Network Architecture
Design secure, scalable cloud network architectures using proven patterns across AWS, GCP, and Azure. This skill provides decision frameworks for VPC design, subnet strategy, zero trust implementation, and hybrid connectivity.
When to Use This Skill
Invoke this skill when:
- Designing VPC/VNet topology for new cloud environments
- Implementing network segmentation and security controls
- Planning multi-VPC or multi-cloud connectivity
- Establishing hybrid cloud connectivity (on-premises to cloud)
- Migrating from flat network to sophisticated architecture
- Implementing zero trust network principles
- Optimizing network costs and performance
Core Network Architecture Patterns
Pattern 1: Flat (Single VPC) Architecture
Use When: Small applications, single environment, simple security requirements, team < 10 engineers
Characteristics:
- All resources in one VPC with subnet-level segmentation
- Public, private, and database subnet tiers
- Simplest to understand and manage
- No inter-VPC routing complexity
Tradeoffs:
- ✓ Lowest cost, fastest to set up
- ✗ Poor isolation, difficult to scale, entire VPC is blast radius
Pattern 2: Multi-VPC (Isolated) Architecture
Use When: Multiple environments (dev/staging/prod), strong isolation requirements, compliance mandates separation
Characteristics:
- Separate VPCs per environment or workload
- No direct connectivity without explicit setup
- Independent CIDR ranges
Tradeoffs:
- ✓ Strong blast radius containment, clear security boundaries
- ✗ Management overhead, duplicate infrastructure, higher costs
Pattern 3: Hub-and-Spoke (Transit Gateway) Architecture
Use When: 5+ VPCs need communication, centralized security inspection required, hybrid connectivity, multi-account setup
Characteristics:
- Central hub VPC/Transit Gateway
- Spoke VPCs connect to hub
- All inter-VPC traffic routes through hub
Tradeoffs:
- ✓ Simplified routing, centralized security, scales easily (100+ VPCs)
- ✗ Transit Gateway costs (~$0.05/hour + $0.02/GB), increased latency (hub hop)
Pattern 4: Full Mesh (VPC Peering) Architecture
Use When: Small number of VPCs (< 5), low latency critical, no centralized inspection needed
Characteristics:
- Every VPC directly connected via peering
- Direct VPC-to-VPC communication
Tradeoffs:
- ✓ Lowest latency, no Transit Gateway costs
- ✗ Management complexity scales as O(n²), doesn't scale beyond ~10 VPCs
Pattern 5: Hybrid (Multi-Pattern) Architecture
Use When: Large enterprise with diverse requirements, balancing cost/performance/security
Characteristics:
- Hub-spoke for most VPCs + direct peering for latency-sensitive pairs
- Combination based on workload requirements
Tradeoffs:
- ✓ Optimized for specific needs
- ✗ More complex to design and manage
Pattern Selection Framework
Number of VPCs?
│
├─► 1 VPC → Flat (Single VPC)
├─► 2-4 VPCs + No inter-VPC communication → Multi-VPC (Isolated)
├─► 2-5 VPCs + Low latency critical → Full Mesh (VPC Peering)
├─► 5+ VPCs + Centralized inspection → Hub-and-Spoke (Transit Gateway)
└─► 10+ VPCs + Mixed requirements → Hybrid (Multi-Pattern)
Additional Considerations:
├─► Hybrid connectivity required? → Hub-and-Spoke preferred
├─► Centralized egress/inspection? → Hub-and-Spoke with Inspection VPC
├─► Multi-account environment? → Hub-and-Spoke with AWS RAM sharing
└─► Cost optimization priority? → Flat or Multi-VPC (avoid TGW fees)
Subnet Strategy
Standard Three-Tier Design
Public Subnets:
- Route to Internet Gateway
- Use for load balancers, bastion hosts, NAT Gateways
- CIDR: /24 to /27 (256 to 32 IPs)
Private Subnets:
- Route to NAT Gateway for outbound
- Use for application servers, containers, compute workloads
- CIDR: /20 to /22 (4,096 to 1,024 IPs)
Database Subnets:
- No direct internet route
- Use for RDS, ElastiCache, managed databases
- CIDR: /24 to /26 (256 to 64 IPs)
Multi-AZ Distribution
Production: Distribute each tier across 3 Availability Zones minimum
Dev/Test: 1-2 AZs acceptable for cost savings
CIDR Block Planning
VPC Sizing:
- /16 (65,536 IPs) - Large production environments
- /20 (4,096 IPs) - Medium environments
- /24 (256 IPs) - Small/dev environments
Critical Rules:
- Non-overlapping CIDR ranges across VPCs
- Coordinate with on-premises network team for hybrid connectivity
- Reserve address space for future expansion
For detailed subnet planning, see references/subnet-strategy.md
NAT Gateway Strategy
Decision Framework
Cost vs Resilience?
