sawrus/vpc-design
areas/devops/networking/skills/vpc-design/SKILL.md
Design cloud-agnostic private networks — subnet layout, CIDR allocation, zone redundancy, routing, and bare-metal equivalent.
$ install --global
skillsauthnpx skillsauth add sawrus/agent-guides vpc-designInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 18, 2026, 4:22 AM92.7s1 file scanned
SKILL.md
- name:
- vpc-design
- type:
- skill
- description:
- Design cloud-agnostic private networks — subnet layout, CIDR allocation, zone redundancy, routing, and bare-metal equivalent.
- allowed-tools:
- Read, Write, Edit
Skill: VPC / Network Design
Expertise: CIDR planning, zone-redundant subnets, routing tables, NAT, VPN/peering — AWS, GCP, Hetzner, and bare-metal.
When to load
When designing a new network for a cloud environment or bare-metal cluster, planning subnets, or diagnosing routing issues.
CIDR Allocation Strategy
Organization supernet: 10.0.0.0/8
Environment blocks:
production: 10.10.0.0/16 (65,534 addresses)
staging: 10.20.0.0/16
dev: 10.30.0.0/16
Per-environment subnet layout (/16 → four /18 zones):
Zone A (eu-west-1a): 10.10.0.0/18 (16,382 IPs)
Public subnet: 10.10.0.0/20 (4,094 IPs — load balancers, NAT GW)
App subnet: 10.10.16.0/20 (4,094 IPs — K8s nodes)
Data subnet: 10.10.32.0/20 (4,094 IPs — databases, Redis)
Zone B (eu-west-1b): 10.10.64.0/18
(same subdivision pattern)
Zone C (eu-west-1c): 10.10.128.0/18
(same subdivision pattern)
Reserved / Management: 10.10.192.0/18
Management subnet: 10.10.192.0/24 (jump hosts, CI runners)
Future expansion: 10.10.193.0/18
Terraform: AWS VPC Module
module "vpc" {
source = "git::https://git.example.com/infra/modules//vpc?ref=v2.1.0"
project = var.project
environment = var.environment
cidr = "10.10.0.0/16"
azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
public_subnets = ["10.10.0.0/20", "10.10.64.0/20", "10.10.128.0/20"]
private_subnets = ["10.10.16.0/20", "10.10.80.0/20", "10.10.144.0/20"]
database_subnets = ["10.10.32.0/20", "10.10.96.0/20", "10.10.160.0/20"]
enable_nat_gateway = true
single_nat_gateway = var.environment != "production" # save cost in non-prod
# K8s tags (required for AWS Load Balancer Controller)
private_subnet_tags = {
"kubernetes.io/role/internal-elb" = "1"
"kubernetes.io/cluster/${local.cluster_name}" = "owned"
}
public_subnet_tags = {
"kubernetes.io/role/elb" = "1"
}
}
Terraform: Hetzner Network
resource "hcloud_network" "main" {
name = "${var.project}-${var.environment}"
ip_range = "10.10.0.0/16"
}
resource "hcloud_network_subnet" "k8s_nodes" {
network_id = hcloud_network.main.id
type = "cloud"
network_zone = "eu-central"
ip_range = "10.10.16.0/20"
}
resource "hcloud_network_subnet" "databases" {
network_id = hcloud_network.main.id
type = "cloud"
network_zone = "eu-central"
ip_range = "10.10.32.0/20"
}
# Attach servers to subnets
resource "hcloud_server_network" "worker" {
for_each = var.worker_servers
server_id = each.value.id
network_id = hcloud_network.main.id
ip = each.value.private_ip
}
Bare-Metal Network Design
Physical topology:
- 2× top-of-rack switches (bonded for HA)
- Each server: 2× 10GbE NICs (bonded: active-backup or LACP)
VLAN layout:
VLAN 10 (management): 192.168.10.0/24 — IPMI, switch mgmt
VLAN 20 (K8s nodes): 10.10.16.0/20 — kubelet, pod CIDR routed
VLAN 30 (storage): 10.10.32.0/24 — Longhorn/Ceph replication
VLAN 40 (public): 203.0.113.0/28 — load balancer IPs (MetalLB pool)
Routing:
- Default GW on VLAN 20 → firewall → internet (via NAT for egress)
- VLAN 30 (storage) — no routing outside rack (isolated L2)
- VLAN 40 — router sends public IPs to MetalLB L2 advertisement
Network Security Design Checklist
- [ ] Data subnets have no route to internet (no NAT GW for DB subnet)
- [ ] Management access via VPN or jump host only (no public SSH)
- [ ] NAT Gateway in each AZ (not single NAT — single point of failure)
- [ ] VPC Flow Logs enabled (30-day retention)
- [ ] Security groups default-deny; rules documented with justification
- [ ] Subnet CIDR does not overlap with on-prem or peered VPCs
- [ ] IPv6 considered (especially for K8s pod addressing at scale)
Related Skills
sawrus/qa_expert
testing
VerifiedTrustedCommunity
QA Expert for writing E2E tests, test scenarios, test plans, and ensuring test coverage quality.
12SKILL.mdUpdated Apr 18, 2026
sawrus/design_expert
development
VerifiedTrustedCommunity
Expert UI/UX design intelligence for creating distinctive, high-craft, and mobile-first interfaces. Focuses on premium aesthetics, touch-first ergonomics, and Flutter performance.
12SKILL.mdUpdated Apr 18, 2026
sawrus/code_review_expert
development
VerifiedTrustedCommunity
Code Review Expert for static analysis, security auditing, architecture review, and ensuring code quality standards.
12SKILL.mdUpdated Apr 18, 2026
sawrus/babysit-pr
development
VerifiedTrustedCommunity
Babysit a GitHub pull request after creation by continuously polling review comments, CI checks/workflow runs, and mergeability state until the PR is merged/closed or user help is required. Diagnose failures, retry likely flaky failures up to 3 times, auto-fix/push branch-related issues when appropriate, and keep watching open PRs so fresh review feedback is surfaced promptly. Use when the user asks Codex to monitor a PR, watch CI, handle review comments, or keep an eye on failures and feedback on an open PR.
12SKILL.mdUpdated Apr 18, 2026