Project
NerdWallet AWS Networking Platform
Designed and built the Transit Gateway and IPAM foundation every NerdWallet team uses to ship.
- 3 regions (us-east-1, us-east-2, us-west-2)
- Days → hours for account onboarding
- Owned 99% of iac-networking
The problem
NerdWallet was running on a VPC peering architecture that had grown organically over years. Every new AWS account required manual peering connections, route table edits, and cross-account DNS work. As the engineering org grew, adding a new team’s infrastructure became a days-long, error-prone process that required deep networking knowledge. CIDR ranges were assigned by humans, which meant overlaps, conflicts, and constant firefighting.
What I built
AWS Transit Gateway as the central hub. I replaced the VPC peering mesh with a Transit Gateway architecture spanning us-east-1, us-east-2, and us-west-2. Every NerdWallet VPC attaches to the TGW, which eliminated the N-squared peering problem and gave us a single point of routing control across the company.
IPAM-driven CIDR management. I set up AWS IPAM with a pool hierarchy organized by environment and region (for example, staging-us-east-1 and production-us-west-2), plus separate pools for Kubernetes pod networks so EKS clusters wouldn’t exhaust VPC IP space. Any new VPC draws from the appropriate IPAM pool automatically. No more manual CIDR planning, no more overlaps.
Self-service VPC and account provisioning. On top of this foundation, I built a workflow that lets any engineering team provision its own AWS account, get connected to the TGW automatically, and manage its infrastructure with Terraform and GitHub Actions. This became the “account per team” (A3) model at NerdWallet. Teams that used to wait days for networking changes can now spin up production-ready infrastructure on their own.
Standardized VPC design. Every VPC follows the same pattern: three availability zones, a four-way CIDR split (three application subnets plus one reserved for the TGW attachment), private subnets by default, consistent tagging (ipam_managed=true, private=true), NAT gateway for outbound internet, and inbound traffic routed exclusively through NerdWallet’s edge configuration.
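To make the IPAM pool idea and the standardized four-way split concrete, here is an added Python example. It is not NerdWallet's iac-networking code; it models an environment-region pool that hands out non-overlapping VPC CIDRs, applies the three-AZ-plus-TGW subnet split, and checks a set of plans for the failure modes the old peering setup produced (overlapping CIDRs, missing standard tags, no subnet reserved for the TGW attachment). Pool names follow the page, but the pool CIDRs, VPC names and /20 allocation size are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Three availability zones per region, as in the standardized VPC pattern.
AZ_SUFFIXES = ("a", "b", "c")

# Tags every standardized VPC must carry.
REQUIRED_TAGS = {"ipam_managed": "true", "private": "true"}


@dataclass
class IpamPool:
    """One IPAM pool such as staging-us-east-1 (pool CIDRs are constructed)."""
    name: str
    cidr: ipaddress.IPv4Network
    allocated: list = field(default_factory=list)

    def __post_init__(self):
        self.cidr = ipaddress.ip_network(self.cidr)

    def allocate(self, prefixlen: int) -> ipaddress.IPv4Network:
        """Hand out the first block of the requested size that overlaps no
        earlier allocation; fail loudly instead of silently reusing space."""
        for candidate in self.cidr.subnets(new_prefix=prefixlen):
            if not any(candidate.overlaps(existing) for existing in self.allocated):
                self.allocated.append(candidate)
                return candidate
        raise ValueError(f"pool {self.name} has no free /{prefixlen}")


def plan_vpc(name: str, region: str, vpc_cidr) -> dict:
    """Apply the four-way split: quarters 1-3 are application subnets, one per
    AZ; quarter 4 is reserved for the Transit Gateway attachment."""
    vpc_cidr = ipaddress.ip_network(vpc_cidr)
    quarters = list(vpc_cidr.subnets(prefixlen_diff=2))
    subnets = [
        {"name": f"{name}-app-{region}{az}", "az": f"{region}{az}",
         "cidr": quarters[i], "role": "app"}
        for i, az in enumerate(AZ_SUFFIXES)
    ]
    subnets.append({"name": f"{name}-tgw", "az": None,
                    "cidr": quarters[3], "role": "tgw-attachment"})
    return {"name": name, "region": region, "cidr": vpc_cidr,
            "tags": dict(REQUIRED_TAGS), "subnets": subnets}


def validate_plan(vpcs: list) -> list:
    """Return a list of problems: missing standard tags, a subnet outside its
    VPC, no TGW subnet, or two VPCs whose CIDRs overlap (empty list = clean)."""
    problems = []
    for vpc in vpcs:
        for key, value in REQUIRED_TAGS.items():
            if vpc["tags"].get(key) != value:
                problems.append(f"{vpc['name']}: tag {key} must be {value}")
        if not any(s["role"] == "tgw-attachment" for s in vpc["subnets"]):
            problems.append(f"{vpc['name']}: no subnet reserved for TGW attachment")
        for s in vpc["subnets"]:
            if not s["cidr"].subnet_of(vpc["cidr"]):
                problems.append(f"{vpc['name']}: {s['name']} lies outside the VPC CIDR")
    for i, a in enumerate(vpcs):
        for b in vpcs[i + 1:]:
            if a["cidr"].overlaps(b["cidr"]):
                problems.append(
                    f"{a['name']} and {b['name']} overlap: {a['cidr']} vs {b['cidr']}")
    return problems


def demo() -> list:
    """Allocate three VPCs from two constructed pools and plan each of them."""
    staging_use1 = IpamPool("staging-us-east-1", "10.0.0.0/12")
    prod_usw2 = IpamPool("production-us-west-2", "10.16.0.0/12")
    return [
        plan_vpc("checkout", "us-east-1", staging_use1.allocate(20)),
        plan_vpc("search", "us-east-1", staging_use1.allocate(20)),
        plan_vpc("checkout", "us-west-2", prod_usw2.allocate(20)),
    ]


if __name__ == "__main__":
    plans = demo()
    for vpc in plans:
        print(vpc["name"], vpc["region"], vpc["cidr"])
        for s in vpc["subnets"]:
            print("   ", s["role"], s["cidr"], s["az"] or "")
    # A hand-assigned legacy VPC that overlaps an IPAM allocation is caught.
    legacy = plan_vpc("legacy", "us-east-1", "10.0.8.0/21")
    print("problems:", validate_plan(plans + [legacy]))
```

The allocator is the whole point of the IPAM pool: each VPC CIDR comes from a pool that already knows what it has handed out, so overlap is impossible by construction rather than avoided by careful humans. The validator covers the complementary case, a legacy or hand-assigned VPC that was never drawn from a pool, which is exactly the kind of conflict that surfaced once everything attached to one Transit Gateway.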
Cross-account DNS resolution. I integrated private DNS resolution so services across hundreds of AWS accounts could reach each other by hostname without manual Route 53 configuration in every account.
Documentation as a product. I wrote and maintained the canonical “Create a VPC attached to NerdWallet Transit Gateway” guide that every engineer at the company uses. It turned what used to be tribal infrastructure knowledge into a step-by-step path any developer can follow.
Impact
- Replaced a manual, days-long account onboarding process with a self-service workflow measured in hours.
- Eliminated CIDR conflicts across the company.
- Reduced ongoing networking support load on the infrastructure team.
- Made secure, private, cross-account communication the default rather than an opt-in configuration.
- Became the foundation that every AWS migration, account split, and new service launch at NerdWallet now runs on.
Tech
AWS Transit Gateway, AWS IPAM, AWS Route 53 Resolver, EKS, Terraform, GitHub Actions, Python.