Rohan_SrSRE_InfraCloud


Rohan Aher

Senior Site Reliability Engineer


rohan.aher@infracloud.io

Summary

Experienced DevOps engineer with experience in planning, designing, and implementing Cloud
DevOps with microservices architecture and maintaining it on AWS/Azure/OCI/GCP Cloud
platforms in the Financial, Banking, Automotive and Blockchain industries.

Skills
● Kubernetes:
○ Master and Worker Nodes.
○ Control Plane Components: ETCD, API Server, Scheduler, Controller
○ Objects: Kubelet, Kubectl, KubeProxy, Pods, Deployments, Services, Stateful sets,
Network Policies, Namespaces, Security, CSR generation, Ingress Controller, Ingress
Resource, RBAC at namespace and Cluster level
● Service Mesh Tools - Istio, LinkerD
● Kubernetes Automation Tools: Helm , Helm Chart, Kustomize
● CI/CD Tools - Jenkins , AWS DevOps(AWS CodePipeline, Code build, Code deploy),
ArgoCD.
● IaaC Tools - Terraform, Cloudformation
● Policy Engine tools: Kyverno , OPA
● GCP Services – Compute Engine, Google Kubernetes Engine, Redis, Artifact Registry, App
Engine, VPC, Cloud Storage, Cloud SQL, Cloud Datastore, IAM, Stack Driver, Cloud DNS
● Azure Services – Virtual Machines, AKS, ACR, Virtual Networks, Application Gateway,
Storage Account
● AWS Services – EC2, ECS, EKS , IAM, VPC, S3, RDS, Route53, Lambda, CloudFront,
CloudTrail, CloudWatch, AWS DevOps, Security, Networking Services
● Docker - Docker Image, Docker Container, Pull and push image on Docker hub
● Monitoring Tool – Prometheus, Grafana
● VCS - GitHub, Bitbucket
● Configuration Management Tool: Ansible
● Installation and configuration of HTTP Server using Apache, Nginx, Mail Server using
Postfix, Exim, Database Server using My-SQL, Mariadb, Mongodb
● Installation and configuration of NFS and SAMBA Server
● Implementation of ISCSI Server for using ISCSI block devices as Remote disks
● Installation and Configuration of RHEV Manager and RHEV Hypervisor
● Managing Virtual Machines, Templates, Snapshots and Users
● Managing Files, Directories, Users, Groups and Permissions in Linux
● Operating System – RHEL 6/7, Centos 6/7, SUSE, Ubuntu, Debian, Windows 8/7/XP,
Windows Server 2012

Work Overview
InfraCloud Technologies - (Sept 2024 - Present)

● Recently joined InfraCloud technologies


● Undergoing bootcamp with InfraCloud

Forcepoint - (Oct 2023 - Sept 2024)

● Managing the organization product on multiple Cloud infrastructure and optimizing their
applications.
● Designing and implementing the secure Cloud architecture to connect their applications
internally using AWS and OCI Private Network Architecture using VPC Peering, Site to Site
VPN connection.
● Experience in implementing secure and highly available distributed microservices.
● Deploying their Cloud infrastructure using Terraform.
● Designing Helm Charts for their applications and deploying it through Gitops Tool i.e
ArgoCD on OKE and EKS Cluster.
● Centralizing multiple Clusters to deploy applications from a single source of point through
ArgoCD.
● Proposing best practices for security, resiliency, cost optimization design on AWS EKS and
Oracle OKE Clusters.
● Centralizing all the secrets inside AWS Secret Manager and managing it using External
Secrets Operator on K8s Clusters.
● Worked on monitoring architecture using Prometheus, Grafana Cloud.
● Integrating AWS RabbitMQ with EKS Cluster.
● Experience working with Redis Cache, Elastic-Search , Kibana and Cloudwatch for Logging
Architecture and storing caches.

