hybrid-cloud-networking

Name: hybrid-cloud-networking
Author: W. Shobson

cloud networkinghybrid cloudawsazuregcpvpndirect connectexpressroutenetwork securityinfrastructure-as-code

⭐ 36.8k📄 MIT🕒 2026-06-16Source ↗

Install this skill

npx skills add wshobson/agents

Works across Claude Code, Cursor, Codex, Copilot & Antigravity

The hybrid-cloud-networking skill automates the configuration of network bridges between on-premises infrastructure and cloud environments. It handles the provisioning of encrypted IPsec VPN tunnels, dedicated private interconnects like AWS Direct Connect, Azure ExpressRoute, or GCP Cloud Interconnect, and manages dynamic BGP routing updates. By codifying infrastructure as code, it ensures network topology—such as hub-and-spoke models or multi-region failover architectures—remains consistent across environments. This skill reduces manual configuration errors in transit gateway setups and virtual network gateways, providing a reliable foundation for data center extensions, cloud migrations, and low-latency application access. It enforces security through route propagation control, traffic flow monitoring, and the establishment of redundant, high-availability pathing between local hardware and public cloud VPCs or VNets.

When to Use This Skill

•Bridging on-premises physical data centers with cloud-hosted application VPCs
•Establishing low-latency, private network paths for bandwidth-heavy migrations
•Implementing disaster recovery failover between local sites and cloud regions
•Standardizing network routing configurations across multi-cloud environments

How to Invoke This Skill

Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:

“Set up a site-to-site VPN connection between my data center and AWS
“Automate the deployment of an Azure ExpressRoute gateway
“Configure BGP routing for a hybrid network
“Create a dual-tunnel VPN configuration for high availability
“Define a hub-and-spoke network architecture for my hybrid cloud

Pro Tips

💡Always plan your IP addressing scheme carefully to avoid overlaps between on-premises and cloud networks, utilizing private RFC 1918 ranges.
💡Prioritize dedicated connections (Direct Connect, ExpressRoute) for mission-critical applications requiring high bandwidth, low latency, and consistent performance over VPNs.
💡Implement robust monitoring and logging for all hybrid network connections to quickly identify and troubleshoot connectivity or performance issues.
💡Automate your connection provisioning using Infrastructure as Code (e.g., Terraform) to ensure consistency, reduce manual errors, and speed up deployment.

What this skill does

•Automated deployment of VPN gateways and customer gateway associations
•Configuration of BGP sessions for dynamic route propagation
•Infrastructure as code templates for AWS, Azure, and GCP connectivity
•Implementation of high-availability redundant tunnel patterns
•Network topology design support for hub-and-spoke architectures

When not to use it

✕When connecting two cloud VPCs that share the same region or cloud provider, where VPC peering is more efficient
✕For simple public-facing web applications that do not require private backend communication with on-premises databases

Example workflow

Identify the required bandwidth and latency requirements for the connection
Select the appropriate connectivity type (VPN vs. Direct/Private Interconnect)
Provision the cloud-side gateway resource using the corresponding provider template
Configure BGP ASN numbers and customer gateway IP addresses
Update route tables to enable propagation to target subnets
Verify tunnel status and BGP session health via CLI diagnostics

Prerequisites

–Defined CIDR blocks for on-premises and cloud networks
–Public IP address for the local router or firewall
–Appropriate cloud provider permissions (IAM/RBAC) for network administration

Pitfalls & limitations

!Misconfiguring BGP ASNs leads to route flapping and network isolation
!Underestimating data transfer costs for high-bandwidth traffic over VPN tunnels
!Assuming auto-failover works without configuring active-active dual tunnel pathing
!Failing to account for MTU limitations leading to packet fragmentation

FAQ

What is the primary difference between a VPN and Direct Connect?

VPNs use the public internet and offer flexible setup, while Direct Connect provides a dedicated, private physical line for lower latency and higher security.

Does this skill help with cost optimization?

Yes, it assists in selecting the right connectivity type based on traffic needs and provides patterns to avoid unnecessary data transfer fees.

How do I ensure high availability in my hybrid network?

Implement dual tunnels or multiple connections across diverse physical locations and utilize BGP for dynamic traffic rerouting upon failure.

Can this skill manage routing for multiple VPCs?

Yes, it supports transit gateway and hub-and-spoke configurations to aggregate traffic across multiple spokes.

How it compares

While manual configuration involves clicking through cloud consoles and creating fragile, undocumented settings, this skill utilizes declarative code to ensure network state is reproducible, auditable, and version-controlled.

Source & trust

⭐ 37k stars📄 MIT🕒 Updated 2026-06-16

View original skill on GitHub →

📄 Full skill instructions — original source: wshobson/agents

# Hybrid Cloud Networking

Configure secure, high-performance connectivity between on-premises and cloud environments using VPN, Direct Connect, and ExpressRoute.

## Purpose

Establish secure, reliable network connectivity between on-premises data centers and cloud providers (AWS, Azure, GCP).

