Cloud engineer focused on access governance, secure network architectures, and pragmatic automation.
I like clean runbooks, reversible cutovers, and evidence-first security.
I work primarily in Azure, with complementary projects in AWS and GCP where they deliver value.
- Identity & Access: JIT elevation, Conditional Access, PIM, cross-cloud identity federation (Entra ID • AWS STS • GCP Workload Identity Federation)
- Networking: Fortinet SD-WAN/IPsec in Azure, HA/BGP, MTU optimisation
- Automation: PowerShell/Bicep, Logic Apps, YAML pipelines, GitHub/Azure DevOps
- Ops: runbooks, cutover/rollback, observability, backup verification
- Documentation: concise, production-ready, redacted
| Project | Description | Stack |
|---|---|---|
| Cloud Access Broker – JIT (Multi-Cloud) | Time-bound least-privilege elevation across Azure, AWS and GCP with approvals, audit trail, and automatic revocation. | Azure · AWS · GCP · PowerShell/Bash |
| AWS JIT Access | IAM Identity Center + Step Functions flow for temporary AWS elevation with auto-expiry and CloudTrail logging. | AWS · Python · IAM |
| Azure Access Automation | Forms → SharePoint → Power Automate → Entra ID group → Conditional Access (time-boxed access from outside the home country). | Azure · Power Automate |
| Fortinet SD-WAN + IPsec (Azure) | Hub-and-spoke SD-WAN/IPsec topology with HA/BGP, MTU hardening, and route health validation. | Fortinet · Azure |
| Azure Public IP Migration | Discover Basic SKU public IPs, export an inventory CSV, and migrate them safely to Standard SKU. | PowerShell · Azure |
| Azure VPN (P2S) Runbook | Real-world Azure Point-to-Site VPN rollout: OpenVPN/Entra ID vs IKEv2, DNS strategy, and secure defaults. | Networking · Azure |
| Cloud-Secure Egress Policy | Lock down outbound Internet egress through a central firewall/NVA chain, with cutover and rollback docs. | Network Security · Azure |
| LogicMonitor Hybrid (Hyper-V • AWS • GCP) | Hybrid observability with collectors/agents and cloud integrations; CPU/memory/uptime alerting. | LogicMonitor · AWS · GCP |
| UniFi Controller Cloud Migration | Migration from legacy hosting to a cloud VM with DNS cutover, version pinning, Entra Application Proxy (MFA/Conditional Access), and SSH host key audit controls. | Cloud · PowerShell · Linux |
| Intune Kyocera Print Governance | Intune remediation scripts that allow only Kyocera printers, remove unmanaged print drivers, and report compliance. | Intune · PowerShell |
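The discovery step of the Azure Public IP Migration project, as an added example that is not code from this profile's repositories: it walks every subscription the caller can read, lists Basic SKU public IPs, and classifies each against the two preconditions for an in-place upgrade to Standard SKU (the IP must be disassociated from its NIC or load balancer, and its allocation method must be Static). It assumes the Az.Accounts and Az.Network modules and an existing Connect-AzAccount session; the output path is a placeholder. Basic SKU public IPs retire on 30 September 2025, so the "Readiness" column is what drives the cutover plan.

```powershell
# Added example (not the profile's own code): inventory Basic SKU public IPs and
# classify each for Standard SKU upgrade readiness. Read-only: nothing is modified.
# Assumes Az.Accounts + Az.Network and an authenticated Connect-AzAccount session.
param(
    [string] $OutFile = '.\basic-public-ips.csv'   # placeholder output path
)

$rows = foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null

    foreach ($pip in Get-AzPublicIpAddress | Where-Object { $_.Sku.Name -eq 'Basic' }) {
        # An attached IP carries the owning ipConfiguration's resource ID, e.g.
        # .../providers/Microsoft.Network/networkInterfaces/<nic>/ipConfigurations/<cfg>
        # or .../loadBalancers/<lb>/frontendIPConfigurations/<fe>.
        $ownerId  = $pip.IpConfiguration.Id
        $attached = [bool] $ownerId
        $owner    = ''
        if ($attached) {
            $parts = $ownerId -split '/'
            $owner = '{0}/{1}' -f $parts[7], $parts[8]   # resource type / resource name
        }

        # Upgrade preconditions: disassociated AND Static allocation. Record every
        # blocker rather than the first one so the CSV tells the whole story.
        $blockers = @()
        if ($attached)                                    { $blockers += 'attached' }
        if ($pip.PublicIpAllocationMethod -ne 'Static')   { $blockers += 'dynamic-allocation' }

        [pscustomobject]@{
            Subscription  = $sub.Name
            ResourceGroup = $pip.ResourceGroupName
            Name          = $pip.Name
            Location      = $pip.Location
            Allocation    = $pip.PublicIpAllocationMethod
            IpAddress     = $pip.IpAddress          # empty for unattached dynamic IPs
            AttachedTo    = $owner
            Readiness     = if ($blockers) { $blockers -join ';' } else { 'ready' }
        }
    }
}

$rows = @($rows)
$rows | Sort-Object Subscription, ResourceGroup, Name |
    Export-Csv -Path $OutFile -NoTypeInformation

$ready = @($rows | Where-Object Readiness -eq 'ready').Count
'Found {0} Basic SKU public IP(s); {1} ready for in-place upgrade. Inventory: {2}' -f $rows.Count, $ready, $OutFile
```

Everything not marked `ready` needs a planned step before the SKU change: a dynamic IP must first be switched to Static (the address may change, so record the old one from the CSV), and an attached IP must be disassociated during a maintenance window. Keep the CSV as the pre-change evidence and re-run the script after the cutover to confirm the Basic count has gone to zero.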
- Identity & Access Governance (Multi-Cloud) – Designing and operating secure, auditable JIT access models across Entra ID PIM, AWS STS AssumeRole, and GCP Workload Identity Federation.
- Cloud Networking & Security – Enterprise SD-WAN / IPsec with HA & BGP, MTU tuning, hub-and-spoke design, firewall chaining, and deterministic egress patterns.
- Platform & Access Automation – PowerShell-driven automation for access workflows, infrastructure provisioning, Intune remediation, and operational tooling.
- Security Automation & SOC Integration – Sentinel and M365 playbooks for enrichment, triage, and routing alerts into operational channels (Teams / ticketing).
- Governance & Cost Control – Policy enforcement, tagging hygiene, drift detection, and accountability across cloud estates.
- Operational Resilience – Production-grade runbooks, health checks, backup validation, controlled cutovers, and deterministic rollback procedures.
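What "JIT access" looks like in the Entra ID PIM leg of the model above, as an added example that is not code from this profile's projects: a time-bound self-activation of an eligible directory role through Microsoft Graph PowerShell, which refuses to submit a request when no eligibility exists, caps the duration client-side, and reads the resulting assignment instance back as evidence of when access ends. It assumes the Microsoft.Graph module, a caller who is eligible for the role under a PIM policy, and placeholder values for the role name, duration, and ticket reference.

```powershell
# Added example (not the profile's own code): time-bound PIM self-activation of an
# Entra ID directory role via Microsoft Graph PowerShell. Assumes the Microsoft.Graph
# module is installed and the caller holds a PIM eligibility for the role.
param(
    [string] $RoleName      = 'Global Reader',                    # placeholder eligible role
    [string] $Duration      = 'PT1H',                             # ISO 8601; must be <= the policy maximum
    [string] $Justification = 'CHG0000000: scheduled maintenance' # placeholder ticket reference
)

# Request only the scopes this flow needs.
Connect-MgGraph -Scopes 'RoleEligibilitySchedule.Read.Directory',
                        'RoleAssignmentSchedule.ReadWrite.Directory' -NoWelcome

$user    = Get-MgUser -UserId (Get-MgContext).Account
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
if (-not $roleDef) { throw "Role '$RoleName' not found in this tenant." }

# Fail closed: only request activation if a direct eligibility exists for this user.
# (Eligibility inherited through a PIM-enabled group shows the group's id as principalId
# and would need its own lookup.)
$eligible = Get-MgRoleManagementDirectoryRoleEligibilitySchedule `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($roleDef.Id)'"
if (-not $eligible) { throw "No PIM eligibility for '$RoleName'; refusing to request activation." }

$body = @{
    Action           = 'selfActivate'
    PrincipalId      = $user.Id
    RoleDefinitionId = $roleDef.Id
    DirectoryScopeId = '/'                         # tenant-wide; narrow to an AU scope where possible
    Justification    = $Justification
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = 'AfterDuration'; Duration = $Duration }
    }
}
$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $body

if ($request.Status -eq 'PendingApproval') {
    "Request $($request.Id) is waiting for approval; no access has been granted yet."
    return
}

# Evidence, not assumption: read back the active instance and its hard end time.
$instance = Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($user.Id)' and roleDefinitionId eq '$($roleDef.Id)'"
"Request status: {0}. Assignment type: {1}. Access ends (UTC): {2}" -f
    $request.Status, $instance.AssignmentType, $instance.EndDateTime
```

The expiry is enforced by the service, not by a scheduled script, so there is nothing to roll back if the operator forgets: when `EndDateTime` passes, the assignment instance disappears. If the work finishes early, submit the same request shape with `Action = 'selfDeactivate'` to close the window immediately, and keep the request ID and the read-back end time with the change record.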
- Designed and implemented identity-first access models that removed standing privileges across multi-cloud environments.
- Led multiple production migrations and cutovers (DNS, network, platform) using reversible change patterns and pre-validated rollback paths.
- Standardised cloud networking architectures (hub-and-spoke, firewall chaining, VPN / SD-WAN) to reduce operational risk and configuration drift.
- Built automation replacing manual access provisioning, onboarding flows, and environment configuration tasks.
- Authored operational runbooks used for on-call support, incident response, and long-term platform handover.
- Design for rollback first.
- Prefer small, reversible changes over high-risk deployments.
- Treat identity as the primary security boundary.
- Document systems so someone else can operate them at 3am.
- Automate only after the manual process is fully understood.
- Identity over network trust.
- Short-lived access over standing privilege.
- Evidence over assumptions.
- Safe defaults over permissive convenience.
- Production systems should fail predictably.
- Workload identity federation patterns across cloud providers
- Zero-trust network segmentation models
- Policy-as-code for access governance and platform controls
- Platform engineering workflows for repeatable environments
All documentation and code samples are redacted for confidentiality.
No secrets, IP addresses, or tenant identifiers are included.

