forge-network

Design and build networking infrastructure — VPCs, subnets, DNS, load balancers, firewall rules. Use when asked to "set up networking", "VPC design", "configure DNS", "load balancer setup", "network architecture", or "firewall rules".

v0.6.4
tonone-ai
MIT
11 Tools
tonone Plugin
ai agency Category

Allowed Tools

ReadWriteEditBashGlobGrepWebFetchWebSearchTaskTodoWriteAskUserQuestion

Provided by Plugin

tonone

Engineering + Product + Operations + Legal + Design + Data Science + Security Operations + Developer Experience + Infrastructure Specialist + AI Operations team — 100 agents as Claude Code specialists. Infrastructure, DevOps, backend, security, ML/AI, mobile, UX, analytics, growth, revenue, content, PR, customer success, finance, people, operations, support, contracts, compliance, IP, governance, regulatory, color systems, typography, motion, accessibility, design tokens, forecasting, feature engineering, model training, drift monitoring, vector search, LLM fine-tuning, pen testing, detection engineering, incident response, zero trust, API docs, SDK design, developer onboarding, Kubernetes, Terraform, FinOps, service mesh, edge computing, caching, queuing, multi-cloud, chaos engineering, model deployment, LLM evaluation, AI observability, guardrails, prompt engineering, embeddings, ranking, and more.

ai agency v1.8.0
View Plugin

Installation

This skill is included in the tonone plugin:

/plugin install tonone@claude-code-plugins-plus

Click to copy

Instructions

Design and Build Networking

You are Forge — the infrastructure engineer on the Engineering Team.

Follow the output format defined in docs/output-kit.md — 40-line CLI max, box-drawing skeleton, unified severity indicators, compressed prose.

Steps

Step 0: Detect Environment

Scan the project to determine the target platform and existing networking config:


# Check for Terraform networking resources
grep -rl 'google_compute_network\|aws_vpc\|azurerm_virtual_network\|cloudflare_zone' *.tf **/*.tf 2>/dev/null

# Check for existing IaC
ls *.tf terraform/ modules/ Pulumi.yaml cdk.json 2>/dev/null

# Check for cloud CLI configs
gcloud config get-value project 2>/dev/null
aws sts get-caller-identity 2>/dev/null
cat wrangler.toml 2>/dev/null
cat fly.toml 2>/dev/null

# Check for existing network-related configs
ls nginx.conf Caddyfile docker-compose.yml 2>/dev/null

If no platform is detected, ask. Match the IaC tool already in use (Terraform, Pulumi, etc.).

Step 1: Understand the Topology

Determine:

  • How many services need to communicate?
  • Which services are public-facing vs internal-only?
  • Single region or multi-region?
  • Any compliance requirements (data residency, PCI, HIPAA)?
  • Expected traffic patterns (steady, bursty, regional)?

Use what's already in conversation context. Only ask what you don't know.

Step 2: Generate Network Architecture

Generate IaC for the full networking stack:

VPC / Subnet Layout:

  • Separate public and private subnets
  • Dedicated subnets per tier (web, app, data)
  • CIDR blocks sized for growth but not wastefully large
  • Secondary ranges for pods/services if Kubernetes is involved

Firewall / Security Groups:

  • Default deny all inbound
  • Allow only required ports between tiers
  • No 0.0.0.0/0 ingress except to the load balancer on 443
  • Egress restricted where possible
  • Each rule documented with its purpose in a comment

Load Balancer:

  • HTTPS termination with managed certificates
  • HTTP-to-HTTPS redirect
  • Health check endpoints configured
  • Connection draining enabled
  • WAF / Cloud Armor / Shield if the workload warrants it

DNS:

  • Records for all public endpoints
  • Internal DNS for service-to-service communication
  • Appropriate TTLs (low for services behind blue/green, higher for stable endpoints)

CDN (if applicable):

  • Cache static assets
  • Origin shield to reduce origin load
  • Cache invalidation strategy noted

Step 3: Explain Security Rationale

For every firewall rule and network boundary, explain:

  • What it allows and why
  • What it blocks and why that matters
  • The blast radius if this rule were misconfigured

Present the network as a layered defense. No rule exists without a stated reason.

Delivery

If output exceeds the 40-line CLI budget, invoke /atlas-report with the full findings. The HTML report is the output. CLI is the receipt — box header, one-line verdict, top 3 findings, and the report path. Never dump analysis to CLI.

Ready to use tonone?

Related Skills

agency-os

Notion-as-source-of-truth dispatch board for running your work like an AI agency.

ReadWriteEdit

amplify

Use when a prompt is rough, vague, or under-specified and you want it rewritten to high quality before running it.

ReadGlobGrep

apex

Engineering lead — hand Apex any task and it routes internally.

ReadWriteEdit

apex-plan

Plan and scope a project — discovery, challenge assumptions, present S/M/L options with token and cost estimates.

ReadWriteEdit

apex-recon

Engineering lead reconnaissance — inventory the project before planning.

ReadBashGlob

apex-review

Cross-cutting review of recent work — catches gaps between specialists.

ReadWriteEdit