Kpmg India Services Llp

Associate Director - Infrastructure Architect (Cloud & Security)

Hyderabad
Not disclosed
Work from Office
Full Time
Min. 10 years

Job Description

Associate Director -GTS-(Build) Infrastructure Architect

 Roles & responsibilities
Role Purpose
Design, build, and govern secure, resilient, and scalable cloud/hybrid infrastructure on Microsoft Azure, integrating on‑prem and platform services. The role blends Infrastructure Architecture & Operations with Infrastructure Security & Compliance, ensuring Zero Trust, policy‑as‑code, and operational excellence across identity, network, compute, containers (AKS), storage, backup, observability, and disaster recovery.
Key Responsibilities
A. Infrastructure Architecture & Operations 
Own the Azure landing zone (CAF‑aligned) and hub‑spoke network design (ExpressRoute/VPN, Private DNS, Private Endpoints).
Define standards for compute, storage, databases, and platform services (VM/VMSS, images, disks, files, backups, SQL/MI).
AKS Platform Ownership (Mandatory): 
Design AKS clusters (node pools, taints/tolerations, zoning, multi‑region DR), Azure CNI/Overlay networking, and ingress (NGINX/App Gateway).
Establish lifecycle practices for upgrades, autoscaling (HPA/VPA, Cluster Autoscaler), image management (ACR), and workload placement.
Integrate platform services (Key Vault, Managed Identities, Private Link) and ensure operational SLOs.
Lead modernization/migration for Windows/Linux workloads and data platforms; ensure resilience, cost efficiency, and operational readiness.
Establish BCDR strategy—RTO/RPO targets, automated recovery runbooks, DR rehearsals, and evidence packs.
Build observability: Azure Monitor, Log Analytics, Application Insights, synthetic checks, and incident runbooks.
Drive FinOps: tagging, showback/chargeback, rightsizing, reservations/savings plans, and lifecycle policies.
B. Infrastructure Security & Compliance 
Implement Zero Trust across identity, device, network, and data: RBAC, PIM, Conditional Access/MFA, workload identities.
Design network security: NSG/ASG, Azure Firewall/WAF, micro‑segmentation, DDoS Protection, egress control, DNS security.
AKS Security (Mandatory): 
Entra ID/RBAC integration, Pod Security Admission (PSA) baselines, Network Policies, secrets management and workload identity.
Container image scanning, supply‑chain security (Helm/OCI), baseline hardening, and Defender for Containers posture/threat protection.
Embed policy‑as‑code (Azure Policy/Blueprints) for guardrails, CIS/benchmarks, drift detection, and automated remediation.
Integrate Defender for Cloud and Microsoft Sentinel with tuned alerts, SOAR playbooks, and incident coordination.
Ensure compliance with enterprise policies and applicable standards (ISO 27001, SOC 2, GDPR/HIPAA where relevant).
C. Automation & DevOps (Shared)
Champion IaC using Terraform/Bicep—reusable modules, environment promotion, approvals in Azure DevOps/GitHub CI/CD.
Build image pipelines (Packer/Golden Images) and configuration baselines (DSC/Automanage).
Implement GitOps for AKS (Flux/Argo), pre‑deployment policy validation, and security scans.
D. Governance, Documentation & Stakeholder Management
Author reference architectures, standards, roadmaps, HLD/LLD/Technical Architecture Proposal, RACI, risk registers, and decision logs; enforce via design reviews.
Partner with platform engineering, security, app/dev, and risk/compliance to deliver secure‑by‑design outcomes and smooth operational handovers.
Mentor engineers/architects; lead threat modeling, resiliency reviews, incidents & escalations.


Mandatory technical & functional skills
Infrastructure Core (Mandatory)
Azure subscriptions/management groups; CAF Landing Zones, hub-spoke networking, ExpressRoute/S2S VPN.
Compute & OS: Windows Server/Linux, image management (Packer), VMSS, patching automation.
Storage & Data: disks/storage accounts, files/shares, backup/restore; integration with SQL MI/Cosmos DB (platform perspective).
Azure Kubernetes Service (AKS) – Mandatory: 
Cluster design & lifecycle (upgrades, node pools, autoscaling, zoning, DR), Azure CNI/Overlay, service networking, ingress controllers.
Workload packaging & deployment (Helm/OCI), registry management (ACR), quotas/requests/limits, scheduling.
Observability (Container Insights, Prometheus/Grafana), capacity planning, and reliability practices.
Hybrid Integration: Entra ID/AD, GPO, MECM/Intune, identity sync, and on-prem connectivity.
Infrastructure Security Core (Mandatory)
Identity security: RBAC, PIM, Conditional Access, workload identities; secure key/secret management (Key Vault/CMK).
Network security: NSG/ASG, Azure Firewall/WAF, micro-segmentation, Private Link, DDoS Protection; egress/DNS controls.
AKS Security – Mandatory: 
Entra ID/RBAC, PSA baselines, Network Policies, secrets via CSI/Key Vault, workload identity; container image scanning and policy enforcement (Gatekeeper/Kyverno).
Defender for Containers and Defender for Cloud posture/threat management; Sentinel SIEM/SOAR integration.
Compliance & governance: Azure Policy/Blueprints, CIS baselines, evidence collection/attestation.
Automation, Observability & Documentation
Terraform/Bicep, Azure DevOps/GitHub pipelines, GitOps for AKS (Flux/Argo).
Azure Monitor/Log Analytics/Kusto, action groups, runbooks, SRE practices (SLO/SLI, error budgets).
Strong documentation and executive-ready communication via ArchiMate/Visio/PowerPoint.

 

This role is for you if you have the below
Education: Bachelor’s in Computer Science, Information Technology, or related field.
Experience: 10–14 years overall; 6+ years in Azure/hybrid infrastructure and 3–5 years in infrastructure security architecture; hands-on AKS platform ownership in production is required.
Certifications (preferred):
- Microsoft: AZ-305 (Solutions Architect), AZ-500 (Security Engineer), SC-100 (Cybersecurity Architect), AZ-104 (Azure Administrator Associate).

 

Experience Level: Mid Level

Job role

Work location: Hyderabad, Telangana, India
Department: IT & Information Security
Role / Category: IT Infrastructure Services
Employment type: Full Time
Shift: Day Shift

Job requirements

Experience: Min. 10 years

About company

Name: Kpmg India Services Llp
Job posted by Kpmg India Services Llp

Associate Director - Infrastructure Architect (Cloud & Security) in Kpmg India Services Llp | apna.co