Private Network Setup

We design VPCs with tiered subnets: public (load balancers, bastion hosts), private (application servers), and isolated (databases, caches). CIDR blocks are sized for growth without overlap across environments or regions — critical for VPC peering. Subnets span multiple availability zones for high availability. NAT gateways provide outbound internet access for private subnets without inbound exposure.

VPC peering connects networks directly — low latency, no bandwidth limits, no single point of failure. For hub-and-spoke architectures (many VPCs connecting through a central hub), Transit Gateway simplifies routing and reduces peering mesh complexity. Cross-region peering connects workloads across geographies. Routing tables are explicit — no 'allow all' between peered networks.

Site-to-site VPN or Direct Connect/ExpressRoute links on-prem networks to your cloud VPC. We configure redundant tunnels across diverse paths for high availability. BGP routing dynamically adjusts to link failures. Bandwidth requirements determine whether VPN (up to ~1.25 Gbps) suffices or dedicated connectivity is needed. DNS resolution bridges cloud and on-prem namespaces.

You get network diagrams (not Visio files from 2019 — infrastructure-as-code that generates current diagrams), IP allocation spreadsheets, routing tables, and security group inventories. All network infrastructure is Terraform-managed so changes go through PR review. Runbooks cover common operations: adding a new subnet, peering a new VPC, and troubleshooting routing issues.