│
├─► Cost Priority (Dev/Test)
│ └─► Single NAT Gateway (~$32/month)
│ └─► Risk: Single point of failure
│
├─► Balanced (Most Production)
│ └─► One NAT Gateway per AZ (~$96/month for 3 AZs)
│ └─► Resilience: AZ failure doesn't break connectivity
│
└─► Maximum Resilience
└─► Multiple NAT Gateways per AZ + monitoring
└─► Critical workloads, SLA-dependent
Alternative: Centralized Egress Pattern
└─► Hub-and-Spoke: Single egress VPC with NAT
└─► Reduces NAT Gateway count, centralized logging
No Outbound Internet Needed?
- Skip NAT Gateway entirely (cost savings)
- Use VPC Endpoints for AWS service access
Security Controls
Security Groups (Recommended)
Characteristics:
- Stateful (return traffic auto-allowed)
- Instance-level control
- Allow rules only (implicit deny)
- Can reference other security groups
Use For:
- Service-to-service communication
- Instance-level security
- Most common use case
Best Practices:
- Use descriptive names (app-alb-sg, app-backend-sg)
- Reference other security groups instead of CIDR blocks
- Keep rules minimal and specific
Network ACLs (Optional)
Characteristics:
- Stateless (must allow both request and response)
- Subnet-level control
- Allow and deny rules
- Processes rules in order (lowest number first)
Use For:
- Explicit deny rules (block specific IPs)
- Compliance requirements (defense in depth)
- Additional layer beyond security groups
Best Practices:
- Use sparingly (complex to manage)
- Remember to allow ephemeral ports (1024-65535)
- Test thoroughly (stateless nature causes issues)
For security group architecture patterns, see references/security-controls.md
Zero Trust Principles
Core Tenets
Never Trust, Always Verify
- Authenticate every request regardless of source
- No implicit trust based on network location
Least Privilege Access
- Grant minimum necessary permissions
- Time-bound access (just-in-time)
Assume Breach
- Segment network aggressively
- Monitor all traffic
- Rapid detection and response
Implementation Patterns
Microsegmentation:
- Isolate every workload with granular security group rules
- Service-to-service communication only between specific services
- Reduce blast radius
Identity-Based Access:
- Use IAM roles instead of IP addresses for authorization
- VPC Endpoints with IAM policies
- Service-to-service identity verification
Continuous Verification:
- VPC Flow Logs for traffic analysis
- Monitor rejected connections
- Alert on anomalies
For zero trust architecture patterns, see references/zero-trust-networking.md
Hybrid Connectivity
VPN (Virtual Private Network)
Use When: Dev/test environments, backup connectivity, temporary connections
Characteristics:
- Encrypted tunnel over public internet
- Throughput: ~1.25 Gbps per tunnel
- Latency: Variable (internet-dependent)
- Cost: Low (~$0.05/hour + data transfer)
- Setup: Quick (no contracts)
Direct Connect / ExpressRoute / Cloud Interconnect
Use When: Production workloads, large data transfers, real-time applications
Characteristics:
- Dedicated network connection (bypasses public internet)
- Throughput: Up to 100 Gbps
- Latency: Low and consistent
- Cost: Higher (port fees + data transfer)
