Azure DevOps · Platform Engineering

Robert Rothermel
CI/CD and Azure platform engineering for regulated, compliance-driven environments.

Five years of production Azure: I led an on-premises datacenter → Azure migration, built the CI/CD pipeline that took releases from ~2 hours to ~20 minutes, and implemented the cloud-side SOC 2 controls that pass an auditor's review. My focus now: compliance-grounded pipelines and private, policy-governed Azure landing-zone design for regulated environments.

Azure: AKS · App Service · Front Door · Private Networking
IaC: Bicep · Terraform · Pulumi
CI/CD: Azure DevOps · GitHub Actions
Compliance: SOC 2 · Entra · Defender
01 · What I do

The intersection most Azure DevOps candidates only cover half of: shipping pipelines and making them survive an audit.

Azure platform & migration

Designed and executed an on-prem datacenter → Azure migration for production SaaS workloads — subscriptions, networking, Azure DevOps, and cutover. Now building private hub-and-spoke landing zones with private endpoints and policy guardrails.

CI/CD that gates itself

Multi-stage Azure DevOps pipelines with canary slots, telemetry health gates that fail closed, and automatic promote-or-rollback. The go/no-go decision is made by data, not a human watching a dashboard.

Compliance, built in

SOC 2 cloud controls — Entra identity, conditional access, Defender, change-management gates — implemented so the pipeline produces the audit evidence instead of someone assembling it after the fact.

02 · Selected engineering work

Clean-room builds and system designs — runnable repositories, not slideware. Each isolates one hard problem from production-grade Azure DevOps work.

◇ CI/CD · Build artifact

Canary Deployment with Automated Health Gating

Ships a .NET app to an Azure App Service canary slot, routes 10% of live traffic, then promotes or rolls back automatically based on Application Insights telemetry — no human in the go/no-go loop.

Demonstrates: a telemetry gate that fails closed — insufficient signal defaults to rollback, never promotion. The clean-room design of the pipeline that cut my production release time from ~2h to ~20m — companion to the node-CVE build below.
Azure DevOps YAML · Bicep · App Insights / KQL · ASP.NET Core 8 · PowerShell 7
Design + reference pattern
◇ AKS · Security · SOC 2

Gated AKS Node-CVE Remediation

Treats a CVE-patched AKS node image as a promotable, gated artifact — staged, canaried in a tainted prod nodepool, regression-tested, PDB-protected on promotion, then verified against Defender — instead of an in-place --node-image-only upgrade that makes production the first place the new image runs.

Demonstrates: compliance-grounded automation. A clean-room reference implementation whose stages map to SOC 2 controls — CC7.1, CC8.1, CC6.x, A1.x — with every reduction in rigor approver-gated and logged as risk-acceptance.
AKS · Defender for Containers · Kubernetes (PDB) · Bicep · KQL gate · SOC 2 TSC
Bicep · 8 PowerShell gates · k8s · KQL · Pester · SOC 2 map
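The two entries above share one decision rule: a telemetry gate that fails closed, and an override path that is approver-gated and logged as risk acceptance rather than silently skipped. The following is an added illustration of that rule, not code from either repository (the page's own gates are PowerShell 7 over KQL). It is written in Python so the decision logic reads on its own; the Application Insights query shape, the 15-minute window, the thresholds and the sample telemetry are all assumptions chosen for the example.

```python
"""Fail-closed canary health gate with an auditable risk-acceptance override.

Added example, not the page's own pipeline code. Insufficient telemetry defaults
to ROLLBACK, never PROMOTE, and the only path around a failed gate is an
attributed, logged approval.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumed shape of the Application Insights query feeding the gate (one row per
# slot, keyed on cloud_RoleName). `requests`, `success`, `duration` and
# `cloud_RoleName` are real App Insights columns; the 15m window is a policy choice.
KQL_SLOT_HEALTH = """
requests
| where timestamp > ago(15m)
| summarize request_count   = count(),
            failed_count    = countif(success == false),
            p95_duration_ms = percentile(duration, 95)
  by cloud_RoleName
"""


class Decision(str, Enum):
    PROMOTE = "promote"
    ROLLBACK = "rollback"


@dataclass(frozen=True)
class SlotTelemetry:
    """Aggregates for one slot, as KQL_SLOT_HEALTH would return them."""
    request_count: int
    failed_count: int
    p95_duration_ms: float


@dataclass(frozen=True)
class GatePolicy:
    """Illustrative thresholds; a real policy is versioned alongside the pipeline."""
    min_requests: int = 200                 # below this the sample is not evidence of health
    max_failure_rate_delta: float = 0.01    # canary may exceed baseline failure rate by <= 1 point
    max_p95_ratio: float = 1.25             # canary p95 may be at most 25% slower than baseline


def evaluate_gate(canary: SlotTelemetry, baseline: SlotTelemetry,
                  policy: GatePolicy = GatePolicy()) -> tuple[Decision, str]:
    """Return (decision, reason). Every early exit is ROLLBACK: the gate fails closed."""
    if canary.request_count < policy.min_requests:
        # Zero failures over fifty requests is not a green light; it is missing data.
        return Decision.ROLLBACK, (f"insufficient canary signal: {canary.request_count} "
                                   f"< {policy.min_requests} requests")
    if baseline.request_count < policy.min_requests or baseline.p95_duration_ms <= 0:
        return Decision.ROLLBACK, "insufficient baseline signal"
    canary_rate = canary.failed_count / canary.request_count
    baseline_rate = baseline.failed_count / baseline.request_count
    if canary_rate - baseline_rate > policy.max_failure_rate_delta:
        return Decision.ROLLBACK, f"failure rate {canary_rate:.2%} vs baseline {baseline_rate:.2%}"
    ratio = canary.p95_duration_ms / baseline.p95_duration_ms
    if ratio > policy.max_p95_ratio:
        return Decision.ROLLBACK, f"p95 latency ratio {ratio:.2f} exceeds {policy.max_p95_ratio}"
    return Decision.PROMOTE, "canary within thresholds"


@dataclass(frozen=True)
class RiskAcceptance:
    """An approver's explicit decision to proceed despite a failed gate."""
    approver: str
    ticket: str
    justification: str

    def is_complete(self) -> bool:
        return all(field.strip() for field in (self.approver, self.ticket, self.justification))


def apply_risk_acceptance(decision: Decision, reason: str,
                          acceptance: Optional[RiskAcceptance],
                          audit_log: list) -> Decision:
    """The only route from ROLLBACK to PROMOTE. Incomplete approvals are rejected and
    logged; accepted ones are logged together with the gate reason they override, so
    the audit trail records who reduced rigor and why."""
    if decision is Decision.PROMOTE or acceptance is None:
        return decision
    if not acceptance.is_complete():
        audit_log.append({"event": "risk_acceptance_rejected", "gate_reason": reason})
        return Decision.ROLLBACK
    audit_log.append({"event": "risk_acceptance", "approver": acceptance.approver,
                      "ticket": acceptance.ticket, "justification": acceptance.justification,
                      "gate_reason": reason})
    return Decision.PROMOTE


if __name__ == "__main__":
    # Constructed sample telemetry, not production data.
    baseline = SlotTelemetry(request_count=5000, failed_count=20, p95_duration_ms=200.0)
    samples = {
        "healthy":     SlotTelemetry(1000, 5, 210.0),
        "too quiet":   SlotTelemetry(50, 0, 100.0),     # zero errors, but no evidence either
        "error spike": SlotTelemetry(1000, 30, 200.0),
        "slow":        SlotTelemetry(1000, 5, 300.0),
    }
    for label, canary in samples.items():
        print(f"{label:12s} -> {evaluate_gate(canary, baseline)}")
```

The "too quiet" case is the one that separates a fail-closed gate from a naive error-rate check: a canary that saw 50 requests and no failures has not proven anything, so the gate rolls back and the pipeline can re-run with more traffic. An approver who wants to promote anyway has to say so in a form the audit log can carry forward.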
◇ Architecture · System design

Blue/Green Private Azure Landing Zone

A private-only hub-and-spoke design connecting Databricks, two AKS clusters, and three Container Apps environments — all PaaS via private endpoints, no public IPs, east-west forced through an Azure Firewall, blue/green cutover as a single Pulumi config flip.

Demonstrates: senior architecture judgment — choosing the blue/green seam by where state is cheap, central private-DNS strategy, CNI-overlay IP planning, and CrossGuard policy-as-code enforcing "private-only."
Pulumi (C# / AzureNative) · Hub-and-spoke · Private Endpoints · Private DNS · AKS · ACA · Databricks
Design doc + component plan
◇ IaC · Hands-on lab

Terraform: State, Drift & Refactor Lab

A single stack that chains the mechanics that actually break real Terraform estates — backend state locking, for_each/dynamic, validated variables, import of out-of-band resources, refresh-only vs. apply drift handling, and a zero-diff module refactor with moved blocks.

Demonstrates: IaC fluency beyond "terraform apply" — the state-hygiene and refactoring discipline that separates a cert from hands-on capability.
Terraform 1.10+ · State / locking · Modules & moved · LocalStack
Lab repo + runbook

Build artifacts are independent clean-room demonstrations of patterns I've shipped in production, isolated so the mechanics are easy to review. They are not the property of any prior employer. Repository links shared on request.

03 · Experience

Workforce- and visitor-management SaaS for regulated and compliance-driven industries — offshore drilling, manufacturing, healthcare, and union-restricted facilities.

DevOps Engineer — Savance, LLC
Commerce, MI · Nov 2019 – Jul 2023
Sole DevOps / platform engineer — owned the Azure migration, CI/CD, the SOC 2 program, and product integrations end to end.
  • Led the on-premises datacenter → Azure lift-and-shift as program owner — designed the migration, stood up the App Service + Azure SQL environment, chose Azure Front Door (WAF) over Azure Firewall, and ran production cutovers with monitoring and validation (including an Azure SQL query-optimizer fix: 20 min → sub-second).
  • Built and operated the Microsoft-stack CI/CD pipeline in Azure DevOps, cutting production releases from ~2 hours of manual deploy-and-verify to ~20 minutes; sole Azure DevOps administrator for branch policies, access, and release gating.
  • Drove the company's SOC 2 program — hosted the internal audits on a GRC platform (Sprinto), implemented org-wide MFA and Azure AD Conditional Access, least-privilege RBAC, Snyk code scanning, and TLS hardening, and drove the PCI "stop storing card data" decision.
  • Shipped software: led a background-check database + API integration, architected an access-control event-ingest service (Windows service / Linux container), drove an Angular 14 modernization, and built a reusable C# USB device library stable across sleep/restart/port changes on 70+ mustering tablets.
  • Owned the hardware integration portfolio (Brivo, Kantech, C-Cure, Lenel, Genetec, AMAG + Gemalto/DYMO/RFIdeas SDKs), automated kiosk provisioning in PowerShell (~30 → ~3 min/unit), and stood up Datadog RUM / Application Insights observability.
Software Support / Implementation Engineer — Savance, LLC
Commerce, MI · Aug 2018 – Nov 2019
  • Primary technical contact for new-customer rollouts and administrator onboarding across on-prem IIS, SQL Server, and Windows; built SSRS reporting and authored 40+ knowledge-base articles that cut repeat tickets.
Career Break — Family Caregiving
2023 – 2025
  • Stepped away from full-time work to care for a family member who has since passed away; completed an M.S. in Information Technology (ASU) and stayed current through hands-on IaC, AKS, and CI/CD projects. Fully refocused on infrastructure ownership since.
04 · Credentials & stack

Re-establishing a current, legible baseline after the break — paired with the hands-on builds above so it's never "certified but never shipped it."

Earned
Microsoft Certified: Azure Administrator Associate
AZ-104 · certified June 2026
In progress
Microsoft Certified: Azure DevOps Engineer Expert
AZ-400 · authored a 600-question study bank from the official path
Prep
HashiCorp Certified: Terraform Associate (003/004)
hands-on lab built; cert is filter-clearing, the repo is the proof
Earned
M.S., Information Technology
Focus: Information Systems Management · Arizona State University
Azure
AKS · App Service · Front Door (WAF) · VNet / Private Endpoints · Entra ID (Azure AD) · Azure SQL · Defender for Cloud · Monitor / App Insights / KQL · Key Vault
IaC & CI/CD
Bicep · Terraform · Pulumi · Azure DevOps Pipelines · GitHub Actions · OPA / Policy-as-code
Languages
C# / .NET · PowerShell · Python · Bash · T-SQL · KQL
Security & compliance
SOC 2 (TSC) · Conditional Access / MFA · RBAC / IAM · GRC automation (Sprinto) · Snyk · TLS hardening

Let's talk infrastructure.

Open to senior Azure DevOps / platform engineering roles. If you're modernizing pipelines, standing up a private Azure landing zone, or prepping a SOC 2 audit, I can take ownership from day one.