JD Alignment: "Strong understanding of network traffic management, including ingress and egress routing, traffic optimization, path selection, and high-availability network design across distributed cloud environments"
Production traffic engineering: BGP path manipulation, ingress/egress traffic control, ECMP load splitting, SD-WAN traffic steering, and network performance optimization across AWS, Azure, and hybrid environments.
INBOUND TRAFFIC CONTROL (how internet reaches you)
AS_PATH prepend → make your prefix less preferred via specific ISP
MED (Multi-Exit Discriminator) → hint to ISP which of YOUR routers to use
BGP communities → signal to upstream ISPs to apply their policies
Anycast → same prefix advertised from multiple locations (nearest wins)
Route 53 latency-based routing → DNS-based steering to the lowest-latency region
CloudFront → edge caching reduces origin traffic
OUTBOUND TRAFFIC CONTROL (how you reach the internet/cloud)
LOCAL_PREF → which exit path is preferred (higher = preferred)
Static routes → override BGP for specific destinations
PBR (Policy-Based Routing) → steer traffic by source IP or application
SD-WAN → application-aware path selection (SaaS over broadband, critical over MPLS)
AWS TGW route tables → different routing for prod vs dev traffic
Azure UDR → force specific traffic to firewall or NVA
! Scenario: Traffic to Azure (10.2.0.0/14) should go via ExpressRoute (Megaport peer)
! Failover to VPN only if DX fails
! On CE router:
! NOTE: the trailing "! ..." annotations on set lines are reading notes, not IOS syntax —
! IOS only treats "!" as a comment at the start of a line; strip them before pasting.
route-map RM-FROM-MEGAPORT-IN permit 10
description Azure prefix via ExpressRoute (primary — HIGH LOCAL_PREF)
match ip address prefix-list PL-AZURE-PREFIXES
set local-preference 300 ! Very high — strongly prefer this path
route-map RM-FROM-MEGAPORT-IN permit 20
description AWS prefixes (normal preference)
match ip address prefix-list PL-AWS-PREFIXES
set local-preference 200
! The implicit deny at the end of RM-FROM-MEGAPORT-IN drops anything outside the two
! prefix-lists, so unexpected advertisements from that peer are never installed.
! The backup route-map below has NO match clause: every prefix the VPN neighbour
! advertises is accepted at LOCAL_PREF 100. Add a prefix-list match (the same
! PL-AZURE-PREFIXES / PL-AWS-PREFIXES) so a misconfigured or compromised peer cannot
! inject arbitrary routes through the backup path.
route-map RM-FROM-VPN-BACKUP-IN permit 10
description All cloud prefixes via VPN (LOW LOCAL_PREF — backup only)
set local-preference 100
! Result:
! Azure → uses ExpressRoute path (LOCAL_PREF 300)
! AWS → uses DX/MCR path (LOCAL_PREF 200)
! Both → fail to VPN if primary paths fail (LOCAL_PREF 100)
! Scenario: Primary inbound via ISP-A (Megaport/DX)
! Backup inbound via ISP-B (VPN) — make it less preferred
! Outbound to ISP-B (backup) — prepend our ASN 3x to make path look longer
route-map RM-TO-ISP-B-OUT permit 10
match ip address prefix-list PL-OUR-PREFIX
set as-path prepend 65001 65001 65001 ! ISP sees: 65001 65001 65001 65001
! Outbound to ISP-A (primary) — no prepend, natural path length
route-map RM-TO-ISP-A-OUT permit 10
match ip address prefix-list PL-OUR-PREFIX
! (no AS_PATH manipulation — shortest path via ISP-A)
! Both outbound route-maps end in an implicit deny: only PL-OUR-PREFIX is advertised,
! which also keeps transit/cloud prefixes learned from other peers from leaking to the ISPs.
! Result: BGP routers on internet prefer ISP-A path (shorter AS_PATH)
! — unless their own LOCAL_PREF policy says otherwise; AS_PATH is compared only after
! LOCAL_PREF in best-path selection, so prepending is a hint to remote ASes, not a guarantee.
! Only use ISP-B if ISP-A path is withdrawn
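# Scenario: Prod traffic must traverse NVA (Palo Alto inspection)
# Dev traffic bypasses NVA (cost optimization)
#
# Inputs (environment): TGW attachment IDs and route-table IDs.
# Fail fast if any is unset: an empty, unquoted ID would otherwise make the CLI
# consume the next option as its value and install a route pointing somewhere else.
: "${INSPECTION_VPC_ATTACHMENT:?} ${NAT_VPC_ATTACHMENT:?} ${SHARED_SVC_ATTACHMENT:?}"
: "${PROD_ROUTE_TABLE_ID:?} ${DEV_ROUTE_TABLE_ID:?}"

# PROD route table: default to inspection VPC
aws ec2 create-transit-gateway-route \
  --destination-cidr-block "0.0.0.0/0" \
  --transit-gateway-attachment-id "$INSPECTION_VPC_ATTACHMENT" \
  --transit-gateway-route-table-id "$PROD_ROUTE_TABLE_ID"

# DEV route table: default direct to NAT GW VPC (no NVA)
aws ec2 create-transit-gateway-route \
  --destination-cidr-block "0.0.0.0/0" \
  --transit-gateway-attachment-id "$NAT_VPC_ATTACHMENT" \
  --transit-gateway-route-table-id "$DEV_ROUTE_TABLE_ID"

# Shared services reachable by both — the same route goes into each table
for route_table_id in "$PROD_ROUTE_TABLE_ID" "$DEV_ROUTE_TABLE_ID"; do
  aws ec2 create-transit-gateway-route \
    --destination-cidr-block "10.200.0.0/16" \
    --transit-gateway-attachment-id "$SHARED_SVC_ATTACHMENT" \
    --transit-gateway-route-table-id "$route_table_id"
done
echo "TGW routing: Prod → Inspection → NVA → Internet | Dev → NAT → Internet"
cd terraform/azure/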
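# UDR: Force all outbound through Azure Firewall
AZF_PRIVATE_IP="10.0.1.4" # Azure Firewall private IP

# Route table for the prod spoke.
# CRITICAL: disable BGP route propagation — otherwise gateway-learned routes land in
# the subnet route table and can bypass the firewall default route below.
az network route-table create \
  --name rt-spoke-prod \
  --resource-group rg-networking \
  --location eastus \
  --disable-bgp-route-propagation true

# Default route → Azure Firewall
az network route-table route create \
  --route-table-name rt-spoke-prod \
  --resource-group rg-networking \
  --name force-to-firewall \
  --address-prefix 0.0.0.0/0 \
  --next-hop-type VirtualAppliance \
  --next-hop-ip-address "$AZF_PRIVATE_IP"

# Specific on-prem route via GW (not firewall)
# NOTE: this deliberately exempts on-prem (10.10.0.0/16) from inspection; point it at the
# firewall (VirtualAppliance) instead if on-prem <-> spoke traffic must be inspected too.
az network route-table route create \
  --route-table-name rt-spoke-prod \
  --resource-group rg-networking \
  --name to-on-prem \
  --address-prefix 10.10.0.0/16 \
  --next-hop-type VirtualNetworkGateway

# Associate with spoke subnet
az network vnet subnet update \
  --vnet-name vnet-spoke-prod \
  --name snet-app \
  --resource-group rg-networking \
  --route-table rt-spoke-prod
echo "UDR applied: all spoke traffic → Azure Firewall for inspection"
! vManage policy — application-aware routing (Cisco SD-WAN)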
! Microsoft Teams/O365 → direct internet (low latency, no backhaul)
! SAP ERP → MPLS/DX (guaranteed QoS, no internet)
! General web → broadband (cost-optimized)
! Video streaming → broadband as well (sequence 30)
! Application-aware routing policy (configured in vManage, pushed to C8000V)
! Sequences are evaluated in order; the first matching app-list applies, and the
! default-action at the bottom catches everything else.
! (The trailing "! ..." annotations are reading notes, not part of the policy.)
data-policy _aar-policy_
vpn-list CORPORATE_VPNS
sequence 10
match
app-list OFFICE365_TEAMS ! Microsoft service tags
action accept
set
local-tloc-list INTERNET_TLOC ! Use broadband (lowest latency)
sequence 20
match
app-list SAP_ENTERPRISE ! SAP ERP application signatures
action accept
set
local-tloc-list MPLS_TLOC ! Use MPLS/DX (QoS guaranteed)
sequence 30
match
app-list VIDEO_STREAMING
action accept
set
local-tloc-list INTERNET_TLOC
! Anything not matched by sequences 10-30 is still accepted, but pinned to MPLS.
default-action accept
set
local-tloc-list MPLS_TLOC ! Default: send via MPLS
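# AWS: Analyze VPC Flow Logs for traffic patterns
# NOTE: `date -d '... ago'` is GNU date; BSD/macOS date uses `-v` offsets instead.
aws logs filter-log-events \
  --log-group-name /aws/vpc/flow-logs/prod-vpc \
  --filter-pattern '[version, account, eni, source, destination, srcport, dstport, protocol, packets, bytes, start, end, action, status]' \
  --start-time "$(date -d '1 hour ago' +%s000)" \
  --query 'events[*].message' \
  --output text \
  | python3 scripts/analyze_traffic.py --top-talkers 20

# Check TGW data processing charges (high bill = traffic not optimized)
: "${TGW_ID:?}"
# Timestamps are produced in UTC (-u) with an explicit Z suffix so the 24h window is
# unambiguous and does not shift on a host whose local time zone is not UTC.
aws cloudwatch get-metric-statistics \
  --namespace AWS/TransitGateway \
  --metric-name BytesIn \
  --dimensions Name=TransitGateway,Value="$TGW_ID" \
  --start-time "$(date -u -d '24 hours ago' +%Y-%m-%dT%H:%M:%SZ)" \
  --end-time "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
  --period 3600 \
  --statistics Sum \
  --query 'Datapoints[*].Sum' \
  --output text | python3 -c "import sys; vals=sys.stdin.read().split(); print(f'Total: {sum(float(v) for v in vals)/1e9:.2f} GB processed')"

# Azure: Check ExpressRoute utilization
: "${ER_CIRCUIT_ID:?}"
az monitor metrics list \
  --resource "$ER_CIRCUIT_ID" \
  --metric BitsInPerSecond BitsOutPerSecond \
  --interval PT5M \
  --query 'value[*].timeseries[0].data[-1]' \
  --output table
# AWS TGW ECMP across multiple VPN tunnels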
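# Enable ECMP on TGW
: "${TGW_ID:?} ${CGW_ID:?}"
aws ec2 modify-transit-gateway \
  --transit-gateway-id "$TGW_ID" \
  --options VpnEcmpSupport=enable

# Create second VPN connection to the SAME TGW so ECMP can spread traffic across both
# connections (verify that your region accepts a second connection from the same CGW;
# otherwise register a second CGW first). ECMP requires BGP, hence StaticRoutesOnly=false,
# and AWS only balances across tunnels that advertise the same prefix with an equal AS_PATH.
aws ec2 create-vpn-connection \
  --customer-gateway-id "$CGW_ID" \
  --transit-gateway-id "$TGW_ID" \
  --type ipsec.1 \
  --options StaticRoutesOnly=false
echo "ECMP enabled: traffic load-balanced across both VPN connections"
echo "Effective bandwidth: 2 × 1.25 Gbps = 2.5 Gbps aggregate"
# Cisco: Verify ECMP
# show ip route 0.0.0.0/0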
# Expected: 2 paths via 169.254.30.2 and 169.254.30.6 (both equal cost)
MIT License