Architecture Glossary (Alphabetical)

About this article

This article is the terminology reference for the series “Architecture Crash Course for the Generative-AI Era.” Each article also adds 1-line explanations to first-mentioned terms, so no need to return here every time. Use as an index when wanting an overall overview or searching for related articles.

Due to volume, searching via browser search (Ctrl+F / Cmd+F) is efficient.

flowchart LR
    USE([Reading article<br/>term unclear]) --> CHECK{1-line explanation<br/>in each article?}
    CHECK -->|yes| INLINE[Understand via<br/>parenthetical in body]
    CHECK -->|no or overview| ALPHA[Search from<br/>alphabetical A-Z]
    INLINE --> CONTINUE([Continue article])
    ALPHA --> RELATED[Related-article links<br/>for deeper dive]
    RELATED --> CONTINUE
    classDef start fill:#fef3c7,stroke:#d97706;
    classDef inline fill:#dbeafe,stroke:#2563eb;
    classDef ref fill:#fae8ff,stroke:#a21caf;
    class USE start;
    class INLINE,CONTINUE inline;
    class ALPHA,RELATED ref;

Overview articles per category

Alphabetical (A-Z)

A

• A11y - Abbreviation of Accessibility, written A11y because there are 11 letters between “a” and “y.” Refers to the state where everyone, including users with visual, auditory, or motor-function constraints, can use the Web. Representative elements are screen-reader support, keyboard-only operability, sufficient contrast ratio, and image alt text. Subject to legal regulations like the US ADA and European EAA, requiring consideration from the initial design stage on corporate sites
• ABAC - Attribute-Based Access Control. The model dynamically judging authorization by combining multiple attributes like user’s department, role, location, time of day, and resource confidentiality classification. Declaratively writes policies in XACML or OPA (Rego), handling complex conditions hard for RBAC to express (“only referenceable from HQ IP during business hours” etc.). Highly flexible but heavy in policy design and operational load - often narrowing application scope
• ACID - Acronym of Atomicity, Consistency, Isolation, Durability. The 4 properties of integrity guarantee provided by RDBs, premise for handling “data that absolutely mustn’t be off” like bank balances and inventory. Means strong guarantees of treating multiple updates as one unit (all succeed or all fail), not affecting each other even with concurrent execution, and not disappearing on crash post-commit
• AD - Active Directory. Microsoft’s internal-ID / auth foundation, integrating user / group / PC / Group Policy management of Windows domains. Standardly adopted in many Japanese companies’ on-premises environments, with the recent mainstream being hybrid composition co-using cloud version Azure AD (now Microsoft Entra ID). Becomes the foundation of SSO / MFA / conditional access
• ADM - Architecture Development Method. The phased approach of 8 phases A-H defined by TOGAF, the representative EA framework. Proceeds company-wide IT transformation in the order of vision definition → business / data / app / tech architecture design → migration plan → implementation governance. Heavy and large-enterprise-oriented, but the thinking helps mid-size projects too
• ADR - Architecture Decision Record. The custom of briefly documenting “why that design was chosen” with one file per decision, generally placed in Git repos as Markdown. To prevent the accident “why is this like this?” half a year later, leaves the decision, background, considered alternatives, and tradeoffs. Lets you trace decision premises on reconsideration
• APM - Application Performance Monitoring. Tools visualizing application response time, throughput, error rate, and where it’s slow on request paths. Representative examples are Datadog APM, New Relic, Dynatrace, AWS X-Ray. Integrally provides distributed tracing, code-level profiling, and exception aggregation, dramatically shortening time to root-cause identification on performance trouble
• AuthN / AuthZ - Abbreviations of Authentication (confirming “who you are”) and Authorization (judging “what you may do”). Often confused but separate concepts: authentication confirms identity via password/MFA/passkey etc., authorization judges permissions via RBAC/ABAC. Easier to organize as OAuth = authorization, OIDC = authentication

B

• BA / DA / AA / TA - Business / Data / Application / Technology Architecture’s 4 layers, the standard structuring viewpoints of Enterprise Architecture (EA). The thinking aligning from top to bottom: business processes (BA) → handled data (DA) → realizing apps (AA) → running foundation (TA). Clearly defined in frameworks like TOGAF, becoming common language when drawing the company-wide IT map
• BASE - Acronym of Basically Available, Soft state, Eventual consistency. The distributed-NoSQL consistency model opposite to ACID, prioritizing availability and scalability while tolerating temporary inconsistency. The thinking widely adopted in the generation of Amazon DynamoDB and Cassandra
• BCP - Business Continuity Plan. The plan pre-deciding which operations to recover in what order to where on operational stops from earthquakes, cyber attacks, or large-scale failures. Define RPO (allowed data loss) and RTO (allowed stoppage) per operation, designing as set with backup strategies, DR-site composition, and alternative procedures
• BFF - Backend for Frontend. The thin server layer placed dedicated to frontend, aggregating and shaping data fetched from multiple microservices into screen-optimized form. When mobile apps and Web need different data shapes, placing dedicated BFFs for each optimizes without polluting the main API. Good chemistry with GraphQL and tRPC
• Blue/Green deploy - The release method of separately preparing a standby environment (Green) of the same composition as production (Blue), deploying the new version to the Green side and then switching routing all at once. On problems, just return routing for instant rollback, and downtime can theoretically be zero. The cost is needing 2x infrastructure temporarily
• Bounded Context - The core concept of DDD (Domain-Driven Design), referring to the boundary where specific terms / models have consistent meaning. For example, treating “customer” as different things in sales vs billing context. Also used as the criterion for microservice-splitting units, becoming a compass preventing inappropriate splitting
• BPMN - Business Process Model and Notation. The international-standard notation (formulated by OMG) expressing business processes with symbols of start, end, task, branch, parallel, etc. Widely used in business systems and workflow design as the common language for business and dev sides confirming requirements while seeing the same diagrams

