feat(lab-02): complete Phase 3 - Network & VPC lab

Implement Lab 02 with Docker bridge networks simulating VPC/Subnets.

Test Infrastructure (RED phase):
- 6 bash test scripts for network creation, isolation, INF-02 compliance
- Fail-fast orchestration with run-all-tests.sh
- Quick validation script for development

Documentation (Diátaxis framework):
- 3 tutorials: VPC creation, container deployment, isolation verification
- 4 how-to guides: create network, inspect config, test isolation, cleanup
- 3 reference docs: Docker network commands, Compose syntax, VPC mapping
- 1 explanation: Docker ↔ VPC parallels (PARA-01/02/03/04)

Infrastructure (GREEN phase):
- docker-compose.yml with VPC networks (10.0.1.0/24, 10.0.2.0/24)
- 5 services: web, app, db, test-public, test-private
- INF-02 compliant: 127.0.0.1 bindings only, no 0.0.0.0
- Private network with --internal flag
- Multi-homed app container (public + private networks)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

labs/lab-02-network/reference/vpc-network-mapping.md

@@ -0,0 +1,125 @@
+# Reference: Mapping VPC Docker Network
+
+Tabella di riferimento rapido per i parallelismi tra reti Docker e VPC cloud.
+
+## Tabella Parallelismi Principali
+
+| Concetto Docker | AWS VPC Equivalente | Descrizione |
+|-----------------|---------------------|-------------|
+| Bridge Network | VPC | Rete virtuale isolata |
+| Subnet (10.0.x.0/24) | Subnet CIDR | Segmento IP all'interno VPC |
+| Container | EC2 Instance | Entita di calcolo nella rete |
+| `--internal` flag | Private Subnet (no IGW) | Isolamento da internet |
+| `--gateway` | Subnet Gateway | Gateway predefinito subnet |
+| DNS embedded | Route 53 Resolver | Risoluzione nomi |
+| `docker network connect` | Attach Network Interface | Collegamento a rete |
+| Port mapping (`8080:80`) | Security Group + NAT | Regole accesso + NAT |
+
+## Comandi a Confronto
+
+### Creazione VPC/Subnet
+
+| Operazione Locale | Comando AWS |
+|-------------------|-------------|
+| `docker network create --driver bridge --subnet 10.0.1.0/24 vpc-main` | `aws ec2 create-vpc --cidr-block 10.0.0.0/16` |
+| `--subnet 10.0.1.0/24 --gateway 10.0.1.1` | `aws ec2 create-subnet --vpc-id VPC_ID --cidr-block 10.0.1.0/24` |
+| `--internal` | No route to Internet Gateway |
+
+### Gestione Reti
+
+| Operazione Locale | Comando AWS |
+|-------------------|-------------|
+| `docker network ls` | `aws ec2 describe-vpcs` |
+| `docker network inspect vpc-main` | `aws ec2 describe-vpcs --vpc-ids VPC_ID` |
+| `docker network rm vpc-main` | `aws ec2 delete-vpc --vpc-id VPC_ID` |
+
+### Container in Rete
+
+| Operazione Locale | Comando AWS |
+|-------------------|-------------|
+| `docker run --network vpc-main nginx` | `aws ec2 run-instances --subnet-id SUBNET_ID` |
+| `docker network connect vpc-main container` | `aws ec2 attach-network-interface` |
+| `docker network disconnect vpc-main container` | `aws ec2 detach-network-interface` |
+
+## CIDR Blocks Standard
+
+| Tipo Locale | Cloud CIDR | Uso |
+|-------------|------------|-----|
+| `10.0.0.0/16` | `10.0.0.0/16` | VPC principale |
+| `10.0.1.0/24` | `10.0.1.0/24` | Public subnet (1a) |
+| `10.0.2.0/24` | `10.0.2.0/24` | Private subnet (1a) |
+| `10.0.3.0/24` | `10.0.3.0/24` | Private subnet (1b) |
+| `10.0.4.0/24` | `10.0.4.0/24` | Public subnet (1b) |
+
+## Nomenclatura Cloud (PARA-02)
+
+### Pattern di Naming
+
+```
+[Rolle]-[Ambiente]-[Tipo]-[Zona]
+
+Esempi:
+  lab02-vpc-public       (VPC pubblica lab)
+  lab02-vpc-private      (VPC privata lab)
+  prod-vpc-main          (VPC produzione)
+  dev-app-public-1a       (Public subnet dev, AZ 1a)
+```
+
+### Tag Docker Networks
+
+```bash
+# Aggiungi metadata alle reti
+docker network create \
+  --label env=development \
+  --label tier=frontend \
+  --label owner=lab02 \
+  frontend-network
+```
+
+## Security Groups ↔ Docker Isolation
+
+| Security Group AWS | Docker Equivalente |
+|--------------------|---------------------|
+| All traffic from SG | Containers in same network |
+| No ingress rules | `--internal` network |
+| Specific port allow | Port mapping `127.0.0.1:PORT:CONTAINER` |
+| SG reference type | Multi-network container |
+
+## Routing AWS ↔ Docker Bridge
+
+| AWS Route | Docker Bridge |
+|-----------|---------------|
+| Internet Gateway | Container host routing |
+| NAT Gateway | Container port mapping |
+| VPC Peering | `docker network connect` (shared) |
+| Transit Gateway | Multi-network container (router) |
+
+## Limitazioni
+
+| Aspetto | Docker Locale | AWS Cloud |
+|---------|---------------|-----------|
+| Host scope | Singolo host | Multi-AZ, multi-region |
+| External access | NAT/Port mapping | Internet Gateway, NAT Gateway |
+| DNS resolution | Embedded DNS | Route 53 |
+| Network ACL | Non disponibile | Network ACLs disponibili |
+| Flow logs | Non disponibile | VPC Flow Logs disponibili |
+
+## Comandi Utili
+
+```bash
+# Verifica subnet di una rete
+docker network inspect vpc-public --format '{{range .IPAM.Config}}{{.Subnet}}{{end}}'
+
+# Trova container per IP
+docker ps -q | xargs docker inspect --format '{{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}{{.Name}}'
+
+# Simula VPC topology multi-tier
+docker network create --subnet 10.0.1.0/24 public
+docker network create --subnet 10.0.2.0/24 private
+docker network create --subnet 10.0.3.0/24 data
+```
+
+## Vedi Anche
+
+- [Explanation: Docker VPC Parallels](../explanation/docker-network-vpc-parallels.md)
+- [How-To: Create Custom Network](../how-to-guides/create-custom-network.md)