Anonymised deep dives into real architecture decisions: the problems, the options, the trade-offs, and what I actually built.
A large organisation needed to connect 30+ sites to Azure workloads with consistent security policy, low latency, and centralised management. Their existing MPLS network was expensive, inflexible, and couldn't support direct cloud breakout.
The business had a mix of legacy MPLS circuits, direct internet access at some sites, and a growing Azure footprint with no consistent connectivity model. Security policy was applied differently at every location. Cloud traffic was being backhauled through a single data centre, adding latency and creating a bottleneck.
Azure Virtual WAN with Secured Virtual Hubs running Cisco Secure Firewall for centralised policy enforcement. Cisco SD-WAN at each site provided intelligent path selection and direct cloud breakout for trusted SaaS traffic. ExpressRoute for the primary data centre connection, with VPN failover. The whole environment was deployed through Terraform, with governance controls and security baselines baked into the landing zone from day one.
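The hub side of that design, as an added Terraform example rather than the Terraform from the engagement itself. Resource names, the region, the hub address range and the spoke VNet id are assumptions. The Cisco Secure Firewall NVA (deployed into the hub from the Azure Marketplace) is not modelled here; the point of the example is the spoke attachment setting that decides whether workload subnets can bypass the hub for internet egress.

```hcl
# Added example, not the page's own code. Names, region, ranges and
# var.spoke_vnet_id are assumptions for illustration.

variable "location" {
  type    = string
  default = "uksouth"            # assumed home region
}

variable "spoke_vnet_id" {
  type = string                  # id of an existing workload VNet (assumed)
}

resource "azurerm_resource_group" "vwan" {
  name     = "rg-vwan-hub"
  location = var.location
}

resource "azurerm_virtual_wan" "main" {
  name                = "vwan-main"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
  type                = "Standard"   # Basic hubs cannot host a firewall or ExpressRoute
}

resource "azurerm_virtual_hub" "hub" {
  name                = "vhub-uksouth"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
  virtual_wan_id      = azurerm_virtual_wan.main.id
  address_prefix      = "10.255.0.0/23"   # hub-owned range; must not overlap any spoke
}

# Primary data centre path over ExpressRoute.
resource "azurerm_express_route_gateway" "dc" {
  name                = "ergw-hub"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
  virtual_hub_id      = azurerm_virtual_hub.hub.id
  scale_units         = 1
}

# Site-to-site VPN: failover for the data centre and the path for
# SD-WAN sites that have no ExpressRoute.
resource "azurerm_vpn_gateway" "failover" {
  name                = "vpngw-hub"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
  virtual_hub_id      = azurerm_virtual_hub.hub.id
}

# Spoke attachment. internet_security_enabled = true propagates 0.0.0.0/0
# from the hub into the spoke, so internet-bound traffic is steered to the
# hub and its firewall. At the default (false) the spoke keeps direct
# internet egress and the central policy never sees that traffic.
resource "azurerm_virtual_hub_connection" "spoke" {
  name                      = "conn-spoke-workloads"
  virtual_hub_id            = azurerm_virtual_hub.hub.id
  remote_virtual_network_id = var.spoke_vnet_id
  internet_security_enabled = true
}
```

The propagated default route only becomes an egress path once a firewall or NVA and its routing intent exist in the hub; until then the spoke has no internet route at all, which is the safer failure mode but worth knowing before the first apply. A quick check after deployment is to read the effective routes of a NIC in the spoke and confirm 0.0.0.0/0 points at the hub rather than at Internet.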
I founded a guest Wi-Fi platform and needed to design the entire technical stack from scratch. No legacy to migrate, no existing team, no inherited decisions. Just a blank page and a product to build.
The platform needed to handle unpredictable traffic volumes, process sensitive user data securely, deploy reliably with a tiny team, and keep costs low until revenue materialised. Every architecture decision had to optimise for speed of delivery, operational simplicity, and the ability to scale without re-platforming.
Multi-cloud architecture across AWS and GCP. Serverless backends using Lambda and Cloud Functions for event-driven workloads. Containerised microservices for the core platform logic. RESTful APIs connecting the frontend applications (React, Next.js, Flutter) to the backend services. Everything deployed through Terraform, with CI/CD pipelines on GitHub Actions. Security model built from the ground up: IAM, network segmentation, and data protection controls for a platform handling personal data at volume.
A managed services business needed a scalable, secure hosting platform that could onboard new customers quickly without compromising isolation or blowing up costs.
Each customer needed their own isolated environment with strict IAM boundaries, but the operational overhead of managing dozens of separate accounts manually was unsustainable. Cost allocation had to be transparent and per-tenant. Security and compliance controls had to be consistent across every customer without relying on engineers remembering to apply them.
AWS Control Tower with a custom account vending machine pattern. Tightly scoped IAM models per tenant, with guardrails enforced at the organisation level so that nothing inside a tenant account can remove them. Cost-optimised resource design with reserved capacity planning and automated right-sizing recommendations. The platform became the reference architecture for all new customer onboarding across the business.
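What "guardrails enforced at the organisation level" looks like in Terraform, as an added example and not the engagement's own code. It attaches a service control policy to the OU that holds customer accounts and vends one account through the Control Tower Account Factory product in Service Catalog. The OU id, region list, tenant name, email addresses and the Account Factory parameter keys are assumptions.

```hcl
# Added example, not the page's own code. Variable values, the tenant name
# and the Account Factory parameter keys are assumptions for illustration.

variable "tenant_ou_id" {
  type = string                        # OU that holds customer accounts (assumed)
}

variable "allowed_regions" {
  type    = list(string)
  default = ["eu-west-2", "eu-west-1"] # assumed home regions
}

# The weak pattern is an IAM policy inside each account: a tenant admin can
# edit or delete it. An SCP sits above the account in the organisation, so
# the denies below hold even for the account's administrator role.
resource "aws_organizations_policy" "tenant_guardrails" {
  name        = "tenant-baseline-guardrails"
  description = "Baseline denies applied to every customer account"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid      = "DenyLeavingOrganisation"
        Effect   = "Deny"
        Action   = ["organizations:LeaveOrganization"]
        Resource = "*"
      },
      {
        Sid    = "DenyDisablingAuditTrail"
        Effect = "Deny"
        Action = [
          "cloudtrail:StopLogging",
          "cloudtrail:DeleteTrail",
          "cloudtrail:UpdateTrail",
          "guardduty:DeleteDetector",
          "guardduty:DisassociateFromAdministratorAccount",
          "config:DeleteConfigurationRecorder",
          "config:StopConfigurationRecorder",
        ]
        Resource = "*"
      },
      {
        # Pin activity to the home regions. Global services are exempted
        # because their API endpoints are only reachable via us-east-1.
        Sid    = "DenyUnapprovedRegions"
        Effect = "Deny"
        NotAction = [
          "iam:*", "organizations:*", "sts:*", "support:*",
          "route53:*", "cloudfront:*", "budgets:*", "ce:*",
        ]
        Resource = "*"
        Condition = {
          StringNotEquals = { "aws:RequestedRegion" = var.allowed_regions }
        }
      },
    ]
  })
}

resource "aws_organizations_policy_attachment" "tenant_guardrails" {
  policy_id = aws_organizations_policy.tenant_guardrails.id
  target_id = var.tenant_ou_id
}

# One of these per customer. Placing the account in the tenant OU is what
# puts it under the SCP above; no engineer has to remember a follow-up step.
resource "aws_servicecatalog_provisioned_product" "tenant_account" {
  name                       = "tenant-example-co"
  product_name               = "AWS Control Tower Account Factory"
  provisioning_artifact_name = var.account_factory_version   # assumed input

  provisioning_parameters {
    key   = "AccountName"
    value = "tenant-example-co"
  }
  provisioning_parameters {
    key   = "AccountEmail"
    value = "aws-tenant-example-co@example.com"   # constructed address
  }
  provisioning_parameters {
    key   = "ManagedOrganizationalUnit"
    value = var.tenant_ou_name   # assumed input; the OU name Account Factory expects
  }
  provisioning_parameters {
    key   = "SSOUserEmail"
    value = "platform-admins@example.com"          # constructed address
  }
  provisioning_parameters {
    key   = "SSOUserFirstName"
    value = "Platform"
  }
  provisioning_parameters {
    key   = "SSOUserLastName"
    value = "Admins"
  }
}
```

SCPs never apply to the management account, so the audit-trail denies protect member accounts only; the organisation trail and delegated security tooling should live in dedicated audit and log archive accounts, which is the layout Control Tower creates. The Account Factory product is provisioned from the management account, so this resource has to run under that account's credentials, and the email address must be unique across all of AWS.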
Additional write-ups covering SD-WAN migrations, infrastructure governance frameworks, and internal automation tooling.