Account layout, subscription structure, separated environments, logs and shared services.
Cloud and infrastructure services
Modern cloud architecture, automated infrastructure and governed platforms.
rechberger.it plans and implements AWS and Microsoft Azure cloud foundations, network security and infrastructure as code with Terraform and CloudFormation. SaaS hosting is handled as a cloud platform topic; Microsoft 365, Exchange Online and Intune are treated separately as workplace and tenant operations.
Modern infrastructure is built as a platform.
The work starts with a clear operating model: ownership, environments, access paths, deployment flow and support responsibility. That structure keeps later changes predictable.
Landing zones and governance.
The baseline defines accounts, subscriptions, regions, policies, logs, backup expectations, naming and ownership before workloads move in.
A baseline for account and subscription structure, shared services, central logging, backup defaults and policy guardrails. Environments are separated early, ownership is visible, and changes can move through Terraform or CloudFormation instead of manual console work.
Network, firewall and edge design.
Traffic paths are mapped through VPCs, VNets, DNS, VPN connectivity, private routes, firewall policy and edge entry points.
VPC and VNet layouts with hub-spoke routing, private DNS, VPN paths, firewall inspection and edge entry points. The focus is simple traffic flow: what connects, where it is inspected, and how services stay reachable without exposing too much.
Identity, access and security controls.
Cloud access is designed around IAM, Entra ID integration, SSO, MFA, service identities, privileged roles and repeatable review processes.
Cloud identity focuses on who can access accounts, subscriptions, workloads and automation. IAM roles, Entra ID integration, service principals, MFA and privileged access are documented separately from Microsoft 365 tenant operations.
SaaS hosting and cloud platform operations.
SaaS hosting is treated as application infrastructure: DNS, certificates, CDN and edge routing, containerized services, managed orchestration, secrets, monitoring, backups and recovery expectations.
Application hosting with DNS, TLS, CDN and edge routing, containerized services, managed orchestration, secrets, monitoring, backup checks and release flow. Microsoft 365 administration is kept as a separate workplace operations area.
Governed and automated, not clicked together.
Infrastructure changes should be versioned, reviewed and repeatable. Terraform and CloudFormation keep AWS and Azure platform changes traceable, while monitoring, backup checks and release notes make hosted services operable after deployment. Microsoft 365, Exchange Online and Intune are handled as a separate tenant operations stream.
Guardrails, tagging, ownership, cost visibility and reviewable defaults.
Terraform modules, CloudFormation stacks and deployment pipelines for controlled releases.
Hub-spoke networking, DNS, firewall rules, private access and inspection paths.
Exchange Online, tenant settings, Intune policy, device controls and handover notes.
What gets designed, automated and handed over.
Cloud work is strongest when the platform model is clear before workloads arrive. These notes describe the practical areas behind a modern AWS and Azure foundation without turning the page into product documentation.
A landing zone defines the starting structure for cloud adoption: account or subscription layout, management groups, environments, shared services, logging, identity integration and network entry points. The goal is a prepared environment where new workloads can be placed consistently.
- Account and subscription hierarchy
- Shared logging and security services
- Environment separation
Governance is implemented as practical defaults: policies, naming, tagging, role ownership, budget visibility and reviewable exception handling. Guardrails should reduce avoidable risk while still allowing teams to deploy and operate real workloads.
- Policy assignments and controls
- Tagging and ownership rules
- Cost and compliance visibility
Terraform and CloudFormation describe infrastructure in code so changes can be reviewed, versioned and repeated. The important part is not only writing modules or stacks, but also defining state handling, approvals, rollout order and documentation for future changes.
- Terraform modules and state
- CloudFormation stacks
- Pull request based changes
Network design maps how services communicate: VPCs, VNets, hub-spoke routing, private DNS, VPN or private connectivity, firewall inspection and edge entry points. Security controls are easier to operate when traffic paths and ownership are visible.
- Hub-spoke routing
- Firewall and inspection points
- Private DNS and access paths
Cloud identity controls connect human users, service identities and administrative roles for AWS and Azure. IAM, Entra ID integration, SSO, MFA and privileged access patterns are documented so platform access can be reviewed instead of guessed later.
- Least privilege role design
- SSO and MFA integration
- Admin and service identities
Application hosting uses DNS, TLS, CDN or edge routing, containerized services, managed orchestration, secrets, monitoring and backup expectations. This area is about running applications on cloud infrastructure, separate from Microsoft 365 tenant administration.
- Containerized services
- Managed orchestration
- DNS, TLS and edge routing
Microsoft 365 work is a workplace and tenant operations area: Exchange Online, tenant configuration, Intune policy, device compliance and access rules. The focus is operational clarity for users, devices, mail flow and tenant administration.
- Exchange Online configuration
- Intune policy management
- Tenant and device controls
Platforms need signals after deployment: logs, metrics, alarms, backup status, recovery expectations and incident notes. This keeps operations focused on the first checks to run when something changes or fails.
- Logs, metrics and alerts
- Backup and recovery checks
- Runbooks and handover notes
Assess
Inventory the current environment before changing it: accounts, subscriptions, tenants, DNS, network paths, workloads, user access, devices, backup state, operational ownership and known risks. The assessment separates facts from assumptions and shows which parts can move safely.
Design
Turn requirements into separate target models for AWS and Azure foundations, SaaS hosting, network segmentation, firewall inspection, identity access and Microsoft 365 workplace operations. Decisions are written down as diagrams, naming patterns, access rules, policy defaults and implementation steps.
Build
Implement the platform with reviewable changes: Terraform modules, CloudFormation stacks, tenant configuration, DNS, certificates, routing, monitoring, backup checks and policy controls. The goal is repeatable infrastructure, not one-off console state.
Handover
Leave the environment understandable: architecture diagrams, runbooks, admin notes, recovery expectations, monitoring checks, release flow and open decisions. Operations should know how the platform is built, where to look first and how changes are released.
Build the next layer of your cloud platform.
For AWS and Azure foundations, infrastructure as code, network security and SaaS hosting, plus separate Microsoft 365, Exchange Online and Intune operations.
