Initial commit

2025-11-29 18:33:20 +08:00
commit 0fbd64964a
14 changed files with 1919 additions and 0 deletions
--- a/skills/hybrid-cloud-networking/SKILL.md
+++ b/skills/hybrid-cloud-networking/SKILL.md
@@ -0,0 +1,226 @@
+---
+name: hybrid-cloud-networking
+description: Configure secure, high-performance connectivity between on-premises infrastructure and cloud platforms using VPN and dedicated connections. Use when building hybrid cloud architectures, connecting data centers to cloud, or implementing secure cross-premises networking.
+---
+
+# Hybrid Cloud Networking
+
+Configure secure, high-performance connectivity between on-premises and cloud environments using VPN, Direct Connect, and ExpressRoute.
+
+## Purpose
+
+Establish secure, reliable network connectivity between on-premises data centers and cloud providers (AWS, Azure, GCP).
+
+## When to Use
+
+- Connect on-premises to cloud
+- Extend datacenter to cloud
+- Implement hybrid active-active setups
+- Meet compliance requirements
+- Migrate to cloud gradually
+
+## Connection Options
+
+### AWS Connectivity
+
+#### 1. Site-to-Site VPN
+- IPSec VPN over internet
+- Up to 1.25 Gbps per tunnel
+- Cost-effective for moderate bandwidth
+- Higher latency, internet-dependent
+
+```hcl
+resource "aws_vpn_gateway" "main" {
+  vpc_id = aws_vpc.main.id
+  tags = {
+    Name = "main-vpn-gateway"
+  }
+}
+
+resource "aws_customer_gateway" "main" {
+  bgp_asn    = 65000
+  ip_address = "203.0.113.1"
+  type       = "ipsec.1"
+}
+
+resource "aws_vpn_connection" "main" {
+  vpn_gateway_id      = aws_vpn_gateway.main.id
+  customer_gateway_id = aws_customer_gateway.main.id
+  type                = "ipsec.1"
+  static_routes_only  = false
+}
+```
+
+#### 2. AWS Direct Connect
+- Dedicated network connection
+- 1 Gbps to 100 Gbps
+- Lower latency, consistent bandwidth
+- More expensive, setup time required
+
+**Reference:** See `references/direct-connect.md`
+
+### Azure Connectivity
+
+#### 1. Site-to-Site VPN
+```hcl
+resource "azurerm_virtual_network_gateway" "vpn" {
+  name                = "vpn-gateway"
+  location            = azurerm_resource_group.main.location
+  resource_group_name = azurerm_resource_group.main.name
+
+  type     = "Vpn"
+  vpn_type = "RouteBased"
+  sku      = "VpnGw1"
+
+  ip_configuration {
+    name                          = "vnetGatewayConfig"
+    public_ip_address_id          = azurerm_public_ip.vpn.id
+    private_ip_address_allocation = "Dynamic"
+    subnet_id                     = azurerm_subnet.gateway.id
+  }
+}
+```
+
+#### 2. Azure ExpressRoute
+- Private connection via connectivity provider
+- Up to 100 Gbps
+- Low latency, high reliability
+- Premium for global connectivity
+
+### GCP Connectivity
+
+#### 1. Cloud VPN
+- IPSec VPN (Classic or HA VPN)
+- HA VPN: 99.99% SLA
+- Up to 3 Gbps per tunnel
+
+#### 2. Cloud Interconnect
+- Dedicated (10 Gbps, 100 Gbps)
+- Partner (50 Mbps to 50 Gbps)
+- Lower latency than VPN
+
+## Hybrid Network Patterns
+
+### Pattern 1: Hub-and-Spoke
+```
+On-Premises Datacenter
+         ↓
+    VPN/Direct Connect
+         ↓
+    Transit Gateway (AWS) / vWAN (Azure)
+         ↓
+    ├─ Production VPC/VNet
+    ├─ Staging VPC/VNet
+    └─ Development VPC/VNet
+```
+
+### Pattern 2: Multi-Region Hybrid
+```
+On-Premises
+    ├─ Direct Connect → us-east-1
+    └─ Direct Connect → us-west-2
+            ↓
+        Cross-Region Peering
+```
+
+### Pattern 3: Multi-Cloud Hybrid
+```
+On-Premises Datacenter
+    ├─ Direct Connect → AWS
+    ├─ ExpressRoute → Azure
+    └─ Interconnect → GCP
+```
+
+## Routing Configuration
+
+### BGP Configuration
+```
+On-Premises Router:
+- AS Number: 65000
+- Advertise: 10.0.0.0/8
+
+Cloud Router:
+- AS Number: 64512 (AWS), 65515 (Azure)
+- Advertise: Cloud VPC/VNet CIDRs
+```
+
+### Route Propagation
+- Enable route propagation on route tables
+- Use BGP for dynamic routing
+- Implement route filtering
+- Monitor route advertisements
+
+## Security Best Practices
+
+1. **Use private connectivity** (Direct Connect/ExpressRoute)
+2. **Implement encryption** for VPN tunnels
+3. **Use VPC endpoints** to avoid internet routing
+4. **Configure network ACLs** and security groups
+5. **Enable VPC Flow Logs** for monitoring
+6. **Implement DDoS protection**
+7. **Use PrivateLink/Private Endpoints**
+8. **Monitor connections** with CloudWatch/Monitor
+9. **Implement redundancy** (dual tunnels)
+10. **Regular security audits**
+
+## High Availability
+
+### Dual VPN Tunnels
+```hcl
+resource "aws_vpn_connection" "primary" {
+  vpn_gateway_id      = aws_vpn_gateway.main.id
+  customer_gateway_id = aws_customer_gateway.primary.id
+  type                = "ipsec.1"
+}
+
+resource "aws_vpn_connection" "secondary" {
+  vpn_gateway_id      = aws_vpn_gateway.main.id
+  customer_gateway_id = aws_customer_gateway.secondary.id
+  type                = "ipsec.1"
+}
+```
+
+### Active-Active Configuration
+- Multiple connections from different locations
+- BGP for automatic failover
+- Equal-cost multi-path (ECMP) routing
+- Monitor health of all connections
+
+## Monitoring and Troubleshooting
+
+### Key Metrics
+- Tunnel status (up/down)
+- Bytes in/out
+- Packet loss
+- Latency
+- BGP session status
+
+### Troubleshooting
+```bash
+# AWS VPN
+aws ec2 describe-vpn-connections
+aws ec2 get-vpn-connection-telemetry
+
+# Azure VPN
+az network vpn-connection show
+az network vpn-connection show-device-config-script
+```
+
+## Cost Optimization
+
+1. **Right-size connections** based on traffic
+2. **Use VPN for low-bandwidth** workloads
+3. **Consolidate traffic** through fewer connections
+4. **Minimize data transfer** costs
+5. **Use Direct Connect** for high bandwidth
+6. **Implement caching** to reduce traffic
+
+## Reference Files
+
+- `references/vpn-setup.md` - VPN configuration guide
+- `references/direct-connect.md` - Direct Connect setup
+
+## Related Skills
+
+- `multi-cloud-architecture` - For architecture decisions
+- `terraform-module-library` - For IaC implementation