APCO Holdings partners with dealerships across North America to deliver innovative vehicle protection products and services that enhance the ownership experience for customers and drive growth for our partners. Through our family of brands, we bring together industry expertise, technology, and data-driven insights to help dealers strengthen their finance and insurance performance and build lasting relationships with their customers.
Our teams work collaboratively across operations, technology, risk, finance, marketing, and sales to deliver solutions that create measurable value and support the continued growth of APCO and the partners we serve.
The Sr. Network Engineer & Connectivity Architect serves as the principal architect of the organization’s enterprise connectivity platform (“The Backbone”), with a primary focus on Microsoft Azure networking, Cisco Meraki infrastructure, and identity-driven access (Active Directory & Entra ID).
This role is responsible for designing and operating a secure, highly resilient, and cloud-aligned network architecture, where access decisions are governed by user identity, device posture, and real-time risk signals, rather than traditional network boundaries.
Leveraging Infrastructure as Code (IaC), AIOps, and Zero Trust principles, this position ensures seamless, secure connectivity across Azure, on-prem environments, branch networks (Meraki), and SaaS platforms such as Microsoft 365, while enabling a scalable, automated, and self-healing infrastructure.
Key Responsibilities
- Architect and support enterprise-scale hybrid identity environments, including:
  - Active Directory design (sites, replication, GPO strategy)
  - Entra Connect (Azure AD Connect) synchronization
  - Authentication protocols (Kerberos, NTLM, modern authentication)
  - Secure integration with cloud and network services
- Design, implement, and optimize Conditional Access policies, including:
  - MFA enforcement strategies
  - Device compliance (Intune integration)
  - Risk-based and session-based access controls
  - Location-aware and Zero Trust access models
- Lead the implementation of a Zero Trust architecture by aligning:
  - Identity (Entra ID / Active Directory / Okta)
  - Network (Azure, Meraki)
  - Endpoint (Intune / device posture)
- Ensure consistent enforcement of least privilege access across all environments
- Ensure secure, high-performance access to Microsoft 365 by:
  - Aligning identity policies with network routing and access controls
  - Supporting modern authentication flows and token-based access
  - Optimizing Teams, Exchange, and SharePoint connectivity
- Design and implement scalable Azure networking solutions, including:
  - Virtual Networks (VNet) and Hub-and-Spoke architectures
  - Private Endpoints and Private Link
  - Azure Firewall, NSGs, and routing strategies
  - DNS architecture and name resolution
- Lead the design, deployment, and optimization of Cisco Meraki environments, including:
  - MX (SD-WAN & security appliances)
  - MS (switching)
  - MR (wireless)
  - Auto VPN and centralized cloud-based management
- Architect and manage secure connectivity between environments using:
  - ExpressRoute
  - VPN Gateways
  - Meraki SD-WAN (Auto VPN)
- Ensure low latency, high availability, and seamless failover.
- Manage network and cloud configurations as code using:
  - Terraform, Bicep, or ARM templates
  - CI/CD pipelines (Azure DevOps, GitHub Actions)
- Ensure all deployments are standardized, repeatable, and auditable.
- Implement monitoring and telemetry across Azure and Meraki using:
  - Azure Monitor & Log Analytics
  - Meraki Dashboard
  - Observability tools (Dynatrace, Splunk, etc.)
- Enable proactive detection, anomaly identification, and automated remediation.
- Design and maintain a highly resilient network architecture across Azure, Meraki, on-prem, and SaaS environments:
  - Eliminate single points of failure
  - Implement redundancy across WAN, LAN, wireless, and cloud
  - Design for automated failover and rapid recovery
  - Ensure identity-dependent services remain available during outages
- Establish and enforce governance using:
  - Azure Policy and tagging standards
  - Policy-as-Code frameworks
  - Identity governance (access reviews, RBAC, least privilege)
- Ensure compliance with security, regulatory, and enterprise standards.
Identity-Driven Network Architecture (CORE)
Design and implement a network architecture where identity is the primary control plane. Integrate Active Directory (on-prem), Entra ID, and identity providers (Okta) with network enforcement points to enable real-time, identity-based access decisions.
