DevOpsCraft

Multi-Cloud Infrastructure

Secure, scalable cloud architecture on AWS, GCP, Azure, or multi-cloud — built entirely as code. From account structure and networking to Kubernetes, databases, secrets, and cost optimization. Nothing manual, everything reproducible.

AWS · GCP · Azure · Terraform · OpenTofu · Terragrunt · Pulumi

What we cover

Six domains — fully implemented as code, documented, and handed off.

Networking & Connectivity

  • VPC / VNet design — subnets, routing tables, NAT, peering
  • Cross-cloud connectivity: AWS Transit Gateway, GCP Cloud Router, Azure VPN Gateway
  • Zero-trust network architecture, private service endpoints
  • DNS management: Route53, Cloud DNS, Azure DNS
  • CDN & edge: CloudFront, Cloud CDN, Azure Front Door
  • Load balancing: ALB/NLB, GCP HTTPS LB, Azure Application Gateway

Identity & Security

  • IAM least-privilege: no wildcard actions or resources, no shared long-lived credentials
  • AWS Organizations + SCPs, GCP Resource Hierarchy + Org Policies
  • Azure AD / Entra ID integration, managed identities
  • Secrets management: AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault
  • TLS/SSL automation: ACM, GCP Certificate Manager, Let's Encrypt
  • CSPM and IaC scanning: Prowler and ScoutSuite against live accounts, Checkov against Terraform and Kubernetes manifests

Compute & Containers

  • Managed Kubernetes: EKS, GKE, AKS — production-grade cluster setup
  • Serverless: Lambda, Cloud Run, Azure Functions, Cloud Functions
  • EC2 / Compute Engine / Azure VMs — autoscaling groups, spot/preemptible
  • Container registries: ECR, Artifact Registry, Azure Container Registry
  • Service mesh: Istio, Linkerd for microservices communication
  • Batch workloads: AWS Batch, Google Cloud Batch, Azure Container Instances

Data & Storage

  • Object storage: S3, GCS, Azure Blob — lifecycle, versioning, encryption
  • Managed databases: RDS, Cloud SQL, Azure Database — multi-AZ/HA
  • NoSQL: DynamoDB, Firestore, Cosmos DB
  • Caching: ElastiCache (Redis/Memcached), Memorystore, Azure Cache
  • Data warehouse: Redshift, BigQuery, Azure Synapse
  • CDN-backed static delivery, S3/GCS static site hosting

IaC & Automation

  • Terraform / OpenTofu — modular, versioned, documented
  • Terragrunt for DRY multi-account / multi-region layouts
  • Pulumi (TypeScript/Python) for teams preferring real code
  • Remote state: S3+DynamoDB, GCS, Azure Blob — encrypted + locked
  • GitOps: ArgoCD for cluster workloads, Atlantis / Spacelift for plan-and-apply on infrastructure PRs
  • Drift detection and policy-as-code with Sentinel / OPA / Checkov

Cost & FinOps

  • Cost tagging strategy — every resource tagged by env/team/product
  • Budget alerts: AWS Budgets, GCP Budget API, Azure Cost Management
  • Rightsizing: compute, database instance sizing recommendations
  • Reserved instances / Committed Use / Savings Plans optimization
  • Spot / preemptible workload migration for batch and non-critical tasks
  • Multi-cloud cost dashboard: OpenCost, Kubecost, Infracost in CI
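
Two of the rules above, least-privilege IAM with no wildcard permissions and every resource tagged by env/team/product, are exactly what policy-as-code enforces on the plan before anyone runs apply. The check below is an added example written for this page, not DevOpsCraft's tooling and not Checkov: it reads the JSON that `terraform show -json tfplan` emits (a constructed, trimmed plan is embedded), reports Allow statements whose actions are `*` or `service:*` or whose resource is `*`, and reports taggable resources missing any required key. The required tag keys, the set of IAM policy resource types, and the finding names are assumptions.

```python
"""Policy-as-code checks over a `terraform show -json` plan (added example).

Flags IAM wildcard grants and untagged resources before `apply`. The plan
below is constructed; the tag keys and checked types are assumptions.
"""
import json
from dataclasses import dataclass

REQUIRED_TAGS = ("env", "team", "product")   # the three keys the page names
IAM_POLICY_TYPES = {"aws_iam_policy", "aws_iam_role_policy", "aws_iam_user_policy"}


@dataclass(frozen=True)
class Finding:
    address: str   # Terraform resource address, e.g. aws_s3_bucket.logs
    rule: str
    detail: str


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_findings(address, policy_doc):
    """Flag Allow statements with '*' / 'svc:*' actions or Resource '*'.
    Deny statements are skipped: a broad Deny is a guardrail, not a risk.
    NotAction is reported because it grants everything except what it lists."""
    findings = []
    for i, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(Finding(address, "iam-notaction", f"statement {i}"))
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(Finding(address, "iam-wildcard-action", f"statement {i}: {action}"))
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(Finding(address, "iam-wildcard-resource", f"statement {i}"))
    return findings


def tag_findings(address, after, required=REQUIRED_TAGS):
    """Report required tags that are absent or empty on a taggable resource."""
    if "tags_all" not in after and "tags" not in after:
        return []   # type is not taggable (e.g. aws_iam_role_policy_attachment)
    tags = after.get("tags_all") or after.get("tags") or {}
    missing = [key for key in required if not tags.get(key)]
    return [Finding(address, "missing-tags", ",".join(missing))] if missing else []


def lint_plan(plan, required=REQUIRED_TAGS):
    """Run both checks over every resource the plan will create or update."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:   # deletes carry no 'after' state
            continue
        findings += tag_findings(rc["address"], after, required)
        policy = after.get("policy")   # a JSON string on AWS IAM policy resources
        if rc["type"] in IAM_POLICY_TYPES and isinstance(policy, str):
            findings += wildcard_findings(rc["address"], json.loads(policy))
    return findings


# Constructed `terraform show -json tfplan` output, trimmed to the fields read above.
SAMPLE_PLAN = {"format_version": "1.2", "resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["create"],
     "after": {"bucket": "acme-prod-logs",
               "tags_all": {"env": "prod", "team": "platform", "product": "logging"}}}},
    {"address": "aws_s3_bucket.scratch", "type": "aws_s3_bucket", "change": {"actions": ["create"],
     "after": {"bucket": "acme-scratch", "tags_all": {"env": "dev"}}}},
    {"address": "aws_iam_policy.ci_deploy", "type": "aws_iam_policy", "change": {"actions": ["create"],
     "after": {"name": "ci-deploy", "tags_all": {"env": "prod", "team": "platform", "product": "ci"},
               "policy": json.dumps({"Version": "2012-10-17", "Statement": [
                   {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
                   {"Effect": "Allow", "Action": ["ecr:GetAuthorizationToken"], "Resource": "*"},
                   {"Effect": "Deny", "Action": "*", "Resource": "*",
                    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}}},
    {"address": "aws_iam_role_policy_attachment.ci", "type": "aws_iam_role_policy_attachment",
     "change": {"actions": ["create"], "after": {"role": "ci", "policy_arn": "arn:aws:iam::123456789012:policy/ci-deploy"}}},
    {"address": "aws_instance.legacy", "type": "aws_instance", "change": {"actions": ["delete"], "after": None}},
]}

if __name__ == "__main__":
    for f in lint_plan(SAMPLE_PLAN):
        print(f"{f.rule:22} {f.address}: {f.detail}")
```

Run against the embedded plan it reports four findings: the scratch bucket missing `team` and `product`, and three on the CI policy. Triage matters here: `s3:*` on `*` in statement 0 is the grant to reject, while the `Resource: "*"` finding on statement 1 is noise, because `ecr:GetAuthorizationToken` (like most Describe/List actions) has no resource-level scope and can only be granted on `*`. The Deny-on-plaintext-transport statement is deliberately not flagged, and the policy attachment is skipped because that type is not taggable.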

Our approach

01. Audit

Review current cloud setup — IAM policies, VPC config, cost breakdown, security posture. Identify quick wins and risks across all providers.

02. Design

Architecture diagram, Terraform module structure, account/project layout, cross-cloud connectivity. You approve before we write a line of code.

03. Implement

Everything as code. Remote state encrypted and locked. Plan before every apply. Peer-reviewed PRs. No surprises, no console cowboys.

04. Handoff

Full runbooks, module documentation, IAM access review, cost dashboards. Your team operates independently from day one.

Cloud provider mapping

Same capability, best-in-class service per cloud.

Capability         | AWS             | GCP                    | Azure
Managed Kubernetes | EKS             | GKE                    | AKS
Serverless Compute | Lambda          | Cloud Run / Functions  | Azure Functions
Managed SQL DB     | RDS (Aurora)    | Cloud SQL / AlloyDB    | Azure Database
Object Storage     | S3              | Cloud Storage          | Blob Storage
Container Registry | ECR             | Artifact Registry      | ACR
Secrets Management | Secrets Manager | Secret Manager         | Key Vault
DNS                | Route53         | Cloud DNS              | Azure DNS
CDN                | CloudFront      | Cloud CDN              | Azure Front Door
IAM                | IAM + SCPs      | Cloud IAM + Org Policy | Entra ID + RBAC
Cost Management    | AWS Budgets     | Budget API             | Cost Management

Common engagements

Greenfield Setup

Starting from scratch on AWS, GCP, or Azure. We design the full account/project structure, networking, IAM, and CI/CD from day one.

Multi-Cloud Strategy

Primary cloud + secondary for compliance, latency, or vendor lock-in avoidance. Unified IaC, unified observability, unified cost view.

Landing Zone

AWS Landing Zone or GCP Landing Zone implementation: Control Tower, organizational units (OUs), guardrails, and dedicated log archive and audit accounts.

Existing Infra Migration

Import existing resources into Terraform, fix policy drift, refactor spaghetti CloudFormation or manual console config.

Security Hardening

IAM audit, network segmentation, secrets rotation, CSPM tooling, compliance baseline (SOC2, HIPAA, PCI-ready infrastructure).

Cost Reduction

Cloud cost audit — rightsizing, reserved/committed capacity, spot migration, idle resource cleanup, Infracost in CI/CD.

Technologies

AWS Core
EC2 · EKS · Lambda · RDS · S3 · VPC · IAM · Route53 · CloudFront · ACM · ECR · CloudWatch · AWS Organizations
GCP Core
GKE · Cloud Run · Cloud SQL · GCS · VPC · Cloud IAM · Cloud DNS · Cloud CDN · Artifact Registry · Secret Manager · Cloud Monitoring
Azure Core
AKS · Azure Functions · Azure DB · Blob Storage · VNet · Entra ID · Azure DNS · Front Door · ACR · Key Vault · Azure Monitor
IaC
Terraform · OpenTofu · Terragrunt · Pulumi · CDK for Terraform · Crossplane
GitOps / Infra Automation
ArgoCD · Atlantis · Spacelift · env0 · Flux · GitHub Actions · GitLab CI
Security & Compliance
HashiCorp Vault · Prowler · ScoutSuite · Checkov · tfsec · trivy · OPA/Rego · Sentinel
Networking
AWS Transit Gateway · VPC Peering · Cloud Router · Azure VPN · Istio · Linkerd · Nginx · Traefik
FinOps
Infracost · OpenCost · Kubecost · AWS Cost Explorer · GCP Billing · Azure Cost Management
Observability
CloudWatch · Cloud Monitoring · Azure Monitor · Prometheus · Grafana · Datadog · New Relic

Questions

We're AWS-only. Do you still handle GCP/Azure?

Yes, but we don't force multi-cloud. If you're AWS-only we build the best AWS architecture possible. Multi-cloud only makes sense for specific scenarios — we'll tell you honestly if it does.

We already have infrastructure — can you improve it instead of rebuilding?

Yes. We import existing resources into Terraform, audit for issues, and fix incrementally. No big-bang rewrites unless truly necessary.

Terraform or OpenTofu?

Either. For new setups we default to OpenTofu (the Linux Foundation's MPL-licensed fork of Terraform). If you already have a Terraform setup we continue in Terraform. Pulumi is also an option for code-first teams.

What about multi-account setups?

Highly recommended beyond early stage. AWS Organizations + separate accounts per env (prod/staging/dev), SCPs for guardrails, cross-account IAM roles. GCP equivalent: folder hierarchy + org policies.

How do you handle Terraform state security?

Remote state in S3 (or GCS/Azure Blob) with server-side encryption, object versioning, state locking (DynamoDB for S3, native locking on GCS and Azure Blob; recent Terraform and OpenTofu releases can also lock on S3 itself), and strict IAM on the state bucket. State stores every resource attribute in plaintext, including values marked sensitive, so read access to the bucket is treated as access to production secrets. State files never live locally.
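
The reason the state bucket gets this treatment is what is inside the file. The scan below is an added example for this page, not DevOpsCraft's tooling: it walks a constructed version-4 state document of the shape `terraform state pull` returns and lists the attributes whose names look like secrets and whose values are present in plaintext, noting whether the provider had marked each one sensitive. The attribute-name patterns are an assumption; the embedded credentials are AWS's documented placeholder examples.

```python
"""Why state needs bucket-level protection (added example).

Terraform writes every resource attribute to state as plaintext JSON, including
values marked `sensitive = true` in HCL; that flag only redacts CLI output. This
scan lists what a leaked state file (`terraform state pull`) would expose. The
state below is constructed and the attribute-name patterns are an assumption.
"""
import re

SECRET_KEY_PATTERN = re.compile(r"password|secret|token|private_key|connection_string", re.I)


def secret_attributes(state):
    """Return (address, attribute, flagged_sensitive) for secret-looking, non-empty values.

    flagged_sensitive is True when the provider marked the attribute sensitive,
    which shows that the flag does not keep the plaintext value out of state.
    """
    hits = []
    for res in state.get("resources", []):
        address = f"{res['type']}.{res['name']}"
        if res.get("module"):          # state records module path as "module.<name>"
            address = f"{res['module']}.{address}"
        for inst in res.get("instances", []):
            flagged = {m["value"] for m in inst.get("sensitive_attributes", [])
                       if m.get("type") == "get_attr"}
            for key, value in inst.get("attributes", {}).items():
                if isinstance(value, str) and value and SECRET_KEY_PATTERN.search(key):
                    hits.append((address, key, key in flagged))
    return hits


# Constructed state (format version 4); the credentials are AWS's documented
# placeholder examples, not real keys.
SAMPLE_STATE = {"version": 4, "terraform_version": "1.9.0", "resources": [
    {"mode": "managed", "type": "aws_db_instance", "name": "app", "module": "module.database",
     "instances": [{"attributes": {"identifier": "app-prod", "engine": "postgres",
                                   "username": "app", "password": "Hunter2-Replace-Me!"},
                    "sensitive_attributes": [{"type": "get_attr", "value": "password"}]}]},
    {"mode": "managed", "type": "aws_iam_access_key", "name": "ci",
     "instances": [{"attributes": {"id": "AKIAIOSFODNN7EXAMPLE", "user": "ci",
                                   "secret": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
                    "sensitive_attributes": [{"type": "get_attr", "value": "secret"}]}]},
    {"mode": "managed", "type": "aws_s3_bucket", "name": "logs",
     "instances": [{"attributes": {"bucket": "acme-prod-logs", "arn": "arn:aws:s3:::acme-prod-logs"}}]},
]}

if __name__ == "__main__":
    for address, key, flagged in secret_attributes(SAMPLE_STATE):
        print(f"{address}.{key} stored in plaintext (marked sensitive: {flagged})")
```

Both the RDS master password and the IAM access key secret come back in clear text even though both are marked sensitive in the state metadata, which is why a state bucket with public read, a broad `s3:GetObject` grant, or an unencrypted copy on a laptop is a credential leak rather than a configuration leak.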

What compliance frameworks do you support?

SOC 2, HIPAA, PCI-DSS, ISO 27001 — we configure infrastructure to meet technical controls. We work alongside your compliance team, not replace them.

Can you do disaster recovery across clouds?

Yes. Active-passive or active-active across regions or clouds. RTO/RPO definition, automated failover testing, runbooks for each failure scenario.

How do you handle cost in multi-cloud?

Infracost in CI shows cost delta per PR. OpenCost/Kubecost on Kubernetes for per-team chargeback. Budget alerts per account/project. Monthly review included in retainer.

Ready to build your cloud foundation?

Free 30-min call. We review your setup and tell you exactly what we'd prioritize — no sales pitch.

Book Discovery Call