Objectives & Outcomes
* Define and socialise target state architectures across Azure/AWS/GCP (networking, identity, landing zones, operations).
* Deliver reference architectures and reusable patterns for containerised, serverless, and data workloads.
* Establish/extend Cloud Landing Zones (policy, guardrails, RBAC, tagging, network segmentation).
* Lead migration and modernisation (re‑host/re‑platform/re‑factor) for priority applications.
* Implement IaC at scale (Terraform preferred; standard modules; pipelines).
* Build observability (logs, metrics, traces, SLOs) and resilience (HA, DR, RTO/RPO).
* Drive FinOps—cost transparency, budgets, showback/chargeback, right‑sizing.
* Embed security‑by‑design and compliance (CIS, NIST, ISO 27001, and FCA/NHS/PCI DSS as applicable).
Key Responsibilities
* Architecture & Design
* Produce HLDs/LLDs, diagrams, ADRs, non‑functional requirements, and traceability to business goals.
* Select and justify cloud services (compute, storage, data, AI/ML, integration).
* Define multi‑cloud connectivity (hub‑and‑spoke, transit gateways, ExpressRoute/Direct Connect/Cloud Interconnect, SD‑WAN).
* Design identity and access (Microsoft Entra ID (formerly Azure AD), AWS IAM, GCP IAM; SSO; workload identities).
* Platform Engineering
* Standardise Terraform modules; enforce code quality and policy‑as‑code (OPA/Conftest/Azure Policy) in the pipeline before apply.
* Build/optimise Kubernetes platforms (AKS/EKS/GKE), service mesh (Istio/Linkerd), ingress, and autoscaling.
* Implement CI/CD (GitHub Actions/Azure DevOps/GitLab), environment promotion, secrets management, artifact repos.
* Security & Compliance
* Define guardrails (CIS benchmarks), cloud security posture management (Defender for Cloud, AWS Security Hub, GCP SCC).
* Vaulting and KMS (AWS KMS, Azure Key Vault, GCP KMS), key rotation, data classification & encryption.
* Threat modelling, zero trust patterns, vulnerability management, incident runbooks.
* Data & Integration
* Reference architectures for streaming/batch (Kafka/MSK, Event Hubs, Pub/Sub), data lakes, warehouses (BigQuery, Synapse, Redshift), ETL/ELT.
* API strategy (APIM/API Gateway/Apigee), messaging (SQS/SNS/Service Bus/Pub/Sub), event‑driven design.
* Operations & Reliability
* Observability stack (CloudWatch/CloudTrail, Azure Monitor/Log Analytics, Cloud Logging/Monitoring; Prometheus/Grafana).
* DR/BCP architectures (cross‑region, multi‑region, backups, runbooks; tested failover).
* Performance testing, capacity planning, SLO/SLIs, error budgets.
* Governance & Cost
* Landing zone governance, tagging/labels, budget alerts, reserved/savings plans.
* Operating model definition (RACI), platform backlog, roadmap, and risk management.
* Stakeholder Management
* Run workshops, architecture reviews, and design clinics.
* Collaborate with InfoSec, Network, Data, and App teams; mentor engineers.
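The Platform Engineering and Security & Compliance responsibilities above both come down to one mechanism: a policy‑as‑code gate that reads the Terraform plan in CI and fails the pipeline before `apply` if a guardrail is violated. The following is an added illustration, not code from this role or any client; it is written in Python rather than the Rego/Conftest or Azure Policy named above so the logic is readable stand‑alone. It assumes the JSON shape produced by `terraform show -json tfplan` (`resource_changes[].change.actions` / `.after`), and the three guardrails (mandatory tags, no world‑open admin ports, EBS encryption at rest) and the embedded sample plan are constructed for the example.

```python
"""Policy-as-code gate over a Terraform plan (constructed example).

Reads `terraform show -json tfplan` output and applies three landing-zone
guardrails: mandatory tags, no admin ports open to the internet (CIS-style
security group rule), and encryption at rest for EBS volumes. Exit code 1
on any violation so the CI job blocks `terraform apply`.
"""
import json
import sys

# Guardrail parameters: assumed for this example, not taken from any real policy set.
REQUIRED_TAGS = {"owner", "cost-centre", "environment"}
ADMIN_PORTS = {22, 3389}
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _after(rc):
    """Planned post-apply attributes of a resource change (empty for deletes)."""
    return rc.get("change", {}).get("after") or {}


def _is_create_or_update(rc):
    actions = rc.get("change", {}).get("actions", [])
    return any(a in ("create", "update") for a in actions)


def check_required_tags(rc):
    """Any resource that carries a `tags` map must have all REQUIRED_TAGS set."""
    after = _after(rc)
    if "tags" not in after:
        return []
    missing = REQUIRED_TAGS - set((after.get("tags") or {}).keys())
    return [f"{rc['address']}: missing required tags {sorted(missing)}"] if missing else []


def check_open_admin_ports(rc):
    """Flag security group ingress from 0.0.0.0/0 or ::/0 that reaches SSH/RDP."""
    if rc.get("type") != "aws_security_group":
        return []
    findings = []
    for rule in _after(rc).get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if not cidrs & {ANY_IPV4, ANY_IPV6}:
            continue
        lo, hi = rule.get("from_port", 0), rule.get("to_port", 0)
        # Protocol "-1" means all ports, which necessarily includes the admin ports.
        if rule.get("protocol") == "-1" or any(lo <= p <= hi for p in ADMIN_PORTS):
            findings.append(f"{rc['address']}: ingress {lo}-{hi} open to the internet")
    return findings


def check_ebs_encryption(rc):
    """EBS volumes must be created with encrypted = true."""
    if rc.get("type") != "aws_ebs_volume":
        return []
    if _after(rc).get("encrypted") is not True:
        return [f"{rc['address']}: EBS volume not encrypted at rest"]
    return []


CHECKS = (check_required_tags, check_open_admin_ports, check_ebs_encryption)


def evaluate_plan(plan):
    """Return the list of violation strings for a parsed plan JSON document."""
    violations = []
    for rc in plan.get("resource_changes", []):
        if not _is_create_or_update(rc):
            continue  # deletes and no-ops cannot introduce new non-compliant state
        for check in CHECKS:
            violations.extend(check(rc))
    return violations


# Constructed sample plan: one compliant SG, one bastion SG that breaks two rules,
# one unencrypted volume, and a delete that the gate must ignore.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {
             "tags": {"owner": "platform", "cost-centre": "CC100", "environment": "prod"},
             "ingress": [{"from_port": 443, "to_port": 443, "protocol": "tcp",
                          "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_security_group.bastion", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {
             "tags": {"owner": "platform"},
             "ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                          "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
         "change": {"actions": ["create"], "after": {"encrypted": False,
             "tags": {"owner": "data", "cost-centre": "CC200", "environment": "dev"}}}},
        {"address": "aws_ebs_volume.old", "type": "aws_ebs_volume",
         "change": {"actions": ["delete"], "after": None}},
    ],
}


if __name__ == "__main__":
    # Usage: terraform show -json tfplan > plan.json && python gate.py plan.json
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for v in evaluate_plan(plan):
        print("DENY", v)
    sys.exit(1 if evaluate_plan(plan) else 0)
```

Running it against the embedded sample reports two findings for the bastion security group (missing tags, SSH open to the world) and one for the unencrypted volume, while the compliant web security group and the deletion produce nothing. The same three rules map directly onto Conftest/Rego or Azure Policy definitions once the team settles on a policy engine; the value is in gating the plan, not in the language.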
Required Experience
* 8+ years in cloud architecture/engineering; 3+ years multi‑cloud across Azure, AWS, and GCP.
* Proven delivery of enterprise landing zones, Kubernetes, IaC at scale, and secure network architectures.
* Strong track record in app migration/modernisation and cost optimisation.
* Experience in highly regulated environments (finance, healthcare, public sector) is a plus.
Technical Stack (Desired)
* Cloud: Azure (Resource Manager, Entra ID, Policy, Monitor), AWS (EC2, VPC, IAM, TGW), GCP (VPC, IAM, Interconnect).
* Networking: DNS, TLS/mTLS, BGP, NAT, WAF, CDN, private endpoints, service endpoints.
* Compute/Containers: AKS/EKS/GKE, ECS/Fargate, VMSS/ASG, serverless (Lambda, Azure Functions, Cloud Functions).
* IaC & Pipelines: Terraform (required), Terragrunt (nice), Helm, Kustomize, GitHub Actions, Azure DevOps, GitLab CI.
* Security: Defender for Cloud, Sentinel, AWS GuardDuty/Security Hub, GCP SCC, OPA, HashiCorp Vault, KMS.
* Data/Integration: Event Hubs/Kafka/Pub/Sub, API Gateway/APIM/Apigee, Data Factory/Glue/Cloud Data Fusion, BigQuery/Synapse/Redshift.
* Observability: Prometheus/Grafana, OpenTelemetry, CloudWatch, Azure Monitor, Cloud Monitoring, ELK/Elastic.
* Scripting: Python/Bash/PowerShell; strong Git and code review practices.
Certifications (Nice to Have)
* Azure: AZ‑305 (Architect), AZ‑400 (DevOps)
* AWS: Solutions Architect Professional, DevOps Engineer Professional
* GCP: Professional Cloud Architect, DevOps Engineer
* Security/Architecture: CISSP, CISM, TOGAF, CCSP
* FinOps: FinOps Certified Practitioner
Soft Skills
* Excellent communicator—able to translate complex architecture into clear, actionable plans.
* Pragmatic, delivery‑focused, and comfortable with ambiguity.
* Strong stakeholder management and mentoring capabilities.
Deliverables
* Cloud Target Operating Model & reference architectures.
* Landing zone designs and implementation (per cloud).
* Network & identity blueprints and runbooks.
* IaC repositories (Terraform modules, pipelines) with documentation.
* Security patterns (guardrails, policies, encryption standards).
* Observability standards (dashboards, alerts, SLOs).
* Application migration plans (waves, dependency maps) and executed milestones.
* FinOps reports and cost optimisation recommendations.
KPIs / Success Measures
* % workloads onboarded to landing zones with guardrails enforced.
* Mean time to provision environments (baseline vs target).
* % policy compliance (CIS/NIST) and critical vulnerabilities remediated.
* Cost savings realised (rightsizing, reservations), forecast accuracy.
* DR test pass rate; RTO/RPO compliance.
* Uptime/SLO adherence and incident reduction.
Ways of Working
* Hybrid: 2–3 days per week in Oxford; flexibility during key milestones.
* Cadence: Weekly architecture forum, sprint rituals with squads, monthly exec updates.
* Documentation: Diagrams (Draw.io/Visio), ADRs in Git, Confluence/SharePoint.
* Tooling Access: Provided by client (SSO, VPN, repositories).