- Setup: Slower (contracts, coordination)
Transit Gateway + Direct Connect
Use When: Multiple VPCs need on-premises connectivity
Benefits:
- Single Direct Connect connection → Transit Gateway → Multiple VPCs
- Cost efficient and scalable
- Centralized hybrid connectivity
For hybrid connectivity patterns and examples, see references/hybrid-connectivity.md
Multi-Cloud Networking
Unified Concepts Across Providers
| Concept |
AWS |
GCP |
Azure |
| Virtual Network |
VPC |
VPC |
Virtual Network (VNet) |
| Subnets |
Subnets (AZ-scoped) |
Subnets (Regional) |
Subnets |
| NAT |
NAT Gateway |
Cloud NAT |
NAT Gateway |
| Peering |
VPC Peering |
VPC Peering |
VNet Peering |
| Hub-Spoke |
Transit Gateway |
Cloud Router |
Virtual WAN |
| Private Endpoints |
PrivateLink |
Private Service Connect |
Private Link |
| Hybrid VPN |
VPN |
Cloud VPN |
VPN Gateway |
| Hybrid Dedicated |
Direct Connect |
Cloud Interconnect |
ExpressRoute |
Provider-Specific Best Practices
AWS:
- Multi-AZ baseline for production
- Prefer Transit Gateway for 5+ VPCs
- Use VPC Endpoints to avoid NAT charges
GCP:
- Custom mode VPC (not auto-mode)
- Start with single VPC, use Shared VPC for multi-project
- Grant network user role at subnet level
Azure:
- Hub-and-spoke network topology as standard
- Few large VNets vs many small VNets
- Private endpoints for Azure services
For multi-cloud implementations, see references/multi-cloud-networking.md
Network Observability
VPC Flow Logs
Enable Flow Logs for:
- Traffic analysis and troubleshooting
- Security monitoring (detect unauthorized access)
- Cost attribution by network path
- Compliance requirements
Configuration:
- Traffic type: ALL (capture accepted and rejected)
- Aggregation interval: 1-10 minutes
- Destination: CloudWatch Logs or S3
Monitoring Patterns
Monitor:
- Rejected connections (security anomalies)
- Traffic volume spikes
- Cross-VPC communication patterns
- NAT Gateway utilization
Alert On:
- Spike in rejected connections
- Unusual traffic patterns
- High data transfer costs
- Network errors
For observability patterns and flow log analysis, see references/network-observability.md
Cost Optimization
Common Cost Drivers
- NAT Gateway: $0.045/hour + $0.045/GB data processed
- Transit Gateway: $0.05/hour/attachment + $0.02/GB
- Data Transfer: Egress charges vary by destination
- VPN/Direct Connect: Port fees + data transfer
Optimization Strategies
Reduce NAT Gateway Costs:
- Use VPC Endpoints for AWS services (S3, DynamoDB)
- Centralized egress VPC pattern
- Single NAT Gateway for dev/test (accept availability risk)
Reduce Data Transfer Costs:
- Keep traffic within same region
- Use VPC Endpoints instead of public internet
- Private connectivity for high-volume transfers
Avoid Transit Gateway Costs:
- Use VPC Peering for small number of VPCs (< 5)
- Direct peering for latency-sensitive pairs
For detailed cost optimization strategies, see references/cost-optimization.md
Implementation Workflow
Step 1: Analyze Requirements
- How many VPCs/environments needed?
- Hybrid connectivity required?
- Latency requirements?
- Security/compliance requirements?
- Budget constraints?
