DevOps
Migrated a single-region SaaS onto a cross-region, cross-account EKS foundation with deterministic IaC, secure overlays, and Airflow-driven data movement.
Regional Coverage: 3 regions
A vertical SaaS scale-up with about 60 engineers and customers in three regions. Production lived in one AWS account, in one region, with infrastructure scripts that had drifted from reality over four years of "just one more change". Compliance was beginning to ask awkward data-residency questions, and the team had quietly imposed a feature freeze on net-new tenants while leadership decided what to do about the platform.
The challenge
A scale-up SaaS had outgrown a single-region deployment. New EU customers needed local data residency, US customers needed lower latency, and the existing operations team was already stretched thin keeping one cluster healthy — let alone three.
Approach
Two-week discovery to map current state, document drift, and agree the target topology — three regions across three accounts, with a hub account for shared services and a spoke per region.
Wrote the entire foundation in Terraform with reusable modules for VPCs, EKS clusters, and IAM trust relationships; nothing was created through click-ops.
Established a secure network overlay (Transit Gateway + private endpoints) so cross-region service calls never traversed the public internet.
Built an Airflow-based ETL pipeline for the cross-region data movement that compliance had previously forbidden because it could not be audited.
Migrated workloads region-by-region with zero customer-visible downtime, fronted by a global Route 53 latency-based routing policy.
The solution
A cross-region, cross-account Kubernetes platform on AWS EKS, with deterministic provisioning via Terraform, secure overlays via Transit Gateway, and Airflow-driven data movement that finally gave the data team the audit trail they’d been asking for.
Deployments are now declarative and identical across regions; drift is detected on every PR; and the on-call rotation handles three regions with the same headcount that previously struggled with one.
Reflections
The scariest part of the project was admitting how much was undocumented. Every region added forced a level of rigour the team had been deferring for years; once that rigour existed, the third region was trivially easier than the second. The regional shape is now a routine pattern, not an act of bravery.