DevOps, backend engineering, and cloud-native deep dives
Get weekly DevOps insights, Kubernetes tips, and cloud-native tutorials delivered to your inbox.
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
Most engineers massively undervalue themselves because no one taught them how to negotiate. Here's everything I've learned from negotiating salaries, contracts, titles, and more.
How I built a fully GitOps-managed Kubernetes homelab on a single mini PC - from unboxing to production. Proxmox bare metal install, K3s cluster, HashiCorp Vault secrets, full observability, and Cloudflare Tunnel.
A practical, opinionated take on OpenTelemetry - why it matters, what it actually solves, and how to instrument across Kubernetes, Lambda, ECS, and EC2 without losing your mind.
Real-world lessons from automating AWS account provisioning with Control Tower, Service Catalog, and Terraform. The silent failures, IAM traps, and StackSet timing issues that cost us days.
A hands-on walkthrough of enabling AWS Control Tower, designing an OU structure, automating account provisioning via Service Catalog, and deploying security baselines - from zero to fully automated account vending in production.
A complete guide to setting up Spacelift for multi-team Terraform automation - from zero to production with spaces, dynamic stacks, OPA security policies in Rego, private module registry, and GitOps-driven infrastructure.
S3 backup/restore, direct connectivity, Parquet exports - none of them worked cleanly. Here's the full war story of migrating a production ClickHouse instance to Cloud, the version mismatch that broke everything, and the dumb-simple approach that actually got the job done.
Deep dive into Identity Aware Proxies - what they are, how they work, and how to implement them with GCP IAP, Pomerium, and OAuth2-Proxy. Includes Terraform and Kubernetes examples.
Most engineers massively undervalue themselves because no one taught them how to negotiate. Here's everything I've learned from negotiating salaries, contracts, titles, and more.
A comprehensive guide to migrating your Elasticsearch, Logstash, and Kibana stack from version 6.x to 8.x. Covers breaking changes, migration strategies, index compatibility, and zero-downtime approaches.
Platform engineering has become the most misunderstood role in tech. Everyone's building 'platforms' but few understand what actually makes one successful. Here's what I've learned building platforms for teams of 10 to 500.
AWS doesn't offer vertical autoscaling for Aurora – so we built it. CloudWatch Alarms, SNS, Lambda coordination, and the gotchas we hit in production.
A practical guide to breaking up monolithic Terraform state files, moving resources between states, and refactoring infrastructure safely. Includes real examples, scripts, and the exact commands we use.
A detailed guide on migrating Terraform from 0.11 to 1.11, covering HCL2 syntax changes, the S3 bucket resource split, state manipulation, and ensuring zero-drift upgrades.
A production-grade setup for Clawdbot on Hetzner Cloud with Terraform provisioning, proper SSH hardening, fail2ban, UFW, unattended-upgrades, and optional Tailscale – the stuff you actually need in prod.
A comprehensive guide to setting up Elastic Cloud (Elasticsearch Service), including deployment configuration, security setup, index lifecycle management, integrations, and cost optimization.
A detailed walkthrough for setting up Clawdbot on a Hetzner VPS from scratch – SSH hardening, firewall configuration, Tailscale, and WhatsApp Business integration using a dedicated number.
A detailed guide on deploying GitLab on AKS using Helm charts, with Azure SQL as the database backend. Covers architecture decisions, configuration, lessons learned, and the gotchas we hit in production.
How to calculate true cost-per-tenant in a shared infrastructure environment. Covers EKS with Karpenter, shared databases (Aurora, DynamoDB), and tools like OpenCost, CloudZero, and custom attribution approaches.
DORA metrics are the industry standard for measuring DevOps performance. Here's how to implement them properly, avoid common pitfalls, and actually use them to improve your team's delivery.
Every infrastructure decision I'd make again – and the ones I wouldn't – after running production workloads across fintech, open-source, IoT, and beyond.
MLOps is becoming a critical skill for DevOps engineers. Here's what matters: the infrastructure patterns, tooling, and operational practices that make ML systems work in production - from someone who learned the hard way.
How I diagnosed and fixed a Java application that kept crashing under load – from 'cannot create native thread' errors to properly tuned JVM settings, system limits, and right-sized EC2 instances.
On interview take-home tests that are suspiciously specific, contractors who get ghosted after detailed proposals, and learning to play the game without becoming bitter about it.
Compare Dragonfly and Redis for caching and data storage. Dragonfly's multi-threaded architecture vs Redis single-threaded model.