Active Directory & Hybrid Identity Ownership
Entra ID & Conditional Access Engineering
| Category | Requirements |
| --- | --- |
| Identity & Access (PRIMARY) | Deep expertise in Active Directory (architecture, GPOs, replication), Entra ID, Conditional Access, MFA, federation (SAML, OAuth, OIDC), hybrid identity |
| Zero Trust Architecture | Experience implementing identity-driven access integrating network, endpoint, and SaaS |
| Azure Networking (PRIMARY) | VNets, ExpressRoute, VPN Gateway, Azure Firewall, Private Link, DNS, Hub-Spoke design |
| Meraki (PRIMARY) | MX (SD-WAN), MS (switching), MR (wireless), Auto VPN, Meraki Dashboard |
| Automation & IaC | Terraform, Bicep, ARM templates, CI/CD pipelines |
| M365 Integration | Identity and network dependency across Exchange, Teams, SharePoint |
| Endpoint Integration | Intune/device compliance integration with access policies |
| Observability | Azure Monitor, Log Analytics, Meraki Dashboard, Dynatrace, Splunk |
| Scripting & DevOps | PowerShell, Python, or similar scripting experience |
Education and Experience
- Bachelor’s degree in Computer Science, Information Technology, or a related technical field; Master’s degree in Information Systems Management preferred.
- In lieu of a degree, 12+ years of enterprise-level infrastructure experience with a proven track record of delivering automation-first networking projects.
- 8–10+ years of enterprise networking experience
- 5+ years of Active Directory experience (enterprise scale)
- 3+ years of Entra ID (Azure AD), Conditional Access, and MFA
- 3+ years of Azure networking experience
- 3+ years of Cisco Meraki experience (SD-WAN, switching, wireless)
- Experience designing hybrid connectivity (ExpressRoute, VPN, SD-WAN)
- Experience implementing IaC (Terraform, Bicep, ARM)
- Experience integrating identity with network and Zero Trust frameworks
- Proven experience leading a transition from legacy "box-by-box" management to a centralized, API-driven orchestration model.
- Microsoft 365 performance and connectivity optimization
Required Experience
Preferred Experience
Certifications (Preferred)
- Microsoft Certified: Azure Network Engineer Associate (AZ-700)
- Microsoft Certified: Identity and Access Administrator (SC-300)
- Microsoft Certified: Azure Solutions Architect Expert
- Cisco Meraki Solutions Specialist (CMSS)
- Cisco Certified Internetwork Expert (CCIE) or CCNP Enterprise
- Cisco Certified DevNet Professional
- HashiCorp Certified: Terraform Associate
- Certified Kubernetes Administrator (CKA)
Skills Required
- Bachelor's degree in Computer Science, Information Technology, or related field (Master's preferred) or in lieu of degree, 12+ years enterprise-level infrastructure experience
- 8-10+ years of enterprise networking experience
- 5+ years of Active Directory experience (architecture, GPOs, replication)
- 3+ years of Entra ID (Azure AD), Conditional Access, and MFA experience
- 3+ years of Azure networking experience (VNets, Hub-and-Spoke, ExpressRoute, VPN Gateway, Azure Firewall, NSGs, Private Link)
- 3+ years of Cisco Meraki experience (MX, MS, MR, Auto VPN, dashboard)
- Experience designing hybrid connectivity (ExpressRoute, VPN, Meraki SD-WAN) and ensuring low-latency high-availability interconnects
- Experience implementing Infrastructure as Code and automation using Terraform, Bicep, or ARM templates and CI/CD (Azure DevOps, GitHub Actions)
- Experience integrating identity with network and Zero Trust frameworks (identity-driven access, device posture, risk signals)
- Experience with observability and AIOps tools (Azure Monitor, Log Analytics, Meraki Dashboard, Dynatrace, Splunk) and automated remediation
- Scripting/automation skills (PowerShell, Python or similar)
- Proven experience leading transition from legacy box-by-box management to centralized, API-driven orchestration
- Designing resilient network architectures and business continuity (redundancy, failover, identity service availability)
- Microsoft 365 performance and connectivity optimization
- Preferred certifications: AZ-700, SC-300, Azure Solutions Architect, CMSS, CCIE/CCNP, Cisco DevNet Professional, HashiCorp Terraform Associate, CKA
What We Do
APCO, established in 1984, is a leading marketer and administrator of extended vehicle service contracts, warranties, and other related products sold primarily by automobile dealers located throughout the United States. APCO has expanded its offerings over the last decade to include leading-edge training for dealership sales and finance teams. The company markets its products using the EasyCare and GWC brands, as well as other private label automobile manufacturer brands, through a network of independent agents and an internal salesforce that specialize in consulting with and servicing the automotive dealership markets. EasyCare and GWC Warranty are the only "Motor Trend Recommended Best Buy" brands in the automotive aftermarket. For further information about APCO, see www.gwcwarranty.com and www.easycare.com.







