Network Engineer Agent for Claude Code: Stop Googling AWS VPC Best Practices at 2 AM

Network architecture decisions are some of the most consequential — and irreversible — choices you make when building distributed systems. Get the subnet design wrong and you’re refactoring CIDR blocks six months later. Skip the redundancy planning and your “99.99% uptime” SLA becomes a post-mortem document. Forget zero-trust segmentation and your security review becomes an incident report.

Senior network engineers carry years of hard-won patterns in their heads: which routing protocols fail gracefully under partition, where to place NAT gateways to avoid cross-AZ data transfer charges, how to sequence firewall rules so IDS/IPS actually sees the right traffic. That institutional knowledge is exactly what the Network Engineer agent for Claude Code encodes — available on demand, without scheduling a call or waiting for a PR review from someone three time zones away.

This agent handles the full stack of network engineering concerns: multi-region topology design, VPC architecture, zero-trust security implementation, latency optimization, CDN placement, DNS architecture, load balancer configuration, and automated monitoring setup. It’s not a chatbot that recites documentation. It’s a structured agent that follows a systematic analysis workflow before recommending anything — querying your context, reviewing existing topology, analyzing performance metrics, then producing actionable solutions with proper justification.

When to Use the Network Engineer Agent

This agent earns its keep in specific, high-stakes situations. Here’s where it delivers the most value:

Greenfield Multi-Region Architecture

You’re building a global application and need to connect data centers or cloud regions with strict latency and availability SLAs. Designing this from scratch requires coordinating topology decisions, routing protocol selection, redundancy at every layer, and failover sequencing — before you write a single line of Terraform. The agent structures this systematically instead of letting you discover gaps during your first incident.

Performance Degradation Diagnosis

Users in a specific geography are reporting latency spikes. You have VPC flow logs, CloudWatch metrics, and a vague sense that something is wrong with your routing. The agent can walk through flow log analysis, identify suboptimal traffic paths, recommend route optimization, and evaluate CDN edge placement to address the root cause rather than layering band-aids.

Security Architecture for Cloud Migration

You’re moving workloads to AWS, GCP, or Azure and need to implement proper network segmentation from day one. Zero-trust architecture, micro-segmentation between service tiers, WAF rule sets, DDoS protection configuration, and network ACL design all need to happen before production traffic hits your new infrastructure. Getting this right upfront is dramatically cheaper than retrofitting it.

Hybrid Connectivity Design

You’re bridging on-premise infrastructure with cloud environments — Direct Connect, Site-to-Site VPN, SD-WAN, or some combination. These configurations have subtle failure modes and the agent knows the patterns that cause silent packet loss, asymmetric routing problems, and BGP session instability.

Pre-Production Network Review

Before launching a new service, run your architecture through the agent’s checklist: uptime targets, latency budgets, packet loss thresholds, security compliance, monitoring coverage, disaster recovery testing cadence. Catching gaps before launch is the entire point.

Real-World Examples

Scenario 1: Multi-Region Network With Hard SLA Requirements

A platform team needs to connect five regional data centers for a global B2B SaaS product. The contract specifies sub-50ms inter-region latency and 99.99% uptime — which means roughly 52 minutes of acceptable downtime per year.

Developer: We need to design a network that connects our 5 regional data centers
with sub-50ms latency and 99.99% uptime. What should the architecture look like?

Agent: I'll use the network-engineer agent to design a multi-region network
architecture with proper redundancy, traffic optimization, and failover
mechanisms to meet your SLA requirements.

Starting with topology analysis for your five regions — I'll map physical
distance constraints against your latency budget, then design a hub-and-spoke
vs. full mesh topology based on your traffic matrix. For 99.99% uptime, we
need N+1 redundancy at every layer: dual BGP paths, redundant transit gateways,
health-check-driven failover with sub-30s detection. I'll also spec out your
route optimization strategy — traffic engineering with ECMP where paths allow
it — and your monitoring baseline so you're alerting on degradation before
users notice.

The agent doesn’t just say “use redundant connections.” It structures the analysis around your actual constraints — latency budget, uptime math, traffic patterns — and produces architecture decisions with reasoning attached.

Scenario 2: Latency Optimization for Cross-Region Traffic

A product team deployed their primary services in US-East and is getting consistent complaints from European users. P95 latency is sitting at 150ms for API calls that should be hitting 40ms.

Developer: Our application users in Europe are experiencing 150ms latency
to our US-based services. We need to optimize our network routing and
consider CDN placement.

Agent: I'll use the network-engineer agent to analyze your current traffic
patterns, design an optimized routing strategy, and recommend edge location
placement to reduce latency.

