Network Analyst · Infrastructure Operations · Auckland, NZ

Anjelo
Fernando.

I deploy and support networks for SME clients across Auckland. Most of my work sits where physical infrastructure, change control, and support reality meet: rack installs, switching, firewall changes, service validation, and documentation the next engineer can actually use.

Get in touch LinkedIn ↗
Scroll
About
I try to leave work in a state the next person can pick up without too much guesswork.

Most of my work is on-site: rack installs, switching, VLANs, firewall changes, and service validation. Physical infrastructure has details that remote-only work misses.

I try to leave change notes and final-state docs where I can, because I've seen what undocumented environments cost the next person in the seat.

I prefer boring, maintainable setups over clever ones. A network that stays up is more valuable than a network that's interesting to look at.

Current Role

Network Analyst at Netbridge Ltd, deploying and commissioning network infrastructure for SME clients across Auckland. Day-to-day that usually means on-site installs, config changes, validation, and handover.

Hardware Lifecycle

I also handle the operational side: vendor quotes, procurement, asset tracking, support contracts, and license renewals. It's not the glamorous part, but it's where a lot of environments quietly fall apart without someone watching it.

Expertise

What I work
on.

Network Infrastructure
SME Enterprise Networking
SwitchingVLANsFirewall ChangesOn-site Deployment
Virtualisation
Home Lab · Production Ready
VMware ESXiProxmoxDockerContainers
Security & Compliance
Perimeter & internal controls
FirewallsNetwork SegmentationSIEMCompliance
Governance & Asset Lifecycle
License · Contract · Inventory
Asset TrackingLicense MgmtProcurementContracts
Documentation & Handover
Centralised Internal Wikis
BookStackChange RecordsNetwork DiagramsConfig Mgmt
VoIP & Telephony
3CX Advanced Certified
3CXVoIPSIP TrunkingTelephony
Documentation

Change records, final-state diagrams, and handover notes are part of the job, not an afterthought. I've seen what happens when they're missing and the original engineer is unavailable.

Practical Decisions

Most jobs have a constraint worth understanding: why the DMZ lives here and not there, why a tunnel over an open port, why the simpler design over the clever one. I try to document those reasons alongside the config.

Delivery

I follow jobs through: procurement, on-site install, config, testing, and handover. That last step is where a lot of work quietly gets lost, so I treat it as part of the job rather than an afterthought.

Projects

Things I’m building.

Capstone Project · Netbridge Ltd · S1 2026
PlainSight

Problem: Wazuh was generating 30–50 alerts per shift. Reviewing them meant manually reading raw log lines, cross-referencing event IDs, and deciding what was worth escalating. First-pass triage was taking 45–60 minutes per batch.

Constraint: Client data couldn't leave the network. No cloud LLMs, no external API calls, no third-party summarisation services. Whatever ran the AI analysis had to run locally on hardware already in the lab.

Outcome: Triage dropped from 45–60 minutes to under 10 seconds in testing. Each alert batch now produces a plain-English summary with MITRE ATT&CK tags and a one-click PDF report for management review.

[ screenshot pending ]
Alert Feed · Streamlit
[ screenshot pending ]
PDF Report
01
SIEM Backend
Wazuh + Elasticsearch + Logstash running on Ubuntu Server, virtualised on VMware ESXi. Ingests syslog from a FortiGate 60E firewall, Ruckus R650 WAP, and FS-148F switch. Events are parsed, normalised, and indexed in under 2 seconds.
Wazuh Elasticsearch Logstash Ubuntu Server VMware ESXi Syslog
02
Local AI Engine
phi3:mini running 4-bit quantised via Ollama on a ThinkCentre i5-8500T with 16 GB RAM. I chose phi3:mini because it fit in the hardware I already had and the structured summarisation task doesn't need GPT-4 scale. Generates summaries and MITRE ATT&CK mappings per batch in under 10 seconds. No data leaves the network, no external calls.
phi3:mini Ollama MITRE ATT&CK ThinkCentre i5-8500T Zero Cloud
03
Streamlit Dashboard
Python frontend pulling live data from the Wazuh REST API. Displays a real-time alert feed with severity filters, AI summary cards, MITRE ATT&CK tags, and a one-click executive PDF report that generates in under 30 seconds, replacing three separate vendor portals with a single screen.
Streamlit Python Wazuh REST API PDF Export 85%+ Triage Reduction
Network Analyst · Enterprise Project
Enterprise Documentation
Migration & Deployment

Problem: The company's documentation was split across shared drives, email threads, and individually-named Word files with no consistent structure. Engineers were spending real time finding things that should have been immediately findable, and institutional knowledge was leaving with people when they left.

Constraint: Management required a SharePoint fallback—the platform couldn't be the only copy of the data. The server also had to be internal-only, which ruled out any public SaaS wiki.

Outcome: Hundreds of legacy docs migrated into a single searchable BookStack instance with a consistent shelf/book/chapter hierarchy. The SharePoint export pipeline runs nightly, so there's a readable backup even if the server goes down.