Mudrex (Dec 2022 - Till Oct 2023)

● Designed and implemented Cloud infrastructure and Micro-service Architecture on
AWS/GCP.
● Created reusable infrastructure code using Terraform modules.
● Planned and migrated AWS ECS based application to Google Kubernetes Engine for Dev
Environment.
● Designed and created Kustomize Code flow for internal applications.
● Adoption of GitOps Methodology for Pull based CI/CD approach using Git, ArgoCD,
Jenkins/GitHub Actions.
● Worked with Developer Teams for troubleshooting applications on Kubernetes.
● Configuring Application Alerts, SSO LDAP login, Policies for ArgoCD.
● Experience in working with Service Mesh tools such Istio and Linkerd.
● Integrating Monitoring and Logging solutions like: Prometheus, Grafana, Loki and Elastic
Cloud on Kubernetes(ECK).
● Installing external apps into GKE/EKS Cluster using Helm chart in ArgoCD such as
(External DNS, Consul, MongoDB, Konga, Kong-gateway, CertManager, External Secrets,
Ingress Controllers, etc.)
● Configured HPA and cluster autoscaling.
● Configuring Private Certificate on EKS using Vault PKI for internal domain resolving.
● EKS backup using Velero.
● Custom Networking on EKS.
● Worked with KubeCost for Cost monitoring and recommendations.
● Integration of AWS Private link for Cross AWS account private VPC connectivity to
connect APIs.
● Worked with Version Control System tool extensively: GitHub, BitBucket
● Exposure on Kubernetes Security: Network Policies, RBACs, Pod Security Policies,
Admission WebHooks, Supply Chain Securities, Audit logs, System Calls Restriction, Cloud
Service Accounts.
● Basic knowledge of Golang.

Cloudxchange.io (Jan 2021 – Dec 2022)

● Design and implementation of more than 20 AWS accounts using AWS landing zone to
centrally manage and govern the environment as resources grow using AWS Control
Tower, AWS Organization Unit, SCP, Direct Connect, Transit Gateway.
● Design and implementation of Azure Landing Zone with Multiple Azure Subscription,
Resource Group, Express Route Circuit, Vnet Transit Peering.
● Microservice Architecture.
○ Deployed Microservice Architecture on EKS in AWS.
○ Deployed and managed 30+ EKS Cluster through Terraform, eksctl and
Cloudformation.
○ Integrating Monitoring and Logging solutions: Prometheus, Metrics Server,
Grafana, AWS CloudWatch, AWS EFK Stack using AWS OpenSearch, Fluentbit,
Kibana.
○ Installing and updating Addons such as AWS Ingress Controller, EBS CSI Driver, EFS
CSI Driver, Fluentbit, Fluentd, Secret Manager CSI Driver using IRSA and defining
Affinity, Anti-Affinity, Resource Limits, Security Context, PVC/Secret/Configmap
mounting in YAML file for Pod deployment.
○ Configuring Cluster Autoscaling on EKS by deploying HPA, Cluster Autoscaler and
metrics server. Configuring EMR on EKS for Data Processing.
○ DevOps Integration – Azure DevOps with EKS and Jenkins with EKS for CICD
Pipeline and pulling Container Images from ECR.
● EKS Security:
○ Implementing Authentication and authorization on EKS Cluster for IAM user, IAM
Groups, IAM roles. Upgrading EKS Cluster, Worker Nodes, different Addons and
moving workloads to new nodegroup.
○ RBACs – Roles, RoleBinding, Cluster Roles, Cluster Role Binding for Authorization.
○ Deploying EKS Cluster Custom CIS Benchmark AMI images for EKS Worker Nodes
using Packer tool.
○ Encrypting EKS Cluster, Nodes, EBS, EFS using AWS KMS, AWS ACM and enabling
Security Policy for strong CIPHERS to secure Host on ALB. Integrating WAF with
ALB.
○ Creating AWS Private Endpoints for different AWS for EKS Connectivity.
○ Enabling Cloudtrail logs for API activity.
○ Fixing VACA Scan reports for EKS Cluster using CIS Benchmark.
○ Integration of Secret Manager with EKS for storing Credentials and SSL Certificates
and Private keys using Kubernetes Secrets Store CSI Driver as an Addon.
○ EKS Backup using Velero tool.
● Kubernetes Security:
○ For static analysis of user workloads Kubernetes resources using Kubesec.
○ Seccomp Profiles for SYSCALLS restrictions.
○ Using kernel hardening tools such as AppArmor, seccomp
○ Deploying PSP, OPA, security context for Pod level Security.
○ Ensure immutability of containers at runtime.
○ Use Audit Logs to monitor access.
○ Restrict access to Kubernetes API using RBACs. Scan images for known
vulnerabilities.
○ Defining Falco Rules for EKS API logging. Creation and mounting Secrets on Pod.
● Analyzed and made recommendations in areas of Cost Optimization, Performance, Security,
Fault tolerance and service limits using AWS Compute optimize, trusted advisor, billing
dashboard, budget alert, CloudWatch Log groups retention, backup policy, reserved
instance for EC2 and RDS, savings plan, Cost explorer, Billing tags enabling.
● Analyzing WAR (Well Architect Framework) questionnaires with Customer and fixing it.
● Implemented Network Firewalls at all layers using Security Groups, NACL, AWS/Azure
WAF, 3rd party Firewalls – Palo-Alto, Checkpoint.
● Used CloudFormation/Terraform to create templates and provisioned resources.
● Leveraged IAM service to implement strong identity foundation and enforced least
privilege principle, credential management, including STS, MFA, Web Identity, SSO, AWS
Cross account access.
● Setup controls using preventive and detective Guardrails for unauthorized actions and
detected security weaknesses such as Unencrypted EBS volumes, SSH, etc.
● Enabled versioning and configured S3 lifecycle policies to back up and archive files in
Glacier.
● Scheduled regular backups by leveraging EC2 Lifecycle manager to create snapshots of
EBS volumes and define retention period as a cost saving measure on different
environments such as Production, Quality, Staging, UAT.
● Cloud Networking:
○ AWS: VPC, Subnet, Route table, Internet Gateway, Nat Gateway, VPC Endpoint, VPC
Endpoint Services, Site to Site IPsec tunnel using Virtual Private gateway and customer
Gateway, VPC Peering, AWS Direct Connect, Transit Gateway, Bastion Host.
○ Azure: Virtual Network, Subnets, Network Security Group, Site to Site IPsec tunnel using
Local Gateway and Network Gateway, ExpressRoute Circuit, VNet Peering and Transit
Peering, Endpoint, Endpoint Service.
○ Oracle: Virtual Machines, VCN, Subnet, Route Table, Internet Gateway, Nat Gateway,
Dedicated Private connectivity using Fast Connect, Site to Site IPsec tunnel using
Customer and Virtual Private Gateway, VCN Peering.
● Classified and encrypted data with KMS, managed secrets, with Secret manager and
Parameter store.
● Used Security services – including AWS – IAM SCP, IAM Roles, IAM Policy, AWS SSO,
Guard Duty, Macie, Detective, AWS config, AWS Inspector to generate detailed findings
and identify root cause of security
● Azure – User Service access, Azure Defender.