C

• CAP theorem - The theorem by Eric Brewer that distributed systems can’t simultaneously satisfy 3 of Consistency, Availability, and Partition-tolerance. Since network partition is unavoidable in real environments, reality is tradeoff selection of “CP-leaning” or “AP-leaning.” Premise knowledge for NoSQL selection and distributed-DB design
• CDC - Change Data Capture. The technology real-time-extracting changes (INSERT/UPDATE/DELETE) from DB transaction logs and streaming to other systems. Debezium, AWS DMS, and Fivetran HVR are representatives, used in DWH integration, cache invalidation, and inter-microservice data sync. The strength is propagating changes without changing app side
• CDN - Content Delivery Network. The mechanism delivering content from edge servers placed worldwide at points near users, realizing latency reduction and origin-server load reduction. CloudFront, Cloudflare, Akamai, Fastly are representatives. Beyond static files, also used for API caching, WAF, and edge-function execution foundations
• CI / CD - Continuous Integration and Continuous Delivery / Deployment. CI is activity of “early-detecting broken state” by auto-running build and tests on every push, CD points to auto-delivery to staging and production beyond that. GitHub Actions, GitLab CI, CircleCI, Jenkins are representative tools - the de facto for modern development
• CIO / CDO / CTO / CISO - Chief Information / Data / Technology / Information Security Officer. Management-level IT-related roles - CIO oversees in-house IT, CDO oversees data strategy, CTO oversees tech strategy / product tech, CISO oversees information security. Boundaries vary by organization: in some companies the CTO holds final architecture responsibility, in others a separate Chief Architect is appointed
• Clean Architecture - The architecture pattern proposed by Robert C. Martin (Uncle Bob) controlling dependency direction toward the inner domain layer. Places entities and use cases in inner concentric circles and UI/DB/framework outside, thoroughly enforcing the rule that outside depends on inside. Strong on framework swap and test ease, but easily becomes excessive for the scale at hand - apply where it fits
• CNCF - Cloud Native Computing Foundation. Industry organization under Linux Foundation, handling standardization and ecosystem cultivation of cloud-native technologies like Kubernetes, Prometheus, Envoy, etcd, and Helm. Manages projects in stages of Sandbox → Incubating → Graduated, also referenced as a tech-selection-reliability indicator
• Conway’s Law - The empirical rule by Melvin Conway: “Organizations designing systems produce designs reflecting the organization’s communication structure as is.” Refers to the phenomenon where 3-team builds produce 3-layer-structure systems - the inverse “reverse Conway strategy” of changing the org to match desired architecture has also been proposed
• CORS - Cross-Origin Resource Sharing. The browser security mechanism preflight-controlling JS requests between different origins (protocol + domain + port). Without server-side explicit permission via headers like Access-Control-Allow-Origin, rejected. One of the representative trip-up troubles in frontend dev
• CQRS - Command Query Responsibility Segregation. The design pattern separating models / storage between writes (Command) and reads (Query). By making the read side a denormalized read model, reference performance is optimized - often used combined with Event Sourcing. Complexity increases, so the iron rule is applying only to truly-needed aggregates
• CSP - Content Security Policy. The HTTP response header making browsers restrict scripts / styles / image sources. The defense largely suppressing XSS impact, listing allowed sources like script-src 'self'. Misconfiguration blocks legitimate scripts and breaks screens, so phased introduction in report mode is standard
• CSR - Client Side Rendering. The method where servers return near-empty HTML and JS bundles, with browser-side JS execution composing screens. SPA in React or Vue is representative - the experiential speed of page transitions is fast, but initial display, SEO, and display-start slowness on low-spec devices are weaknesses
• CSRF - Cross-Site Request Forgery. The attack of luring logged-in users to trap sites and having them perform unintended operations (transfers, password changes, etc.). Standard countermeasures: embed CSRF tokens, SameSite Cookie, Origin/Referer verification. Required for Web apps with form submissions
• CVE / CVSS - CVE is Common Vulnerabilities and Exposures, the system assigning each vulnerability a global ID like CVE-2024-XXXX. CVSS is Common Vulnerability Scoring System, the evaluation criterion numerically expressing severity from 0.0 to 10.0. Foundational terms widely used in vulnerability-management tools and news

