Cloud engineer focused on access governance, secure network architectures, and pragmatic automation.
I like clean runbooks, reversible cutovers, and evidence-first security.
I work primarily in Azure, with complementary projects in AWS and GCP where they deliver value.
- 🛡️ Identity & Access: JIT elevation, Conditional Access, PIM, external-ID federation (Azure • AWS STS • GCP WIF)
- 🌐 Networking: Fortinet SD-WAN/IPsec in Azure, HA/BGP, MTU optimization, deterministic routing and secure egress patterns
- ⚙️ Automation: PowerShell/Bicep, Logic Apps, YAML pipelines, GitHub/Azure DevOps
- 🖥️ Endpoint & Governance: Intune configuration, remediation, and policy-driven enforcement
- 📋 Ops: Runbooks, cutover/rollback, observability, backup verification
- ✍️ Documentation: concise, production-ready, redacted
Recent work also explores AI-driven automation and voice-based agents as operational interfaces for platform workflows and customer interaction systems.
This work explores AI-assisted automation and event-driven systems, extending traditional platform engineering patterns into conversational and autonomous workflows.
| Project | Description | Stack |
|---|---|---|
| AI Voice Agent Platform | Event-driven AI voice agent platform handling enquiry intake, outbound calling workflows, structured data capture, and automation pipelines. | 🤖 AI · Azure Functions · Event-Driven |
These repositories are not isolated tooling: each addresses a real operational problem and was designed and implemented with production constraints in mind, namely security, rollback, observability, and long-term maintainability.
Projects are grouped by engineering domain to reflect how platforms are designed and operated in practice.
Projects focused on moving legacy or operationally risky systems into secure, maintainable cloud architectures with controlled cutover and rollback strategies.
| Project | Description | Stack |
|---|---|---|
| UniFi Controller Cloud Migration | End-to-end migration from legacy hosting to Azure with DNS cutover strategy, version pinning, Entra App Proxy integration, MFA enforcement, and operational hardening. | ☁️ Azure · 🐧 Linux · 🧰 PowerShell |
| Azure Public IP Migration | Discovery and migration framework for retiring Basic SKU public IPs safely across subscriptions with inventory export, validation, and reversible migration workflow. | 🧰 PowerShell · ☁️ Azure |
| Azure VPN (P2S) Runbook | Real-world VPN deployment covering authentication models, DNS behaviour, and secure connectivity modernisation patterns. | 🌐 Networking · ☁️ Azure |
| CSAT Remote Access Pattern (LB + NAT Gateway) | Policy-compliant remote access pattern using Standard Load Balancer inbound NAT with controlled outbound egress via NAT Gateway. | ☁️ Azure · Networking · Operations |
Identity is treated as the primary control plane. These projects focus on removing standing privilege, enforcing least access, and making elevation auditable and time-bound.
| Project | Description | Stack |
|---|---|---|
| Cloud Access Broker - JIT (Multi-Cloud) | Multi-cloud just-in-time elevation across Azure, AWS and GCP with approval workflow, audit logging, and automatic revocation. | ☁️ Azure · AWS · GCP · PowerShell |
| AWS JIT Access | Temporary privilege elevation using AWS Identity Center and Step Functions with CloudTrail-backed auditability. | ☁️ AWS · 🐍 Python · 🔐 IAM |
| Azure Access Automation | Automated access workflows integrating Forms, Power Automate and Entra ID to provide controlled, time-bound access with policy enforcement. | ☁️ Azure · ⚡ Power Automate |
| Access Governance Request Platform | Access governance platform enabling request intake, approval workflows, time-bound group membership, automated expiry removal, and audit-ready evidence generation. | ☁️ Azure · Identity · Automation |
Networking projects focused on deterministic routing, secure egress, and predictable failure modes across hybrid and cloud environments.
| Project | Description | Stack |
|---|---|---|
| Fortinet SD-WAN + IPsec (Azure) | Enterprise hub-and-spoke SD-WAN architecture with HA, BGP routing, MTU optimisation, and operational validation patterns. | 🧱 Fortinet · ☁️ Azure |
| Cloud-Secure Egress Policy | Centralised outbound control using firewall chaining and enforced egress paths with documented cutover and rollback strategy. | 🔒 Network Security · ☁️ Azure |
| Azure Firewall Multi-Site Publishing | Secure ingress architecture publishing multiple internal applications through Azure Firewall using DNAT and isolated backend patterns. | 🔥 Azure Firewall · ☁️ Azure |
| Azure Hub-Spoke Hybrid Routing Pattern | Hybrid routing design steering partner traffic over VPN gateway using UDR prefix routing and gateway transit patterns. | 🌐 Networking · ☁️ Azure |
Automation projects focused on scale, repeatability, and reducing operational risk across large cloud estates.
| Project | Description | Stack |
|---|---|---|
| Azure Governance Baseline Framework | Governance baseline implementing naming standards, tag enforcement, policy-as-code scaffolding, drift detection, and controlled remediation workflows. | ☁️ Azure · Policy · PowerShell |
| Azure Cost & Tagging Governance | Automation enforcing tagging standards and cost attribution models across subscriptions with reporting and remediation workflows. | ☁️ Azure · Governance · Automation |
| Azure Budget Governance | Budget enforcement and alerting automation using cost management APIs and operational reporting patterns. | ☁️ Azure · FinOps · Automation |
| Intune Kyocera Print Governance | Endpoint governance automation enforcing compliant printer usage and removing unmanaged drivers through Intune remediation. | 🖥️ Intune · 🧰 PowerShell |
Operational tooling focused on visibility, health validation, and ensuring systems remain observable after deployment.
| Project | Description | Stack |
|---|---|---|
| LogicMonitor Hybrid Monitoring | Hybrid monitoring model spanning Hyper-V, AWS and GCP with unified alerting and operational dashboards. | 📊 LogicMonitor · ☁️ AWS · ☁️ GCP |
| Observability (Grafana + Kibana) | Centralised observability stack for metrics and log analysis across hybrid environments. | 📊 Grafana · Kibana · Monitoring |
| M365 Security Alerts to Teams | Logic App workflow aggregating security alerts and publishing operational summaries to Teams using adaptive cards. | ☁️ Azure · Security · Automation |
| Datto Grafana Monitoring | Monitoring dashboards and alerting patterns designed for operational visibility and infrastructure validation. | 📊 Grafana · Monitoring |
- Identity-first platform design and least-privilege access models
- Deterministic cloud networking and secure ingress/egress architecture
- DevOps practices aligned with operational ownership
- Governance and repeatability across multi-subscription environments
- Automation driven by operational need rather than tooling preference
- Documentation designed for operational handover
- Removed standing privilege through identity-driven elevation models across cloud environments.
- Delivered production migrations and cutovers with pre-defined rollback paths and controlled change patterns.
- Standardised network and access patterns reducing operational drift across environments.
- Built automation replacing manual access provisioning and configuration workflows.
- Produced operational runbooks enabling predictable support and incident response.
- Design for rollback first.
- Prefer small, reversible changes over high-risk deployments.
- Treat identity as the primary security boundary.
- Document systems so someone else can operate them at 3am.
- Automate only after the manual process is fully understood.
- Identity over network trust.
- Short-lived access over standing privilege.
- Evidence over assumptions.
- Safe defaults over permissive convenience.
- Production systems should fail predictably.
- Workload identity federation patterns across cloud providers
- Zero-trust network segmentation models
- Policy-as-code for access governance and platform controls
- Platform engineering workflows for repeatable environments
🧾 All documentation and code samples are redacted for confidentiality.
No secrets, IP addresses, or tenant identifiers are included.