Stable and secure IT infrastructure for a growing business
from chaos to order in a few weeks
The starting point was a struggling infrastructure, rising costs of on‑premise servers and an increasingly expensive public cloud after the VMware licensing changes in 2025–2026. At the same time, traffic and load were growing fast, backups were not distributed, there was a single web server as a one point of failure, only basic service and log monitoring and a complex certificate setup for both customers and the company itself.
The business was growing quickly, but the infrastructure could not keep up. It needed a stable and scalable platform for a globally distributed team and customers around the world.
Project goals
The main goals were:
- select an alternative cloud provider,
- migrate the infrastructure in the shortest possible time,
- keep the migration fully transparent for end users (no downtime, no forced password changes),
- increase automation and autonomy of the systems.
This project is a natural continuation of our previous work described in “Transparent migration of web and mail services without password changes, downtime or user pain”, where we focused on the migration itself.
Discovery – understanding what we really have
We started with a detailed IT discovery phase:
- full inventory of domains, certificates, mailboxes and services,
- analysis of the current infrastructure, VPN connections and daily/hourly load patterns,
- identification of gaps in backup, monitoring and security.
We treated discovery as a classic planning phase – roughly 80% of the effort went into analysis and planning, 20% into execution. This approach was key to delivering the expected outcome.
Choosing the cloud – why Kamatera
We evaluated all major cloud providers: AWS, Azure, IBM Cloud, Alibaba Cloud, Google Cloud and several smaller vendors. Each of them had strengths and weaknesses, so we backed the decision with a SWOT analysis and the classic project management triangle (scope, time, cost).
In the end we selected Kamatera, an Israeli cloud provider, because it combines mature tooling, solid infrastructure, competitive pricing and ease of configuration. Looking back, it proved to be a good choice, even though we had to go through a few inevitable escalations on the way.
Hybrid architecture instead of “all‑in cloud”
The new infrastructure was designed as a hybrid solution: public cloud plus a local on‑premise datacenter, connected via secure VPN tunnels, with HAProxy acting as a central entry point for web and mail traffic.
Why hybrid?
- increased security and data confidentiality,
- flexibility – maintenance work can be done live, without frequent service windows,
- better cost control – cloud is powerful, but definitely not free.
To make cloud usage efficient we:
- cleaned up and reduced the environment (decommissioned unused or duplicate services),
- separated production from test environments,
- consolidated multiple tools on fewer servers with different usage patterns throughout the day, so servers deliver real value instead of just spinning fans.
Migration plan – milestones and tests
Based on the discovery report we prepared a detailed migration plan describing:
- what should be moved and in which order,
- what the dependencies are,
- which tests must be executed after each milestone.
Every step ended with tests that guaranteed the change would not cause downtime or service disruption for end users. The guiding principle was simple: the migration must remain invisible to the business.
Building the new environment
Once the cloud provider had been selected, building the new infrastructure was relatively straightforward. Cloud tools were mature enough to let us build a migration‑ready environment within a few hours. The key elements were the HAProxy front-end and secure VPN technologies connecting the cloud to the local on‑premise datacenter.
Execution – safe cut‑over
The execution phase relied on careful risk management (including positive risks – optimisation opportunities), frequent intermediate tests, an experienced engineering team and modern tooling, including advanced language models (AI) assisting with log and documentation analysis.
As a result, the number of user‑reported issues dropped, services became faster and more efficient and there was less noise coming from the environment.
Optimisation and Hypercare
Immediately after the cut‑over we entered the Hypercare phase – intensive monitoring and optimisation. Internet access is protected by Fortinet, and from there traffic goes to the public cloud with HAProxy and backup datacenters with traffic balancing.
The environment is supported by distributed backups and disaster recovery, fast VPN links, high‑performance and secure on‑premise servers using Docker and FreeBSD jails. Monitoring is based on Nagios, extended with analysis from a custom AI model.
All of this, within the agreed time and budget, increased service performance by more than four times compared to the previous infrastructure. Optimisation – effectively Business As Usual – is an ongoing process, with performance and service quality strongly supported by engineers and AI tools to maximise stability and efficiency while keeping costs under control wherever it is safe from a risk perspective.