D

• DAG - Directed Acyclic Graph. Graph structure where arrows (dependency direction) flow one-way without cycles. Frequent in scenes handling “dependencies with order” like Airflow job workflows, distributed-trace span structures, and build-tool dependency resolution - basic data structure
• DAST - Dynamic Application Security Testing. The method actually running apps and sending HTTP requests externally to detect vulnerabilities. OWASP ZAP, Burp Suite, and Nikto are representative tools, complementing runtime issues missed by SAST (static analysis). Basic to periodically run against staging rather than production
• DDD - Domain-Driven Design. The design philosophy treating business knowledge (domain) as first-class citizen of code, based on Eric Evans’s same-name book. Combines tactical patterns of Ubiquitous Language (common terminology between business and dev), Bounded Context, Aggregate, Repository. Shows true value in complex business systems
• DDoS - Distributed Denial of Service. The attack sending requests en masse from many devices (botnet) to drive services to stoppage. Standard is absorbing via CDN / WAF / dedicated mitigation services (AWS Shield, Cloudflare) - bandwidth / PPS so massive that app-side scaling alone can’t handle
• DNS - Domain Name System. The distributed directory service converting domain names to IP addresses. Performs name resolution in hierarchical structure (root → TLD → authoritative server) with TTL caching. The basic knowledge where “DNS changes don’t reflect” is mostly resolved by understanding TTL and cache
• Docker - The representative tool generalizing container virtualization, bundling applications and dependent libraries / OS settings into one image for distribution. The revolutionary technology resolving “works in my env but not production,” now the foundation of Kubernetes and modern infrastructure. Dockerfile, Compose, and registries are basic concepts
• DR - Disaster Recovery. All efforts to recover data and systems from fatal events like earthquakes, large-scale failures, and data-center loss. While BCP is the whole-business continuity plan, DR focuses on IT. Multi-region composition, periodic failover drills, and RTO/RPO setting are central
• DWH - Data Warehouse. The foundation integrating and accumulating data extracted from business systems into analyzable form. Google BigQuery, Snowflake, Amazon Redshift, and Databricks are representatives, accelerating large-scale aggregation via columnar storage and distributed execution. Foundation for BI tools, reports, and data science

E

• EA - Enterprise Architecture. The activity systematically organizing the company’s IT assets, business processes, data, and tech foundations and aligning with management strategy. Expressed in 4 layers of BA/DA/AA/TA, with TOGAF, Zachman, and FEA as representative frameworks. The foundation for mid-long-term IT investment decisions
• EDA - Event-Driven Architecture. The structure of inter-service loose-coupled linkage via event (facts like “order confirmed”) publish/subscribe rather than direct calls. Premise messaging foundations like Kafka, Kinesis, and Pub/Sub. Excellent in scalability and fault tolerance, but debugging and consistency assurance are difficult
• ELT - Extract, Load, Transform. The method loading data into DWH first then transforming - the era’s flow of leveraging cloud-DWH compute power. With dbt (Data Build Tool) spread, SQL-based Transform standardized. The thinking shifted from ETL era’s “organize before loading” to “load first, organize later”
• ETL - Extract, Transform, Load. The traditional method integrating in order of extracting from data sources → transforming → loading to DWH. The style of building jobs in dedicated ETL tools (Informatica, Talend, Pentaho), the mainstream of on-prem DWH era. Still active in legacy DB integration
• Eval (LLM Eval) - The technique quantitatively/qualitatively evaluating LLM output quality. The LLMOps standard of building into CI to auto-detect output degradation on prompt changes or model swaps. Combines BLEU, ROUGE, LLM-as-a-judge, and manual review, turning regression-detection and continuous-improvement cycles
• Eventual Consistency - The distributed-system consistency model temporarily allowing data inconsistency but always converging given enough time. The realistic answer widely adopted in NoSQL and CDN caches, excellent in scale and availability vs strong consistency. Suited for requirements like “delayed instant reflection of product reviews by seconds is OK”

F

• FaaS - Function as a Service. The cloud service uploading code per function, executed only on request and billed on usage. AWS Lambda, Google Cloud Functions, Azure Functions are representatives. No server management needed, suited for low-traffic APIs / event processing / batches, but with cold-start and long-execution constraints
• Feature Flag - The mechanism dynamically toggling features without code deploys. With dedicated services like LaunchDarkly and Split.io, realizes A/B tests, phased rollouts, “preview release to specific customers only” etc. Good chemistry with trunk-based development (direct main commits), enabling operations of merging unfinished features to production without showing users
• FIDO2 / WebAuthn - The phishing-resistant public-key-based auth standard formulated by FIDO Alliance and W3C. The mechanism storing private keys inside devices and registering only public keys server-side, becoming the technology foundation of Passkey. Password leaks and man-in-the-middle attacks principally don’t hold
• FinOps - Financial Operations. The culture and practice of continuously optimizing cloud cost as operational work, not “aggregating after using up.” Tag-based cost allocation, leveraging Reserved Instance / Savings Plan, and unused-resource inventory - engineers, finance, and management cooperate. FinOps Foundation organizing the body of knowledge

