Job Specifications
T+S
USC/GC
Seeking Azure Cloud Engineers located in the Wickliffe, OH area (Cleveland, OH area) for a hybrid 3-6 month contract.
Purpose & Objectives
Engage a senior Azure specialist to stabilize, optimize, and mature our Azure environment, accelerate project delivery for Cloud Engineering, and uplift operational excellence and security in line with enterprise standards.
Objectives
Establish consistent governance, security baselines, and automation for Azure.
Improve operational reliability (availability, performance, monitoring, DR).
Reduce cloud cost with FinOps practices while preserving service levels.
Deliver repeatable IaC patterns that Cloud Engineers can self‑serve.
Ensure hybrid integration with on‑prem AD/Entra ID, Azure Stack HCI, and VDI/W365.
Scope of Services
Azure Governance & Security
Implement/validate Landing Zone standards (management groups, subscriptions, RBAC, policy assignments) and role separation for Prod/Non‑Prod.
Define and enforce Azure Policy/Initiatives for security, compliance, and tagging (e.g., allowed locations, SKU controls, backup, diagnostics, encryption, private endpoints).
Align Entra ID (Azure AD) Conditional Access, PIM/JIT, break‑glass, and tiering model for admin accounts; integrate with your PAW/Tools Server approach.
Harden Key Vault, managed identities, secrets rotation, and service principal governance.
Review and harden network security: NSGs/ASGs, Firewall/Private Link, DDoS, Just‑in‑Time (JIT) VM access.
Artifacts: Governance catalog, policy-as-code repo, RBAC matrix, admin access SOPs.
Platform Engineering (IaC, CI/CD, Automation)
Stand up/standardize Infrastructure as Code baselines (Bicep or Terraform) for VNets, subnets, routing, Private DNS, AKS/VMSS, Storage, Key Vault, App Services, SQL, Log Analytics.
Build Azure DevOps or GitHub Actions pipelines for plan/apply, linting, security scans, and environment promotions.
Create reusable module library (networking, compute, data, monitoring) with versioning and documentation.
Automate post‑deploy guardrails (policy remediation tasks, diagnostics, alerts).
Artifacts: IaC repositories, pipeline YAMLs, module docs, runbooks.
Networking & Hybrid Connectivity
Review and optimize ExpressRoute/VPN topology, hub‑and‑spoke, routing (UDR), and segmenting Prod/Non‑Prod.
Standardize Private Endpoints/Private Link usage and Private DNS zones strategy.
Validate identity and logon locality between Azure, on‑prem AD/Entra ID, and Horizon VDI: domain controller placement, Sites/Subnets, and Kerberos/SPN configurations for cloud‑hosted services.
Artifacts: Network reference architecture, IPAM and DNS plans, connectivity runbooks.
Windows 365 / VDI & Azure Stack HCI Touchpoints
Ensure Cloud PC network access, policy baselines, image lifecycle, and monitoring align with Azure guardrails.
For Azure Stack HCI/Arc‑enabled servers, standardize policy assignments, update rings, and monitoring integration.
Validate Horizon dependencies (SPNs, delegation, nearest DCs, DNS) for hybrid workloads.
Artifacts: Integration checklist, policy mappings, operational SOPs.
Deliverables
Azure Current‑State Assessment (PDF/Word): architecture, risks, and prioritized findings.
Governance & Security Baseline: policy-as-code, RBAC model, admin access SOPs.
IaC & Pipelines: reusable modules, environment pipelines, deployment documentation.
Operations Pack: monitoring dashboards, alert catalog, DR/backup runbooks, health checks.
Network & Hybrid Design: hub‑spoke reference, Private Link/DNS strategy, connectivity runbooks.
Executive Readout (PowerPoint): posture, KPI improvements, roadmap & budget asks.
Out of Scope (unless added by Change Order)
New third‑party tooling procurement and enterprise contract negotiations.
Major application refactors (beyond platform enablement and patterns).
Net‑new data governance programs (e.g., enterprise MDM, DLP): advisory only.
Large‑scale tenant merges/splits or domain/forest consolidations.
Role Expectations & Ways of Working
Reporting Line: Takes guidance and priorities from the IT Operations Manager.
Collaboration: Partners with Cloud Engineers; pairs for enablement; coordinates with Security, Networking, and App teams.
Documentation‑first: Every change includes updated diagrams, runbooks, and PRs to IaC repos.
Change Control: Follows CAB; each change includes validated rollback and verification steps.
Required Skills & Experience
Deep hands‑on Azure: governance, policy, networking (ER/VPN), compute, storage, databases.
IaC (Bicep or Terraform), CI/CD (Azure DevOps or GitHub), PowerShell.
Hybrid identity (Entra ID + on‑prem AD), Private Link/DNS, Private endpoints.
Strong documentation and mentoring skills.
Access Requirements
Contributor/Owner (time‑bounded via PIM) on non‑prod; scoped elevated access in prod for deployments (with break‑glass if needed).
Azure DevOps/GitHub repo access and secrets stores (Key Vault) via managed identities.
Read access to