DEV Community

Cover image for Solved: Quality of engineers is really going down
Darian Vance
Darian Vance

Posted on • Originally published at wp.me

Solved: Quality of engineers is really going down

#devops #programming #tutorial #cloud

🚀 Executive Summary

TL;DR: Junior engineers often misdiagnose network connectivity issues, mistaking firewall or security group restrictions for general ‘network problems.’ The core solution involves understanding the Principle of Least Privilege and implementing precise firewall rules, with senior engineers providing crucial mentorship on these fundamentals.

🎯 Key Takeaways

  • The ‘Principle of Least Privilege’ dictates that systems should deny all traffic by default, requiring explicit allow rules via firewalls (e.g., iptables, AWS Security Groups).
  • Most ‘network’ connectivity problems between applications and databases stem from misconfigured or missing firewall/security group rules, not inherent network failures.
  • A quick diagnostic involves temporarily opening the target port to 0.0.0.0/0 to confirm firewall blockage, but this rule must be immediately reverted due to severe security risks.
  • The correct, production-ready solution is to create specific firewall rules, ideally using Security Group IDs in cloud environments for dynamic access control, or specific private IP addresses.
  • Addressing the perceived decline in engineer quality requires senior engineers to mentor juniors on foundational networking and security principles, rather than simply blaming their lack of knowledge.

Are junior engineers getting worse, or are we failing to teach the fundamentals? A senior engineer breaks down the most common “It’s the network!” problem and how to actually fix it, saving everyone a 2 AM PagerDuty call.

Is Engineer Quality Really Dropping? Or Are We Forgetting the Basics?

It was 2 AM. PagerDuty was screaming its demonic little head off. The on-call junior, bless his heart, swore the primary database on prod-db-01 was down. He’d checked the monitoring, he’d tried to connect, nothing. I rolled out of bed, logged in, and ran a simple psql command from my bastion host. The database was fine, humming along, happy as a clam. The problem? His new microservice deployment had a new IP, and nobody updated the database’s security group. The app was screaming into the void, and the database was dutifully ignoring it, just like it was designed to. This isn’t a rare story. It’s the kind of thing that makes senior engineers grumpy and fuels Reddit threads about the “declining quality of engineers.”

It’s Not the Network, It’s You(r Firewall)

Look, I get it. In the cloud era, the “network” is a nebulous concept. It’s all APIs and virtual constructs. But underneath all that abstraction, the old rules still apply. The most important one is the Principle of Least Privilege. By default, servers should reject all incoming traffic. We explicitly grant access only to the things that absolutely need it. This is why we have firewalls, whether it’s iptables on a Linux box, Windows Firewall, or an AWS Security Group.

The core issue I see time and time again is a fundamental misunderstanding of this principle. The default state is “denied.” Your application can’t connect because you haven’t explicitly created a rule to allow it. It’s not broken; it’s working exactly as intended. The system is secure by default, and you need to poke a very specific, intentional hole in it.

Okay, How Do I Fix It Without Waking Me Up?

When your app can’t talk to your database, don’t just throw your hands up and blame “the network.” Follow a logical process. 9 times out of 10, it’s a firewall or security group rule. Here are the three ways to tackle it, from quick-and-dirty to the proper, production-ready fix.

Solution 1: The “Is This Thing On?” Test

This is your first diagnostic step. The goal is to prove, definitively, that the problem is a network access rule. We do this by temporarily opening the port to the entire internet. I cannot stress the word “temporarily” enough. This is like leaving your front door wide open while you check if the doorbell works.

On a traditional Linux server, you might do this:

# Assuming Postgres on port 5432 and using UFW
sudo ufw allow 5432/tcp
Enter fullscreen mode Exit fullscreen mode

In AWS, this means adding an Inbound Rule to the database’s Security Group with the source set to 0.0.0.0/0. If your application suddenly connects, you’ve found your culprit. It was the firewall all along. Now, immediately undo this change.

Warning: Never, ever, under any circumstances, leave a rule like this in place on a production system. Especially not for a database. This is a five-minute diagnostic tool, not a solution. Leaving a database open to the world is how you end up on the news.

Solution 2: The “Grown-Up” Rule

This is the permanent, correct fix. You need to create a specific rule that allows your application server, and *only* your application server, to talk to the database on the required port.

The best way to do this in a cloud environment like AWS is to use Security Group IDs as your source. Instead of an IP address, you tell the database’s security group (db-prod-sg) to accept traffic from the application’s security group (app-prod-web-sg). This is dynamic and scalable; if you launch ten more app servers in that group, they automatically get access.

Here’s what that looks like in a tool like Terraform:

resource "aws_security_group_rule" "allow_app_to_db" {
  type                     = "ingress"
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
  source_security_group_id = "sg-012345abcdef123" # ID of your app's SG
  security_group_id        = "sg-fedcba543210fedc" # ID of your DB's SG
  description              = "Allow Postgres traffic from App SG"
}
Enter fullscreen mode Exit fullscreen mode

If you’re not using security groups, you’d use the specific private IP address of the application server (e.g., 10.10.1.50/32). This is less flexible but still secure.

Solution 3: The “I Give Up” (Don’t Actually Do This)

I’m including this for completeness and as a cautionary tale. This is the “nuclear option.” It involves completely disabling the firewall. On a Linux server, this would be a command like sudo ufw disable. In the cloud, it’s creating a rule that allows ALL traffic from ALL sources (0.0.0.0/0) on ALL ports.

Why is this a terrible idea? You’ve just connected every single port on your server—your SSH, your database, your app admin endpoints, everything—to the entire global internet. Automated scanners will find it and start hammering it within minutes. It’s not a question of *if* you’ll be compromised, but *when*.

Pro Tip: The only time this is even remotely acceptable is on a brand new, non-production, completely isolated virtual machine that you’re about to delete anyway, just to rule out a fundamentally broken firewall daemon. Doing this in any shared or persistent environment is a fireable offense in my book.

This Isn’t About ‘Quality’, It’s About Mentorship

So, is the quality of engineers going down? I don’t think so. The landscape is just more complex. Abstractions like the cloud hide the foundational layers. New engineers aren’t “worse,” they’ve just never been forced to learn how a TCP handshake works or what a stateful firewall does. Blaming them is easy. The real job of a senior engineer isn’t to complain on Reddit—it’s to sit down with that junior, explain *why* the firewall blocked them, and show them how to build the right rule. That’s how we actually raise the bar.

Darian Vance

👉 Read the original article on TechResolve.blog

☕ Support my work

If this article helped you, you can buy me a coffee:

👉 https://buymeacoffee.com/darianvance

Top comments (0)