GCP (Google Cloud Platform)¶
GRE (Generic Routing Encapsulation)¶
A tunneling protocol that enables data packets that are incompatible with the protocols of a network to travel through the network. GRE enables these data packets to travel through the network by encapsulating them in protocols that do fit the network’s settings. GRE is an alternative to IPSec tunneling.
In software, greenfield development is building new, with no pre-existing structures or code. See brownfield.
HA (High Availability)¶
A network, server array, or other system designed to provide uninterrupted service by managing service failures and planned downtime.
Hub and Spoke Distribution Model¶
A network distribution model shaped like a hub with spokes, like a bicycle wheel. This topology includes a hub or central network zone that manages ingress and egress (entrances and exits) between spokes, on-premise networks, and the Internet.
A Hub and Spoke Distribution Model can help companies save costs, but it does have a risk: if the hub fails, so does the entire system.
IaaS (Infrastructure as a Service)¶
A cloud computing service that includes compute, storage, and networking services that customers can access. Users can rent virtual machines of different configurations, on demand, for the time required. IaaS is often on-demand and pay-as-you-go. IaaS is one of the cloud computing service types along with PaaS (Platform as a Service) and SaaS (Software as a Service).
IAM (Identity and Access Management)¶
Processes, policy, and technologies to help manage digital identities. IAM frameworks enable IT personnel to make sure users in their organizations can safely and securely access systems and data they should be able to access and unauthorized users cannot access the system.
ICMP (Internet Control Message Protocol)¶
Network devices such as routers uses this protocol to communicate problems with data transmission ― whether data travels fast enough in a network.
IDA (Intrusion Detection System)¶
A system that monitors a network for suspicious activity or malware.
IDaaS (Identity as a Service)¶
A subscription service for IAM (Identity and Access Management). IDaaS helps ensure that authorized users can access systems while still keeping those systems secure. Okta and OneLogin are examples of IDaaS companies.
In-Band Management is the ability to administer a network via the LAN. See Out of Band (OOB).
The components or assets that make up a system. Architecture is the actual design of the system.
Traffic that enters a network. See egress. Firewalls examine ingress traffic for potential malware or other unauthorized access. A firewall permits instances to receive traffic from the Internet or specified IPv4/IPV6 CIDR ranges.
Investment Cost (in cloud networking)¶
The time, expertise, opportunity cost, and engineering effort required to adopt cloud.
IOS (iPhone Operating System)¶
The operating system for Apple devices such as the iPhone and Apple TV.
IoT (Internet of Things)¶
Physical objects or “things” that have software and other technology that connects them to the Internet. Internet of Things (IoT) connects and manages billions of devices.
IP (Internet Protocol) Address¶
A numeric or alphanumeric address assigned to every device connected to the Internet, from smartphones to computers. See CIDR to learn about how IP addresses are allocated or DNS to learn more about how IP addresses are translated to more-memorable domain names.
As the Internet grows bigger and more and more devices, systems, and machines become a part of it, more versions of assigning IP addresses appear. The Internet Engineering Task Force (IETF) created the sixth version, IPv6, in 1998.
IPS (Intrusion Prevention System)¶
A network security tool that blocks, reports, or blocks threats or intruders in a system.
IPsec (Internal Protocol Security)¶
A set of security protocols for IP (Internet Protocol) networks that are used together to set up encrypted connections between devices.
LAN (Local Area Network)¶
A group of two or more connected computers in one small geographic area, usually within the same building or campus. LANs can be connected across larger distances by WANs (Wide Area Networks).
The time it takes for a data packet to transfer across a network. Network administrators and IT personnel try to minimize latency as much as possible.
LDAP (Lightweight Direct Access Protocol)¶
A standard communications protocol used to read and write data to and from an Active Directory.
Line rate Gbps¶
The speed at which your router communicates with equipment at the other end of the line, measured in gigabytes per second.
