Application close date
04/10/2026
1. Project Background
AIIB operates a large-scale, multi-cloud network infrastructure spanning AWS, Azure, and Equinix environments. As the business continues to expand globally, with hub offices growing across multiple international regions, the public cloud serves a dual role: hosting mission-critical business systems and functioning as the backbone of global site-to-site network connectivity.
The growing complexity of this infrastructure, combined with increasing security requirements and the need for continuous optimization of network design policies and technical standards, has created a sustained demand for senior-level cloud network expertise that cannot be fulfilled through internal headcount alone. This consultancy engagement is established to address that need on an ongoing basis.
2. Objectives of the Assignment
The primary objectives of this consultancy engagement are:
• To design, govern, and continuously modernize AIIB's public cloud network architecture across AWS, Azure, and Equinix platforms.
• To ensure stable, resilient, and secure global connectivity across all hub offices and cloud regions as the business grows.
• To define and enforce network policies, technical standards, and implementation methodologies aligned with evolving business and regulatory requirements.
• To strengthen AIIB's cloud network security posture as an integral component of the broader IT cybersecurity strategy.
• To provide Tier 3 technical escalation and expert support for complex cloud network incidents and high-risk production operations.
3. Scope of Services
a. Network Architecture Design
• Design and own end-to-end public cloud network architectures across AWS, Azure, and Equinix environments.
• Architect Virtual WAN, VPC/VNet, Transit Gateway, hub-and-spoke, and SD-WAN integration designs.
• Design hybrid connectivity solutions including Direct Connect, ExpressRoute, Equinix Fabric, and BGP routing.
• Develop reference architectures, technical standards, and architecture blueprints for cloud networking.
b. AWS Global Network Modernization
• Execute global migration from legacy Transit Gateway hubs to AWS Cloud WAN Core Network across Singapore, Frankfurt, Bahrain, London, and Hong Kong regions.
• Implement Network Function Groups (NFG) for centralized security inspection and service insertion.
c. Azure vWAN Modernization
• Architect and lead the transition to Azure Virtual WAN infrastructure with global meshed connectivity.
• Design and implement NVA integration, replacing Azure Firewalls with Fortinet NVA in Virtual Hub for internal and external traffic management.
• Define and manage complex UDR and DNAT policies for Layer 7 and Layer 4 traffic steering.
d. Equinix Hybrid Connectivity Optimization
• Optimize Direct Connect Gateway (DXGW) and ExpressRoute architectures within Equinix data centers.
• Design VIF and BGP routing specifications for redundant high-speed links connecting AWS, Azure and other cloud regions.
e. Network Security & Policy Management
• Define centralized security policies for public network boundaries, differentiating internal and external access strategies.
• Implement and maintain DDoS protection, Threat Intelligence integration, WAF, Zero Trust (ZTNA), and firewall policies.
• Conduct security risk assessments and network threat modeling for cloud environments.
f. Tier 3 Support & Operations
• Serve as the highest technical escalation point for global connectivity failures and complex cross-cloud routing issues.
• Perform Root Cause Analysis (RCA) and post-incident reviews for critical network events.
• Oversee high-risk production migrations including Cloud WAN cutovers and core NVA firewall deployments.
• Develop and validate Infrastructure as Code (IaC) using Terraform or Python for automated network deployments.
4. Consultancy Output / Deliverables
⢠Completed Azure vWAN and Landing Zone architecture with Fortinet NVA integration and UDR/DNAT policy documentation.⢠AWS Cloud WAN migration executed across all five target regions with validated routing and NFG configuration.⢠Equinix hybrid connectivity optimized with BGP routing specifications and redundancy validation reports.⢠Enterprise network security policy framework covering public boundary controls, DDoS, and threat intelligence.⢠Network architecture blueprints, reference designs, and Architectural Decision Records (ADRs).⢠IaC codebase (Terraform / Python) for automated, repeatable network deployments.⢠Runbooks, operational procedures, and post-RCA reports for Tier 3 incidents.⢠Technical standards documentation and network policy governance framework.