First pass is traffic flow analysis — I need to understand whether this is
DNS resolution time, TCP handshake overhead, or application-layer latency.
For transatlantic routes, 150ms suggests you're doing round trips to US-East
for every request. Strategy options: CloudFront or similar CDN with European
PoPs for cacheable content, API Gateway regional endpoints for dynamic
requests, and potentially a thin European presence for connection termination
with backend fan-out to your US origin. I'll map your traffic types to the
right solution rather than applying CDN as a blanket fix.

Scenario 3: Zero-Trust Architecture for AWS Migration

An engineering team is migrating a monolith to AWS and needs to implement security-first network architecture before any production workloads land in the new environment.

Developer: We're migrating to AWS and need to implement a zero-trust network
architecture with proper segmentation, firewall rules, and DDoS protection.

Agent: I'll use the network-engineer agent to design a secure network with
micro-segmentation, implement network ACLs, configure WAF rules, and set up
DDoS protection mechanisms.

Zero-trust on AWS starts with VPC design — I'll spec out your subnet strategy
with public, private, and isolated tiers, security group rules that enforce
least-privilege east-west traffic between service layers, and Network ACLs
as a secondary control layer. For DDoS protection, AWS Shield Standard covers
layer 3/4 automatically, but I'll configure WAF rule sets for layer 7 — rate
limiting, geo-blocking if applicable, and managed rule groups for OWASP Top 10.
IDS/IPS visibility gets handled through VPC Traffic Mirroring to your analysis
layer. I'll also set up flow log export to CloudWatch with anomaly detection
alerts so you're not flying blind after launch.

What Makes This Agent Powerful

Systematic Analysis Before Recommendations

The agent follows a structured workflow: query network context, review existing topology, analyze performance metrics and security posture, then implement solutions. This prevents the common failure mode of jumping to architecture recommendations without understanding the actual constraints.

Comprehensive Domain Coverage

The agent covers the full network engineering stack — topology design, cloud VPC architecture, security implementation, performance optimization, DNS architecture, load balancing, monitoring, automation, and troubleshooting tooling. You’re not context-switching between different resources for different sub-problems.

Quantified Checklists

The agent’s internal checklist has specific, measurable targets: 99.99% uptime, sub-50ms regional latency, sub-0.01% packet loss, 100% monitoring coverage, quarterly DR testing. These aren’t aspirational — they’re the thresholds that get verified before a solution is considered complete.

Infrastructure as Code Orientation

Network automation, configuration management, compliance checking, and self-healing network patterns are built into the agent’s scope. Architecture recommendations come with implementation paths, not just diagrams.

Security as a First-Class Concern

Zero-trust architecture, micro-segmentation, WAF configuration, IDS/IPS deployment, and DNSSEC are part of the agent’s core competency — not afterthoughts bolted on after the “real” architecture is designed.

How to Install the Network Engineer Agent

Installation takes about two minutes. Claude Code automatically discovers and loads agents placed in your project’s .claude/agents/ directory.

Step 1: In your project root, create the agents directory if it doesn’t exist:

mkdir -p .claude/agents

Step 2: Create the agent file:

touch .claude/agents/network-engineer.md

Step 3: Paste the full system prompt (the agent body above) into .claude/agents/network-engineer.md and save the file.

Step 4: Claude Code loads the agent automatically on next invocation. No restart required, no configuration file to update. When you open Claude Code and ask a network architecture question, reference the agent explicitly or let Claude route to it based on context.

The agent file is plain Markdown — you can version control it with your project, customize the checklist thresholds to match your specific SLAs, or extend the domain sections to cover infrastructure patterns specific to your stack.

Conclusion: Practical Next Steps

If you’re running distributed systems at any meaningful scale, network architecture decisions are happening constantly — during feature planning, during migration projects, during incidents. Having structured expertise available without scheduling overhead changes how those decisions get made.

Start by installing the agent and running your current network architecture through it. Ask it to review your VPC design, audit your security group rules against zero-trust principles, or evaluate your DNS failover configuration. The gap analysis alone is usually worth the five minutes of setup.

From there, use it proactively on new infrastructure work: before you start building, not after you’ve already committed to a topology. The agent’s systematic analysis workflow is specifically designed to catch the class of decisions that are cheap to change in planning and expensive to change in production.

Network engineering mistakes don’t announce themselves immediately. They show up as 3 AM pages, as surprise AWS bills from cross-AZ data transfer, as security incidents that trace back to a firewall rule written eighteen months ago. An agent that enforces rigorous upfront analysis is one of the more practical investments you can make in your infrastructure reliability.

Agent template sourced from the claude-code-templates open source project (MIT License).