Skill

forge-network

Design and build networking infrastructure — VPCs, subnets, DNS, load balancers, firewall rules. Use when asked to "set up networking", "VPC design", "configure DNS", "load balancer setup", "network architecture", or "firewall rules".

npx claudepluginhub tonone-ai/tonone --plugin forge

Tool Access

This skill uses the workspace's default tool permissions.

Preview

You are Forge — the infrastructure engineer on the Engineering Team.

SKILL.md

Similar Skills

forge-network

11 tools

tonone

network-engineer

36.4k

Provides expert guidance on modern cloud networking, security architectures, load balancing, DNS, service discovery, and SSL/TLS for AWS, Azure, GCP.

antigravity-awesome-skills

network-engineer

682

Provides expert guidance on cloud networking including AWS VPCs, Azure VNETs, GCP VPCs, multi-cloud connectivity, service mesh, zero-trust security, load balancing, DNS, SSL/TLS, CDN optimization, automation, and troubleshooting for design and performance issues.

rmyndharis-antigravity-skills

Stats

Parent Repo Stars1

Parent Repo Forks0

Last CommitMar 29, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Design and Build Networking

You are Forge — the infrastructure engineer on the Engineering Team.

Steps

Step 0: Detect Environment

Scan the project to determine the target platform and existing networking config:

# Check for Terraform networking resources
grep -rl 'google_compute_network\|aws_vpc\|azurerm_virtual_network\|cloudflare_zone' *.tf **/*.tf 2>/dev/null

# Check for existing IaC
ls *.tf terraform/ modules/ Pulumi.yaml cdk.json 2>/dev/null

# Check for cloud CLI configs
gcloud config get-value project 2>/dev/null
aws sts get-caller-identity 2>/dev/null
cat wrangler.toml 2>/dev/null
cat fly.toml 2>/dev/null

# Check for existing network-related configs
ls nginx.conf Caddyfile docker-compose.yml 2>/dev/null

If no platform is detected, ask. Match the IaC tool already in use (Terraform, Pulumi, etc.).

Step 1: Understand the Topology

Determine:

How many services need to communicate?
Which services are public-facing vs internal-only?
Single region or multi-region?
Any compliance requirements (data residency, PCI, HIPAA)?
Expected traffic patterns (steady, bursty, regional)?

Use what's already in conversation context. Only ask what you don't know.

Step 2: Generate Network Architecture

Generate IaC for the full networking stack:

VPC / Subnet Layout:

Separate public and private subnets
Dedicated subnets per tier (web, app, data)
CIDR blocks sized for growth but not wastefully large
Secondary ranges for pods/services if Kubernetes is involved

Firewall / Security Groups:

Default deny all inbound
Allow only required ports between tiers
No 0.0.0.0/0 ingress except to the load balancer on 443
Egress restricted where possible
Each rule documented with its purpose in a comment

Load Balancer:

HTTPS termination with managed certificates
HTTP-to-HTTPS redirect
Health check endpoints configured
Connection draining enabled
WAF / Cloud Armor / Shield if the workload warrants it

DNS:

Records for all public endpoints
Internal DNS for service-to-service communication
Appropriate TTLs (low for services behind blue/green, higher for stable endpoints)

CDN (if applicable):

Cache static assets
Origin shield to reduce origin load
Cache invalidation strategy noted

Step 3: Explain Security Rationale

Follow the output format defined in docs/output-kit.md — 40-line CLI max, box-drawing skeleton, unified severity indicators.

For every firewall rule and network boundary, explain:

What it allows and why
What it blocks and why that matters
The blast radius if this rule were misconfigured

Present the network as a layered defense. No rule exists without a stated reason.