Mactores (Sep 2018 – Feb 2019)

● Creation of Linux/Windows instances in AWS, GCP and Azure and configuring it as per
requirement.
● Installing Web Server, i.e Apache, Tomcat on Linux and IIS on Windows Servers,
● Installing and configuring NFS on Linux Servers.
● LVM Configuration on Linux Servers.
● Setting Cron jobs for Backup to be stored in S3 Bucket.
● Configuring AWS CloudWatch Alarm on Linux and Windows instance for CPU, Memory,
Disk Utilization, etc. through JSON script.
● Cloud Networking on AWS/GCP/Azure.

Geeks Technologies (Feb 2017 - Mar 2018)


● Experience in troubleshooting the issues related to APACHE, MYSQL , MAIL Server.
● Server Hardening on a new Linux server through SSH with respect to company defined
policies.
● Worked on different panels like cPanel /WHM, Plesk, Heart-Internet.
● Migration of accounts from one cPanel to another cPanel and Server to Server.
● Basic Tasks on SolusVM and Virtualizor.
● AWS Infrastructure management:
○ EC2: Instance Creation, AMI Creation, EBS Volume Creation and attaching to
instance.
○ IAM: User creation, policy creation, Role creation, Programmatic Access to users.
○ CloudWatch: Configuring CloudWatch Alarm with SNS Topic for CPU Utilization,
System Status, Instance Status, Networks from AWS Console
○ S3: Creating S3 buckets for storing backups and logs

Certifications

● Certified Kubernetes Administrator. (LF-vb7zo3wc01)


● Prometheus Certified Associate. (LF-y2zd5cqgxc)
● Certified Kubernetes Security Specialist. (LF-4xb78zow90)
● AWS Certified Security – Specialty. (R34D2M9JMJBEQ9WW)
● AWS Certified Solutions Architect - Associate Level. (TG33D5VCL111QZCS)
● RED HAT Certified Engineer. (160-191-524)
● RED HAT Certified System Administrator. (160-191-524)
● Istio Service Mesh by KodeKloud (758B8EF4DF-736CEACA91-736CEACA91)