[ screenshot pending ]
BookStack · Knowledge Base
01
Infrastructure & Hosting
Provisioned a dedicated Ubuntu Server VM on VMware ESXi to host the BookStack application stack. The entire environment, app, database, and reverse proxy, was containerized using Docker and Docker Compose for clean dependency isolation. The server was placed inside a DMZ network segment, restricting access to internal users only and limiting its exposure to the wider network.
Docker Docker Compose BookStack Ubuntu Server VMware ESXi DMZ NGINX Reverse Proxy
02
Migration Automation
Wrote custom scripts in both Node.js and Python to batch-process hundreds of legacy documents. The scripts parsed existing Word and PDF files, extracted structured content, and used the BookStack REST API to programmatically create the correct shelf, book, chapter, and page hierarchy, eliminating what would have been weeks of manual copy-paste work.
Node.js Python BookStack REST API Batch Processing Document Parsing
03
Business Continuity & Backup
Designed and implemented a dual-redundancy backup strategy: automated nightly database dumps stored locally on the VM, and a scheduled export pipeline that pushed HTML and PDF exports of all books to a SharePoint document library. The SharePoint integration was a direct management requirement, ensuring that even in the event of server failure, no institutional knowledge would be lost.
SharePoint Automated DB Dumps Export Pipelines Scheduled Tasks
04
Rollout & Adoption
Worked with the team to agree on a shelf/book/chapter structure before the migration started, so the hierarchy made sense to the people who'd be writing in it. Ran a short walkthrough for non-technical staff and wrote internal usage notes to reduce the learning curve after launch.
Internal Training Documentation Taxonomy Usage Guides
Creator / Administrator · Self-Hosted
analogarray.org

Problem: I wanted a place to write about work without handing the content to a third-party platform I don't control. Shared hosting felt like a step backwards given the infrastructure I was already running at home.

Key decision: Publishing through a Cloudflare Tunnel rather than opening inbound firewall ports. The home IP stays hidden, there are no open ports on the router, and I don't have to deal with dynamic IP or residential ISP restrictions.

Outcome: A hand-coded static site and a Ghost blog, both served from a mini PC at home, with zero external hosting dependencies and full control over the deployment pipeline.

[ screenshot pending ]
blog.analogarray.org · Live
01
Self-Hosted Hardware & OS
The entire site runs on a personal mini PC deployed as a home server, running a minimal Linux installation. No rented VPS, no shared hosting. Full ownership of the hardware, the OS, the web stack, and all data. The server runs 24/7 and serves the live site directly from the local machine.
Mini PC Linux 24/7 Uptime Data Sovereignty
02
Secure Public Exposure via Cloudflare Tunnels
Rather than opening inbound firewall ports and exposing the home IP address, the site is published using a Cloudflare Tunnel, an outbound-only encrypted connection from the server to Cloudflare's edge. This means the origin IP is never exposed, there are no open ports on the router, and all traffic benefits from Cloudflare's DDoS protection and TLS termination at the edge.
Cloudflare Tunnel Zero Open Ports DDoS Protection TLS Termination DNS Management
03
Web Stack & Content
Built and maintained as a hand-coded static site, no CMS, no frameworks, no dependencies to update. Content covers technical project write-ups, network documentation, and a live professional portfolio. A companion technical blog runs on a separate subdomain (blog.analogarray.org), self-hosted on the same machine.
Static HTML/CSS/JS Technical Blog Subdomain Routing Python HTTP Server
Personal Project · Ongoing
Home Lab &
Containerized Infrastructure

A working lab for running real services, testing configurations before production, and learning what breaks under load. Not a demo environment—things actually depend on this staying up.

All services run in Docker Compose with version-controlled configs, meaning the full environment can be rebuilt from scratch in under an hour. That constraint forces clean separation between state and configuration.

[ screenshot pending ]
Pi-hole · DNS Dashboard
01
Container Orchestration
All services run as Docker Compose stacks with explicit volume mounts and network definitions. Every config file is in version control, which started as a habit but became essential after a storage migration went sideways and I needed to rebuild three containers quickly. The constraint I impose on myself: if it can't be rebuilt in an hour from the repo, it doesn't count as managed infrastructure.
Docker Docker Compose Version-Controlled Config Network Isolation
02
Network-Level Services
Pi-hole runs as the primary DNS resolver for the whole home network. I set it up partly for the ad blocking, but it's also where I manage internal hostname resolution for lab services—which meant when it went down once and everything broke, I had a very clear lesson about what single points of failure look like in DNS. It's now in a separate container network with a fallback resolver configured on the router.
Pi-hole Local DNS Network-Wide Ad Blocking Custom Upstream Resolvers
24/7Lab Uptime
3+Hypervisors
Things Broken
∞+1Things Fixed
Credentials & Education

Qualifications.

Unitec | Te Pūkenga
Current
Bachelor of Computing Systems, IT
2023 – 2026
Curtin University
Foundation Degree, IT
2021 – 2022
Completed
3CX logo
3CX Advanced Certified
Dec 2025 · ID: OuYAhj1pmv
Google logo
Google IT Support Certificate
Jul 2025 · ID: UE22HGO05XE6
NIBM logo
Certificate in Software Engineering
NIBM
Currently Studying
Google logo
Google Cybersecurity Certificate
Google · In Progress
Fortinet logo
Fortinet Network Security Certificate
Fortinet · In Progress
Contact

Let’s connect.

Open to connecting with people in networking, infrastructure, and IT operations. If you want to connect and talk shop, get in touch.

Email me LinkedIn ↗ GitHub ↗ Blog ↗
All Systems Operational // Last Build: 2026.04.01 // analogarray.org