Home / Services / AWS Architecture & Migration

Service 01 — AWS Architecture & Migration

The AWS account you'll still be running in five years.

From an empty account to a multi-region, multi-account organization — or the other direction, out of a legacy colo with the servers still running. We design for the team that will inherit it, not for the diagram.

Engagement length

6—16 weeks

Starting point

Greenfield or migration

Team you'll work with

2—3 senior engineers

First deliverable

48 hours

What's includedThe work itself

We design, provision, and hand over the entire AWS environment — not a reference architecture.

Four stages
of delivery

01

Account strategy & AWS Organizations setup

Landing zone designed to your team structure, not a template. Organizations, SCPs, Control Tower where it fits, per-team OUs, centralized logging, and the IAM boundary that will still make sense when you hire your next ten engineers.
02

Network architecture & connectivity

VPC design, Transit Gateway, hybrid connectivity. Site-to-site VPN or Direct Connect for on-prem workloads that aren't moving. Route tables documented. Egress controls wired up before anything goes near production data.
03

Compute, storage & data services

ECS, EKS, Lambda, Step Functions — chosen based on your team's operating experience, not the newest service page. S3 as source of truth, RDS / Aurora / DynamoDB where each earns its place.
04

Migration execution & cutover

Database Migration Service, Application Migration Service, and the boring parts: DNS strategy, cutover windows scheduled with your business, rollback plan approved before we run a single task.

DeliverablesWhat you'll have at the end

Documents your next engineer
can actually use.

Architecture diagram

Current state, target state, and the cutover path between them. Reviewed with your team, not filed.

ii.

Terraform / CDK modules

Modular, versioned, tested. Your repo, your CI. We don't keep the IP.

iii.

IAM & SCP baseline

Permission boundaries that work for the team you have, not a generic zero-trust posture.

iv.

Runbooks

Written during the build, with your on-call. Three real incidents walked through before we leave.

Cost model

Monthly spend forecast by service. Reserved Instance strategy. A plan, not a bill.

vi.

Handoff sessions

Three weeks of pair-ops with your team. We answer tickets. Your engineers drive.

StackWhat we build with

Tools chosen for your five-year horizon, not the newest service page.

Compute

ECS · EKS · Lambda · Fargate

Networking

VPC · Transit Gateway · PrivateLink

Data

S3 · RDS · Aurora · DynamoDB

Orchestration

Step Functions · EventBridge

IaC

Terraform · CloudFormation · CDK

Governance

Organizations · Control Tower · SCPs

Identity

IAM Identity Center · Cognito

Migration

DMS · MGN · Snowball

Case study2023 — present

Every engine streams telemetry into an MSSQL database from 2009. Analysts run reports overnight and pray.

We replaced an aerospace OEM's brittle monolith with a cloud-native lakehouse serving engineers and their airline customers from the same Redshift layer.

We started with the migration plan: two phases, eleven applications, zero downtime tolerance. The bulk of the work wasn't the compute — it was the data, the IAM boundary between two business units, and the CI the on-call team would inherit.

Sixteen weeks after kickoff the last colo rack was powered down. Their analysts kept their Power BI dashboards. Their engineers got a real-time feed for the first time. Reports that used to run overnight now finish before the coffee is cold.

A good fit if you —

Treat infrastructure as a first-class product.

Have a product team that'll still be here in three years, and you want them to own what we build.
Are moving off a legacy data center, a competitor cloud, or an AWS account that grew without a plan.
Need audit-grade IAM, network isolation, and a cost model your CFO can explain.
Would rather spend six weeks getting the foundation right than six months patching it.

Not a fit if you —

Are looking for the cheapest bid.

Are comparison-shopping four agencies on rate — we won't be the lowest number in the spreadsheet.
Want offshore junior engineers staffed at senior rates — we don't do that.
Need a throwaway proof-of-concept. Our work is designed for what comes after the POC.
Are primarily on Azure or GCP. AWS is our practice; we'll point you to someone better.

ProcessFrom first call to handoff

Four stages. Plain rules at each one.

Step 01

Discovery

48 hours from first call to architecture diagram + budget. If we can't deliver both in the same document, we refund the discovery fee.

ii.

Step 02

Architecture

Your team signs off before we provision a resource. Terraform, CloudFormation, or CDK — whichever your org will still be running in five years.

iii.

Step 03

Build & deploy

Everything ships under your AWS account, your IAM, your repo. We're contractors, not a SaaS. When we leave, you own every line.

iv.

Step 04

Handoff

Three weeks of pair-runbooking with your on-call. Then we go — unless you retain us for continued builds or incident support.

QuestionsCommonly asked

The honest answers.

What buyers ask us before signing

How much does a typical engagement cost?

Greenfield AWS foundations run $60–120k. Migrations from a legacy data center are quoted on scope — typically $150–400k for a mid-size environment. You get the architecture plan and the budget in the same 48 hours; if you don't sign, you don't owe us anything.

Do you work with our existing team, or replace them?

Work with. We pair with your engineers from day one. By week three of handoff they're driving and we're in the co-pilot seat. If you don't have internal AWS engineers yet, we'll help you hire the first one.

Can we start with a proof-of-concept?

Only if the POC is itself production-bound. We don't take on throwaway work — it's the one engagement type where our delivery standard costs more than the outcome is worth. We'll happily recommend a firm that does.

What if our industry has specific compliance requirements?

Banking (OSFI B-13), SOC 2, HIPAA, and aerospace data sovereignty are where we've shipped. We design the compliance posture into the architecture from day one, not as a bolt-on — and we hand you the evidence trail your auditor will accept.

Do we own the infrastructure code?

Yes. Every Terraform module, every pipeline, every IAM policy lands in your repository under your organization. We keep nothing proprietary. If we get hit by a bus, your team has everything they need.

Ready to design an AWS environment you'll still be running in five years?

First call is thirty minutes, on a Tuesday or Thursday, with two engineers — not a sales rep. If we're the wrong fit, we'll name someone better.

Start a project → See the work

Service 02

DevOps & CI/CD Pipelines

PR merge → multi-region prod in under 12 minutes, with the audit trail a regulator would accept.

→

Service 03

AI Integration & LLM Systems

Bedrock RAG that survived a Tier-1 bank's OSFI B-13 review in six weeks. Zero data egress.

→

Service 04

Big Data & Analytics

Lakehouses that serve engineers and external customers from the same pipeline. One source of truth.

→