architecting-networks

verified

Design cloud network architectures with VPC patterns, subnet strategies, zero trust principles, and hybrid connectivity. Use when planning VPC topology, implementing multi-cloud networking, or establishing secure network segmentation for cloud workloads.

Marketplace: ai-design-components (ancoleman/ai-design-components)
Plugin: backend-ai-skills
Repository: ancoleman/ai-design-components (153 stars)
Source file: skills/architecting-networks/SKILL.md
Last Verified: February 1, 2026

Install Skill

npx add-skill https://github.com/ancoleman/ai-design-components/blob/main/skills/architecting-networks/SKILL.md -a claude-code --skill architecting-networks

Installation path (Claude): .claude/skills/architecting-networks/

Instructions

# Network Architecture

Design secure, scalable cloud network architectures using proven patterns across AWS, GCP, and Azure. This skill provides decision frameworks for VPC design, subnet strategy, zero trust implementation, and hybrid connectivity.

## When to Use This Skill

Invoke this skill when:
- Designing VPC/VNet topology for new cloud environments
- Implementing network segmentation and security controls
- Planning multi-VPC or multi-cloud connectivity
- Establishing hybrid cloud connectivity (on-premises to cloud)
- Migrating from flat network to sophisticated architecture
- Implementing zero trust network principles
- Optimizing network costs and performance

## Core Network Architecture Patterns

### Pattern 1: Flat (Single VPC) Architecture

**Use When:** Small applications, single environment, simple security requirements, team < 10 engineers

**Characteristics:**
- All resources in one VPC with subnet-level segmentation
- Public, private, and database subnet tiers
- Simplest to understand and manage
- No inter-VPC routing complexity

**Tradeoffs:**
- ✓ Lowest cost, fastest to set up
- ✗ Poor isolation, difficult to scale, and the entire VPC is the blast radius of any compromise

### Pattern 2: Multi-VPC (Isolated) Architecture

**Use When:** Multiple environments (dev/staging/prod), strong isolation requirements, compliance mandates separation

**Characteristics:**
- Separate VPCs per environment or workload
- No direct connectivity without explicit setup
- Independent CIDR ranges

**Tradeoffs:**
- ✓ Strong blast radius containment, clear security boundaries
- ✗ Management overhead, duplicate infrastructure, higher costs
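The subnet tiers of the flat pattern and the independent CIDR ranges of the multi-VPC pattern can be planned and checked mechanically before anything is provisioned. The following Python script is an added example, not code from the skill or the ai-design-components repository: it carves a VPC CIDR into public/private/database tiers per availability zone, verifies that a set of per-environment VPCs do not overlap (a precondition for peering or hub attachment later), and collapses the ranges into summary routes. The environment names, CIDRs and AZ names are constructed sample values, and the summary-route helper assumes the VPCs were allocated from one common supernet.

```python
"""Added example, not part of the original skill: a small CIDR planner for the
flat and multi-VPC patterns. All CIDRs, environment and AZ names used below
are constructed sample values, not values from the skill."""
from ipaddress import collapse_addresses, ip_network
from itertools import combinations

# The three subnet tiers of the flat (single VPC) pattern.
TIERS = ("public", "private", "database")


def plan_subnets(vpc_cidr, azs, tier_prefix=24):
    """Carve vpc_cidr into one /tier_prefix subnet per (AZ, tier).

    Returns {az: {tier: IPv4Network}}. Allocation is deterministic, so a
    re-run on the same inputs yields the same layout, and unused space at the
    end of the VPC range stays free for tiers added later.
    """
    vpc = ip_network(vpc_cidr, strict=True)
    if tier_prefix <= vpc.prefixlen:
        raise ValueError("tier prefix must be longer than the VPC prefix")
    capacity = 2 ** (tier_prefix - vpc.prefixlen)  # how many /tier_prefix blocks fit
    needed = len(azs) * len(TIERS)
    if needed > capacity:
        raise ValueError(
            f"{vpc_cidr} holds {capacity} /{tier_prefix} subnets, need {needed}"
        )
    candidates = vpc.subnets(new_prefix=tier_prefix)
    return {az: {tier: next(candidates) for tier in TIERS} for az in azs}


def find_overlaps(vpc_cidrs):
    """Return sorted (name, name) pairs whose VPC CIDRs overlap.

    An empty list means the VPCs keep the independent ranges the multi-VPC
    pattern requires and can be peered or attached to a hub without NAT.
    """
    nets = {name: ip_network(cidr, strict=True) for name, cidr in vpc_cidrs.items()}
    return [
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    ]


def summary_routes(vpc_cidrs):
    """Collapse all VPC CIDRs into the fewest aggregate prefixes.

    When environments are allocated from one supernet (an assumption of this
    example), each spoke needs only these summary routes toward the hub
    instead of one route per peer VPC.
    """
    nets = (ip_network(cidr, strict=True) for cidr in vpc_cidrs.values())
    return [str(n) for n in collapse_addresses(nets)]


if __name__ == "__main__":
    # Constructed sample plan: one VPC per environment, two AZs each.
    envs = {"dev": "10.0.0.0/16", "staging": "10.1.0.0/16", "prod": "10.2.0.0/16"}
    for env, cidr in envs.items():
        for az, tiers in plan_subnets(cidr, ["us-east-1a", "us-east-1b"]).items():
            print(env, az, {t: str(n) for t, n in tiers.items()})
    print("overlaps:", find_overlaps(envs))
    print("summary routes:", summary_routes(envs))
    # A range reused by mistake is caught before any peering is built.
    print("overlaps with sandbox:", find_overlaps({**envs, "sandbox": "10.2.128.0/17"}))
```

Run it once per proposed allocation; a non-empty result from `find_overlaps` is the signal that two environments cannot be connected without renumbering one of them, which is far cheaper to discover at design time than after workloads are deployed.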

### Pattern 3: Hub-and-Spoke (Transit Gateway) Architecture

**Use When:** 5+ VPCs need communication, centralized security inspection required, hybrid connectivity, multi-account setup

**Characteristics:**
- Central hub VPC/Transit Gateway
- Spoke VPCs connect to hub
- All inter-VPC traffic routes through hub

**Tradeoffs:**
- ✓ Simplified routing, centralized

Validation Details

Checks: front matter, required fields, valid name format, valid description, has sections, allowed tools
Instruction length: 15098 chars