Step 2: Select Pattern
Use pattern selection framework above to choose:
- Flat, Multi-VPC, Hub-Spoke, Mesh, or Hybrid
Step 3: Design Subnets
- Calculate CIDR blocks (non-overlapping)
- Plan multi-AZ distribution
- Determine public/private/database tiers
Step 4: Configure Security
- Design security group architecture
- Plan microsegmentation
- Configure Network ACLs if needed
Step 5: Implement with IaC
Use infrastructure-as-code skill to implement with Terraform/Pulumi
Step 6: Enable Observability
- Configure VPC Flow Logs
- Set up monitoring and alerting
- Cost tracking
Quick Reference
VPC Pattern Selection
| Requirement |
Recommended Pattern |
| Single environment |
Flat (Single VPC) |
| Multiple isolated environments |
Multi-VPC (Isolated) |
| 2-5 VPCs, low latency |
Full Mesh (Peering) |
| 5+ VPCs, centralized security |
Hub-and-Spoke (TGW) |
| Hybrid connectivity |
Hub-and-Spoke (TGW) |
| Cost optimization |
Flat or Multi-VPC |
NAT Gateway Configuration
| Scenario |
Configuration |
Monthly Cost (3 AZs) |
| Dev/Test |
Single NAT |
~$32 |
| Production |
NAT per AZ |
~$96 |
| Centralized Egress |
Hub VPC NAT |
~$32-96 |
Hybrid Connectivity
| Requirement |
Solution |
Throughput |
Latency |
| Dev/Test |
VPN |
~1.25 Gbps |
Variable |
| Production |
Direct Connect |
Up to 100 Gbps |
Low, consistent |
| Backup |
VPN (backup to DX) |
~1.25 Gbps |
Variable |
Reference Documentation
Detailed Guides:
references/vpc-design-patterns.md - Comprehensive pattern descriptions with diagramsreferences/subnet-strategy.md - CIDR planning, IPAM, multi-AZ best practicesreferences/zero-trust-networking.md - Microsegmentation, IAM integration, continuous verificationreferences/hybrid-connectivity.md - VPN, Direct Connect, Transit Gateway patternsreferences/multi-cloud-networking.md - AWS, GCP, Azure implementationsreferences/security-controls.md - Security groups, NACLs, firewall patternsreferences/private-networking.md - VPC Endpoints, PrivateLink, Private Service Connectreferences/multi-region-networking.md - Cross-region peering, global load balancingreferences/network-observability.md - Flow logs, monitoring, troubleshootingreferences/cost-optimization.md - Egress reduction, NAT strategies
Code Examples:
examples/aws/ - AWS VPC patterns (flat, hub-spoke, peering, VPN, Direct Connect)examples/gcp/ - GCP VPC patterns (custom VPC, Shared VPC, Cloud Interconnect)examples/azure/ - Azure VNet patterns (hub-spoke, peering, ExpressRoute)examples/multi-cloud/ - Cross-cloud connectivity examples
Utility Scripts:
scripts/cidr-calculator.py - Calculate CIDR blocks and plan IP addressingscripts/cost-estimator.sh - Estimate network infrastructure costsscripts/validate-sg-rules.py - Validate security group rule configurationsscripts/flow-log-analyzer.py - Analyze VPC flow logs for security and cost
Integration with Other Skills
Use infrastructure-as-code skill to:
- Implement network architectures with Terraform/Pulumi
- Version control network configurations
- Automate network provisioning
Use kubernetes-operations skill to:
- Configure Kubernetes networking (CNI) on top of VPC design
- Implement pod networking and service meshes
Use security-hardening skill to:
- Implement firewall rules and WAF configurations
- Configure network-level DDoS protection
- Set up intrusion detection systems
Use observability skill to:
- Implement comprehensive network monitoring
- Set up distributed tracing across network boundaries
- Configure performance dashboards
Use disaster-recovery skill to:
- Design multi-region failover networking
- Implement cross-region backup connectivity
- Plan network recovery procedures
