Cloud infrastructure
Production hosting founders can trust — secure-by-default, repeatable environments that deploy the same way every time, with no fragile manual setup to unravel in a crisis.
The problem
Founders don’t want to think about servers — they want deploys that just work, an environment nobody has to reverse-engineer at 3am, and the confidence that customer data is locked down. Hand-built infrastructure is slow to reproduce, risky to change, and usually one undocumented setting away from a security gap.
What it does
Stands up the entire production environment from code — the app, database, caching, scaling, and scheduled jobs — with a matching staging copy so every change can be proven safely before it reaches customers. Because it’s all defined in code, it’s reviewable, auditable, and rebuildable from scratch.
Why it’s secure
Security isn’t a layer added at the end — it’s how the environment is shaped:
- Nothing private is on the public internet. The database and cache live in private network segments with no public address. The only thing exposed is the load balancer, over HTTPS.
- Database access is gated. Engineers reach the database through a short-lived, audited SSH tunnel — not an open port.
- Secrets never live in the code. Credentials and API keys are stored in a managed secrets vault and injected at runtime, so nothing sensitive sits in the repo or in plain config.
- Least privilege everywhere. Each service runs with its own narrowly scoped permissions, and firewall rules allow only the exact traffic each component needs (load balancer → app → database, nothing more).
- Encrypted in transit. TLS certificates are provisioned and renewed automatically; traffic is encrypted end to end.
- Auditable by design. Every change goes through code review and leaves a history — no silent click-ops, and staging mirrors production so a security change is proven before it ships.
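The load balancer → app → database chain above, written as Terraform security groups; this is an added illustration, not the page's or the project's own code, and it assumes an existing `aws_vpc.main` while the tier names and ports are hypothetical.

```hcl
# Added example, not the page's own code. Assumes aws_vpc.main exists;
# tier names and ports are hypothetical.
resource "aws_security_group" "tier" {
  for_each = toset(["alb", "app", "db"])
  name     = "${each.key}-sg"
  vpc_id   = aws_vpc.main.id
}

# Internet -> ALB over HTTPS is the only public ingress in the environment.
resource "aws_security_group_rule" "alb_https_in" {
  type              = "ingress"
  security_group_id = aws_security_group.tier["alb"].id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

# Each allowed hop is one source tier -> destination tier on one port.
# Any path not listed (internet -> db, alb -> db, ...) is denied by default.
locals {
  hops = {
    alb_to_app = { from = "alb", to = "app", port = 8080 }
    app_to_db  = { from = "app", to = "db",  port = 5432 }
  }
}

resource "aws_security_group_rule" "hop_in" {
  for_each                 = local.hops
  type                     = "ingress"
  security_group_id        = aws_security_group.tier[each.value.to].id
  source_security_group_id = aws_security_group.tier[each.value.from].id
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "tcp"
}

# Terraform strips AWS's default allow-all egress, so each hop's outbound
# side is declared too (for egress, source_security_group_id is the destination).
resource "aws_security_group_rule" "hop_out" {
  for_each                 = local.hops
  type                     = "egress"
  security_group_id        = aws_security_group.tier[each.value.from].id
  source_security_group_id = aws_security_group.tier[each.value.to].id
  from_port                = each.value.port
  to_port                  = each.value.port
  protocol                 = "tcp"
}
```

The RDS and ElastiCache resources attach `aws_security_group.tier["db"]` and live in private subnets with no public address; the app tier will also need outbound 443 (via NAT or VPC endpoints) to pull images and fetch secrets, which is left out here for brevity.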
The main services
A typical environment is built from:
- Compute — containerised app and background-worker services on managed, auto-scaling infrastructure (AWS ECS Fargate), so there are no servers to patch by hand.
- Database — managed PostgreSQL (RDS) with automated backups and point-in-time recovery.
- Cache / jobs — managed Redis (ElastiCache) for caching and background queues.
- Networking — a private VPC, an application load balancer, and managed TLS certificates.
- Access & secrets — least-privilege IAM roles, a secrets manager, and locked-down security groups.
- Scheduling — scheduled (cron) tasks for recurring work, defined alongside everything else.
- Environments — separate production and UAT (staging) stacks built from the same reusable modules.
Why it’s the infrastructure you need
Most early teams don’t need a platform team — they need this done once, correctly, and handed over in a form they can trust. Defining it in code means it’s repeatable (rebuild an environment in minutes), safe to change (prove it in UAT first), secure by default, and free of single-person tribal knowledge. It scales with the product instead of being rebuilt the first time traffic grows.
Outcome
Reliable, repeatable deploys; environments that can be rebuilt from scratch in minutes; security that holds up to scrutiny; and changes validated before they ever touch production.