Posted on: 04/04/2026
Experience : 11-20 Years
Job Location : Bangalore / Hyderabad
Role Purpose :
Design, build, and govern secure, resilient, and scalable cloud/hybrid infrastructure on Microsoft Azure, integrating on-prem and platform services.
The role blends Infrastructure Architecture & Operations with Infrastructure Security & Compliance, ensuring Zero Trust, policy-as-code, and operational excellence across identity, network, compute, containers (AKS), storage, backup, observability, and disaster recovery.
Key Responsibilities :
A. Infrastructure Architecture & Operations :
- Own the Azure landing zone (CAF-aligned) and hub-spoke network design (ExpressRoute/VPN, Private DNS, Private Endpoints).
- Define standards for compute, storage, databases, and platform services (VM/VMSS, images, disks, files, backups, SQL/MI).
AKS Platform Ownership (Mandatory) :
- Design AKS clusters (node pools, taints/tolerations, zoning, multi-region DR), Azure CNI/Overlay networking, and ingress (NGINX/App Gateway).
- Establish lifecycle practices for upgrades, autoscaling (HPA/VPA, Cluster Autoscaler), image management (ACR), and workload placement.
- Integrate platform services (Key Vault, Managed Identities, Private Link) and ensure operational SLOs.
- Lead modernization/migration for Windows/Linux workloads and data platforms; ensure resilience, cost efficiency, and operational readiness.
- Establish BCDR strategy : RTO/RPO targets, automated recovery runbooks, DR rehearsals, and evidence packs.
- Build observability : Azure Monitor, Log Analytics, Application Insights, synthetic checks, and incident runbooks.
- Drive FinOps : tagging, showback/chargeback, rightsizing, reservations/savings plans, and lifecycle policies.
B. Infrastructure Security & Compliance :
- Implement Zero Trust across identity, device, network, and data : RBAC, PIM, Conditional Access/MFA, workload identities.
- Design network security : NSG/ASG, Azure Firewall/WAF, micro-segmentation, DDoS Protection, egress control, DNS security.
- AKS Security (Mandatory) :
1. Entra ID/RBAC integration, Pod Security Admission (PSA) baselines, Network Policies, secrets management and workload identity.
2. Container image scanning, supply-chain security (Helm/OCI), baseline hardening, and Defender for Containers posture/threat protection.
- Embed policy-as-code (Azure Policy/Blueprints) for guardrails, CIS/benchmarks, drift detection, and automated remediation.
- Integrate Defender for Cloud and Microsoft Sentinel with tuned alerts, SOAR playbooks, and incident coordination.
- Ensure compliance with enterprise policies and applicable standards (ISO 27001, SOC 2, GDPR/HIPAA where relevant).
C. Automation & DevOps (Shared) :
- Champion IaC using Terraform/Bicep : reusable modules, environment promotion, approvals in Azure DevOps/GitHub CI/CD.
- Build image pipelines (Packer/Golden Images) and configuration baselines (DSC/Automanage).
- Implement GitOps for AKS (Flux/Argo), pre-deployment policy validation, and security scans.
D. Governance, Documentation & Stakeholder Management :
- Author reference architectures, standards, roadmaps, HLD/LLD/Technical Architecture Proposal, RACI, risk registers, and decision logs; enforce via design reviews.
- Partner with platform engineering, security, app/dev, and risk/compliance to deliver secure-by-design outcomes and smooth operational handovers.
- Mentor engineers/architects; lead threat modeling, resiliency reviews, incidents & escalations.
- Education : Bachelor's in Computer Science, Information Technology, or related field.
- Experience : 10-14 years overall; 6+ years in Azure/hybrid infrastructure and 3-5 years in infrastructure security architecture; hands-on AKS platform ownership in production is required.
Certifications (preferred) :
- Microsoft : AZ-305 (Solutions Architect), AZ-500 (Security Engineer), SC-100 (Cybersecurity Architect), AZ-104 (Azure Administrator Associate).
Mandatory technical & functional skills :
Infrastructure Core (Mandatory) :
- Azure subscriptions/management groups; CAF Landing Zones, hub-spoke networking, ExpressRoute/S2S VPN.
- Compute & OS : Windows Server/Linux, image management (Packer), VMSS, patching automation.
- Storage & Data : disks/storage accounts, files/shares, backup/restore; integration with SQL MI/Cosmos DB (platform perspective).
Azure Kubernetes Service (AKS) (Mandatory) :
- Cluster design & lifecycle (upgrades, node pools, autoscaling, zoning, DR), Azure CNI/Overlay, service networking, ingress controllers.
- Workload packaging & deployment (Helm/OCI), registry management (ACR), quotas/requests/limits, scheduling.
- Observability (Container Insights, Prometheus/Grafana), capacity planning, and reliability practices.
- Hybrid Integration : Entra ID/AD, GPO, MECM/Intune, identity sync, and on-prem connectivity.
Infrastructure Security Core (Mandatory) :
- Identity security : RBAC, PIM, Conditional Access, workload identities; secure key/secret management (Key Vault/CMK).
- Network security : NSG/ASG, Azure Firewall/WAF, micro-segmentation, Private Link, DDoS Protection; egress/DNS controls.
AKS Security (Mandatory) :
- Entra ID/RBAC, PSA baselines, Network Policies, secrets via CSI/Key Vault, workload identity; container image scanning and policy enforcement (Gatekeeper/Kyverno).
- Defender for Containers and Defender for Cloud posture/threat management; Sentinel SIEM/SOAR integration.
- Compliance & governance : Azure Policy/Blueprints, CIS baselines, evidence collection/attestation.
Automation, Observability & Documentation :
- Terraform/Bicep, Azure DevOps/GitHub pipelines, GitOps for AKS (Flux/Argo).
- Azure Monitor/Log Analytics/Kusto, action groups, runbooks, SRE practices (SLO/SLI, error budgets).
- Strong documentation and executive-ready communication via ArchiMate/Visio/PowerPoint.
Posted in
DevOps / SRE
Functional Area
Technical / Solution Architect
Job Code
1626086