About the Role
You will own the cloud foundation the AI platform runs on—including account structure, network topology, identity model, multi-region deployment strategy, and financial governance to keep cloud spend predictable as the platform scales across clients.
You’ll design infrastructure that is secure by default, reproducible, and scalable, while enabling enterprise customers to deploy the platform within their own cloud environments—without requiring custom, one-off builds each time.
Key Responsibilities
- Own the cloud foundation
  - Design and maintain account structures, organizational hierarchies, and baseline configurations that provide a secure, governed, and scalable environment. Enable consistent and safe provisioning of new environments.
- Lead network architecture design
  - Define topology connecting internal services, customer environments, and partners. Ensure proper tenant isolation, private connectivity, and scalability across multi-region and multi-cloud environments.
- Own cloud identity & access management (IAM)
  - Establish secure authentication models for services and users. Enforce least-privilege access and enable secure identity federation with enterprise customers.
- Drive multi-region and resilience strategy
  - Design deployment topology, failover mechanisms, and disaster recovery processes. Ensure RTO and RPO targets are defined, tested, and reliable.
- Ensure data residency and compliance
  - Implement infrastructure-level controls to guarantee data remains within specified geographic boundaries, with auditability built in.
- Enable Bring-Your-Own-Cloud (BYOC) deployments
  - Create repeatable, scalable deployment patterns that allow customers to run the platform in their own cloud environments without forking infrastructure code.
- Own cloud security posture
  - Implement and manage threat detection, compliance, and audit logging at the cloud layer. Ensure security is embedded into the platform foundation—not added later.
Required Qualifications
- 5+ years of cloud engineering experience, with deep expertise in at least one major cloud platform (AWS, Azure, or GCP) and working knowledge of another
- Proven experience designing multi-account / multi-subscription architectures (landing zones, account vending, governance frameworks)
- Strong background in network design at scale, including:
  - VPC/VNet architecture, peering, transit gateways
  - PrivateLink / Private Endpoints
  - Direct Connect / ExpressRoute
  - DNS and certificate management
- Hands-on experience with cloud IAM:
  - Role and policy design
  - Cross-account access
  - Federated identity
  - Least-privilege enforcement
- Experience building and operating multi-region systems, with defined and tested RTO/RPO targets
- Expertise in Infrastructure as Code (Terraform or Pulumi) across multi-account, multi-environment deployments with safe promotion and rollback strategies
- Experience with cloud-native security tooling, such as:
  - AWS: GuardDuty, Security Hub, CloudTrail
  - Azure: Defender for Cloud
  - GCP: Security Command Center
Preferred Qualifications
- Experience delivering Bring-Your-Own-Cloud (BYOC) deployments across multiple customer environments
- Strong multi-cloud expertise (e.g., AWS + Azure or GCP at depth, not just familiarity)
- Experience with hybrid connectivity:
  - BGP routing
  - IPsec VPN
  - Direct Connect or ExpressRoute
- Advanced cloud certifications (e.g., AWS Solutions Architect Professional, Azure Solutions Architect Expert, Google Cloud Professional Architect)
- Experience with confidential computing or trusted execution environments
- Contributions to open-source infrastructure tools (e.g., Terraform providers, Pulumi packages, Crossplane)