Scale MySQL horizontally with Vitess. Automatic sharding, online schema changes, and Kubernetes-native deployment for massive scale.
Deploy NATS JetStream for messaging and streaming. Simpler than Kafka, faster than RabbitMQ, with persistence and exactly-once delivery.
Use Vertical Pod Autoscaler and Horizontal Pod Autoscaler together without conflicts. Includes KEDA integration and best practices.
Control how pods spread across nodes, zones, and regions. A deep dive into topology spread constraints for high availability and efficient resource utilization.
Implement automated cloud cost optimization with Kubecost and OpenCost. Track costs per team, rightsize resources, and automate savings.
The complete journey of containerising a Java JAR running on EC2 and deploying it to ECS Fargate – from local testing to Dockerfile, task definitions, networking, secrets management, and achieving production parity.
Master AWS Spot Instances in production. Handle interruptions gracefully, use mixed instance groups, and save 60-90% on compute costs.
Everyone wants to know the difference between Senior, Staff, and Principal. After holding all three titles, I can tell you the real differences aren't what most people think. It's not about years - it's about scope.
Master Karpenter for Kubernetes node autoscaling. Replace Cluster Autoscaler with faster, smarter provisioning. Includes cost optimization patterns.
The IC ladder looks appealing until you're at the top. Many senior engineers chase Principal titles without understanding what they're signing up for. Here's what nobody tells you.
Combine Kind, LocalStack, and Act for a complete local development environment. Test Kubernetes, AWS services, and CI pipelines without leaving your laptop.
Implement automated canary deployments with Flagger. Metrics-based promotion, automated rollback, and integration with Istio, Linkerd, and Gateway API.
After working across all three - tiny startups, hypergrowth scale-ups, and massive enterprises - I can tell you they're completely different jobs. Same title, same tech, completely different experience. Here's what each teaches you.
Implement SLO-based alerting with burn rate alerts. Move from noisy threshold alerts to meaningful reliability signals using error budgets.
Master OpenTelemetry Collector configuration. Build pipelines to transform metrics, filter traces, route logs, and reduce telemetry costs.
Everyone claims to have a blameless culture. Few actually do. Here's what real blamelessness looks like and why it's so difficult to achieve.
Implement chaos engineering in Kubernetes with LitmusChaos. Run pod failures, network chaos, and stress tests to validate system resilience.
Run AWS services locally for faster development and testing. A practical guide to LocalStack covering S3, Lambda, DynamoDB, SQS, and integration testing patterns.
How to authenticate GitHub Actions to AWS without storing secrets. OIDC federation explained, IAM role setup, and the token claims that control access.
I've done both. Multiple times. Here's the real trade-offs nobody talks about - the money, the time off problem, the boredom factor, and why your life situation matters more than you think.
Explore Port and Kratix for building internal developer platforms. Self-service infrastructure, developer workflows, and platform engineering patterns.
How to build an automated account vending machine using AWS Control Tower Account Factory, Service Catalog, CloudFormation StackSets, and Terraform – from request to fully provisioned account with SSO and IAM roles.
Build custom Backstage plugins for your internal developer portal. Create frontend components, backend APIs, and integrate with your existing tools.
Detailed comparison of Kyverno and OPA Gatekeeper for Kubernetes policy enforcement. Includes real examples, performance considerations, and migration guidance.
Stop pushing to test your workflows. Act lets you run GitHub Actions locally with instant feedback. Here's how to set it up and use it effectively.
Create custom cloud APIs with Crossplane Compositions. Abstract away complexity and give developers self-service infrastructure with guardrails.
Master AWS PrivateLink for private API access, cross-account connectivity, and SaaS integrations. Includes Terraform examples and multi-region patterns.
Master Gateway API with traffic splitting, header-based routing, cross-namespace references, and TLS passthrough. The future of Kubernetes ingress.
Tagging is the foundation of cloud governance, cost allocation, and automation. Here's how to implement tagging consistently across your infrastructure using context modules, policies, and automation.
Deploy Tailscale for secure connectivity across clouds, offices, and Kubernetes clusters. Zero-config VPN mesh with SSO integration and ACLs.
Deploy a service mesh without sidecars using Cilium. Get mTLS, traffic management, and observability powered by eBPF at the kernel level.
Remove secrets from your applications entirely with Secretless Broker. Inject database credentials, API keys, and certificates via sidecar without your app knowing they exist.
A battle-tested playbook for migrating CI/CD pipelines from Jenkins to GitHub Actions at scale. Covers OIDC authentication, parallel running, secrets migration, and the gotchas that will bite you.
