
network-engineering skill


This skill helps you design robust networks, troubleshoot connectivity, and optimize performance across load balancing, DNS, SSL/TLS, and security.

npx playbooks add skill 89jobrien/steve --skill network-engineering


Files (1): SKILL.md (5.6 KB)
---
name: network-engineering
description: Network architecture, troubleshooting, and infrastructure patterns. Use
  when designing network topologies, debugging connectivity issues, configuring load
  balancers, DNS, or implementing network security.
author: Joseph OBrien
status: unpublished
updated: '2025-12-23'
version: 1.0.1
tag: skill
type: skill
---

# Network Engineering

Comprehensive network engineering skill covering network design, troubleshooting, load balancing, DNS, and network security.

## When to Use This Skill

- Designing network topologies
- Troubleshooting connectivity issues
- Configuring load balancers
- DNS configuration and troubleshooting
- SSL/TLS setup and debugging
- Network security implementation
- Performance optimization
- CDN configuration

## Network Architecture

### OSI Model Reference

| Layer | Name | Protocols | Troubleshooting |
|-------|------|-----------|-----------------|
| 7 | Application | HTTP, DNS, SMTP | curl, browser tools |
| 6 | Presentation | SSL/TLS | openssl |
| 5 | Session | NetBIOS | - |
| 4 | Transport | TCP, UDP | netstat, ss |
| 3 | Network | IP, ICMP | ping, traceroute |
| 2 | Data Link | Ethernet | arp |
| 1 | Physical | - | cable tester |

### VPC/Network Design

**Subnet Strategy:**

```
VPC CIDR: 10.0.0.0/16 (65,536 IPs)

Public Subnets (internet-facing):
  - 10.0.1.0/24 (AZ-a) - Load balancers, bastion
  - 10.0.2.0/24 (AZ-b)
  - 10.0.3.0/24 (AZ-c)

Private Subnets (application tier):
  - 10.0.11.0/24 (AZ-a) - App servers
  - 10.0.12.0/24 (AZ-b)
  - 10.0.13.0/24 (AZ-c)

Database Subnets (isolated):
  - 10.0.21.0/24 (AZ-a) - Databases only
  - 10.0.22.0/24 (AZ-b)
  - 10.0.23.0/24 (AZ-c)
```

**Traffic Flow:**

- Internet → Load Balancer (public) → App (private) → DB (isolated)
- NAT Gateway for private subnet outbound
- VPC Endpoints for AWS services

## Load Balancing

### Load Balancer Types

| Type | Layer | Use Case |
|------|-------|----------|
| Application (ALB) | 7 | HTTP/HTTPS, path routing |
| Network (NLB) | 4 | TCP/UDP, static IP, high performance |
| Classic | 4/7 | Legacy |
| Gateway | 3 | Third-party appliances |

### Health Checks

```yaml
# ALB Health Check
health_check:
  path: /health
  protocol: HTTP
  port: 8080
  interval: 30
  timeout: 5
  healthy_threshold: 2
  unhealthy_threshold: 3
  matcher: "200-299"
```
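An added example (not AWS code) that replays a sequence of probe results against the health check above, showing when a target is marked unhealthy and when it recovers. The timing is approximated as probe index times interval; the threshold semantics (consecutive failures/successes) are the only behaviour assumed.

```python
# Added example (not AWS code): replay probe results against the health check
# above to see when a target is marked unhealthy and when it recovers. Probes
# are HTTP status codes, or None for a timeout; thresholds come from the YAML.
HEALTH_CHECK = {"interval": 30, "timeout": 5, "healthy_threshold": 2,
                "unhealthy_threshold": 3, "matcher": "200-299"}


def matches(status, matcher):
    """True if status is inside the matcher, e.g. "200-299" or "200,301-302"."""
    for part in matcher.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= status <= int(hi or lo):
            return True
    return False


def simulate(probes, cfg=HEALTH_CHECK, start="healthy"):
    """Return (final_state, transitions); each transition is
    (probe_index, new_state, seconds_elapsed) with time approximated as
    (index + 1) * interval. A target flips only after unhealthy_threshold
    consecutive failures or healthy_threshold consecutive successes, so
    isolated failures and flapping are absorbed."""
    state, streak, transitions = start, 0, []
    for i, status in enumerate(probes):
        ok = status is not None and matches(status, cfg["matcher"])
        # Count consecutive probes that disagree with the current state.
        streak = streak + 1 if ok != (state == "healthy") else 0
        need = cfg["healthy_threshold"] if state == "unhealthy" else cfg["unhealthy_threshold"]
        if streak >= need:
            state = "healthy" if ok else "unhealthy"
            streak = 0
            transitions.append((i, state, (i + 1) * cfg["interval"]))
    return state, transitions


def detection_window_seconds(cfg=HEALTH_CHECK):
    """Roughly how long a dead target keeps receiving traffic before it is
    pulled: with these values 3 * 30 = 90 s (exact timing also depends on
    where in the probe schedule the failure began)."""
    return cfg["unhealthy_threshold"] * cfg["interval"]
```

Lowering `interval` or `unhealthy_threshold` shrinks the window at the cost of more false positives from transient errors; tune both against the service's real tail latency.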

### Routing Strategies

- **Round Robin**: Equal distribution
- **Least Connections**: Route to least busy
- **IP Hash**: Sticky sessions by client IP
- **Weighted**: Percentage-based distribution
- **Path-based**: Route by URL path
- **Host-based**: Route by hostname

## DNS

### Record Types

| Type | Purpose | Example |
|------|---------|---------|
| A | IPv4 address | `example.com → 192.0.2.1` |
| AAAA | IPv6 address | `example.com → 2001:db8::1` |
| CNAME | Alias | `www → example.com` |
| MX | Mail server | `example.com → mail.example.com` |
| TXT | Arbitrary text | SPF, DKIM, verification |
| NS | Name server | DNS delegation |
| SRV | Service location | `_sip._tcp.example.com` |
| CAA | Certificate authority | Restrict CA issuance |

### DNS Debugging

```bash
# Query specific record type
dig example.com A
dig example.com MX
dig example.com TXT

# Query specific DNS server
dig @8.8.8.8 example.com

# Trace DNS resolution
dig +trace example.com

# Check propagation (run against each authoritative server and public resolver;
# replace {dns-server} with the address to query)
dig +short example.com @{dns-server}
```

### TTL Strategy

| Record Type | Recommended TTL |
|-------------|-----------------|
| Static content | 86400 (1 day) |
| Dynamic content | 300 (5 min) |
| Failover records | 60 (1 min) |
| Pre-migration | Lower to 60 |

## SSL/TLS

### Certificate Types

| Type | Validation | Use Case |
|------|------------|----------|
| DV | Domain ownership | Basic sites |
| OV | Organization verified | Business sites |
| EV | Extended validation | High-trust sites |
| Wildcard | *.domain.com | Multiple subdomains |
| SAN | Multi-domain | Multiple specific domains |

### TLS Configuration

**Recommended Settings:**

- TLS 1.2 and 1.3 only
- Strong cipher suites (AEAD)
- HSTS enabled
- OCSP stapling
- Certificate transparency

### Debugging SSL

```bash
# Check certificate
openssl s_client -connect example.com:443 -servername example.com

# Check certificate chain
openssl s_client -connect example.com:443 -showcerts

# Check expiration
echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

# Test TLS versions
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3
```
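An added example (not part of the skill) that parses the output of the expiration check above (`openssl x509 -noout -dates`) and turns it into days remaining and a renewal decision; the sample output and the 30-day renewal threshold are constructed.

```python
# Added example (not part of the skill): parse the output of
# `openssl x509 -noout -dates` from the expiration check above and compute the
# remaining validity. The sample output below is constructed.
from datetime import datetime, timezone

SAMPLE_DATES = """notBefore=Jan  5 00:00:00 2025 GMT
notAfter=Apr  5 23:59:59 2025 GMT
"""


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with a space ("Jan  5") and ends
            # the line with the zone name (GMT); collapse spaces, drop the zone.
            value = " ".join(value.split()[:-1])
            dt = datetime.strptime(value, "%b %d %H:%M:%S %Y")
            found[key] = dt.replace(tzinfo=timezone.utc)
    if len(found) != 2:
        raise ValueError("expected both notBefore and notAfter lines")
    return found["notBefore"], found["notAfter"]


def _as_utc(now):
    """Accept a datetime or an ISO-8601 string; naive values are taken as UTC."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    return now if now.tzinfo else now.replace(tzinfo=timezone.utc)


def days_remaining(text, now):
    """Days until notAfter (negative once expired); None if not yet valid."""
    now = _as_utc(now)
    not_before, not_after = parse_openssl_dates(text)
    if now < not_before:
        return None
    return (not_after - now).total_seconds() / 86400


def needs_renewal(text, now, threshold_days=30):
    """Renew when fewer than threshold_days remain or the cert is not yet valid."""
    days = days_remaining(text, now)
    return days is None or days < threshold_days
```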

## Troubleshooting

### Connectivity Checklist

1. **Physical/Cloud layer**: Is the instance running?
2. **Security groups**: Are ports open?
3. **NACLs**: Are subnets allowing traffic?
4. **Route tables**: Is routing correct?
5. **DNS**: Does name resolve?
6. **Application**: Is service listening?
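An added example (constructed rules, not AWS's evaluation code) covering steps 2 and 3 of the checklist for a single inbound TCP connection: a security group is stateful and allow-only, while a NACL is stateless and evaluated in rule-number order, so the reply on the client's ephemeral port must be allowed outbound explicitly. The rule dictionaries and port range are our own simplification.

```python
# Added example with constructed rules (not AWS's evaluation code): steps 2 and 3
# of the checklist for one TCP connection. Security groups are stateful and
# allow-only; NACLs are stateless and ordered, so the reply on the client's
# ephemeral port must be explicitly allowed outbound.
import ipaddress


def sg_allows(rules, proto, port, peer_ip):
    """Any matching allow rule admits the request; the reply is implied."""
    addr = ipaddress.ip_address(peer_ip)
    return any(r["proto"] == proto and r["from"] <= port <= r["to"]
               and addr in ipaddress.ip_network(r["cidr"]) for r in rules)


def nacl_decides(rules, proto, port, peer_ip):
    """Lowest-numbered matching rule wins; the implicit final rule denies."""
    addr = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda rule: rule["num"]):
        if (r["proto"] in (proto, "all") and r["from"] <= port <= r["to"]
                and addr in ipaddress.ip_network(r["cidr"])):
            return r["action"]
    return "deny"


def inbound_tcp_reachable(sg_in, nacl_in, nacl_out, port, client_ip, client_port):
    """Return (ok, reasons) for a client connecting to `port` from `client_port`."""
    reasons = []
    if not sg_allows(sg_in, "tcp", port, client_ip):
        reasons.append(f"security group: no inbound tcp/{port} rule for {client_ip}")
    if nacl_decides(nacl_in, "tcp", port, client_ip) != "allow":
        reasons.append(f"NACL inbound: tcp/{port} from {client_ip} denied")
    if nacl_decides(nacl_out, "tcp", client_port, client_ip) != "allow":
        reasons.append(f"NACL outbound: reply to {client_ip}:{client_port} denied "
                       "(ephemeral port range 1024-65535 missing?)")
    return not reasons, reasons


# Constructed sample: the SG opens 443 to the world and the NACL admits 443
# inbound, but the outbound NACL only allows 443, so SYN-ACKs never leave.
ANY = "0.0.0.0/0"
SG_IN = [{"proto": "tcp", "from": 443, "to": 443, "cidr": ANY}]
NACL_IN = [{"num": 100, "proto": "tcp", "from": 443, "to": 443, "cidr": ANY, "action": "allow"}]
NACL_OUT_BROKEN = [{"num": 100, "proto": "tcp", "from": 443, "to": 443, "cidr": ANY, "action": "allow"}]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [
    {"num": 110, "proto": "tcp", "from": 1024, "to": 65535, "cidr": ANY, "action": "allow"}]
```

The broken case is the classic "security group looks right but the handshake hangs" symptom; `tcpdump` on the instance shows inbound SYNs with no outbound SYN-ACK.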

### Common Commands

```bash
# Check if port is listening
netstat -tlnp | grep :80
ss -tlnp | grep :80

# Test TCP connectivity
nc -zv hostname 443
telnet hostname 443

# Check routes
ip route
traceroute hostname
mtr hostname

# DNS resolution
nslookup hostname
dig hostname
host hostname

# Network interfaces
ip addr
ifconfig

# Active connections
netstat -an
ss -tuln
```

### Performance Debugging

```bash
# Bandwidth test
iperf3 -c server-ip

# Latency analysis
ping -c 100 hostname | tail -1

# MTU issues: 1472 bytes of payload + 28 bytes of IP/ICMP headers = 1500;
# -M do sets Don't Fragment, so a path with a smaller MTU returns an error
# instead of silently fragmenting
ping -M do -s 1472 hostname

# Packet capture
tcpdump -i eth0 port 443
```

## Reference Files

- **`references/troubleshooting.md`** - Detailed troubleshooting workflows

## Integration with Other Skills

- **cloud-infrastructure** - For cloud networking
- **security-engineering** - For network security
- **performance** - For network optimization

Overview

This skill provides practical network engineering guidance for architecture, troubleshooting, load balancing, DNS, SSL/TLS, and security. It focuses on actionable patterns and command-line checks you can use to design, diagnose, and harden networks. Use it to produce reliable topologies, debug connectivity quickly, and tune performance for production systems.

How this skill works

The skill inspects common network layers and components, offering reference checks, CIDR/subnet strategies, traffic flow patterns, and troubleshooting checklists. It maps tools and commands to problems (ping, traceroute, dig, openssl, tcpdump, iperf3) and recommends configuration patterns for VPCs, load balancers, DNS records, and TLS. It also provides health-check and routing strategies, plus performance and security hardening tips.

When to use it

  • Designing VPC/subnet layouts and traffic flow for multi-AZ deployments
  • Debugging connectivity issues from physical link to application layer
  • Configuring or tuning load balancers and health checks
  • Setting up DNS records, TTL strategy, and diagnosing resolution problems
  • Implementing SSL/TLS configurations and debugging certificate chains

Best practices

  • Segment networks by role: public, private app, isolated DB subnets with explicit routing
  • Use TLS 1.2+ (prefer 1.3), AEAD ciphers, HSTS, and OCSP stapling for public services
  • Keep low TTLs only during migrations or failover; use longer TTLs for stable records
  • Use health checks with clear success/failure thresholds and monitor response codes
  • Follow a layered troubleshooting checklist: instance, security groups, NACLs, routes, DNS, service

Example use cases

  • Designing a three-AZ VPC with separate public, private, and DB subnets and NAT/endpoint patterns
  • Troubleshooting intermittent HTTPS failures by checking security groups, route tables, and running openssl s_client
  • Tuning an ALB with path-based routing, health checks on /health, and weighted deployments
  • Diagnosing DNS propagation or misconfiguration using dig +trace and targeted nameserver queries
  • Investigating performance issues with iperf3 for bandwidth and tcpdump for packet-level analysis

FAQ

Which load balancer type should I choose?

Choose ALB for HTTP/HTTPS and path/host routing, NLB for high-performance TCP/UDP with static IP needs, and gateway appliances for specialized third-party functions.

How do I quickly isolate a connectivity problem?

Follow the checklist: confirm instance state, check security groups and NACLs, validate route tables, resolve DNS, then test the application port and capture packets if needed.