MCNA (Multi-Cloud Networking Architecture)¶
Architecture that stores and supports multiple cloud computing and storage systems, both public (like Amazon Web Services (AWS)) and private. Multi-Cloud Networking Architecture gives companies greater security, flexibility, and opportunity to use multiple cloud systems instead of being dependent on one or trying to manage data and users across multiple separate systems.
The ability to treat the many network capabilities provided by Cloud Service Providers (CSPs) as one. A Multi-Cloud Networking solution achieves agility when it replaces the unique language of each individual cloud with more general terminology.
MFA (Multi-Factor Authentication)¶
An identification method that requires users to provide at least two “factors” (such as a username & password and a phone number) to log into a system or account. MFA increases the overall security of a system. See IAM.
NAT (Network Address Translation)¶
A security process that enables a local or private network to connect to the Internet but prevents Internet entities from connecting with the local network.
- NAT translates the IP addresses of the local network to their IP (Internet Protocol) addresses that enable them to connect with resources on the Internet.
- NAT can also mask a group of resources in the private network behind a single IP address so they cannot be distinguished from each other, providing extra security. This second function is sometimes called “NAT-ing” or “natting.”
NACL (Networking and Cryptography Library OR Network Access Control List)¶
The acronym NACL has two possible meanings in networking software:
- NaCL (“salt”) is a software library of resources for building cryptographic tools.
#. NACL (Network Access Control List) is part of the security layer for AWS (Amazon Web Services). This NACL is a layer of security that acts as a firewall for controlling traffic in and out of a subnet. Native (in software) Software or data formats designed to run on a specific operating system, such as an iPhone or Android. Companies have to decide whether to build native apps and software for each platform (which are more expensive to create and maintain) or use cross-platform software (which is easier to create and maintain but may not have the same quality or speed in each platform).
A collection of connected devices and software than share data. The biggest network is the Internet itself.
The danger of assuming that something in software, networking, or the Internet in general cannot change because it has not changed. For example, in the Y2K scare of the 1990s, engineers worried that the Internet would stop working when the date changed from “19__” to “20__.” Ossification prevents software from upgrading, adapting, or improving over time.
A holistic view of Cloud Network assets and Key Performance Indicators (KPIs) or important metrics. Network visibility technology provides deep insights into everything within and moving through customer’s enterprise network.
NLB (Network Load Balancing)¶
A technique that shares a resource over multiple network channels to divide a sending payload over components or segments. There are two types of Load Balancing: Layer 4 or Layer 7.
On-prem or on-premise¶
Software that is deployed or delivered on-premise: the servers, network connections, and other components are on the company’s property. Off-promise software such as cloud networking software can be accessed remotely.
On-premise software gives companies complete control over their software resources, but they are far more expensive to maintain.
OCI (Oracle Cloud Infrastructure)¶
OOB (Out of Band)¶
Activity outside a defined telecommunications frequency band, or, metaphorically, outside some other kind of activity. OOB provides a secure dedicated alternate access method into an IT network infrastructure to administer connected devices and IT assets without using the corporate LAN. See In-Band Management.
PaaS (Platform as a Service)¶
PBR (Policy-Based Routing)¶
A technique used in computer networks for forwarding and routing data according to pre-written policies or filter. PBR improves the efficiency of a network.
The process of free data sharing between two providers, services, or other Internet entities. Peering is one option other than transit or customer network traffic, where one network pays for access.
Ping is a program that helps you test the connectivity and speed between IP (Internet Protocol)-networked devices, such as your computer and the Internet. You can “ping” a website or device to test the latency or speed of the connection.
A set of rules for formatting and processing data in networking. Protocols enable computers to communicate with one another.
A hardware or software device that connects a local network to the Internet. Routers can combine the functions of hubs, modems, or switches.
In computer networking, a routing table is a data file often formatted as a table. A routing table contains a set of rules that determines where data packets from an Internet Protocol (IP) address should be routed.
SaaS (Software as a Service)¶
SAML (Security Assertion Markup Language)¶
SAML enables SSO (Single Sign-On), which enables a user to access multiple web applications using a single set of login credentials. SAML exchanges information between an identity provider (idP) who verifies the user’s identity, and each web application they can access. See SSO.
