hybrid-cloud-networking

Configure secure, high-performance connectivity between on-premises and cloud environments using VPN, Direct Connect, and ExpressRoute.

31,392 stars
Complexity: medium

About this skill

This skill empowers an AI agent to guide users through the complex process of establishing and optimizing secure, high-performance network connections between on-premises data centers and various cloud environments. Leveraging best practices for foundational technologies like VPN, AWS Direct Connect, and Azure ExpressRoute, the agent can clarify technical goals, identify constraints, recommend optimal solutions, and provide actionable steps for implementation and verification. This ensures robust, low-latency, and secure hybrid cloud infrastructure, supporting critical workloads like database replication, disaster recovery, and large-scale data transfers.

Best use case

Ideal for IT professionals, cloud architects, or developers tasked with designing, implementing, or troubleshooting network connectivity for hybrid cloud deployments. It provides expert guidance from an AI agent for establishing secure and efficient communication paths between corporate networks and public cloud resources.


Users can expect a comprehensive plan, detailed configuration guidance, or a step-by-step methodology for setting up or optimizing hybrid cloud network connectivity. This includes recommendations on specific technologies, security considerations, performance tuning, and verification steps, all tailored to their stated requirements and constraints.

Practical example

Example input

I need to connect my on-premises data center in Frankfurt to an AWS VPC in eu-central-1 for a database replication workload. What's the best approach for high availability and low latency, and what steps should I follow?

Example output

To achieve high availability and low latency for database replication between your on-premises data center in Frankfurt and an AWS VPC in eu-central-1, a combination of AWS Direct Connect and VPN as a backup is highly recommended.

**Actionable Steps:**

1.  **Assess Your Requirements:**
    *   **Bandwidth:** Estimate the peak bandwidth required for your database replication.
    *   **Latency Tolerance:** Identify the maximum acceptable latency.
    *   **RTO/RPO:** Define your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for network connectivity.

2.  **AWS Direct Connect Implementation:**
    *   **Identify a Direct Connect Location:** Find a Direct Connect location near your Frankfurt data center (e.g., Equinix FR1/FR5 in Frankfurt).
    *   **Order a Cross Connect:** Work with your co-location provider to establish a cross-connect from your network equipment to the Direct Connect router.
    *   **Create a Direct Connect Connection:** In the AWS console, provision a new Direct Connect connection, specifying the port speed (e.g., 1 Gbps, 10 Gbps).
    *   **Create Virtual Interfaces (VIFs):**
        *   **Private VIF:** For connecting to your VPC. You'll need to specify your on-premises BGP ASN and IP prefixes.
        *   **Public VIF (Optional):** If you need to access public AWS services (S3, EC2 public IPs) over Direct Connect.
    *   **Configure BGP:** Set up BGP peering between your on-premises router and the AWS Direct Connect router using the specified BGP ASN and prefixes.

3.  **VPN (IPsec) as a Backup:**
    *   **Create a Customer Gateway:** In AWS VPC, define your on-premises VPN device's public IP address.
    *   **Create a Virtual Private Gateway (VGW):** Attach a VGW to your eu-central-1 VPC.
    *   **Create Site-to-Site VPN Connection:** Configure a VPN connection between the VGW and your Customer Gateway. AWS will provide two VPN tunnels for redundancy.
    *   **Configure VPN on-premises:** Set up your on-premises router to establish IPsec tunnels to both AWS VPN endpoints.
    *   **Configure Routing:** Use BGP over VPN or static routes to advertise your on-premises networks to AWS and vice versa. Configure routing preference so that Direct Connect is preferred, and VPN is used only if Direct Connect fails.

4.  **Network Monitoring and Testing:**
    *   Implement monitoring for both Direct Connect and VPN connections (e.g., BGP status, latency, packet loss).
    *   Regularly test failover scenarios to ensure the VPN backup functions correctly.
    *   Conduct performance benchmarks for your database replication over both primary and backup paths.

By following these steps, you will establish a resilient and high-performance hybrid cloud network for your database replication workload.

When to use this skill

  • Designing a new hybrid cloud network architecture.
  • Optimizing existing on-premises to cloud connectivity for performance, cost, or redundancy.
  • Troubleshooting network issues in a hybrid environment.
  • Seeking best practice recommendations for implementing VPNs, AWS Direct Connect, or Azure ExpressRoute.

When not to use this skill

  • The task is unrelated to hybrid cloud networking concepts or implementations.
  • You require assistance with a networking domain or tool outside the scope of VPN, AWS Direct Connect, or Azure ExpressRoute.
  • You need direct network configuration execution or automated deployment (this skill provides guidance and planning, not direct execution).
  • The goal is purely on-premises networking without any cloud integration.

Installation

Claude Code / Cursor / Codex

$ curl -o ~/.claude/skills/hybrid-cloud-networking/SKILL.md --create-dirs "https://raw.githubusercontent.com/sickn33/antigravity-awesome-skills/main/plugins/antigravity-awesome-skills-claude/skills/hybrid-cloud-networking/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/hybrid-cloud-networking/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How hybrid-cloud-networking Compares

Feature / Agent           hybrid-cloud-networking   Standard Approach
Platform Support          Claude                    Limited / Varies
Context Awareness         High                      Baseline
Installation Complexity   medium                    N/A

Frequently Asked Questions

What does this skill do?

Configure secure, high-performance connectivity between on-premises and cloud environments using VPN, Direct Connect, and ExpressRoute.

Which AI agents support this skill?

This skill is designed for Claude.

How difficult is it to install?

The installation complexity is rated as medium. You can find the installation instructions above.

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.


SKILL.md Source

# Hybrid Cloud Networking

Configure secure, high-performance connectivity between on-premises and cloud environments using VPN, Direct Connect, and ExpressRoute.

## Do not use this skill when

- The task is unrelated to hybrid cloud networking
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

## Purpose

Establish secure, reliable network connectivity between on-premises data centers and cloud providers (AWS, Azure, GCP).

## Use this skill when

- Connect on-premises to cloud
- Extend datacenter to cloud
- Implement hybrid active-active setups
- Meet compliance requirements
- Migrate to cloud gradually

## Connection Options

### AWS Connectivity

#### 1. Site-to-Site VPN
- IPsec VPN over the public internet
- Up to 1.25 Gbps per tunnel
- Cost-effective for moderate bandwidth
- Higher latency, internet-dependent

```hcl
resource "aws_vpn_gateway" "main" {
  vpc_id = aws_vpc.main.id
  tags = {
    Name = "main-vpn-gateway"
  }
}

resource "aws_customer_gateway" "main" {
  bgp_asn    = 65000
  ip_address = "203.0.113.1"
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "main" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.main.id
  type                = "ipsec.1"
  static_routes_only  = false
}
```

#### 2. AWS Direct Connect
- Dedicated network connection
- 1 Gbps to 100 Gbps
- Lower latency, consistent bandwidth
- More expensive, setup time required

**Reference:** See `references/direct-connect.md`

### Azure Connectivity

#### 1. Site-to-Site VPN
```hcl
resource "azurerm_virtual_network_gateway" "vpn" {
  name                = "vpn-gateway"
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name

  type     = "Vpn"
  vpn_type = "RouteBased"
  sku      = "VpnGw1"

  ip_configuration {
    name                          = "vnetGatewayConfig"
    public_ip_address_id          = azurerm_public_ip.vpn.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gateway.id
  }
}
```

#### 2. Azure ExpressRoute
- Private connection via connectivity provider
- Up to 100 Gbps
- Low latency, high reliability
- Premium for global connectivity

### GCP Connectivity

#### 1. Cloud VPN
- IPsec VPN (Classic or HA VPN)
- HA VPN: 99.99% SLA
- Up to 3 Gbps per tunnel

#### 2. Cloud Interconnect
- Dedicated (10 Gbps, 100 Gbps)
- Partner (50 Mbps to 50 Gbps)
- Lower latency than VPN

## Hybrid Network Patterns

### Pattern 1: Hub-and-Spoke
```
On-Premises Datacenter
         ↓
    VPN/Direct Connect
         ↓
    Transit Gateway (AWS) / vWAN (Azure)
         ↓
    ├─ Production VPC/VNet
    ├─ Staging VPC/VNet
    └─ Development VPC/VNet
```

### Pattern 2: Multi-Region Hybrid
```
On-Premises
    ├─ Direct Connect → us-east-1
    └─ Direct Connect → us-west-2
            ↓
        Cross-Region Peering
```

### Pattern 3: Multi-Cloud Hybrid
```
On-Premises Datacenter
    ├─ Direct Connect → AWS
    ├─ ExpressRoute → Azure
    └─ Interconnect → GCP
```

## Routing Configuration

### BGP Configuration
```
On-Premises Router:
- AS Number: 65000
- Advertise: 10.0.0.0/8

Cloud Router:
- AS Number: 64512 (AWS), 65515 (Azure)
- Advertise: Cloud VPC/VNet CIDRs
```

### Route Propagation
- Enable route propagation on route tables
- Use BGP for dynamic routing
- Implement route filtering
- Monitor route advertisements
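The route-filtering item above is easiest to reason about as a concrete check. The following is an added example (not part of the skill's own files) that applies the prefixes from the Routing Configuration section as an allow-list: on-premises may only originate prefixes inside 10.0.0.0/8, the cloud side only its VPC/VNet CIDRs, a default route is never accepted, and prefixes more specific than a /24 are rejected. The cloud CIDRs, the /24 limit and the list of learned routes are constructed for the example.

```python
"""Prefix-filter check for BGP advertisements over a hybrid link.

Added example, not part of the skill's own files. Each peer may only originate
prefixes inside its allowed ranges (on-premises 10.0.0.0/8, cloud VPC/VNet
CIDRs), a default route is never accepted, and overly specific prefixes are
rejected. The allow-list, the /24 limit and the route list are constructed.
"""
import ipaddress

# Constructed policy: the ranges each peer is allowed to originate.
ALLOWED_PREFIXES = {
    "onprem": ["10.0.0.0/8"],
    "cloud": ["172.16.0.0/16", "172.17.0.0/16"],  # stand-in VPC/VNet CIDRs
}
MAX_PREFIX_LEN = 24  # constructed limit: nothing more specific than a /24


def check_route(prefix, origin, allowed=ALLOWED_PREFIXES, max_len=MAX_PREFIX_LEN):
    """Return None if the advertisement is acceptable, otherwise the reason it is not."""
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return f"unparseable prefix {prefix!r}: {exc}"
    if net.prefixlen == 0:
        return "default route must not be advertised over the hybrid link"
    if net.prefixlen > max_len:
        return f"prefix is more specific than /{max_len}"
    for allowed_cidr in allowed.get(origin, []):
        allowed_net = ipaddress.ip_network(allowed_cidr)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return None
    return f"{prefix} is outside the ranges that {origin!r} may originate"


def filter_routes(routes, allowed=ALLOWED_PREFIXES, max_len=MAX_PREFIX_LEN):
    """Split BGP-learned routes into accepted prefixes and (prefix, reason) rejections."""
    accepted, rejected = [], []
    for route in routes:
        reason = check_route(route["prefix"], route["origin"], allowed, max_len)
        if reason is None:
            accepted.append(route["prefix"])
        else:
            rejected.append((route["prefix"], reason))
    return accepted, rejected


# Constructed sample of routes learned from both peers. Three of them should be
# caught by the filter: a default route, a cloud CIDR re-advertised from
# on-premises, and an over-specific /28.
SAMPLE_ROUTES = [
    {"prefix": "10.10.0.0/16", "origin": "onprem"},
    {"prefix": "10.20.0.0/22", "origin": "onprem"},
    {"prefix": "0.0.0.0/0", "origin": "onprem"},
    {"prefix": "172.16.0.0/16", "origin": "cloud"},
    {"prefix": "172.16.5.0/24", "origin": "onprem"},
    {"prefix": "10.30.1.0/28", "origin": "onprem"},
]

if __name__ == "__main__":
    accepted, rejected = filter_routes(SAMPLE_ROUTES)
    print("accepted:", ", ".join(accepted))
    for prefix, reason in rejected:
        print(f"rejected {prefix}: {reason}")
```

The same logic is what a prefix-list or route-map on the on-premises router enforces; running it against a dump of the BGP table is a cheap way to confirm the filter matches the intended policy before a leaked default route or a cloud CIDR bouncing back over the link causes a routing loop.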

## Security Best Practices

1. **Use private connectivity** (Direct Connect/ExpressRoute)
2. **Implement encryption** for VPN tunnels
3. **Use VPC endpoints** to avoid internet routing
4. **Configure network ACLs** and security groups
5. **Enable VPC Flow Logs** for monitoring
6. **Implement DDoS protection**
7. **Use PrivateLink/Private Endpoints**
8. **Monitor connections** with CloudWatch/Monitor
9. **Implement redundancy** (dual tunnels)
10. **Regular security audits**

## High Availability

### Dual VPN Tunnels
```hcl
resource "aws_vpn_connection" "primary" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.primary.id
  type                = "ipsec.1"
}

resource "aws_vpn_connection" "secondary" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.secondary.id
  type                = "ipsec.1"
}
```

### Active-Active Configuration
- Multiple connections from different locations
- BGP for automatic failover
- Equal-cost multi-path (ECMP) routing
- Monitor health of all connections

## Monitoring and Troubleshooting

### Key Metrics
- Tunnel status (up/down)
- Bytes in/out
- Packet loss
- Latency
- BGP session status

### Troubleshooting
```bash
# AWS VPN: connection state plus per-tunnel telemetry (Status, AcceptedRouteCount)
aws ec2 describe-vpn-connections
aws ec2 describe-vpn-connections --query 'VpnConnections[].VgwTelemetry'

# Azure VPN (replace the placeholders with your connection, resource group and device details)
az network vpn-connection show --name <connection-name> --resource-group <rg-name>
az network vpn-connection show-device-config-script --name <connection-name> --resource-group <rg-name> \
  --vendor <vendor> --device-family <device-family> --firmware-version <firmware-version>
```
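The tunnel status and BGP session metrics listed under Key Metrics, and the failover testing in step 4 of the example output above, both come down to the same question: does each Site-to-Site VPN connection still have two usable tunnels? The following is an added example (not part of the skill's own files) that answers it from the JSON that `aws ec2 describe-vpn-connections` prints. A tunnel counts as usable only when its Status is UP and it has accepted routes; one usable tunnel means the path works but has lost its redundancy, none means the backup path is gone. The JSON below is a constructed sample in the shape of the CLI output, not a captured response.

```python
"""Redundancy check over `aws ec2 describe-vpn-connections` output.

Added example, not part of the skill's own files. Every Site-to-Site VPN
connection has two tunnels; a tunnel is usable only when Status is UP and it
has accepted routes. The JSON is a constructed sample, not a captured response.
"""
import json

# Constructed sample: a healthy connection and one that has silently degraded.
SAMPLE_CLI_OUTPUT = json.dumps({
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0example0primary",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "192.0.2.10", "Status": "UP", "AcceptedRouteCount": 3},
                {"OutsideIpAddress": "192.0.2.11", "Status": "UP", "AcceptedRouteCount": 3},
            ],
        },
        {
            "VpnConnectionId": "vpn-0example0secondary",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "198.51.100.10", "Status": "UP", "AcceptedRouteCount": 0},
                {"OutsideIpAddress": "198.51.100.11", "Status": "DOWN", "AcceptedRouteCount": 0},
            ],
        },
    ]
})


def assess_connection(conn, expected_tunnels=2):
    """Return (severity, findings) for one VpnConnection dict.

    severity is "ok", "degraded" (fewer usable tunnels than expected) or
    "critical" (no usable tunnel at all, or the connection is not available).
    """
    findings = []
    usable = 0
    available = conn.get("State") == "available"
    if not available:
        findings.append(f"connection state is {conn.get('State')!r}")
    for tunnel in conn.get("VgwTelemetry", []):
        ip = tunnel.get("OutsideIpAddress", "?")
        if tunnel.get("Status") != "UP":
            findings.append(f"tunnel {ip} is {tunnel.get('Status')}")
        elif tunnel.get("AcceptedRouteCount", 0) == 0:
            # An UP tunnel with no routes carries nothing once BGP is in use.
            findings.append(f"tunnel {ip} is UP but has accepted no routes")
        else:
            usable += 1
    if usable == 0 or not available:
        severity = "critical"
    elif usable < expected_tunnels:
        severity = "degraded"
    else:
        severity = "ok"
    return severity, findings


def assess_vpn_connections(cli_json, expected_tunnels=2):
    """Parse the CLI JSON and map each VpnConnectionId to its (severity, findings)."""
    data = json.loads(cli_json)
    return {
        conn["VpnConnectionId"]: assess_connection(conn, expected_tunnels)
        for conn in data.get("VpnConnections", [])
    }


if __name__ == "__main__":
    for conn_id, (severity, findings) in assess_vpn_connections(SAMPLE_CLI_OUTPUT).items():
        print(f"{conn_id}: {severity}")
        for finding in findings:
            print(f"  - {finding}")
```

To run it against a live account, replace `SAMPLE_CLI_OUTPUT` with `sys.stdin.read()` and pipe `aws ec2 describe-vpn-connections` into the script. Treating "UP but zero accepted routes" as a finding is deliberate: it is the state a tunnel sits in when IKE negotiates but the BGP session never establishes, and a tunnel-state-only alarm would report it as healthy.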

## Cost Optimization

1. **Right-size connections** based on traffic
2. **Use VPN for low-bandwidth** workloads
3. **Consolidate traffic** through fewer connections
4. **Minimize data transfer** costs
5. **Use Direct Connect** for high bandwidth
6. **Implement caching** to reduce traffic

## Reference Files

- `references/vpn-setup.md` - VPN configuration guide
- `references/direct-connect.md` - Direct Connect setup

## Related Skills

- `multi-cloud-architecture` - For architecture decisions
- `terraform-module-library` - For IaC implementation