Sign and verify container images without managing keys. A hands-on guide to Cosign, keyless signing, and enforcing signatures in Kubernetes.
Implement admission control policies with OPA Gatekeeper. Enforce security standards, naming conventions, resource limits, and compliance requirements at the cluster level.
Running databases on Kubernetes is controversial. Sometimes it's the right call, sometimes it's a disaster waiting to happen. Here's how to decide, and how to do it properly if you choose to proceed.
Deep dive into eBPF-based security tools - Cilium, Falco, and Tetragon. Learn how to implement runtime security, network policies, and threat detection at the kernel level.
Deep dive into SPIFFE and SPIRE for workload identity. Replace shared secrets with cryptographic identity for service-to-service authentication. Includes Kubernetes deployment and mTLS examples.
A comprehensive guide to deploying Spotify's Backstage developer portal on AWS ECS Fargate with PostgreSQL RDS, Cognito authentication, and proper production hardening.
Advanced Terraform practices covering testing strategies, CI/CD pipelines, security hardening, drift detection, and team collaboration patterns for infrastructure as code at scale.
Build a production-ready database backup system using Kubernetes CronJobs, PostgreSQL, and S3. Includes a complete local testing environment with KIND and LocalStack.
A practical guide to building an ETL pipeline that extracts weather data from OpenWeatherMap, transforms it with pandas, and loads it into PostgreSQL. Includes Airflow orchestration with email notifications.
A comprehensive guide to Terraform best practices covering project organisation, state management, module design, and foundational patterns for scalable infrastructure as code.
Set up a Security Operations Center lab environment using Docker. Includes Elasticsearch, Kibana, Cribl Stream for log routing, and simulated log generators for hands-on security analysis practice.
The RTO push isn't about productivity. The data is clear: remote work works. What's really happening is a fight over control, real estate, and management inability to adapt.
How we used AWS DMS with database views, partitioned replication tasks, and Terraform to migrate event sourcing data from on-prem SQL Server and Oracle to DynamoDB – the architecture, the gotchas, and production Terraform you can reuse.
Build a lightweight Kubernetes cluster on three Raspberry Pi 5 devices. Step-by-step guide covering K3s installation, cluster configuration, and deployment testing.
Why your Kubernetes cluster is wide open by default, and the single NetworkPolicy that changes everything. Copy, paste, deploy, sleep better.
Your dependencies are an attack vector. Here's how to secure your software supply chain with Sigstore, SLSA frameworks, SBOMs, and admission policies that actually work.
Deploy containerised applications to AWS Lambda or Fargate with a simple YAML config. No infrastructure code required - just define your containers and deploy.
You don't need Google's budget to practice SRE. Here's how to implement Site Reliability Engineering principles with a small team and limited resources.
Cloud cost management isn't just for finance. Here's how engineering teams can build cost awareness into their workflow without slowing down delivery.
How to enforce Pod Security Standards using the built-in Pod Security Admission controller. Covers Privileged, Baseline, and Restricted profiles, migration from PSPs, namespace labeling, and exemptions.
Debug distroless and minimal containers in production without redeploying. Ephemeral containers let you attach debugging tools to running pods - here's how to use them effectively.
AWS offers NAT Gateways as the default, fully managed solution for letting private subnet resources reach the internet. However, NAT Gateways can be pricey: Hourly cost: ~₹3.75/hour (varies by region) Data transfer cost: Additional ₹3.75/GB on top of standard data transfer For small dev/test environments or personal labs, these costs can add up quickly. In contrast, a NAT Instance is just a normal EC2 instance configured to perform IP forwarding and NAT. It’s typically much cheaper to run a small instance (`t3.micro`) than a NAT Gateway, especially if your traffic volume is modest.
How to use External Secrets Operator to sync AWS Secrets Manager secrets to Kubernetes. Covers SecretStore, ExternalSecret, IAM with IRSA, templating, and production patterns.
Documentation is often treated as junior work. That's backwards. The most impactful documentation comes from senior engineers, and writing it is a force multiplier for your expertise.
A deep dive into why external DNS resolution in Kubernetes can be painfully slow, how the default ndots:5 setting causes unnecessary lookups, and practical fixes that actually work.
NAT Gateways are the silent budget killer in AWS. Here's how to reduce costs with NAT instances, VPC endpoints, IPv6, and architectural changes - with real numbers and trade-offs.
How to ensure sidecar containers are ready before your main app starts. Covers startupProbe, postStart hooks, and why readinessProbe doesn't do what you think.