G

• GDPR - General Data Protection Regulation. The regulation defining obligations when handling personal data of EU residents, applying to companies outside EU too (extra-territorial application). Key points: consent acquisition, data-export restrictions, right to be forgotten, 72-hour breach notification - violations carry fines up to 4% of global annual revenue. Required for Japanese companies’ EU-targeted services
• Grafana - Grafana Labs’s OSS dashboard, connecting to many data sources like Prometheus, Loki, Tempo, CloudWatch, and Datadog, integrally visualizing metrics, logs, and traces. Sits at the core of monitoring operations with alert features, template variables, and dashboard sharing - the de facto standard at SRE/DevOps sites
• GraphQL - The query-language-based API standard from Facebook (Meta), letting client side specify and fetch only needed fields in 1 request. Resolves REST’s “over-fetching / under-fetching” issue, while N+1 queries and cache-design difficulty are unique challenges. Apollo, Relay, Hasura, Hot Chocolate ecosystems are rich
• gRPC - Google’s high-performance RPC protocol communicating in binary format (Protobuf) over HTTP/2. Multi-language auto-code-generation, streaming, and bidirectional communication supported, widely adopted for inter-microservice internal communication. Direct browser calls go via grpc-web

H

• Helm - The package manager templating Kubernetes application definitions (YAML group) and distributing / installing / version-managing as packages (Charts). The Kubernetes equivalent of “apt on Linux” - deploys complex composition standard packages with helm install. Value override and rollback features become essential in production
• HSTS - HTTP Strict Transport Security. The HTTP response header declaring to browsers “henceforth always connect to this domain via HTTPS.” Once received, HTTP access is browser-side auto-HTTPS-ized during cache period, reducing man-in-the-middle attack risk. But misconfiguration blocks all access - safe to phase in with short max-age
• HTTP / HTTPS - Hypertext Transfer Protocol. Web communication standard protocol - HTTPS is HTTP encrypted with TLS. Evolved HTTP/1.1 → HTTP/2 (multiplexing) → HTTP/3 (QUIC-based, UDP), each with different performance characteristics. Modern era effectively requires HTTPS
• Hydration - The processing where browser-side JS execution promotes static HTML sent via SSR to “interactive state.” Used in SSR frameworks like React, Vue, and Svelte - slow JS load / execution causes “visible but unpressable” time. To mitigate, techniques like Partial Hydration, Islands Architecture, and RSC have emerged

I

• IaaS - Infrastructure as a Service. The cloud service providing infrastructure resources like virtual machines, storage, and network via API. AWS EC2, Google Compute Engine, Azure Virtual Machines are representatives. With OS upward as user responsibility, max flexibility but also large operational load
• IaC - Infrastructure as Code. The technique defining infrastructure composition as code (declarative or procedural), Git-managing and review-/auto-applying. Terraform, AWS CloudFormation, Pulumi, Ansible are representatives, the standard approach escaping “manual built, no one can reproduce.” Disaster-recovery / environment-replication accuracy improves dramatically
• IAM - Identity and Access Management. The whole mechanism centrally managing IDs / permissions in organizations. In cloud context, points to foundations defining who (principal) can perform what operations (action) on what (resource) like AWS IAM, Azure RBAC, GCP IAM
• IDaaS - Identity as a Service. The service providing auth/authorization foundation as SaaS - Auth0, Okta, Microsoft Entra ID, Firebase Authentication are representatives. SSO, MFA, social login, SCIM provisioning etc. usable without self-implementation - “don’t self-build auth foundations” is the modern iron rule
• IDS / IPS - Intrusion Detection / Prevention System. The network security devices detecting (IDS) or detecting + blocking (IPS) unauthorized intrusions. Operating signature-based, anomaly-detection-based etc., with the recent mainstream being SIEM linkage integrated with EDR/XDR. In cloud, replacing with managed types like AWS GuardDuty and Azure Defender
• IdP - Identity Provider. The central service handling auth singularly, passing auth results to each service (Service Provider) via SAML or OIDC. The core of SSO, with Microsoft Entra ID and Google Workspace often used internally, Google and Apple in consumer
• Idempotency - The property where the same operation, executed any number of times, settles to the same state. In HTTP, PUT/DELETE are idempotent, POST is not. In modern times where distributed systems and network resends are premised, the safe step is to make idempotency keys required in API design - Stripe API’s Idempotency-Key header is the prime example
• IPA - Information-technology Promotion Agency. The Japanese Ministry of Economy, Trade and Industry-affiliated public agency, operating information-processing-engineer exams, formulating non-functional-requirement grades and secure-development guides, and collecting vulnerability info (JVN). Hub of Japan’s IT policy / standardization
• ISR - Incremental Static Regeneration. The Next.js-originated rendering method, regenerating SSG-generated static HTML on request or after time elapse in background. Realizes SSG-SSR best-of-both for use cases of “build-time generating all pages is heavy but pages are many”

J

• JWT - JSON Web Token. The token format concatenating header / payload / signature in 3 parts with ., widely used in stateless auth without server-side session info. Authenticity verifiable just by signature verification, but with the property that issued tokens can’t be revoked (hard to invalidate) - standard to keep expiration short and combine with refresh tokens

K

• Kafka - LinkedIn-originated high-throughput distributed messaging foundation. With append-only log structure for topics, stably processes millions of messages per second. Widely adopted as the core of event-driven architecture, streaming processing, and data integration, with managed services like Confluent and AWS MSK
• Kubernetes / K8s - The orchestration platform for running containers at scale (Google OSS-ed from Borg). Auto-mates placement, scaling, self-healing, and service discovery, managing all in declarative composition (YAML). CNCF Graduated project, the de facto standard for cloud-native
• KVS - Key-Value Store. The basic NoSQL form specialized for fast value retrieval from keys. Redis, Memcached, Amazon DynamoDB, etcd are representatives - wide uses including cache, session management, real-time aggregation, and distributed locks. Bad at complex queries, normally used alongside RDB

