feat(lab-02): complete Phase 3 - Network & VPC lab

Implement Lab 02 with Docker bridge networks simulating VPC/Subnets. Test Infrastructure (RED phase): - 6 bash test scripts for network creation, isolation, INF-02 compliance - Fail-fast orchestration with run-all-tests.sh - Quick validation script for development Documentation (Diátaxis framework): - 3 tutorials: VPC creation, container deployment, isolation verification - 4 how-to guides: create network, inspect config, test isolation, cleanup - 3 reference docs: Docker network commands, Compose syntax, VPC mapping - 1 explanation: Docker ↔ VPC parallels (PARA-01/02/03/04) Infrastructure (GREEN phase): - docker-compose.yml with VPC networks (10.0.1.0/24, 10.0.2.0/24) - 5 services: web, app, db, test-public, test-private - INF-02 compliant: 127.0.0.1 bindings only, no 0.0.0.0 - Private network with --internal flag - Multi-homed app container (public + private networks) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-25 17:26:35 +01:00
parent d4c4f7d717
commit 5b2c8c37aa
22 changed files with 3988 additions and 12 deletions
--- a/labs/lab-02-network/explanation/docker-network-vpc-parallels.md
+++ b/labs/lab-02-network/explanation/docker-network-vpc-parallels.md
@@ -0,0 +1,309 @@
+# Explanation: Parallelismi tra Docker Network e VPC Cloud
+
+In questo documento esploreremo come le reti Docker bridge simulano le VPC (Virtual Private Cloud) dei provider cloud. Comprendere questi parallelismi ti permettera di applicare le conoscenze acquisite localmente agli ambienti cloud reali.
+
+## Cos'è una VPC?
+
+**VPC (Virtual Private Cloud)** e una rete virtuale isolata nel cloud che:
+- **Isola le risorse**: Container/VM in VPC non comunicano con quelli fuori
+- **Definisce spazi IP**: Usa CIDR blocks (es. 10.0.0.0/16) per indirizzamento
+- **Segmenta in subnet**: Divide VPC in subnet (pubbliche/private) per organizzazione
+- **Controlla il routing**: Gateway, route tables, NAT per accesso internet
+
+AWS VPC, Azure VNet, Google Cloud VPC sono tutti basati sullo stesso concetto fondamentale.
+
+---
+
+## Il Parallelismo Fondamentale
+
+### Bridge Network = VPC
+
+| Locale | Cloud AWS |
+|--------|-----------|
+| `docker network create` | `aws ec2 create-vpc` |
+| Bridge network `lab02-vpc-public` | VPC `vpc-12345678` |
+| Subnet `10.0.1.0/24` | Subnet `subnet-abc123` |
+| Driver `bridge` | VPC本身 (implicito) |
+| `docker network ls` | `aws ec2 describe-vpcs` |
+
+**Similitudine:** Entrambi forniscono isolamento di rete e segmentazione IP.
+
+**Differenza:** VPC cloud supporta multi-AZ, multi-region; Docker bridge e single-host.
+
+### Subnet CIDR Blocks = Subnet Cloud
+
+| Locale | Cloud AWS |
+|--------|-----------|
+| `--subnet 10.0.1.0/24` | `--cidr-block 10.0.1.0/24` |
+| `--gateway 10.0.1.1` | Gateway predefinito subnet AWS |
+| `10.0.1.0/24` (254 host) | `10.0.1.0/24` (254 host) |
+| `10.0.0.0/16` (VPC completa) | `10.0.0.0/16` (VPC completa) |
+
+**Spiegazione:**
+- **CIDR Block**: Range di indirizzi IP (es. /24 = 254 host, /16 = 65534 host)
+- **Gateway**: Primo indirizzo usable della subnet (es. 10.0.1.1)
+- **Subnet pubblica**: Con route verso internet (Docker: senza `--internal`)
+- **Subnet privata**: Senza route verso internet (Docker: con `--internal`)
+
+### `--internal` Flag = Private Subnet (no IGW)
+
+| Locale | Cloud AWS |
+|--------|-----------|
+| `--internal` flag | No route to Internet Gateway |
+| Container non puo raggiungere internet | Instance in private subnet senza NAT |
+| Container non accessibile da host | Instance senza public IP |
+| DNS funziona solo internamente | DNS via Route 53 private |
+
+**Esempio Pratico:**
+
+```bash
+# Locale: Creare subnet privata
+docker network create --driver bridge \
+  --subnet 10.0.2.0/24 \
+  --internal \
+  lab02-vpc-private
+
+# Cloud Equivalente
+aws ec2 create-subnet \
+  --vpc-id vpc-12345 \