The idea of the 10x engineer has done more harm than good. What actually matters is team multipliers - engineers who make everyone around them better.
Running out of IP addresses in AWS EKS can be a subtle yet critical issue. It often manifests as pods stuck in a pending state or nodes failing to join the cluster, leading to deployment bottlenecks and potential downtime. Understanding the root cause and implementing effective solutions is essential for maintaining cluster health and scalability. Now, there are many ways to fix this, but this is one way.
How to use VPC Endpoints to access AWS services without internet gateways or NAT. Covers Gateway vs Interface endpoints, PrivateLink, endpoint policies, cost optimization, and production Terraform patterns.
Most incident processes are theatre. Here's how to build incident management that reduces downtime, prevents recurrence, and doesn't burn out your team.
Technical guide for upgrading managed Kubernetes clusters across GKE, EKS, and AKS
The questions that separate senior engineers from those who memorised tutorials. Real interview failures, what interviewers are actually looking for, and how to answer with depth.
How to use SCPs to set permission guardrails across your AWS Organization. Covers SCP evaluation logic, deny vs allow strategies, common patterns, and production-ready Terraform examples.
How to use AWS Config Rules to detect compliance violations and automatically remediate them using SSM Automation documents. Covers managed rules, custom rules, remediation actions, and complete Terraform examples.
Comprehensive guide for safely upgrading GKE clusters with minimal downtime and robust rollback procedures
Most meetings are information broadcasts disguised as collaboration. Learn when to meet, when to write, and how to save everyone's time.
OpenTelemetry unifies traces, metrics, and logs under one standard. This guide covers how to instrument your applications, set up collectors, and actually make sense of the data.
How to use ECS external deployment controllers and task sets for manual blue/green deployments – the setup, the CLI commands, the Terraform, and an honest assessment of when it's worth the complexity.
Gateway API is the successor to Ingress, bringing role-oriented design, native traffic splitting, and cross-namespace routing. This post compares both APIs, when to migrate, and practical migration patterns.
A comprehensive guide to hardening your Clawdbot installation and integrating with Google Workspace, GitHub, and Notion – turning your AI assistant into a productivity powerhouse.
How to use Amazon RDS Proxy to handle database connections from Lambda functions at scale. Covers connection pooling, IAM authentication, Terraform setup, and the gotchas you'll hit in production.
Two major cluster crashes, migrating from kops to EKS, slashing compute costs with Karpenter, and the observability stack we rebuilt three times.
eBPF is transforming how we observe, secure, and network Linux systems. This guide covers the fundamentals, practical use cases beyond Cilium, and how to start writing your own eBPF programs.
A practical guide to connecting to PostgreSQL databases in Kubernetes – exec into pods, VPN access, SOCKS5 proxies, pg_dump, kubectl cp and getting data out when you need it.
How a 'safe' AMI upgrade led to traffic drops, zombie log files, and disk exhaustion – and the debugging journey that followed. A real incident from on-call, with technical details and lessons learned.
Certifications have become a checkbox exercise. They don't prove competence, and they often distract from what actually matters: building things and solving real problems.
Most Kubernetes clusters waste 50-70% of their resources. Here's how to measure what you're actually using, fix the worst offenders, and automate the process - without breaking production.
Service meshes promise observability, security, and traffic management. But which one should you choose? A practical comparison based on running all three in production.
Complete guide to building immutable AMIs with Packer in production - CI/CD pipelines, Terraform ASG integration, rollback strategies, maintenance workflows, and security hardening.
How to use AWS Managed Prefix Lists to eliminate hardcoded CIDR blocks in security groups and route tables. Covers AWS-managed prefixes, customer-managed lists for data centres, and production Terraform patterns.
A practical guide to building an IDP that developers actually want to use. Covers the build vs buy decision, Backstage implementation, and the organisational changes required for success.
A hands-on guide to implementing GitOps with ArgoCD. Covers installation, application management, sync strategies, secrets handling, and the patterns that actually work in production.
How DNS UDP's 512-byte limit caps responses at ~8 A records, breaking service discovery for scaled ECS/CloudMap workloads – and the sidecar solution to bypass it.
Daily standups were meant to improve communication. Instead, they've become status meetings that waste time and interrupt deep work. There's a better way.
How we migrated our CDN to AWS CloudFront at Trainline
Extend your private API Gateway with secure access from other VPCs using PrivateLink and enforce IAM-based authentication.
Kubernetes is an incredible technology that solves real problems. But for most startups, it's the wrong tool. Here's how to know when you're ready - and what to use instead.