L

• LLM - Large Language Model. Neural networks trained on massive text - Claude, GPT, Gemini, Llama are representatives. Foundation tech realizing general-purpose natural-language processing of chat response, summarization, code generation, function calls etc. - center of generative-AI-era architecture
• LLMOps - Process / tool group for operating LLMs. Includes prompt management, versioning, evaluation (Eval), monitoring, cost management, prompt-injection countermeasures, etc. Evolution of MLOps, with tools like LangSmith, Helicone, and PromptLayer rising
• LCP / INP / CLS - Google-defined Core Web Vitals 3 metrics. LCP (Largest Contentful Paint) is largest-element display time, INP (Interaction to Next Paint) is responsiveness to user operations (FID successor), CLS (Cumulative Layout Shift) is layout stability. Built into SEO ranking factors too, the evaluation axis for frontend optimization

M

• MDM - Master Data Management. The technique or product integrally managing master data scattered in multiple systems like customers, products, and orgs. Improves company-wide data quality with deduplication, name unification, and unified ID assignment, organizing premises for BI analytics and operational efficiency. Informatica MDM, Reltio, SAP MDG are representatives
• MFA - Multi-Factor Authentication. The auth method combining 2+ of “knowledge (password),” “possession (phone, token),” “biometric (fingerprint, face).” Means like SMS, TOTP apps, WebAuthn - SMS weak to SIM-swap attacks, so WebAuthn family recommended
• mTLS - Mutual TLS. The communication method where client and server present certificates mutually to authenticate each other - upper concept of one-way TLS (server cert only). Widely used in service mesh (Istio, Linkerd) and zero-trust internal communication, enabling designs not premising “safe because internal network”
• MTBF / MTTR - Mean Time Between Failures and Mean Time To Repair / Recovery. The former represents “how long until next failure,” the latter “how long to come back after breaking” - reliability metrics. With relation availability ≈ MTBF / (MTBF + MTTR), the basic formula of SLA design
• MVC / MVVM - Classic patterns separating UI and business logic. MVC (Model-View-Controller) used in Web frameworks generally, MVVM (Model-View-ViewModel) in data-binding family like WPF, SwiftUI, Vue. In modern React / SPA, replaced by Flux/Redux family one-way data flow

N

• NIST - National Institute of Standards and Technology. Formulates security standards like SP 800 series - especially NIST SP 800-207 (zero trust), SP 800-53 (controls), and Cybersecurity Framework are referenced worldwide. The industry bible called “when in doubt, NIST”
• NoSQL - Generic for non-relational DBs - 4 representative families: KVS, document (MongoDB), wide-column (Cassandra), graph (Neo4j). Strong at large-scale horizontal scaling and flexible schemas RDB struggles with, weak at transactions / JOIN. Realistic answer is using with RDB per use case
• NFR (Non-Functional Requirements) - Group of requirements for “how it should run” beyond features - performance, availability, scalability, security, operability, maintainability. IPA’s “non-functional requirement grades” is the representative framework - agreement at requirements-definition stage is key to quality stability
• NAT - Network Address Translation. The mechanism converting between private IP addresses (internal, LAN) and public IP addresses, widely used from home routers to cloud NAT Gateway. Spread as countermeasure for IPv4 address depletion, also with internal-host-hiding effect

O

• OAuth 2.0 - The protocol for authorization, the mechanism allowing third-party apps to access resources on behalf of users (behind “link with Google account” etc.). Key understanding: token types (access token, refresh token) and flows (Authorization Code, PKCE etc.). The most important point is “not authentication”
• OIDC - OpenID Connect. Extension protocol layering “authentication” feature on OAuth 2.0, providing user identity-confirmation info via ID token (JWT). Easier to organize as “OAuth is authorization, OIDC is authentication,” the modern social-login and SSO standard
• OLAP / OLTP - 2 major DB-use classifications. OLTP (Online Transaction Processing) is business-system, handling “many small updates in short time” of orders, inventory etc. (PostgreSQL, MySQL). OLAP (Online Analytical Processing) is analytics, handling “aggregation queries on massive data” (BigQuery, Snowflake, Redshift). Optimization directions completely opposite
• One-way Door - The decision-classification term spread by Amazon’s Jeff Bezos, meaning “doors you can’t return through once passed.” Recommends carefully proceeding irreversible decisions like database selection, public-API design, and data models as One-way Doors, while reversible decisions (Two-way Door) try fast - the use case
• OpenTelemetry - The CNCF project standardizing collection / send of metrics, logs, and traces with vendor-neutral specs and SDKs. Abbreviated OTel - benefit is swapping backends (Datadog, Honeycomb, Grafana etc.) without rewriting instrumentation code. Effective for observability-tool-selection lock-in avoidance
• Outbox pattern - The design pattern aligning DB writes and message sends in 1 transaction. Holds event-record table (Outbox) in same DB, executing business updates and Outbox writes simultaneously in DB transaction first, then separate process reads Outbox and sends messages. The realistic answer avoiding distributed transactions
• OWASP - Open Web Application Security Project. The OSS community on Web security, with “OWASP Top 10” (most-important-vulnerability ranking) the global bible. Rich free, high-quality resources like ZAP (vulnerability scanner), ASVS (verification standard), SAMM (maturity model)