+  --cidr-block 10.0.2.0/24 \
+  --availability-zone us-east-1a
+# (Nessun Internet Gateway route = privata di default)
+```
+
+### Container = EC2 Instance
+
+| Locale | Cloud AWS |
+|--------|-----------|
+| Container `lab02-web` | EC2 instance `i-abc123` |
+| IP `10.0.1.10` nella rete | Private IP `10.0.1.10` nella subnet |
+| Container in multipli reti | Instance con multipli ENI |
+| `docker run` | `aws ec2 run-instances` |
+
+---
+
+## Esempio Pratico: Architettura Multi-Tier
+
+### Scenario Locale (Docker Compose)
+
+```yaml
+services:
+  # Web tier - public subnet
+  web:
+    image: nginx:alpine
+    networks:
+      - vpc-public
+    ports:
+      - "127.0.0.1:8080:80"  # INF-02 compliant
+
+  # Application tier - multi-homed
+  app:
+    image: myapp:latest
+    networks:
+      - vpc-public   # Accessibile da web
+      - vpc-private  # Puo raggiungere db
+
+  # Database tier - private subnet
+  db:
+    image: postgres:16
+    networks:
+      - vpc-private   # Solo app ci arriva
+    # Nessuna porta esposta
+```
+
+### Scenario Cloud AWS (Equivalente)
+
+```bash
+# 1. Crea VPC
+VPC_ID=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query 'Vpc.VpcId' --output text)
+
+# 2. Crea Internet Gateway
+IGW_ID=$(aws ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId' --output text)
+aws ec2 attach-internet-gateway --vpc-id $VPC_ID --internet-gateway-id $IGW_ID
+
+# 3. Crea Public Subnet
+PUBLIC_SUBNET=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.1.0/24 --availability-zone us-east-1a --query 'Subnet.SubnetId' --output text)
+
+# 4. Crea Private Subnet (no IGW route)
+PRIVATE_SUBNET=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block 10.0.2.0/24 --availability-zone us-east-1a --query 'Subnet.SubnetId' --output text)
+
+# 5. Crea Security Groups
+WEB_SG=$(aws ec2 create-security-group --group-name web-sg --description "Web tier" --vpc-id $VPC_ID)
+DB_SG=$(aws ec2 create-security-group --group-name db-sg --description "DB tier" --vpc-id $VPC_ID)
+
+# 6. Lancio istanze
+aws ec2 run-instances --image-id ami-12345 --instance-type t3.micro --subnet-id $PUBLIC_SUBNET --security-group-ids $WEB_SG
+aws ec2 run-instances --image-id ami-67890 --instance-type t3.micro --subnet-id $PRIVATE_SUBNET --security-group-ids $DB_SG
+```
+
+**Parallelismo Chiave:**
+- **Web tier**: Subnet pubblica, Security Group con porta 80 aperta
+- **Database tier**: Subnet privata, Security Group senza accesso esterno
+- **App tier**: Entrambe le subnet (simulato da container multi-homed)
+
+---
+
+## Comandi Equivalenti: Quick Reference
+
+| Operazione | Locale (Docker) | Cloud (AWS) |
+|------------|------------------|-------------|
+| **Crea rete** | `docker network create --driver bridge --subnet 10.0.1.0/24 vpc-main` | `aws ec2 create-vpc --cidr-block 10.0.0.0/16` |
+| **Aggiungi subnet** | `--subnet 10.0.1.0/24` | `aws ec2 create-subnet --vpc-id VPC_ID --cidr-block 10.0.1.0/24` |
+| **Lista reti** | `docker network ls` | `aws ec2 describe-vpcs` |
+| **Ispeziona rete** | `docker network inspect vpc-main` | `aws ec2 describe-vpcs --vpc-ids VPC_ID` |
+| **Collega a rete** | `docker network connect vpc-main container` | `aws ec2 attach-network-interface --network-interface-id ENI_ID --instance-id INSTANCE_ID` |
+| **Rimuovi rete** | `docker network rm vpc-main` | `aws ec2 delete-vpc --vpc-id VPC_ID` |
+| **Container in rete** | `docker run --network vpc-main nginx` | `aws ec2 run-instances --subnet-id SUBNET_ID` |
+
+---
+
+## Differenze tra Locale e Cloud
+
+### 1. Scope e Scalabilita
+
+| Aspetto | Locale | Cloud |
+|---------|--------|-------|
+| Host scope | Singolo host | Multi-AZ, multi-region |
+| Isolamento | Kernel namespaces | VPC isolation + AZ fisica |
+| Scalabilita | Limitato a host | Scale orizzontale across AZ |
+
+**Implicazione:** Nel cloud, puoi espandere VPC across Availability Zone. Localmente, limitato al singolo host.
