[{"content":" Over a decade of enterprise infrastructure delivery — from field engineering to regional cloud and security leadership across five Asia-Pacific markets, with a consistent focus on outcomes that hold under operational pressure. I currently serve as Senior IT Officer at Scholastic Asia, leading regional infrastructure strategy, cloud modernization, and cross-country security and operations programs spanning Malaysia, Singapore, India, China, and the Philippines.\nDisciplines # Cloud Architecture \u0026 AWS Infrastructure as Code (Terraform) Enterprise Security \u0026 Compliance Multi-Site Network Modernization Reliability \u0026 Cost Optimization DevOps \u0026 CI/CD Governance Security Operations \u0026 SIEM Hybrid \u0026 On-Prem Infrastructure How I work: Architecture decisions are anchored to business goals, security is enforced by design rather than retrofitted, repeatable operations are automated, and everything critical to long-term maintainability is documented. I measure success by outcomes teams can own and sustain — not by effort or activity. The Work # Cloud \u0026 AWS Network \u0026 Security Homelab Privacy AWS Modernization\nA platform-wide restructuring of Scholastic Asia’s AWS environment — network segmentation, least-privilege IAM, and policy-driven deployment pipelines. 
Infrastructure moved from reactive, ad-hoc operations to a structured, Terraform-backed delivery model with a full audit trail on every change.\nAWS Resource Migration\nEnd-to-end migration of a business-critical application from deprecated Windows Server EC2 instances to Windows Server 2022 — covering fresh IIS and SQL Server provisioning, security hardening, and a three-environment promotion pipeline with zero unplanned downtime.\nCost Governance\nSustained cost reduction through instance rightsizing, lifecycle policy enforcement, and intelligent storage tiering — delivering measurable savings on recurring AWS operational spend.\nFive-Country Network Overhaul\nFull network modernization across all five Scholastic Asia locations — Cisco switching, Palo Alto NGFW deployment, FortiNAC for network access control, and SOC-ready telemetry integration into SolarWinds and IBM QRadar.\nCIS Controls v8 Enforcement\nLed enterprise-wide CIS Controls v8 implementation across cloud, network, identity, and endpoint control domains — establishing a measurable, auditable security baseline across the Asia region, with audit-ready evidence packages delivered for US InfoSEC validation.\n88TB Enterprise File Migration\nFull migration of 88TB of enterprise content from AWS-hosted Citrix ShareFile StorageZone to Dropbox Business — delivered within two months under active production load, with zero data integrity issues.\nGitOps-Driven Kubernetes\nA single-node Talos Linux cluster running as a production-discipline platform: Flux continuously reconciles all cluster state from Git, sealed secrets committed to the repository, wildcard TLS automated via cert-manager, and a unified Prometheus/Loki/Grafana observability stack covering the full stack.\nThe homelab is where patterns are validated before they reach enterprise infrastructure — GitOps workflows, security controls, and operational runbooks are tested here first.\nDigital Privacy as Practice\nPrivacy is not a product or a setting — 
it is an operational discipline applied consistently across tooling, communication, and infrastructure choices. The same principles that govern enterprise security posture apply to personal digital hygiene: least-privilege access, minimal data exposure, and deliberate control over identity and communication channels.\nThe Privacy Advocacy page covers the reasoning, the tools, and the practical steps in detail.\nOperating Principles # Principle Application Security by design Controls are built into architecture from the start — not layered on after the fact Code over console Every infrastructure change goes through a pipeline — no undocumented manual state Documentation as a deliverable Runbooks, architecture diagrams, and procedures are part of the work, not an afterthought Outcomes over activity Success is measured by what the team can own and sustain, not by hours or deliverables shipped Professional Journey # Each role below built on the last — from hands-on field engineering to enterprise-scale infrastructure leadership across cloud, networking, and security. Senior IT Officer 2021 – Present Scholastic Asia Leading regional IT infrastructure across five Asia-Pacific markets, with accountability for cloud architecture, security posture, and operational continuity at enterprise scale.\nArchitect and maintain AWS environments with security, resilience, and cost governance as core design principles. Direct cross-country network modernization, firewall migration, and SOC enablement programs. Drive CIS Controls v8 enforcement and deliver audit-ready compliance evidence for US InfoSEC validation. Lead major migrations and infrastructure transitions under active production load with zero service impact. 
