This role is suited to an architect who is equally comfortable whiteboarding a target-state AWS Landing Zone architecture with a CTO and sitting with an engineering team to resolve a blast-radius dependency conflict the night before a cutover.
Key Responsibilities
Architecture & Technical Leadership
Design and own the target-state cloud architecture for DC Exit / DC Consolidation programmes on AWS, including compute (EC2, ECS, EKS), storage (EBS, EFS, S3), networking (VPC, Transit Gateway), identity (IAM, AWS SSO), and security (AWS Security Hub, GuardDuty, SCPs)
Lead application and infrastructure discovery using AWS Application Discovery Service (ADS), Migration Evaluator, and dependency mapping to produce migration-ready groupings and blast radius analysis
Define migration patterns (rehost via AWS MGN, replatform to RDS/EKS, refactor to Lambda/containers, retire, replace with SaaS) per workload with clear technical rationale and risk assessment
Produce Architecture Decision Records (ADRs), High-Level Designs (HLDs), and Low-Level Designs (LLDs) to programme-grade quality, aligned to the AWS Well-Architected Framework
Govern architectural consistency across migration waves and enforce AWS Landing Zone / Control Tower guardrails throughout the transition
Licensing Portability & Compliance
Lead licensing portability strategy for DC exit — BYOL (Bring Your Own Licence) for Windows Server and SQL Server on EC2, AWS License Manager configuration, OEM licence impact analysis, and SPLA transition planning for MSP-operated environments moving to AWS
Advise on AWS Dedicated Hosts as the mechanism for BYOL compliance for Windows Server and SQL Server (per-socket/per-core licence models), ensuring licence counts are correctly mapped to Dedicated Host instance families
Design licence governance controls using AWS License Manager rules, resource tagging strategies via AWS Config, and integration with third-party SAM tooling (Flexera, Snow Software) to prevent compliance drift post-migration
Engage the AWS account team and AWS Partner Network (APN) to maximise programme value through AWS Migration Acceleration Program (MAP) funding, AWS Credits, and AWS Professional Services co-delivery
Network Transformation
Design target-state hybrid network architectures on AWS: AWS Transit Gateway (TGW) as the centralised routing hub, AWS Direct Connect (dedicated and hosted connections), Site-to-Site VPN as failover, and SD-WAN integration with TGW Connect
Define internet egress and traffic inspection strategy for the post-DC state, replacing DC-based security perimeters with AWS Network Firewall, AWS Gateway Load Balancer (GWLB) with third-party NVAs (Palo Alto, Fortinet), and AWS WAF
Lead DNS transformation planning — Amazon Route 53 Private Hosted Zones, Route 53 Resolver (inbound/outbound endpoints), split-horizon DNS — and IP addressing strategy for migration with minimal re-IP using AWS IPAM
Design VPC architecture across accounts and regions: hub-and-spoke or flat TGW models, VPC sharing via AWS RAM, and PrivateLink for service consumption without public exposure
Ensure latency-sensitive workloads (ERP, payments, OT/SCADA) are isolated in dedicated VPCs with appropriate Direct Connect SIFs and QoS, and their connectivity requirements validated pre-cutover
Migration Programme Delivery
Own the migration wave plan using AWS Migration Hub as the central tracking plane — sequencing, dependency groupings, rollback criteria, and cutover playbooks across programmes of 500+ workloads
Lead rehost migrations using AWS Application Migration Service (MGN) for agent-based lift-and-shift, and AWS Server Migration Service (SMS) or VMware Cloud on AWS (VMC) for VMware estate migration
Define and enforce go/no-go criteria for each migration wave, including pre-flight AWS MGN replication lag thresholds, post-cutover smoke test suites, and DNS TTL management during cutover windows
Manage and resolve technical blockers across infrastructure, networking, security, and application teams during wave execution
Ensure regulated workloads (financial services, public sector) are handled with appropriate regulatory notifications, BCP/DR evidence updated in AWS Resilience Hub, and audit trails via AWS CloudTrail
FinOps & Cost Governance
Build pre-migration cost models using AWS Migration Evaluator and AWS Pricing Calculator, incorporating BYOL savings on Dedicated Hosts, Savings Plans and Reserved Instance pricing, S3 storage tiering, and data transfer / egress cost assumptions
Establish a FinOps operating model — visibility via AWS Cost Explorer and Cost and Usage Reports (CUR), accountability through AWS account-level tagging and chargeback, optimisation via Compute Optimizer and Savings Plans, governance via AWS Budgets and anomaly detection
Conduct post-migration right-sizing reviews using AWS Compute Optimizer recommendations and Trusted Advisor checks to close the gap between business case projections and actual AWS spend
Stakeholder & Vendor Management
Act as the primary technical authority for client stakeholders up to CTO / CIO level, translating complex AWS architectural decisions into clear business outcomes
Lead multi-vendor technical governance — defining interface agreements, RACI frameworks, and joint testing protocols across SIs, MSPs, and AWS
Manage AWS account team, network vendors (Direct Connect providers, SD-WAN), and third-party migration tooling vendors as an integrated programme team
Required Skills & Experience
Essential
8+ years of experience in cloud architecture, with a significant portion focused on large-scale migration programmes (DC Exit, DC consolidation, or cloud-first transformation) on AWS
Deep hands-on expertise in AWS compute and migration services: EC2 (including Dedicated Hosts for BYOL), AWS Application Migration Service (MGN), AWS Migration Hub, AWS Application Discovery Service (ADS), and AWS Database Migration Service (DMS)
Demonstrable expertise in AWS licensing portability: BYOL on Dedicated Hosts (Windows Server and SQL Server per-socket/per-core models), AWS License Manager configuration, OEM licence restrictions, and SPLA transition planning for MSP colo environments
Network transformation experience: AWS Transit Gateway, Direct Connect (dedicated and hosted), VPC design (hub-and-spoke, shared VPCs), Route 53 Resolver, AWS Network Firewall, and SD-WAN integration with TGW Connect
Proven experience designing and executing migration wave plans for estates of 500+ VMs in enterprise or regulated environments, using AWS Migration Hub as the tracking plane
AWS Landing Zone / Control Tower design and guardrail enforcement across multi-account organisations
FinOps experience: AWS Cost Explorer, Cost and Usage Reports (CUR), Compute Optimizer, Savings Plans, and pre-migration cost modelling using AWS Migration Evaluator
Strong technical documentation skills — ADRs, HLDs, LLDs, cutover playbooks, and AWS Well-Architected Review outputs to consulting-grade standard
Experience operating in multi-vendor programme environments (SI, MSP, AWS account team triangles)
Highly Desirable
Hands-on experience with VMware Cloud on AWS (VMC on AWS) as a migration accelerator for VMware-heavy DC estates
Experience with AWS Outposts for hybrid workloads that cannot fully exit on-prem, and AWS Local Zones for latency-sensitive edge workloads
Experience with third-party migration tooling: Zerto on AWS, Carbonite Migrate, CloudEndure (now MGN), or PlateSpin
Container and modernisation experience: Amazon EKS, Amazon ECS, AWS App2Container (A2C) for containerising legacy applications during DC exit
Azure exposure — useful for programmes with workloads that are split across hyperscalers