Secure Cloud and DevOps Modernization for Call Center Operations is a case study by HDWEBSOFT. Industry: Marketing. Services provided: DevOps, Infrastructure Management, Modernization, Migration. Technologies used: AWS, Cloud, Kubernetes. Solutions: Cybersecurity, Quality Management, Compliance, General. Team size: 3. HDWEBSOFT modernized call center infrastructure into a [secure cloud and DevOps platform](/services/devops-services) meeting SOC 2 compliance.


Secure Cloud and DevOps Modernization for Call Center Operations

HDWEBSOFT helped a US-based call center technology company modernize legacy, self-managed infrastructure into a secure hybrid cloud and DevOps platform with governed access, repeatable delivery, and centralized observability.

Industry: Marketing
Team size: 3

A US-based call center technology company needed to modernize a legacy, self-managed infrastructure footprint into a secure cloud and DevOps platform. The client’s environment had to support fast software delivery while keeping governance, access control, observability, and SOC 2 compliance requirements consistent across development, production, shared services, and on-premises workloads.

HDWEBSOFT helped design and implement a hybrid platform that connected AWS EKS clusters, on-premises datacenter nodes in Las Vegas and DTLA, GitOps delivery, centralized identity, secrets management, CI/CD automation, and security monitoring into one auditable operating model.

Project Context

The client’s platform served call center operations where reliability, security, and delivery speed were all important. As the business grew, the legacy infrastructure model became harder to operate consistently, reflecting the planning, dependency, and operational risks common in legacy workload migration. Teams needed a cleaner way to provision environments, control access, deploy workloads, monitor incidents, and prove that infrastructure changes were deliberate and traceable.

The modernization goal was not only to move workloads to the cloud. The goal was to create a repeatable platform foundation that could support legacy migration, self-managed server modernization, Kubernetes-based operations, and compliance-driven delivery without slowing engineering teams down. SOC 2 control needs shaped the platform design from the start, including centralized logging, governed identity, consistent tagging, auditable infrastructure changes, and traceable access to operational tools.

Stakeholder Interview

“This project was challenging because the legacy IT environment did not have enough reliable documentation. Before we could design the migration path, we had to investigate the servers directly, collect operating system and package information, and understand which services were actually required for the running software.”

— Duy Duong, Senior DevOps at HDWEBSOFT

The discovery work went beyond reading diagrams or deployment notes. The team inspected legacy Linux servers, collected installed package inventories, reviewed running services, and mapped dependencies between infrastructure components and application behavior. Each package and service had to be assessed carefully: whether it was required for production workloads, supporting an operational dependency, or creating unnecessary maintenance and security risk.

This investigation helped turn an unclear self-managed environment into a migration plan that engineering, security, and operations teams could review. It also reduced the risk of moving undocumented assumptions into the new cloud platform.

Key Features

Secure Hybrid Cloud Foundation

The platform used AWS Organizations to separate management, shared platform services, development, production, and centralized log storage. This structure helped the team keep account boundaries clear while supporting different operational needs across environments.

Amazon EKS clusters supported development, production, and shared platform services. Development workloads used a cost-aware compute strategy, while production relied on stable on-demand capacity with Karpenter-based autoscaling. Shared services acted as a platform hub for centralized tools.

Networking was designed around governed connectivity between AWS and on-premises environments. The platform used VPC networking, peering, Direct Connect, NAT gateways, flow logs, and security baselines to support hybrid workloads across AWS and datacenter nodes.

Identity, Access, and Secrets Management

Okta served as the central identity provider across engineering and platform tools. It federated access into AWS IAM Identity Center, GitHub, Grafana, Datadog, Vault, Rancher, Flux UI, Jenkins, and endpoint security tooling.

HashiCorp Vault provided centralized secrets management for engineers, CI/CD pipelines, and Kubernetes workloads. Vault ran in high-availability mode on the shared-services EKS platform, while External Secrets Operator synchronized approved secrets into application namespaces.
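
The Vault-to-namespace synchronization described above could be declared as follows. This is an added example, not the client's or HDWEBSOFT's configuration: the namespace, Vault address, mount paths, role, and secret names are all assumptions. It uses a namespaced SecretStore so that each application namespace authenticates to Vault with its own service account and Vault role.

```yaml
# Added illustration; every name, path and URL below is an assumption.
apiVersion: external-secrets.io/v1beta1
kind: SecretStore                 # namespaced: usable only from "billing"
metadata:
  name: vault-billing
  namespace: billing
spec:
  provider:
    vault:
      server: "https://vault.shared-services.example.internal:8200"
      path: "kv"                  # KV secrets engine mount
      version: "v2"
      auth:
        kubernetes:               # workload identity, no static Vault token
          mountPath: "kubernetes"
          role: "billing-read"    # Vault role bound to the service account below
          serviceAccountRef:
            name: "external-secrets-billing"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: billing-db
  namespace: billing
spec:
  refreshInterval: 1h             # rotation in Vault reaches the cluster within an hour
  secretStoreRef:
    kind: SecretStore
    name: vault-billing
  target:
    name: billing-db              # Kubernetes Secret created in this namespace
    creationPolicy: Owner         # Secret is removed when the ExternalSecret is deleted
  data:
    - secretKey: DB_PASSWORD
      remoteRef:
        key: billing/db           # only this Vault path is requested
        property: password
```

Because the manifest lives in Git, the list of secrets a namespace may read is reviewed like any other change, and the Vault policy behind the role should grant read access to that path only.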

The platform also used IAM Roles for Service Accounts to grant fine-grained AWS permissions to Kubernetes workloads. This reduced the need for broad credentials and made workload access easier to audit.

GitOps Application Delivery

FluxCD handled continuous reconciliation from Git. The platform used layered Kustomization dependencies so infrastructure, secrets, applications, observability, and security components could be rolled out in a controlled order.
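
A layered rollout of this kind is expressed in Flux with `dependsOn` between Kustomization objects. The following is an added example, not the project's own manifests: the repository name, paths, and intervals are assumptions, and only three of the layers are shown (observability and security components would follow the same pattern).

```yaml
# Added illustration; names, paths and intervals are assumptions.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: platform
  path: ./infrastructure
  prune: true                # objects deleted from Git are deleted from the cluster
  wait: true                 # Ready only after applied resources pass health checks
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: secrets
  namespace: flux-system
spec:
  dependsOn:
    - name: infrastructure   # CRDs and operators must exist first
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: platform
  path: ./secrets
  prune: true
  wait: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: applications
  namespace: flux-system
spec:
  dependsOn:
    - name: secrets          # workloads start only once their secrets are synced
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: platform
  path: ./applications
  prune: true
  wait: true
```

With `wait: true` on each layer, a dependent layer is not applied until the layer before it reports Ready, so a failed infrastructure change stops the rollout before it reaches workloads.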

Flux Image Toolkit automated image tag updates for selected services. This helped teams reduce manual release steps while keeping deployment behavior tied to reviewed source control changes.

Core platform services included ingress, DNS automation, certificate management, autoscaling, WebRTC TURN support, observability, and multi-cluster management. Together, these services gave application teams a consistent path from code to runtime.

CI/CD and Developer Experience

GitHub Actions used self-hosted runners on the shared-services EKS platform. Runner capacity could scale with demand, including spot-oriented capacity for cost-aware execution.

OpenTofu workflows supported plan and apply operations per infrastructure stack. Pull request plan comments, scheduled drift detection, and Vault-backed pipeline secrets helped make infrastructure changes more visible and deliberate.

Jenkins provided centralized build orchestration, while Nexus handled artifact storage. This allowed the platform to support both modern cloud-native delivery and existing build processes during the modernization journey.

Observability and Security Operations

The observability stack combined Grafana, Loki, Alloy, Datadog, and alerting workflows. This gave engineers a clearer view across cloud, Kubernetes, and hybrid infrastructure layers.

CrowdStrike Falcon endpoint protection was deployed across EKS clusters, while AWS GuardDuty added cloud-side threat detection. These controls helped the client strengthen its security posture while meeting SOC 2 compliance requirements.

Technical Challenges

Coordinating Several Automation Layers

The platform involved infrastructure as code, GitOps, configuration management, CI/CD, secrets management, and security automation. These layers had to work together across several repositories without creating hidden dependencies or unclear ownership.

Governing Multiple Environments at Scale

Development, production, shared services, centralized logging, and management accounts each had different needs. The challenge was to keep access, tagging, network controls, logging, and deployment rules consistent without making the platform too rigid for engineering teams.

Managing Hybrid Cloud Operations

The modernization included both AWS and on-premises datacenter workloads. Supporting EKS, Proxmox, Rancher-managed clusters, and legacy operational patterns required careful integration between cloud networking, identity, deployment, and monitoring.

Reducing Documentation and Inventory Drift

Legacy systems often create drift between what is documented and what actually runs. The client needed Git-backed definitions, automated checks, and repeatable provisioning so the platform could stay understandable as it changed.

Balancing Cost, Reliability, and Stability

The team needed to optimize compute cost without weakening production reliability. This required a practical capacity strategy across spot-oriented workloads, on-demand production capacity, autoscaling rules, and operational safeguards.

Supporting SOC 2 Compliance Under Rapid Change

The platform had to meet SOC 2 compliance requirements while still allowing teams to ship quickly. Infrastructure changes, access flows, secrets usage, and operational events had to be traceable and governed. The platform also needed consistent evidence points for audits, including change history, access control records, centralized logs, and drift detection outputs.

Solutions

Clear Separation of Concerns

HDWEBSOFT helped separate platform responsibilities across infrastructure, secrets, workloads, observability, and security layers. Documented integration contracts made it easier for teams to understand which system owned each part of the delivery flow.

Modular Infrastructure as Code

OpenTofu stacks were organized around isolated state boundaries and automated CI gates. Pull request plan comments helped reviewers understand infrastructure changes before approval, while scheduled drift detection highlighted differences between declared and actual infrastructure.
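
A scheduled drift check of this kind can be built on `tofu plan -detailed-exitcode`, which exits with 0 when nothing would change, 2 when the plan contains changes, and 1 on error. The workflow below is an added example, not the project's pipeline: the stack names, directory layout, and schedule are assumptions, and it assumes the self-hosted runner already has read access to the state backend and cloud APIs.

```yaml
# Added illustration; stack names, paths and schedule are assumptions.
name: opentofu-drift
on:
  schedule:
    - cron: "0 6 * * *"         # once a day
  workflow_dispatch: {}
permissions:
  contents: read                # read-only token: this job never applies
jobs:
  drift:
    runs-on: self-hosted
    strategy:
      fail-fast: false          # one drifted stack must not hide the others
      matrix:
        stack: [network, eks-dev, eks-prod]
    steps:
      - uses: actions/checkout@v4
      - uses: opentofu/setup-opentofu@v1
        with:
          tofu_wrapper: false   # call the tofu binary directly for its exit code
      - name: Init
        run: tofu -chdir="stacks/${{ matrix.stack }}" init -input=false
      - name: Plan and classify
        run: |
          set +e
          tofu -chdir="stacks/${{ matrix.stack }}" plan \
            -input=false -lock=false -detailed-exitcode
          rc=$?
          set -e
          case "$rc" in
            0) echo "no drift in ${{ matrix.stack }}" ;;
            2) echo "::warning::drift detected in ${{ matrix.stack }}"; exit 1 ;;
            *) echo "::error::plan failed for ${{ matrix.stack }}"; exit "$rc" ;;
          esac
```

The retained run history gives a dated record per stack of when declared and actual infrastructure matched, which is the kind of evidence point the audit requirements call for.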

Layered GitOps Reconciliation

FluxCD was organized with explicit dependencies between platform layers. This reduced rollout risk and made recovery simpler because changes could be reviewed, applied, reverted, and traced through Git.

Unified Identity and Access Governance

Okta SSO federation gave engineers and operators a centralized access model across cloud and platform tools. AWS IAM Identity Center, Vault, GitHub, Grafana, Datadog, Rancher, Jenkins, and other systems could follow a more consistent identity pattern.

Cost-Aware Kubernetes Platform Design

Karpenter helped the platform adapt compute capacity to workload needs. Development workloads could use cost-aware capacity, while production stayed aligned with reliability requirements.

Vault-Backed CI/CD Pipelines

CI/CD workflows used Vault-backed authentication for sensitive pipeline operations. This supported safer infrastructure delivery without exposing broad, long-lived secrets to build systems.

Business Outcomes

Safer and Faster Delivery

Pull request-reviewed OpenTofu plans, GitOps reconciliation, and automated drift detection made infrastructure changes more deliberate and auditable. Engineers could reproduce environments from Git, roll back through source control, and diagnose issues from a clearer change history.

Stronger Security and SOC 2 Compliance

Centralized SSO, governed AWS access, Vault-based secrets management, endpoint protection, centralized logging, security monitoring, and Git-backed infrastructure records helped the platform meet SOC 2 compliance requirements while supporting day-to-day engineering work.

Better Cost Control Without Sacrificing Reliability

Karpenter and environment-specific capacity strategies helped the client optimize compute usage. Development workloads could use cost-aware infrastructure, while production workloads kept the stability needed for call center operations.

Improved Observability and Incident Response

Grafana, Loki, Alloy, Datadog, GuardDuty, and endpoint security alerts gave teams a stronger operational view across cloud and hybrid infrastructure. This improved the team’s ability to detect, investigate, and respond to platform issues.

Modernized Platform Foundation

The project created a stronger foundation for legacy infrastructure migration, self-managed server modernization, cloud operations, and future DevOps automation. Instead of relying on disconnected operational processes, the client gained a more governed platform model for secure call center delivery.

Conclusion

This DevOps modernization project helped a US-based call center technology company move from legacy, self-managed infrastructure toward a secure hybrid cloud platform. By combining AWS, Kubernetes, GitOps, centralized identity, secrets management, observability, security controls, and compliance-oriented platform governance, HDWEBSOFT supported a delivery model that was faster, more auditable, and aligned with SOC 2 compliance requirements.

If your team is modernizing legacy infrastructure or preparing a secure cloud platform for audit-ready delivery, explore HDWEBSOFT’s DevOps services or contact us to discuss the right platform roadmap.