+
+### 2. Routing Avanzato
+
+| Aspetto | Locale | Cloud |
+|---------|--------|-------|
+| Internet access | NAT/port mapping through host | Internet Gateway, NAT Gateway |
+| Inter-VPC | Docker network connect | VPC Peering, Transit Gateway |
+| DNS resolution | Embedded Docker DNS | Route 53, private zones |
+| Firewall | No firewall (bridge isolation) | Security Groups, NACLs |
+
+**Esempio Cloud (non possibile localmente):**
+```json
+{
+  "RouteTable": {
+    "10.0.0.0/16": "local",
+    "0.0.0.0/0": "igw-123456",  // Internet Gateway
+    "192.168.0.0/16": "vpc-peering-abc"
+  }
+}
+```
+
+### 3. Alta Disponibilita
+
+| Aspetto | Locale | Cloud |
+|---------|--------|-------|
+| Multi-AZ | Non disponibile | Subnets in multiple AZs |
+| Failover | Host failure = all down | AZ failure = other AZs continue |
+| Load balancing | Docker Swarm (limitato) | Elastic Load Balancer |
+
+### 4. Gestione IP
+
+| Aspetto | Locale | Cloud |
+|---------|--------|-------|
+| IP allocation | Automatico da bridge IPAM | EC2 automatico o Elastic IP |
+| DNS registration | Automatico (embedded DNS) | Route 53 A records |
+| Private DNS | `.docker` network | Route 53 private hosted zones |
+
+---
+
+## Best Practices Cloud (Applicabili Localmente)
+
+### 1. Usa Subnet per Livello
+
+**Cloud:** Web tier in public, Database tier in private
+**Locale:** Stesso pattern con reti Docker
+
+```yaml
+services:
+  web:
+    networks: [vpc-public]
+  db:
+    networks: [vpc-private]
+```
+
+### 2. Non Esporre Servizi Privati
+
+**Cloud:** Nessun Internet Gateway per private subnets
+**Locale:** `--internal` flag + nessuna porta pubblicata
+
+```yaml
+services:
+  db:
+    networks:
+      vpc-private:
+        internal: true
+    # Nessuna sezione ports
+```
+
+### 3. USA CIDR Non Overlapping
+
+**Cloud:** Subnet VPC non si sovrappongono
+**Locale:** Stesso - usa CIDR diversi per ogni rete
+
+```bash
+docker network create --subnet 10.0.1.0/24 net1
+docker network create --subnet 10.0.2.0/24 net2  # Diversa da net1
+```
+
+### 4. Naming Consistente
+
+**Cloud:** `prod-app-public-1a`, `prod-db-private-1b`
+**Locale:** Usa pattern simile per chiarezza
+
+```bash
+docker network create lab02-vpc-public
+docker network create lab02-vpc-private
+```
+
+---
+
+## Limitazioni di Docker vs Cloud
+
+### Cosa Manca in Docker
+
+| Funzionalita Cloud | Docker Alternativa | Gap |
+|-------------------|-------------------|-----|
+| Multi-AZ | Multi-host Swarm | Completamente diverso |
+| VPC Peering | `docker network connect` | Funge ma non peering VPC |
+| NAT Gateway | Port mapping `127.0.0.1:PORT` | Solo singolo host |
+| Network ACLs | Non disponibile | Nessun controllo granulare |
+| VPC Flow Logs | Non disponibile | No logging rete |
+| VPN Gateway | Non disponibile | Nessuna VPN |
+
+### Quando Docker e Sufficiente
+
+Docker networks sono perfetti per:
+- Sviluppo locale di architetture cloud
+- Testing isolamento multi-tier
+- Simulare VPC topology prima di deployment
+- Learning e prototipazione
+
+Usa cloud AWS/Azure/GCP per:
+- Produzione multi-AZ
+- Alta disponibilita
+- Networking avanzato (VPN, Direct Connect, etc.)
+
+---
+
+## Conclusione
+
+Le reti Docker bridge seguono gli stessi principi fondamentali delle VPC cloud: isolamento, segmentazione IP, e controllo dell'accesso. I concetti che hai imparato localmente si applicano direttamente ad AWS VPC, Azure VNet, e Google Cloud VPC.
+
+Quando lavorerai con VPC cloud, ricorda:
+- **Docker Bridge Network** = **VPC** (rete isolata)
+- **Subnet (--subnet CIDR)** = **Subnet Cloud** (segmento IP)
+- **`--internal` flag** = **Private Subnet** (no route a internet)
+- **Container in network** = **EC2 in subnet** (entita nella rete)
+- **`docker network connect`** = **Attach Network Interface** (collegamento rete)
+
+Comprendendo questi parallelismi, sarai in grado di progettare architetture cloud sicure usando le competenze acquisite localmente.
+
+---
+
+## Approfondimenti
+
+- [AWS VPC Documentation](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html)
+- [AWS VPC Best Practices](https://docs.aws.amazon.com/vpc/latest/userguide/best-practices.html)
+- [Tutorial: Creare Reti VPC](../tutorial/01-create-vpc-networks.md)
+- [Reference: VPC Mapping](../reference/vpc-network-mapping.md)