Cloud Architect

Objectives & Outcomes

• Define and socialise target state architectures across Azure/AWS/GCP (networking, identity, landing zones, operations).
• Deliver reference architectures and reusable patterns for containerised, serverless, and data workloads.
• Establish/extend Cloud Landing Zones (policy, guardrails, RBAC, tagging, network segmentation).
• Lead migration and modernisation (re‑host/re‑platform/re‑factor) for priority applications.
• Implement IaC at scale (Terraform preferred; standard modules; pipelines).
• Build observability (logs, metrics, traces, SLOs) and resilience (HA, DR, RTO/RPO).
• Drive FinOps —cost transparency, budgets, showback/chargeback, right‑sizing.
• Embed security‑by‑design and compliance (CIS, NIST, ISO 27001, FCA/NHS/PCI as applicable).

Key Responsibilities

• Architecture & Design
• Produce HLDs/LLDs, diagrams, ADRs, non‑functional requirements, and traceability to business goals.
• Select and justify cloud services (compute, storage, data, AI/ML, integration).
• Define multi‑cloud connectivity (hub‑and‑spoke, transit gateways, ExpressRoute/Direct Connect/Cloud Interconnect, SD‑WAN).
• Design identity and access (Azure AD/Microsoft Entra, AWS IAM, GCP IAM; SSO; workload identities).
• Platform Engineering
• Standardise Terraform modules; enforce code quality, policy‑as‑code (OPA/Conftest/Azure Policy).
• Build/optimise Kubernetes platforms (AKS/EKS/GKE), service mesh (Istio/Linkerd), ingress, and autoscaling.
• Implement CI/CD (GitHub Actions/Azure DevOps/GitLab), environment promotion, secrets management, artifact repos.
• Security & Compliance
• Define guardrails (CIS benchmarks), cloud security posture management (Defender for Cloud, AWS Security Hub, GCP SCC).
• Vaulting and KMS (AWS KMS, Azure Key Vault, GCP KMS), key rotation, data classification & encryption.
• Threat modelling, zero trust patterns, vulnerability management, incident runbooks.
• Data & Integration
• Reference architectures for streaming/batch (Kafka/MSK, Event Hubs, Pub/Sub), data lakes, warehouses (BigQuery, Synapse, Redshift), ETL/ELT.
• API strategy (APIM/API Gateway/Apigee), messaging (SQS/SNS/Service Bus/PubSub), event‑driven design.
• Operations & Reliability
• Observability stack (CloudWatch/CloudTrail, Azure Monitor/Log Analytics, Cloud Logging/Monitoring; Prometheus/Grafana).
• DR/BCP architectures (cross‑region, multi‑region, backups, runbooks; tested failover).
• Performance testing, capacity planning, SLO/SLIs, error budgets.
• Governance & Cost
• Landing zone governance, tagging/labels, budget alerts, reserved/savings plans.
• Operating model definition (RACI), platform backlog, roadmap, and risk management.
• Stakeholder Management
• Run workshops, architecture reviews, and design clinics.
• Collaborate with InfoSec, Network, Data, and App teams; mentor engineers.

Required Experience

• 8+ years in cloud architecture/engineering; 3+ years multi‑cloud across Azure, AWS, and GCP .
• Proven delivery of enterprise landing zones , Kubernetes , IaC at scale, and secure network architectures .
• Strong track record in app migration/modernisation and cost optimisation .
• Comfortable in highly regulated environments (finance, healthcare, public sector) is a plus.

Technical Stack (Desired)

• Cloud: Azure (Resource Manager, Entra ID, Policy, Monitor), AWS (EC2, VPC, IAM, TGW), GCP (VPC, IAM, Interconnect).
• Networking: DNS, TLS/mTLS, BGP, NAT, WAF, CDN, private endpoints, service endpoints.
• Compute/Containers: AKS/EKS/GKE, ECS/Fargate, VMSS/ASG, serverless (Lambda, Azure Functions, Cloud Functions).
• IaC & Pipelines: Terraform (required), Terragrunt (nice), Helm, Kustomize, GitHub Actions, Azure DevOps, GitLab CI.
• Security: Defender for Cloud, Sentinel, AWS GuardDuty/Security Hub, GCP SCC, OPA, HashiCorp Vault, KMS.
• Data/Integration: Event Hubs/Kafka/PubSub, API Gateway/APIM/Apigee, Data Factory/Glue/Cloud Data Fusion, BigQuery/Synapse/Redshift.
• Observability: Prometheus/Grafana, OpenTelemetry, CloudWatch, Azure Monitor, Cloud Monitoring, ELK/Elastic.
• Scripting: Python/Bash/PowerShell; strong Git and code review practices.

Certifications (Nice to Have)

• Azure: AZ‑305 (Architect), AZ‑400 (DevOps)
• AWS: Solutions Architect Professional, DevOps Engineer
• GCP: Professional Cloud Architect, DevOps Engineer
• Security/Architecture: CISSP, CISM, TOGAF, CCSP
• FinOps: FinOps Certified Practitioner

Soft Skills

• Excellent communicator—able to translate complex architecture into clear, actionable plans.
• Pragmatic, delivery‑focused, and comfortable with ambiguity.
• Strong stakeholder management and mentoring capabilities.

Deliverables

• Cloud Target Operating Model & reference architectures.
• Landing zone designs and implementation (per cloud).
• Network & identity blueprints and runbooks.
• IaC repositories (Terraform modules, pipelines) with documentation.
• Security patterns (guardrails, policies, encryption standards).
• Observability standards (dashboards, alerts, SLOs).
• Application migration plans (waves, dependency maps) and executed milestones.
• FinOps reports and cost optimisation recommendations.

KPIs / Success Measures

• % workloads onboarded to landing zones with guardrails enforced.
• Mean time to provision environments (baseline vs target).
• % policy compliance (CIS/NIST) and critical vulnerabilities remediated.
• Cost savings realised (rightsizing, reservations), forecast accuracy.
• DR test pass rate; RTO/RPO compliance.
• Uptime/SLO adherence and incident reduction.

Ways of Working

• Hybrid : 2–3 days per week in Oxford; flexibility during key milestones.
• Cadence : Weekly architecture forum, sprint rituals with squads, monthly exec updates.
• Documentation : Diagrams (Draw.io/Visio), ADRs in Git, Confluence/SharePoint.
• Tooling Access : Provided by client (SSO, VPN, repositories).