Skill

network-topology

Design VPCs, subnets, security groups, load balancing, and DNS architecture. Plan for segmentation, DDoS protection, and failover. Use when architecting network infrastructure.

From infrastructure-design

Install

Run in your terminal

npx claudepluginhub sethdford/claude-skills --plugin architect-infrastructure-design

Tool Access

This skill uses the workspace's default tool permissions.

Skill Content

Similar Skills

ui-ux-pro-max

Provides UI/UX resources: 50+ styles, color palettes, font pairings, guidelines, charts for web/mobile across React, Next.js, Vue, Svelte, Tailwind, React Native, Flutter. Aids planning, building, reviewing interfaces.

ui-ux-pro-max

57.6k

context7-mcp

Fetches up-to-date documentation from Context7 for libraries and frameworks like React, Next.js, Prisma. Use for setup questions, API references, and code examples.

context7-plugin

51.4k

market-sizing-analysis

2 files

Calculates TAM/SAM/SOM using top-down, bottom-up, and value theory methodologies for market sizing, revenue estimation, and startup validation.

startup-business-analyst

32.9k

Stats

Parent Repo Stars3

Parent Repo Forks0

Last CommitMar 11, 2026

Actions

View Source View Plugin View on GitHub View README

Domain Context

Based on network architecture best practices (AWS VPC, GCP VPC):

VPC: Virtual private cloud; isolated network environment. Multiple subnets for segmentation.

Subnets: Public (NAT to internet) and private (no direct internet). Separate database tier from web tier.

Security Groups: Stateful firewall rules. Default-deny, whitelist only needed ports.

Load Balancing: ALB for HTTP/HTTPS, NLB for TCP/UDP. Distribute traffic across instances.

DNS: Route 53 for DNS with health checks and failover routing

Instructions

Design VPC: CIDR block (10.0.0.0/16 typical). Public subnets in AZ-1 and AZ-2 for web tier. Private subnets for database tier. NAT Gateway for outbound access from private.

Segment with Security Groups: Web tier: allow 80/443. App tier: allow traffic from web only. Database tier: allow traffic from app tier only. Principle of least privilege.

Plan Load Balancing: Application Load Balancer (ALB) for web traffic; routes by hostname/path. Network Load Balancer (NLB) for high performance, millions of RPS.

Set Up DNS: Route 53 routes users to nearest region or healthy endpoint. Health checks detect failures; failover to standby. Support multiple A records for multi-region.

Implement DDoS Protection: CloudFlare or Shield Standard for volumetric attacks. WAF for application-layer attacks (SQL injection, XSS). Rate limiting for API abuse.

Anti-Patterns

Single Subnet for Everything: All servers in one subnet. Result: hard to enforce policies, lateral movement risk. Guard: Segment by tier; use security groups for access control.

Overly Permissive Security Groups: Allow 0.0.0.0/0 (anywhere) on all ports. Result: security risk. Guard: Default-deny; whitelist specific ports/IPs.

No Health Checks: Load balancer routes to dead instance. Result: user errors. Guard: Health checks detect failures; remove from load balancer.

Ignoring DDoS: Assume no one will attack. Result: downtime during attack. Guard: DDoS protection layers (WAF, rate limiting, CDN); plan capacity for spikes.

Domain Context

Based on network architecture best practices (AWS VPC, GCP VPC):

VPC: Virtual private cloud; isolated network environment. Multiple subnets for segmentation.

Subnets: Public (NAT to internet) and private (no direct internet). Separate database tier from web tier.

Security Groups: Stateful firewall rules. Default-deny, whitelist only needed ports.

Load Balancing: ALB for HTTP/HTTPS, NLB for TCP/UDP. Distribute traffic across instances.

DNS: Route 53 for DNS with health checks and failover routing

Instructions

Design VPC: CIDR block (10.0.0.0/16 typical). Public subnets in AZ-1 and AZ-2 for web tier. Private subnets for database tier. NAT Gateway for outbound access from private.

Segment with Security Groups: Web tier: allow 80/443. App tier: allow traffic from web only. Database tier: allow traffic from app tier only. Principle of least privilege.

Plan Load Balancing: Application Load Balancer (ALB) for web traffic; routes by hostname/path. Network Load Balancer (NLB) for high performance, millions of RPS.

Set Up DNS: Route 53 routes users to nearest region or healthy endpoint. Health checks detect failures; failover to standby. Support multiple A records for multi-region.

Implement DDoS Protection: CloudFlare or Shield Standard for volumetric attacks. WAF for application-layer attacks (SQL injection, XSS). Rate limiting for API abuse.

Anti-Patterns

Single Subnet for Everything: All servers in one subnet. Result: hard to enforce policies, lateral movement risk. Guard: Segment by tier; use security groups for access control.

Overly Permissive Security Groups: Allow 0.0.0.0/0 (anywhere) on all ports. Result: security risk. Guard: Default-deny; whitelist specific ports/IPs.

No Health Checks: Load balancer routes to dead instance. Result: user errors. Guard: Health checks detect failures; remove from load balancer.

Ignoring DDoS: Assume no one will attack. Result: downtime during attack. Guard: DDoS protection layers (WAF, rate limiting, CDN); plan capacity for spikes.

network-topology

network-topology

Network Topology

Context

Domain Context

Instructions

Anti-Patterns

Further Reading

Network Topology

Context

Domain Context

Instructions

Anti-Patterns

Further Reading