Sovereign Network Group (SNG) is a leading housing association dedicated to providing exceptional services to our communities. We're looking for a skilled and motivated Network Engineer to join our Cloud Infrastructure team within the CIO Directorate. You'll take a hybrid approach working from home and in the Basingstoke office 2 days per week. You'll also have to visit our other offices across our geography, so a full UK Drivers License and your own transport is essential. The Role As a Network Engineer, you'll play a crucial role in designing, implementing, supporting, and evolving modern cloud and on-premises network infrastructure - with a strong emphasis on Azure-native networking, zero trust principles, and next-generation security controls powered by Palo Alto Networks. You will be instrumental in transforming our network landscape, replacing legacy infrastructure with secure, scalable, and policy-driven architectures built around Azure Virtual Networks (VNets), Palo Alto VM-Series firewalls, Prisma Access, and Strata Cloud Manager. This role operates at the intersection of engineering, architecture, governance, and operational leadership, working closely with Security Assurance, Security Operations, and external partners. Key Responsibilities include: Cloud & Azure Network Engineering Lead the design, rationalisation, and implementation of Azure Virtual Networks (VNets) including peerings, subnet design, UDRs, NSGs, and integration with VNGs (Azure Virtual Network Gateways). Design and operate Palo Alto VM-Series NGFWs in Azure, delivering secure inbound, outbound, and east-west traffic inspection using the Transit VNet hub-and-spoke model. Implement and optimize site-to-site IPSEC VPNs and ExpressRoute integrations for hybrid cloud connectivity between Azure, Equinix LD8, and SNH/SHA campuses. Conduct detailed application discovery and microsegmentation planning to define secure traffic flows and Zero Trust policy baselines. Next-Generation Security Engineering Administer and enhance Palo Alto VM-Series, PA-3420 firewalls, and Strata Cloud Manager as the centralized policy engine across cloud and on-prem deployments. Implement and support Palo Alto Prisma Access (GlobalProtect) for remote access, including policy design, portal configuration, SAMLMFA integration, and service connections. Deploy and manage Strata Logging Service, ensuring logs are securely forwarded (TLS) for analysis and compliance, including operational management of alerting, routing, and certificate handling. Architecture & Governance Own the end-to-end documentation of network topologies, routing architecture, and firewall policies across Azure, LD8, and WAN environments. Drive and participate in Change Advisory Board (CAB) processes, preparing and reviewing technical change documentation aligned to governance standards. Act as a subject matter expert for security assurance reviews, supporting risk assessments, compliance reviews, and network threat modelling initiatives. Legacy Infrastructure Transition Lead the decommissioning and migration from Cisco ASA, Meraki, Fortinet firewalls, and Nexus switches to next-gen infrastructure. Support the transformation of Cisco Meraki environments into Cisco Catalyst Center (formerly DNA Center). Liaise with and oversee suppliers managing ExpressRoute, internet services, SD-WAN, and MPLS, ensuring aligned SLAs and governance. Operations & Support Provide 3rd line engineering support for escalated incidents, proactively resolving performance and availability issues. Support network monitoring, log analysis, and telemetry configuration, driving early detection and incident prevention. Contribute to capacity planning, DR planning, patch management, and lifecycle upgrades. Participate in on-call support rotation and out-of-hours change implementations. What We're Looking For: Technical Expertise Strong experience designing and implementing Azure network infrastructure, including VNets, Azure Virtual Network Gateways (VNG), Transit VNet architectures, and ExpressRoute. Hands-on engineering expertise with Palo Alto NGFWs (VM-Series, PA-3420), Strata Cloud Manager, Strata Logging Service, and Prisma Access. Proven ability to deliver application-aware micro segmentation using Zero Trust principles in cloud and hybrid environments. Experience with IPSEC VPNs, BGP routing, NSGs/UDRs, and inter-region VNet peering. Familiarity with SCEP, TLS, certificates, and secure log forwarding. Legacy to Modern Transition Experience Cisco experience across Catalyst, Meraki, DNA Center, and Nexus switching platforms. Fortinet and ASA firewall knowledge is desirable to support transition. Experience managing or migrating from traditional MPLS/IPVPN to modern SD-WAN and cloud-native networks. Tools & Methodologies Strong documentation skills using Visio, Lucidchart, or equivalents. Understanding of frameworks such as TOGAF, ITIL, Agile methodologies. Experience using ticketing, monitoring, and log platforms (e.g., ServiceNow, Panorama, Azure Monitor, Wireshark, Palo Alto CLI/API). Preferred Certifications PCNSE - Palo Alto Networks Certified Network Security Engineer AZ-700 - Designing and Implementing Microsoft Azure Networking Solutions CCNP/CCIE or equivalent ITIL Foundation or higher What we can offer you Some of our benefits include: £450 yearly flexible benefit pot to use against benefits of your choice Flexible working 25 Days Holiday Bank Holidays (with an extra day every year up to 30 days) A chance to buy or sell holiday as part of our flexible benefits package A generous pension scheme matching up to 12% Life cover as soon as you join us You will be a part of our Recognition scheme where you can be gifted retail vouchers A range of wellbeing discounts including Gym Memberships A wide selection of other benefits available