5. Implementation Arrangement
The consultant will be engaged on a full-time basis for the duration of the assignment, working primarily from the Beijing Headquarters with remote access to cloud management platforms as required. The engagement is structured as follows:
• Engagement Duration: 12 months, subject to renewal based on project requirements and performance review.
• Working Hours: Standard business hours with availability for critical incident response outside normal hours as needed.
• Work Mode: On-site at Beijing HQ with access to internal systems, cloud consoles, and collaboration tools.
• Reporting: The consultant reports directly to the Network Team Lead and will participate in relevant project and governance meetings.
• Review Cadence: Monthly progress reviews with the Network Team Lead; quarterly reviews with IT management.
6. Support to the Consultant by the Bank
AIIB commits to providing the following support to enable the consultant to fulfil the assignment effectively:
• Access to all relevant cloud management consoles (AWS, Azure, Equinix) with appropriate IAM/RBAC permissions.
• Access to internal documentation, existing network diagrams, architecture records, and configuration repositories.
• Provisioning of required hardware, software licenses, and collaboration tools (e.g., laptop, VPN, ticketing systems, communication platforms).
• Introduction and coordination with internal stakeholders across IT, Security, DevOps, and Platform Engineering teams.
• Access to vendor support channels and escalation paths for AWS, Azure, Fortinet, and Equinix.
• A dedicated point of contact (Network Team Lead) to provide business context, approvals, and guidance throughout the engagement.
• Timely feedback on deliverables and design proposals to ensure project momentum is maintained.
7. Knowledge Transfer and Training
A structured knowledge transfer programme shall be conducted throughout and at the conclusion of the engagement to ensure sustainable capability within the internal team:
• Documentation: All architecture designs, configurations, policies, and operational procedures must be thoroughly documented in the organization's knowledge management system.
• Internal Workshops: The consultant will conduct periodic technical sessions for internal network and infrastructure engineers covering key design decisions, new technologies introduced, and operational procedures.
• Mentoring: Junior and mid-level network engineers will be mentored by the consultant on cloud networking best practices, IaC methodology, and incident handling procedures.
• Handover Plan: A formal handover plan will be produced 30 days prior to the end of the engagement, including a technical briefing, documentation review, and transition support period.
• IaC Repository: All automation scripts and Terraform code will be committed to the organization's version control system with inline documentation and usage guides.
Qualification Requirement
a. Education
• Bachelor's degree in Computer Science, Information Technology, Telecommunications, or a related discipline.
• Equivalent combination of education and demonstrated hands-on professional experience will be considered.
b. Experience
• Minimum 10 years of progressive experience in network engineering, with at least 5 years focused on public cloud network architecture.
• Demonstrated hands-on experience with AWS and Azure enterprise-scale network design and implementation.
• Proven experience with Equinix interconnect products including Equinix Fabric and Direct Connect/ExpressRoute integration.
• Track record of delivering IaC-based network deployments and automation in production environments.
c. Technical Skills
• Cloud Networking: AWS vWAN, Transit Gateway, Cloud WAN, Azure Virtual WAN, NVA integration, VPC/VNet, PrivateLink, Equinix Fabric.
• Routing Protocols: BGP, OSPF, static routing, policy-based routing, UDR, DNAT.
• Security: Fortinet NVA, cloud firewall policies, WAF, ZTNA, DDoS mitigation, Threat Intelligence, micro-segmentation.
• Connectivity: Direct Connect, ExpressRoute, VPN (site-to-site), SD-WAN, BGP over VIF.
• IaC & Automation: Terraform, Python, Ansible, CloudFormation, Azure Bicep.
• Monitoring: AWS CloudWatch, Azure Monitor, network flow analysis, packet capture.
d. Certifications (Preferred)
• AWS Advanced Networking - Specialty
• Microsoft Azure Network Engineer Associate (AZ-700)
• CCNP Enterprise / CCIE (active or past)
• AWS Solutions Architect - Professional
• Azure Security Engineer Associate (AZ-500)