Cloud & Platform Engineering

Lift & shift is a trap. Moving on-prem VMs to cloud without redesign means triple costs with the same problems. We migrate strategically — assessment, workload prioritization, hybrid bridge, gradual switching.

5R Assessment Framework: For each workload we decide: Rehost (lift & shift — only for legacy with short lifespan), Replatform (containerization, managed services), Refactor (redesign for cloud-native), Replace (SaaS alternative), Retire (shut down). Most workloads are a mix of replatform + refactor.

Hybrid bridge: Old and new worlds run in parallel. VPN/ExpressRoute between on-prem and cloud. Gradual service switching with traffic splitting and automatic rollback. No big bang cutover.

Dependency mapping: Before migrating anything, you need to know what depends on what. Automatic discovery (Azure Migrate, AWS Migration Hub) + manual validation. Output: dependency graph with risk scoring for each workload.

Typical timeline: Assessment (2-4 weeks) → Pilot (4-6 weeks, 2-3 services) → Wave migration (2-4 services/month) → Consolidation (4-6 weeks). Overall 3-12 months depending on size.

Manual infrastructure is technical debt. A server configured via SSH console is a snowflake — nobody knows exactly how to reproduce it, documentation is outdated, disaster recovery is a guessing game. IaC eliminates this.

Terraform vs. Pulumi: Terraform (HCL) is the industry standard — huge ecosystem of providers, mature tooling, large community. Pulumi allows writing infrastructure in TypeScript/Python — better for teams that don’t want another language. We choose based on team context.

GitOps workflow: All infrastructure changes go through Pull Request. Code review, automated tests (terraform validate, tflint, checkov for security), plan preview in PR comments. Merge = apply. Audit trail in git history.

Modularization: Terraform modules for standard patterns — VPC/VNet, Kubernetes cluster, database, monitoring stack. Internal module registry. New team gets production-ready infrastructure in hours, not weeks.

State management: Remote state in encrypted storage (S3 + DynamoDB lock, Azure Blob + lock). State locking for team collaboration. Drift detection — automatic detection of manual changes.

Kubernetes isn’t for everyone — but when you need it, we do it right. K8s makes sense with 5+ microservices, multi-cloud needs, or specific operational requirements (auto-scaling, service mesh, progressive delivery).

Managed Kubernetes: AKS (Azure), EKS (AWS), GKE (Google). We don’t build custom control planes — managed service eliminates 80% of operational overhead. Focus on workloads, not etcd backup.

GitOps with ArgoCD: Declarative deployment. Desired state in git, ArgoCD synchronizes cluster. Drift detection — if someone changes something manually, ArgoCD fixes it. Self-healing cluster.

Helm + Kustomize: Helm charts for standard components (nginx, cert-manager, monitoring). Kustomize for environment-specific overlays (dev/staging/prod). Templating without template hell.

Progressive delivery: Argo Rollouts for canary and blue-green releases. Automated analysis (Prometheus metrics) decides on rollout/rollback. Istio/Linkerd service mesh for traffic splitting and mTLS.

CI/CD isn’t just build and deploy. It’s the entire delivery pipeline — from commit through tests, security scans, quality gates, staging validation to progressive rollout to production. Every step automated, measurable, auditable.

Pipeline architecture: Build → Unit tests → SAST (security) → Container build → Integration tests → Deploy to staging → E2E tests → Deploy to prod (canary) → Automated analysis → Full rollout. Entire flow < 15 minutes for typical service.

Quality gates: Automated checks that stop deployment on failure. Test coverage < threshold? Stop. Security vulnerability (critical/high)? Stop. Performance regression > 10%? Stop. No manual approval for standard changes.

Monorepo vs. Polyrepo: We support both. For monorepo: affected detection (only changed services build/deploy). For polyrepo: standardized pipeline templates shared across all repos.

Metrics: DORA metrics as feedback loop. Deployment frequency, lead time, change failure rate, MTTR. Dashboard for engineering leadership. Trends, not snapshots.

Monitoring tells you THAT. Observability tells you WHY. Three pillars: metrics (Prometheus), logs (Loki), traces (Jaeger/Tempo). OpenTelemetry as standard instrumentation — vendor-agnostic, instrument once, export anywhere.

SLO/SLI Framework: We define Service Level Objectives for every critical service. SLI (metrics) measures reality, SLO (target) defines acceptable quality. Error budget = how much “errorness” you can afford. When error budget runs out, stop feature work, fix reliability.

Alerting philosophy: We alert on symptoms, not causes. “API error rate > 1%” is a good alert. “CPU > 80%” is a bad alert (CPU can be 95% and everything works). Page only for actionable alerts — if on-call can’t do anything, it’s not a page.

SRE processes: On-call rotation, incident management (severity classification, communication protocol, escalation), blameless post-mortems. Runbooks for top 10 incidents. Toil tracking and elimination.

Dashboards: Executive dashboard (SLO compliance, availability, cost), engineering dashboard (latency, error rate, throughput per service), on-call dashboard (active incidents, recent deployments, anomaly detection).

Cloud bill isn’t a weather report — it’s a controllable process. Most companies pay 30-50% more for cloud than they need to. Unused reserved instances, oversized VMs, forgotten resources, unoptimized storage tiering.

Cost visibility: Tagging strategy (team, environment, project, cost center). Cost allocation per team/project/service. Showback/chargeback model — teams see how much their services cost. When you see the price, you behave differently.

Optimization techniques: Reserved Instances/Savings Plans (commitment = 30-60% discount), right-sizing (most VMs are oversized 2-4×), spot/preemptible instances for non-critical workloads, autoscaling (scale to zero in dev/staging), storage tiering (hot → cool → archive).

Continuous optimization: Monthly cost review with recommendations. Automatic alerting on cost anomalies (unexpected spike). Waste detection (unused disks, unattached IPs, idle load balancers). FinOps dashboard with trends and forecasting.

Unit economics: Cost per transaction, cost per user, cost per API call. When you know unit cost, you can optimize meaningfully. “We cost 0.003 CZK per API call” is actionable. “Azure cost 500K last month” isn’t.