SD-WAN (Software-Defined Wide Area Network)¶
(Software-defined Wide Area Network) A software-defined wide area network (SD-WAN) connects local area networks (LANs) across large distances using controlling software that works with a variety of networking hardware.= and it is more flexible WAN architecture that can take advantage of multiple hardware platforms and connectivity option. See LAN (Local Area Network).
A method of structuring software architecture that separates certain subnets into mini-networks that work independently of each other. Segmentation is important for performance, monitoring, and security.
Single pane of glass¶
A software term that refers to a management tool that creates a single, unified view out of multiple data sources or interfaces. A single pane of glass gives you a comprehensive view and ability to manage complex and multi-layered systems.
SNAT (Source Network Address Translation)¶
SNI (Server Name Indication)¶
An extension of the TLS (Transport Layer Security) protocol that helps clients reach the correct website. SNI allows the server to safely host multiple TLS Certificates for multiple sites, all under a single IP address.
SSH (Secure Shell or Secure Socket Shell)¶
A method for secure remote login from one computer to another.
SSL (Secure Sockets Layer)¶
A protocol that provides privacy, authentication, and integrity to Internet communications. SSL eventually evolved into Transport Layer Security (TLS).
SSO (Single Sign-On)¶
Single Sign-On, a method of access and authentication which enables one user to access multiple web applications through one set of login credentials. SSO is a compromise between security (ensuring that both the user’s profile and each web account is password-protected) and ease-of-use (removing the requirement for users to memorize dozens of individual usernames and passwords).
A division of an Internet Protocol (IP) network into segments. Dividing networks into subnets helps each smaller network run more efficiently and be more secure. The simplest subnet is a point-to-point subnet which connects two devices.
The leading open-source threat detection engine. Suricata combines Intrusion Detection (IDS), Intrusion Prevention (IPS), and other tools to prevent attacks.
In networking, to “terminate” can mean to end or break a connection or to provide an endpoint for the connection.
An Infrastructure as Code (IaC) tool that enables you to build, maintain, change, and replicate infrastructure.
A type of computer system that is full set up and ready to use. A user should be able to metaphorically turn a key to start using the system’s hardware and software.
TCP (Transmission Control Protocol)¶
A standard for establishing and continuing network conversations or data exchanges between applications. TCP works with Internet Protocol (IP). See Internet Protocol (IP) Address.
TLS (Transport Layer Security)¶
A cryptographic protocol that provides end-to-end security for exchanging data over the Internet. TLS is the successor to SSL.
UDP (User Datagram Protocol)¶
A communications protocol that helps minimize latency (the time it takes to exchange data) and secure connections between Internet applications. UDP is a very common protocol for voice and video traffic.
Rate of innovation and ability to deliver new products to market.
VM (Virtual Machine)¶
A computer resource with its own operating system and functions that can run alongside similar resources (other Virtual Machines) on the same physical host machine. Computer networks connect Virtual Machines to other devices and Internet resources.
VPN (Virtual Private Network)¶
A network that creates a secure connection between multiple devices and the Internet using encryption. Companies will often have their own VPNs that act as sheltered spaces for their employees and contractors to work in. See VPN Tunnel.
VPN (Virtual Private Network) Tunnel¶
An encrypted link between your personal device(s) such as laptops or phones and an outside network. VPN Tunnels are secure connections. See VPN.
A software construct (such as a suite) which provides its services only for its own users. AWS is an example of a walled garden service: you must subscribe in order to use its resources.
WAN (Wide Area Network)¶
A network that connects devices and resources over a large geographic area. A WAN can connect multiple LANs (Local Area Networks). Note that now, Aviatrix uses the term “CloudN” instead of “CloudWAN.”
A lightweight API (Application Program Interface) that enables a one-way connection to share data. See API.
Zero Trust Model¶
A security framework that assumes there is no traditional network edge and requires all users to be authenticated and validated to enter a system. “Zero trust” means that this framework does not assume any user or application is automatically trustworthy.