I led the architecture and delivery of a complete GCP cloud foundation for a global aerospace manufacturer as they exited on-premises datacenters and migrated their core manufacturing, ERP, MES, and PLM workloads to cloud. This was a complex, multi-platform engagement — the estate included traditional VMware, IBM Power systems running MES and manufacturing line applications, SAP ERP, and bare metal nodes requiring dedicated infrastructure.
The engagement was co-delivered with Google Professional Services (PSO), giving me direct access to GCP product teams and the ability to architect across GCVE (VMware), IP4G (IBM Power), and GCNV (NetApp volumes) natively within the GCP environment. I designed the network security layer using Palo Alto NGFWs in a hub-spoke topology with F5 BIG-IP HA for application load balancing, managed all IaC through Terraform across four specialized repos, and drove delivery through to production.
GCP Foundation Design
- Multi-region org hierarchy: folders, projects, IAM, and billing structure
- Shared VPC with hub-spoke topology across Canada East and West
- Private Service Connect and Cloud DNS for on-premises and Google API connectivity
- Cloud Armor WAF policies and Cloud Logging / Monitoring stack
- VPC Service Controls for data perimeter around sensitive workloads
Network Security Layer
- Palo Alto NGFW deployed as active-passive HA clusters in each region
- All inter-spoke and north-south traffic routed through NGFW inspection
- F5 BIG-IP HA pair for application-layer load balancing (LTM + AFM)
- Microsegmentation policies aligned to manufacturing zone separation
- Panorama-managed policy-as-code for consistent firewall rule deployment
Workload Migration Paths
- GCVE for VMware-based workloads — preserved guest OS and tooling
- IP4G (IBM Power on GCP) for MES and manufacturing line applications on POWER9
- Bare Metal Solution (BMS) for workloads requiring dedicated physical infrastructure
- GCNV (Google Cloud NetApp Volumes) for NFS-attached storage with snapshot policies
- Lift-and-shift foundation with targeted re-platform opportunities identified
SAP, MES & PLM Architecture
- SAP ERP architecture on GCVE — leveraged GCP's SAP-certified infrastructure
- MES (Manufacturing Execution System) on IP4G — maintained POWER architecture
- PLM (Product Lifecycle Management) migrated to GCP Compute Engine with persistent disk tiering
- Cross-workload latency analysis to validate proximity between SAP / MES / PLM layers
- Backup and DR design using Cloud Storage for RPO/RTO targets per workload tier
Terraform Multi-Repo Strategy
- Repo 1: GCP Org foundation — IAM, billing, folders, shared VPC
- Repo 2: Network connectivity — VPN, Interconnect, DNS, firewall policy
- Repo 3: GCVE clusters — vSphere infrastructure declared as Terraform resources
- Repo 4: Application infrastructure — Compute Engine, Cloud SQL, GKE namespaces
- Remote state in GCS buckets with workspace-per-environment isolation
CI/CD & Change Management
- GitLab CI pipelines for plan/apply gating with approval gates per environment
- Pre-commit hooks for tflint, tfsec, and terraform fmt enforcement
- Module registry for shared network and compute building blocks
- Drift detection scheduled runs with alerting to Cloud Monitoring
- Environment promotion model: dev → staging → prod with plan diffs reviewed in MR
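A GitLab CI pipeline for one of the Terraform repos, added here as an illustration rather than the project's own code: it shows the GCS remote state with workspace-per-environment isolation from the repo strategy above, the plan/apply gating with manual approval per environment, and the scheduled drift run. The bucket variable (TF_STATE_BUCKET), the TF_ENV variable and the job names are assumptions; protected environments are assumed to be configured in GitLab so only approvers can trigger the apply jobs.

```yaml
# Added example, not the project's pipeline. Assumes CI variable TF_STATE_BUCKET (GCS state
# bucket) and GitLab protected environments so only approvers may run the apply jobs.
stages: [validate, plan, apply, drift]
variables: { TF_IN_AUTOMATION: "true", TF_INPUT: "0" }

.tf_base:
  image: hashicorp/terraform:1.6
  rules: [{ if: '$CI_PIPELINE_SOURCE != "schedule"' }]
  before_script:
    # One GCS prefix per repo, one workspace per environment: state files never overlap.
    - terraform init -backend-config="bucket=${TF_STATE_BUCKET}" -backend-config="prefix=${CI_PROJECT_NAME}"
    - terraform workspace select -or-create "${TF_ENV}"

validate:
  extends: .tf_base
  stage: validate
  variables: { TF_ENV: dev }
  script: [terraform fmt -check -recursive, terraform validate]

# The saved binary plan is the reviewed artifact; apply consumes that exact file, so
# nothing that changed after review can be applied.
.plan:
  extends: .tf_base
  stage: plan
  script:
    - terraform plan -out="plan-${TF_ENV}.tfplan"
    - terraform show -no-color "plan-${TF_ENV}.tfplan" > "plan-${TF_ENV}.txt"  # readable diff for the MR
  artifacts: { paths: ["plan-${TF_ENV}.tfplan", "plan-${TF_ENV}.txt"], expire_in: 1 day }

.apply:
  extends: .tf_base
  stage: apply
  rules: [{ if: '$CI_PIPELINE_SOURCE != "schedule"', when: manual }]  # human approval gate
  script:
    - terraform apply -auto-approve "plan-${TF_ENV}.tfplan"

# Promotion dev -> staging -> prod is enforced by the manual gates; staging follows the same pattern.
plan:dev:   { extends: .plan,  variables: { TF_ENV: dev } }
apply:dev:  { extends: .apply, needs: ["plan:dev"],  variables: { TF_ENV: dev },  environment: { name: dev } }
plan:prod:  { extends: .plan,  variables: { TF_ENV: prod } }
apply:prod: { extends: .apply, needs: ["plan:prod"], variables: { TF_ENV: prod }, environment: { name: prod } }
# Scheduled drift check: -detailed-exitcode returns 2 when live state differs from code,
# which fails the job and raises the pipeline-failure alert.
drift:prod:
  extends: .tf_base
  stage: drift
  variables: { TF_ENV: prod }
  rules: [{ if: '$CI_PIPELINE_SOURCE == "schedule"' }]
  script: [terraform plan -detailed-exitcode -lock=false]
```

The drift job deliberately fails on exit code 2 so an existing pipeline-failure notification carries the alert; tflint and tfsec run in the pre-commit hooks listed above rather than in this pipeline.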
Joint Architecture Reviews
Weekly design sessions with Google PSO architects to validate GCVE cluster sizing, IP4G connectivity topology, and GCNV volume layout against GCP reference architectures.
Product Access & Escalation
Co-delivery with PSO provided direct escalation paths to GCP product teams for GCVE and IP4G issues not yet covered in public GA documentation.
Security & Compliance Reviews
Collaborated with PSO on VPC Service Controls configuration and Cloud Armor policies to meet the client's aerospace-industry compliance requirements.
Deliverable Alignment
Coordinated deliverable scopes to avoid duplication — PSO owned landing zone reference docs; I owned Terraform implementation and migration wave plans.
Foundation Architecture
Designed the full GCP org hierarchy, shared VPC topology, and IAM model from blank account to production-ready state across two Canadian regions.
Multi-Platform Migration Design
Architected migration paths across GCVE, IP4G, BMS, and GCNV — matching each workload to the appropriate GCP infrastructure primitive based on technical requirements.
Network Security
Designed and deployed Palo Alto NGFW HA clusters and F5 BIG-IP HA pairs; established zone-based segmentation and Panorama policy-as-code workflows.
IaC Ownership
Authored all four Terraform repos and established the CI/CD pipeline, module registry, and drift detection — resulting in a fully codified infrastructure baseline.
PSO Coordination & Delivery
Managed the interface with the Google PSO team — aligned deliverables, participated in joint architecture reviews, and escalated GCVE/IP4G issues to GCP product teams.
| Deliverable | Description | Format |
|---|---|---|
| GCP Landing Zone Architecture | Full org design, VPC topology, IAM model, and security baseline documentation | PPTX + PDF |
| Terraform Infrastructure Repos ×4 | Foundation, connectivity, GCVE, and application-layer IaC codebases with CI/CD pipelines | GitLab |
| Network Security Design | Palo Alto NGFW topology, F5 BIG-IP HA design, and zone segmentation policy documentation | Visio + PDF |
| Multi-Platform Migration Plan | Wave-by-wave migration schedule with workload-to-platform mapping (GCVE/IP4G/BMS/GCNV) | XLSX |
| SAP/MES/PLM Architecture Guide | Workload-specific architecture with latency analysis, storage tiering, and DR design | DOCX + PPTX |
| Operational Runbooks | Day-2 operational procedures for GCVE management, Terraform deployments, and NGFW updates | Confluence |