In the first part of our Container Networking Deep Dive, we explore how to set up a single network namespace inside a VM and connect it to the host using a veth pair.
In the second part of our Container Networking Deep Dive, we connect two network namespaces via a bridge on the same Linux host.
A step-by-step guide to setting up a Kafka cluster on a local Kind cluster using the Strimzi operator, with optional Terraform provisioning.
Deep Dive into EC2 Networking: ENIs, IP Addressing and Deployment Architectures
How to setup a private network for your EKS cluster with Twingate
How we automated Dynatrace alerting configuration using custom Ansible roles - covering alert profiles, problem notifications, metric events, and maintenance windows across multiple environments.
Using GKE DNS-based endpoints for Secure cluster access
In this blog, we configure mutual TLS (mTLS) using Gateway API on GKE, securing ingress traffic with client certificate validation.
A hands-on guide to configuring AWS Route 53 for latency-based routing across multiple regions, incorporating health checks for automatic failover.
Secure Your Kubernetes with SPIFFE + SPIRE: Zero-Trust Identity for Workloads
AWS EKS defaults to the VPC CNI plugin, assigning VPC IPs to pods via ENIs. While straightforward, this setup limits pod density per node and consumes VPC IPs rapidly. To overcome these constraints, deploying Calico with IPIP or BGP offers a scalable alternative.
DNS spoofing in Kubernetes remains a critical threat, enabling attackers to redirect traffic, intercept data, or disrupt services. This article explores how such attacks occur and outlines strategies to prevent them.
Running Kubernetes clusters privately is a growing best practice. In this blog, I'll walk you through deploying a private AKS cluster on Azure with no public API endpoint, and enabling secure access via Twingate VPN, which provides identity-based access without opening up your network.
In this blog, I'll walk you through setting up a full-featured Apache Pulsar playground using kind (Kubernetes in Docker). Whether you're testing Pulsar for learning or demoing a real pub/sub model with admin tools and monitoring, this setup gives you everything.
The complete journey: client-side vs server-side apply, admission controllers, etcd persistence, controller reconciliation, scheduler binding, and kubelet container creation. Every step traced.
Online EBS volume resizing for running instances – the IaC way with Terraform and ASG instance refresh, plus the manual escape hatch when you need it now. No reboot required.
How I built a GitHub Action to manage blue/green and canary deployments by dynamically updating Traefik weighted services – with SigV4 authentication, YAML configuration, and a generator API.
A complete walkthrough of setting up mutual TLS with Traefik and Smallstep CA – from certificate generation to client authentication. Includes local DNS, ACME integration, and a working demo you can deploy.
Crossplane + LocalStack on kind: 100 % Local AWS Infrastructure-as-Code
Falco Kubernetes Lab: Runtime Threat Detection with Prometheus & Grafana
In this deep dive, we set up a secure, production-ready CI/CD pipeline from GitHub Actions to GKE using Workload Identity Federation—no secrets needed.
Learn how to deploy a secure, private-only API Gateway inside your VPC using interface endpoints, resource policies, and VPC integration.
A hands-on technical guide to implementing AWS PrivateLink between VPCs using Terraform.
How packets actually flow in Kubernetes – from veth pairs to CNI plugins to kube-proxy modes. With AWS/EKS context throughout.
A hands-on article on deploying an application on Kubernetes with Fargate.
How to get started in DevOps?
An end-to-end guide for baking a Vault AMI using Packer and deploying a Vault EC2 instance on AWS.
In the first part of our ECS Fargate Deep Dive, we break down what happens behind the scenes when you run a task on Fargate — Firecracker microVMs, ENIs, IAM and the hidden host fleet.
In the second part of our ECS Fargate Deep Dive, we get hands-on with Firecracker — the lightweight VMM that powers Fargate — and simulate task isolation and networking locally.
Solving the AWS OIDC Chicken-and-Egg Problem with GitHub Actions
A production-focused deep dive into how BGP actually behaves over AWS Direct Connect – route selection, failover, ASN design, MEDs, prepending, blackholing scenarios, and the real-world issues teams hit at scale.
Deep dive into Helm's --atomic, --wait, and --cleanup-on-fail flags. How they work, when to use them, the CI/CD pipeline trap that catches everyone, and production-ready deployment patterns.
You can't use Terraform to create the S3 bucket that stores Terraform state. Here's how to bootstrap your remote backend properly, plus the philosophical reason this pattern exists everywhere in software.
An end-to-end guide for creating a lab container for DevOps training.
A look at the ever-changing landscape of modern applications