Cloud and infrastructure services

Modern cloud architecture, automated infrastructure and governed platforms.

rechberger.it plans and implements AWS and Microsoft Azure cloud foundations, network security and infrastructure as code with Terraform and CloudFormation. SaaS hosting is handled as a cloud platform topic; Microsoft 365, Exchange Online and Intune are treated separately as workplace and tenant operations.

Operating model

Modern infrastructure is built as a platform.

The work starts with a clear operating model: ownership, environments, access paths, deployment flow and support responsibility. That structure keeps later changes predictable.

Landing zone
Network
Identity
Governance
IaC
SaaS hosting

Landing zones and governance.

The baseline defines accounts, subscriptions, regions, policies, logs, backup expectations, naming and ownership before workloads move in.

AWS OrganizationsAzure subscriptionsLog archiveBackup defaults
Governed foundation

A baseline for account and subscription structure, shared services, central logging, backup defaults and policy guardrails. Environments are separated early, ownership is visible, and changes can move through Terraform or CloudFormation instead of manual console work.

Accounts / subscriptionsRegions and environmentsLogging and recovery

Network, firewall and edge design.

Traffic paths are mapped through VPCs, VNets, DNS, VPN connectivity, private routes, firewall policy and edge entry points.

VPC / VNetDNSVPNFirewall policy
Network architecture

VPC and VNet layouts with hub-spoke routing, private DNS, VPN paths, firewall inspection and edge entry points. The focus is simple traffic flow: what connects, where it is inspected, and how services stay reachable without exposing too much.

Hub and spokesPrivate routesInspection points

Identity, access and security controls.

Cloud access is designed around IAM, Entra ID integration, SSO, MFA, service identities, privileged roles and repeatable review processes.

AWS IAMEntra IDSSO / MFAService identitiesPrivileged rolesAccess reviews
Identity model

Cloud identity focuses on who can access accounts, subscriptions, workloads and automation. IAM roles, Entra ID integration, service principals, MFA and privileged access are documented separately from Microsoft 365 tenant operations.

Human accessService identitiesPrivileged rolesReview process

SaaS hosting and cloud platform operations.

SaaS hosting is treated as application infrastructure: DNS, certificates, CDN and edge routing, containerized services, managed orchestration, secrets, monitoring, backups and recovery expectations.

DNSCertificatesContainersOrchestrationSecretsMonitoring
SaaS platform

Application hosting with DNS, TLS, CDN and edge routing, containerized services, managed orchestration, secrets, monitoring, backup checks and release flow. Microsoft 365 administration is kept as a separate workplace operations area.

Edge and TLSContainer servicesManaged orchestrationRecovery checks
PlatformAWS / Azure
Landing zoneaccounts / subscriptions
Governancepolicy / guardrails
IaCTerraform / CloudFormation
Networkrouting / firewall
IdentityIAM / Entra ID / access
SaaS opsmonitoring / recovery / hosting
Technical overview

Governed and automated, not clicked together.

Infrastructure changes should be versioned, reviewed and repeatable. Terraform and CloudFormation keep AWS and Azure platform changes traceable, while monitoring, backup checks and release notes make hosted services operable after deployment. Microsoft 365, Exchange Online and Intune are handled as a separate tenant operations stream.

Landing zone

Account layout, subscription structure, separated environments, logs and shared services.

Governance

Guardrails, tagging, ownership, cost visibility and reviewable defaults.

Infrastructure as code

Terraform modules, CloudFormation stacks and deployment pipelines for controlled releases.

Network and security

Hub-spoke networking, DNS, firewall rules, private access and inspection paths.

Microsoft 365

Exchange Online, tenant settings, Intune policy, device controls and handover notes.

Platform notes

What gets designed, automated and handed over.

Cloud work is strongest when the platform model is clear before workloads arrive. These notes describe the practical areas behind a modern AWS and Azure foundation without turning the page into product documentation.

Landing zone baseline

A landing zone defines the starting structure for cloud adoption: account or subscription layout, management groups, environments, shared services, logging, identity integration and network entry points. The goal is a prepared environment where new workloads can be placed consistently.

  • Account and subscription hierarchy
  • Shared logging and security services
  • Environment separation
Governance and guardrails

Governance is implemented as practical defaults: policies, naming, tagging, role ownership, budget visibility and reviewable exception handling. Guardrails should reduce avoidable risk while still allowing teams to deploy and operate real workloads.

  • Policy assignments and controls
  • Tagging and ownership rules
  • Cost and compliance visibility
Infrastructure as Code

Terraform and CloudFormation describe infrastructure in code so changes can be reviewed, versioned and repeated. The important part is not only writing modules or stacks, but also defining state handling, approvals, rollout order and documentation for future changes.

  • Terraform modules and state
  • CloudFormation stacks
  • Pull request based changes
Network and security path

Network design maps how services communicate: VPCs, VNets, hub-spoke routing, private DNS, VPN or private connectivity, firewall inspection and edge entry points. Security controls are easier to operate when traffic paths and ownership are visible.

  • Hub-spoke routing
  • Firewall and inspection points
  • Private DNS and access paths
Cloud identity and access

Cloud identity controls connect human users, service identities and administrative roles for AWS and Azure. IAM, Entra ID integration, SSO, MFA and privileged access patterns are documented so platform access can be reviewed instead of guessed later.

  • Least privilege role design
  • SSO and MFA integration
  • Admin and service identities
SaaS and cloud-native hosting

Application hosting uses DNS, TLS, CDN or edge routing, containerized services, managed orchestration, secrets, monitoring and backup expectations. This area is about running applications on cloud infrastructure, separate from Microsoft 365 tenant administration.

  • Containerized services
  • Managed orchestration
  • DNS, TLS and edge routing
Microsoft 365 operations

Microsoft 365 work is a workplace and tenant operations area: Exchange Online, tenant configuration, Intune policy, device compliance and access rules. The focus is operational clarity for users, devices, mail flow and tenant administration.

  • Exchange Online configuration
  • Intune policy management
  • Tenant and device controls
Observability and recovery

Platforms need signals after deployment: logs, metrics, alarms, backup status, recovery expectations and incident notes. This keeps operations focused on the first checks to run when something changes or fails.

  • Logs, metrics and alerts
  • Backup and recovery checks
  • Runbooks and handover notes

Assess

Inventory the current environment before changing it: accounts, subscriptions, tenants, DNS, network paths, workloads, user access, devices, backup state, operational ownership and known risks. The assessment separates facts from assumptions and shows which parts can move safely.

Design

Turn requirements into separate target models for AWS and Azure foundations, SaaS hosting, network segmentation, firewall inspection, identity access and Microsoft 365 workplace operations. Decisions are written down as diagrams, naming patterns, access rules, policy defaults and implementation steps.

Build

Implement the platform with reviewable changes: Terraform modules, CloudFormation stacks, tenant configuration, DNS, certificates, routing, monitoring, backup checks and policy controls. The goal is repeatable infrastructure, not one-off console state.

Handover

Leave the environment understandable: architecture diagrams, runbooks, admin notes, recovery expectations, monitoring checks, release flow and open decisions. Operations should know how the platform is built, where to look first and how changes are released.

Contact

Build the next layer of your cloud platform.

For AWS and Azure foundations, infrastructure as code, network security and SaaS hosting, plus separate Microsoft 365, Exchange Online and Intune operations.

rechberger.itCloud and Infrastructure Services
AWS and Azure cloud foundations SaaS hosting and cloud-native operations Microsoft 365, Exchange Online and Intune Terraform, CloudFormation and automation Based in Austria