## When to Use

- Connect on-premises to cloud
- Extend datacenter to cloud
- Implement hybrid active-active setups
- Meet compliance requirements
- Migrate to cloud gradually

## Connection Options

### AWS Connectivity

#### 1. Site-to-Site VPN

- IPSec VPN over internet
- Up to 1.25 Gbps per tunnel
- Cost-effective for moderate bandwidth
- Higher latency, internet-dependent

resource "aws_vpn_gateway" "main" {
  vpc_id = aws_vpc.main.id
  tags = {
    Name = "main-vpn-gateway"
  }
}

resource "aws_customer_gateway" "main" {
  bgp_asn    = 65000
  ip_address = "203.0.113.1"
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "main" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.main.id
  type                = "ipsec.1"
  static_routes_only  = false
}

#### 2. AWS Direct Connect

- Dedicated network connection
- 1 Gbps to 100 Gbps
- Lower latency, consistent bandwidth
- More expensive, setup time required

**Reference:** See references/direct-connect.md

### Azure Connectivity

#### 1. Site-to-Site VPN

resource "azurerm_virtual_network_gateway" "vpn" {
  name                = "vpn-gateway"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  type     = "Vpn"
  vpn_type = "RouteBased"
  sku      = "VpnGw1"

  ip_configuration {
    name                          = "vnetGatewayConfig"
    public_ip_address_id          = azurerm_public_ip.vpn.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gateway.id
  }
}

#### 2. Azure ExpressRoute

- Private connection via connectivity provider
- Up to 100 Gbps
- Low latency, high reliability
- Premium for global connectivity

### GCP Connectivity

#### 1. Cloud VPN

- IPSec VPN (Classic or HA VPN)
- HA VPN: 99.99% SLA
- Up to 3 Gbps per tunnel

#### 2. Cloud Interconnect

- Dedicated (10 Gbps, 100 Gbps)
- Partner (50 Mbps to 50 Gbps)
- Lower latency than VPN

## Hybrid Network Patterns

### Pattern 1: Hub-and-Spoke

On-Premises Datacenter
         ↓
    VPN/Direct Connect
         ↓
    Transit Gateway (AWS) / vWAN (Azure)
         ↓
    ├─ Production VPC/VNet
    ├─ Staging VPC/VNet
    └─ Development VPC/VNet

### Pattern 2: Multi-Region Hybrid

On-Premises
    ├─ Direct Connect → us-east-1
    └─ Direct Connect → us-west-2
            ↓
        Cross-Region Peering

### Pattern 3: Multi-Cloud Hybrid

On-Premises Datacenter
    ├─ Direct Connect → AWS
    ├─ ExpressRoute → Azure
    └─ Interconnect → GCP

## Routing Configuration

### BGP Configuration

On-Premises Router:
- AS Number: 65000
- Advertise: 10.0.0.0/8

Cloud Router:
- AS Number: 64512 (AWS), 65515 (Azure)
- Advertise: Cloud VPC/VNet CIDRs

### Route Propagation

- Enable route propagation on route tables
- Use BGP for dynamic routing
- Implement route filtering
- Monitor route advertisements

## Security Best Practices

1. **Use private connectivity** (Direct Connect/ExpressRoute)
2. **Implement encryption** for VPN tunnels
3. **Use VPC endpoints** to avoid internet routing
4. **Configure network ACLs** and security groups
5. **Enable VPC Flow Logs** for monitoring
6. **Implement DDoS protection**
7. **Use PrivateLink/Private Endpoints**
8. **Monitor connections** with CloudWatch/Monitor
9. **Implement redundancy** (dual tunnels)
10. **Regular security audits**

## High Availability

### Dual VPN Tunnels

resource "aws_vpn_connection" "primary" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.primary.id
  type                = "ipsec.1"
}

resource "aws_vpn_connection" "secondary" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.secondary.id
  type                = "ipsec.1"
}

### Active-Active Configuration

- Multiple connections from different locations
- BGP for automatic failover
- Equal-cost multi-path (ECMP) routing
- Monitor health of all connections

## Monitoring and Troubleshooting

### Key Metrics

- Tunnel status (up/down)
- Bytes in/out
- Packet loss
- Latency
- BGP session status

### Troubleshooting

# AWS VPN
aws ec2 describe-vpn-connections
aws ec2 get-vpn-connection-telemetry

# Azure VPN
az network vpn-connection show
az network vpn-connection show-device-config-script

## Cost Optimization

1. **Right-size connections** based on traffic
2. **Use VPN for low-bandwidth** workloads
3. **Consolidate traffic** through fewer connections
4. **Minimize data transfer** costs
5. **Use Direct Connect** for high bandwidth
6. **Implement caching** to reduce traffic

## Reference Files

- references/vpn-setup.md - VPN configuration guide
- references/direct-connect.md - Direct Connect setup

## Related Skills

- multi-cloud-architecture - For architecture decisions
- terraform-module-library - For IaC implementation

By W. Shobson

How to Use This Skill Unit

Option A: Project-Specific (Recommended)

Click "Download" above
In your project, create the directory: .agent/skills/hybrid-cloud-networking/
Save the file as SKILL.md
The agent will automatically discover the skill based on its description.

Option B: Global Installation (All Agents)

Save the file to these locations to make it available across all projects:

Claude Code: ~/.claude/skills/wshobson/agents/hybrid-cloud-networking/SKILL.md
Cursor: ~/.cursor/skills/wshobson/agents/hybrid-cloud-networking/SKILL.md
Antigravity: ~/.gemini/antigravity/skills/wshobson/agents/hybrid-cloud-networking/SKILL.md