P

• P95 / P99 - The metrics measuring response time at 95 / 99 percentile. Means “95% / 99% of requests returned within this time,” capturing user experience of the “slow few” hidden in averages. The modern standard for SLO definition and performance benchmarks is seeing P95/P99 over averages
• PaaS - Platform as a Service. The form where cloud providers provide app execution environments (OS, middleware, scaling foundations) bundled. Heroku, Google App Engine, Azure App Service, Render, Vercel are representatives - minimum deploy effort but can’t control internal details
• Passkey - Generic for password-less authentication based on FIDO2/WebAuthn. Unlocks device-internal private keys via biometric or PIN, authenticating with server via public-key crypto - principally high in phishing resistance. Apple, Google, Microsoft pushed since 2022, with consumer-Web spread accelerating from 2024
• PCI DSS - Payment Card Industry Data Security Standard. The international security standard businesses handling credit-card-member data must comply with. 12 requirements like network separation, encryption, log management, vulnerability scanning - required for payment-handling EC / SaaS. Violations carry fines / card-brand transaction-stop risk
• PII - Personally Identifiable Information. Generic for info identifying individuals - name, address, phone, email, My Number, etc. Subject of GDPR / revised Personal Information Protection Act handling - basic requirements: design not mixing into logs / analytics data, encrypted storage, access auditing
• PKI - Public Key Infrastructure. The trust mechanism with CAs (certificate authorities) at apex, issuing / verifying digital certificates. Backbone of HTTPS TLS certificates, code signing, and email encryption (S/MIME). Has chain structure of root CA → intermediate CA signing terminal certs
• PoC - Proof of Concept. The small verification for judging “should we proceed to serious development” - confirming tech feasibility, performance, and cost validity in short period. The frequent term especially in generative-AI area, with the iron rule of pre-deciding evaluation metrics and stop conditions at PoC stage
• Postmortem - The review document after failure / incident. Records occurrence, impact range, timeline, root cause, and recurrence prevention, sharing org-wide. Aim is mechanism improvement, not individual blame (Blameless Postmortem) - core of SRE culture
• Prometheus - The CNCF OSS time-series-metric monitoring system, integrating Pull-style collection, PromQL query language, alert manager, and service discovery. The de facto for Kubernetes envs, standardly combined with Grafana. Long-term retention extended via Thanos, Cortex, Mimir
• Pub/Sub - Publisher-Subscriber. The async messaging pattern where publishers publish messages to topics without consciousness of specific subscribers, and subscribers subscribe to topics of interest. Benefit of loose-coupling sender / receiver - Kafka, Google Pub/Sub, AWS SNS, Redis Pub/Sub are representatives

Q

• QPS - Queries Per Second. Queries (requests) per second, the basic unit of performance design and capacity planning. Reverse-derive infrastructure scale from “how many QPS to handle at peak.” Often used synonymously with RPS (Requests Per Second)
• QUIC - Quick UDP Internet Connections. The Google-originated UDP-based new transport protocol, integrating TCP+TLS features, accelerating connection establishment (0-RTT), and localizing packet-loss impact. Foundation of HTTP/3, greatly improving mobile-environment performance

R

• RBAC - Role-Based Access Control. The most-widely-spread model tying permissions to roles, assigning users to roles for authorization. Organized as “admin role,” “viewer role” etc. - low operational load but weak to fine exceptional conditions. In many cases, base on RBAC with ABAC or ReBAC for supplemental reinforcement
• RDB (Relational Database) - The classic DB managing data normalized in row-column table structure, providing ACID transactions and SQL. PostgreSQL, MySQL, Oracle, SQL Server are representatives. When in doubt, this is a steady choice - still core of 90%+ of business systems today
• ReBAC - Relationship-Based Access Control. The model authorizing based on relationships between resources (owner, member, parent-child etc.). Based on Google’s Zanzibar paper, OSS like SpiceDB and OpenFGA emerged, easier to handle SaaS fine-grained permissions (“members of this folder can see all files inside” etc.)
• RED - Rate (request count), Errors (error count), Duration (response time). The metric-design framework for service monitoring - suited for grasping health of request-processing systems (Web APIs etc.). USE method is foundation-side, RED is service-side complementary relationship
• REST - Representational State Transfer. The API-design style combining HTTP methods (GET/POST/PUT/DELETE etc.) with resource URLs. Origin: Roy Fielding’s PhD dissertation - became the de facto standard for public APIs from simplicity and browser-friendliness. Reality is loose RESTish over pure definitions like HATEOAS
• ROI - Return on Investment. The ratio of how much return (revenue increase / cost reduction) generated against investment, one of the most-important metrics for IT-investment decisions. In architecture selection too, need to speak in ROI beyond just “technically correct”
• RPO / RTO - Recovery Point Objective and Recovery Time Objective. Former represents “how far back from last backup is OK,” latter “in how many minutes after failure should recover” - the basic 2 metrics of BCP / DR design. Phase-define per business impact
• RSC - React Server Components. React components executed server-side generating HTML, standardly adopted in Next.js App Router. Reduces client JS bundle and writes DB access directly inside components, while design philosophy greatly differs from conventional React
• Runbook - The failure-response manual, formalizing “on alert firing, who, in what order, runs what commands.” Often organized as Postmortem improvement items - aiming for the state of responding without judgment errors even on midnight on-call. Recently, auto-runnable Automated Runbooks become mainstream

