Design cloud network architectures with VPC patterns, subnet strategies, zero trust principles, and hybrid connectivity. Use when planning VPC topology, implementing multi-cloud networking, or establishing secure network segmentation for cloud workloads.
View on GitHubskills/architecting-networks/SKILL.md
February 1, 2026
Select agents to install to:
npx add-skill https://github.com/ancoleman/ai-design-components/blob/main/skills/architecting-networks/SKILL.md -a claude-code --skill architecting-networksInstallation paths:
.claude/skills/architecting-networks/# Network Architecture Design secure, scalable cloud network architectures using proven patterns across AWS, GCP, and Azure. This skill provides decision frameworks for VPC design, subnet strategy, zero trust implementation, and hybrid connectivity. ## When to Use This Skill Invoke this skill when: - Designing VPC/VNet topology for new cloud environments - Implementing network segmentation and security controls - Planning multi-VPC or multi-cloud connectivity - Establishing hybrid cloud connectivity (on-premises to cloud) - Migrating from flat network to sophisticated architecture - Implementing zero trust network principles - Optimizing network costs and performance ## Core Network Architecture Patterns ### Pattern 1: Flat (Single VPC) Architecture **Use When:** Small applications, single environment, simple security requirements, team < 10 engineers **Characteristics:** - All resources in one VPC with subnet-level segmentation - Public, private, and database subnet tiers - Simplest to understand and manage - No inter-VPC routing complexity **Tradeoffs:** - ✓ Lowest cost, fastest to set up - ✗ Poor isolation, difficult to scale, entire VPC is blast radius ### Pattern 2: Multi-VPC (Isolated) Architecture **Use When:** Multiple environments (dev/staging/prod), strong isolation requirements, compliance mandates separation **Characteristics:** - Separate VPCs per environment or workload - No direct connectivity without explicit setup - Independent CIDR ranges **Tradeoffs:** - ✓ Strong blast radius containment, clear security boundaries - ✗ Management overhead, duplicate infrastructure, higher costs ### Pattern 3: Hub-and-Spoke (Transit Gateway) Architecture **Use When:** 5+ VPCs need communication, centralized security inspection required, hybrid connectivity, multi-account setup **Characteristics:** - Central hub VPC/Transit Gateway - Spoke VPCs connect to hub - All inter-VPC traffic routes through hub **Tradeoffs:** - ✓ Simplified routing, centralized