S

• SaaS - Software as a Service. The instant-use cloud service usable just from browser - Slack, Salesforce, Microsoft 365, Google Workspace are representatives. No installation / operation needed, with subscription-style licensing too. Grew to enterprise IT spending’s largest category
• Saga pattern - The design pattern aligning microservice-spanning business processing with chains of each service’s local transactions and compensation processing (cancellation processing). Realizes eventual consistency while avoiding distributed transactions (2PC). Has 2 types - Choreography and Orchestration, the latter active with dedicated platforms like Camunda
• SAML - Security Assertion Markup Language. The XML-based enterprise SSO protocol, the long-used veteran from before OIDC’s emergence. Heavy spec but still active in corporate areas, with enterprise SaaS like Salesforce and ServiceNow standard-supporting
• SAST / DAST - Static/Dynamic Application Security Testing. SAST detects vulnerabilities in source-code static analysis (SonarQube, Snyk Code, Semgrep), DAST detects via attempting attacks on running apps (OWASP ZAP, Burp). Mutually complementary - DevSecOps building both into CI is the modern standard
• SBOM - Software Bill of Materials. List of all libraries / components apps depend on - SPDX and CycloneDX are representative formats. As supply-chain-attack countermeasure (Log4Shell etc.), required in US-presidential-order federal procurement, with global spread progressing
• Schema Registry - The mechanism centrally managing schema definitions for Avro, Protobuf, JSON Schema, etc. Confluent Schema Registry is representative - required in Kafka ecosystem to maintain inter-data-send/receive compatibility. Compatibility checks (forward, backward, complete) on schema changes built in
• SLA / SLO / SLI - Service Level Agreement (external customer contract) / Objective (internal target) / Indicator (measurement metric). Hierarchy of: SLI for actuals, SLO for target, SLA for external commitment. With SLO < SLA, internal response can start at SLO violation
• SLSA - Supply-chain Levels for Software Artifacts. The software-supply-chain-security-maturity framework Google originated and OpenSSF standardizing. Levels 1-4 phase-evaluate “to what extent can the build-process provenance and integrity be guaranteed” - pillar of supply-chain countermeasures alongside SBOM
• SOAP - Simple Object Access Protocol. The XML-based RPC protocol with heavy spec combining WS-Security and WS-* spec group. Web-service standard from late 1990s-2000s, replaced by REST and GraphQL - currently remains in legacy integration and finance / public systems
• SOC 2 - Service Organization Control 2. The internal-control-audit framework for service-providing businesses defined by AICPA, evaluating 5 principles of security, availability, processing integrity, confidentiality, and privacy. Audit report nearly required when B2B SaaS contracts with large-enterprise customers - 2 types: Type 1 and Type 2
• SOLID principles - 5 principles of object-oriented design - acronym of Single Responsibility, Open/Closed, Liskov Substitution, Interface Segregation, Dependency Inversion. Robert C. Martin systematized, settling as the basic guideline of high-maintainability / extensibility code design
• SPA - Single Page Application. The app form where after first loading 1 HTML, page transitions are JS-redrawn. General to build with React, Vue, Angular - realizes near-native-app UX on Web. SEO / first-display-delay challenges resolved via SSR / SSG combination
• SPOF - Single Point of Failure. The composition element not redundant, where its falling stops the whole system. The first item to check in architecture review - typical examples: DB primary single composition, LB single-side biasing, specific-region dependence
• SQL Injection - The classic attack of mixing SQL statements into input values to unauthorizedly operate DB. Principally preventable with placeholders (parameterized queries), still frequent in old code building SQL by string concatenation. Regular OWASP Top 10
• SRE - Site Reliability Engineering. The reliability-engineering methodology born at Google - philosophy of “solve operations problems with software engineering.” Packages concepts of SLO, error budget, Toil reduction, and Postmortem, providing framework dissolving dev-ops opposition
• SSG - Static Site Generation. The method generating static HTML for all pages at build time, delivered via CDN. Astro, Next.js, Hugo, Jekyll are representatives - excellent in display speed, security, and low operational cost. This blog itself is built on Astro SSG too
• SSO - Single Sign-On. The mechanism logging into multiple linked services with one auth, implemented via SAML or OIDC. Internally Microsoft Entra ID and Okta, in consumer Google and Apple accounts are representative IdPs. Security-aggregation effects beyond just “reducing passwords to remember” are large
• SSR - Server Side Rendering. The method composing HTML server-side and returning to browser. Stronger than CSR in initial display, SEO, and low-spec devices - frameworks like Next.js, Nuxt, SvelteKit support. Tradeoff of increased server load and deploy complexity
• SSRF - Server-Side Request Forgery. The attack making servers send requests to internal networks - the famous victim case is Capital One incident (2019) where AWS credentials were stolen by reaching cloud-metadata endpoint (169.254.169.254). Countermeasures: migrate to IMDSv2, validate URL input

T

• Terraform - HashiCorp’s IaC tool, declaratively defining cloud resources in HCL (proprietary language), applying with terraform apply taking diff with actual state. Supports many providers like AWS, Azure, GCP, Datadog - de facto standard for multi-cloud / SaaS-config management. With BSL license change as trigger, OSS fork OpenTofu split off
• TLS - Transport Layer Security. The standard protocol encrypting / authenticating communication, the inside of HTTPS (SSL successor). Currently TLS 1.3 mainstream - TLS 1.0/1.1 deprecated for vulnerabilities. With Let’s Encrypt’s emergence, anyone can get certificates free, accelerating Web HTTPS-ization
• TOGAF - The Open Group Architecture Framework. The EA industry-standard framework, with ADM (Architecture Development Method) - 8-phase approach - at core. Document body massive and large-enterprise-oriented, but the thinking helps mid-size projects too. Certifications also widespread
• Toil - SRE term pointing to “operational work repeated manually that should be automatable.” Manual deploys, alert response, user-account issuance are typical - keeping Toil ratio under 50% is SRE-team KPI. Used as basis for continuous-automation investment
• TOTP - Time-based One-Time Password. The method calculating 30-second-changing 6-digit one-time passwords from shared secret (RFC 6238). Widely used in apps like Google Authenticator, Authy, 1Password - the standard MFA means with higher security than SMS
• tRPC - The TypeScript type-sharing RPC-style API standard, strong when server and client are in same TS repo. Realizes type-safe APIs via TypeScript type inference alone, without schema definitions like GraphQL or OpenAPI. Popular surge in monorepo-composition Next.js projects etc.

U

• USE - Utilization, Saturation, Errors. The metric-design framework for resource (CPU, memory, disk, network) monitoring, proposed by Brendan Gregg. The auxiliary line for systematically seeing “whether resources are clogged” - used combined with service-side RED

V

• VPC - Virtual Private Cloud. The logically-isolated virtual network built in cloud - AWS VPC, Azure VNet, GCP VPC are representatives. Combines subnet splitting, routing, security groups, and NAT Gateway etc., basic unit building pseudo-corporate-network in cloud
• VPN - Virtual Private Network. The technology realizing dedicated-line-equivalent secure communication by tunneling encrypted over public internet. Used in remote-work internal-network connections and on-prem-cloud Site-to-Site connections. With zero-trust-ization progressing, the very necessity of corporate VPN being reconsidered

W

• WAF - Web Application Firewall. The defense layer inspecting OSI layer-7 HTTP requests/responses, blocking Web attacks like SQL injection, XSS, and path traversal. AWS WAF, Cloudflare, Akamai, Imperva are representatives - many forms integrated with CDN. Composes multi-layer defense with app-side countermeasures
• WCAG - Web Content Accessibility Guidelines. The international standard of Web accessibility formulated by W3C, with 3 levels A, AA, AAA. Many nations / municipalities legally require WCAG 2.1 AA compliance - required for public / large-enterprise sites. Required Web-developer knowledge alongside OWASP Top 10
• WebAuthn - The W3C standard API of FIDO2, the JavaScript interface handling public-key-based auth from browsers. The core technology of Passkey implementation - all of Chrome, Safari, Firefox, Edge support. Unifiedly handles biometric, security keys, and platform authenticators
• WebSocket - The protocol upgrading HTTP connections to bidirectional communication (RFC 6455). Servers can actively push, so widely used in chat, real-time notifications, online games, and stock-tickers. Recent debate also includes use-separation with Server-Sent Events (SSE) and WebTransport

X

• XSS - Cross-Site Scripting. The attack making malicious scripts execute in other users’ browsers, stealing cookies, tokens, or operations. Caused by user-input output-escape gaps - 3 types: Stored, Reflected, DOM-Based. Modern frameworks like React standard-escape, but holes easily open via dangerouslySetInnerHTML etc.

Z

• Zero Trust - The modern security model with “no implicit trust” as principle. Discards the premise that internal networks are safe, authenticating / authorizing / encrypting every communication / access. NIST SP 800-207 formulating standards - went mainstream in one stroke with remote-work spread

How to use the glossary

This glossary is intended to be used as an index when feeling “this term is unclear” throughout the series.

The IT-architecture world has very many acronyms, with areas where similar acronyms line up like SaaS / PaaS / IaaS / FaaS, and areas where AuthN / AuthZ / OAuth / OIDC / SAML appear around auth - just organizing terms is one job.

Reading through this article once produces the recognition “this is an acronym I saw before” when reading individual articles, greatly raising read-along speed. No need to memorize completely - just grasping the feel of “such a term exists” is enough.

Summary

This article organized the terminology-list reference appearing in the series “Architecture Crash Course for the Generative-AI Era.”

Each article also adds 1-line explanations to first-mentioned terms - the assumed use is first reading individual articles, returning here when concerned about terms.

This glossary is a document planned to grow alongside article additions / updates. As the series progresses, items will be added.

Back to series TOC -> ‘Architecture Crash Course for the Generative-AI Era’: How to Read This Book

I hope you’ll read the next article as well.