IT Manager / System Integrator 2019 – 2021 PilotTV Philippines Shaped long-term IT strategy and unified a fragmented technology environment into a coherent, interoperable platform aligned to business operations.\nAssessed infrastructure maturity and planned future-state capabilities across the organization. Integrated disparate systems and applications to eliminate operational silos and improve reliability. Managed end-to-end integration projects from requirements through delivery, on scope and on schedule. IT Specialist 2016 – 2019 FocusMedia Audiovisual Inc. Owned day-to-day IT operations, maintaining endpoint performance, security compliance, and user account governance across the organization.\nDelivered technical support across hardware and software installation, configuration, and fault resolution. Administered user account lifecycle controls aligned with security policy and access governance standards. Managed software rollouts and system updates to sustain endpoint consistency and operational uptime. IT Field Engineer 2014 – 2016 eMechanics Computer \u0026 Peripherals Inc. Delivered on-site technical execution for mission-critical deployments across financial services infrastructure, where precision and uptime were non-negotiable.\nInstalled, configured, and network-integrated ATM and POS platforms at client sites nationwide. Executed preventive maintenance and system updates to maximize reliability and minimize service disruption. Coordinated with technical teams to triage and resolve field incidents within SLA windows. Remote Desktop Specialist 2013 Accenture Provided enterprise-grade remote technical support, building early foundations in structured problem-solving, security response, and end-user communication under pressure.\nResolved complex software issues remotely, reducing end-user downtime and escalation rates. Detected, removed, and remediated malware and cybersecurity threats across managed endpoints. 
Optimized system performance and stability through targeted diagnostics and tuning protocols. ","externalUrl":null,"permalink":"/aboutme/","section":"whilcayangyang.me","summary":"","title":"Infrastructure Leader — Cloud, Security \u0026 DevOps Across APAC","type":"page"},{"content":" A decade of enterprise infrastructure delivery — from field engineering to regional cloud and security leadership — built on a foundation of precision, governance, and outcomes that last. Technical Excellence # The disciplines below represent areas where I have delivered real outcomes in production environments — not certifications on paper, but capabilities applied under operational pressure across multi-site, multi-country enterprise infrastructure.\nAWS Terraform GitHub Actions Cybersecurity Networking Linux Kubernetes GitOps Cloud \u0026 Infrastructure DevOps \u0026 Automation Networking \u0026 Security Platform Engineering Capability Depth How I Apply It Amazon AWS Advanced Architecting multi-account environments with resilient networking, least-privilege IAM, and cost-managed operations at scale. Containerization Advanced Defining production container standards, securing image delivery pipelines, and optimizing runtime performance for reliable workloads. Linux Advanced Operating hardened Linux systems for high-availability workloads, performance tuning under load, and structured incident recovery. Observability \u0026 Monitoring Advanced Building metrics, log, and trace pipelines with proactive alerting, SLO alignment, and root-cause analysis capability. Capability Depth How I Apply It Terraform Advanced Delivering modular, policy-controlled Infrastructure as Code with remote state strategy and safe, auditable change promotion. GitHub Actions Advanced Designing enterprise CI/CD pipelines with reusable workflows, approval gates, and release governance built in from the start. 
Ansible Advanced Automating baseline configuration, patch orchestration, and compliance drift remediation across large fleet environments. Bash Scripting Expert Building robust automation for provisioning, operational diagnostics, and repeatable runbooks that reduce human error. Capability Depth How I Apply It Networking Expert Designing segmented, redundant network architectures with structured routing, firewall policy enforcement, and secure remote access. Cybersecurity Advanced Operating defense-in-depth controls with SIEM telemetry, detection engineering, and documented incident response processes. Cloudflare Advanced Securing edge delivery with Zero Trust access policies, WAF rule management, DNS governance, and performance optimization. Threat Modeling \u0026 Hardening Advanced Leading threat modeling sessions and platform hardening programs to reduce attack surface and enforce measurable secure baselines. Capability Depth How I Apply It Kubernetes Advanced Running production-grade workloads with namespaced isolation, RBAC least-privilege, resource governance, Helm-managed releases, and operational discipline applied consistently across every service. Talos Linux Advanced Provisioning Kubernetes nodes on an immutable, API-driven OS with no shell access and no manual state — the OS layer is as declarative and reproducible as the cluster above it. GitOps / Flux CD Advanced Enforcing Git as the single source of truth with continuous reconciliation via Flux — no manual kubectl apply, no configuration drift, every change traceable to a commit. Platform Security Advanced Layering security across the full stack: encrypted secrets committed to Git via Sealed Secrets, continuous vulnerability and misconfiguration scanning with Trivy Operator, and metrics surfaced to Prometheus for security-posture dashboards in Grafana. 
Professional Journey # Each role below built on the last — from hands-on field engineering to enterprise-scale infrastructure leadership across cloud, networking, and security. Senior IT Officer 2021 – Present Scholastic Asia Leading regional IT infrastructure across five Asia-Pacific markets, with accountability for cloud architecture, security posture, and operational continuity at enterprise scale.\nArchitect and maintain AWS environments with security, resilience, and cost governance as core design principles. Direct cross-country network modernization, firewall migration, and SOC enablement programs. Drive CIS Controls v8 enforcement and deliver audit-ready compliance evidence for US InfoSEC validation. Lead major migrations and infrastructure transitions under active production load with zero service impact. IT Manager / System Integrator 2019 – 2021 PilotTV Philippines Shaped long-term IT strategy and unified a fragmented technology environment into a coherent, interoperable platform aligned to business operations.\nAssessed infrastructure maturity and planned future-state capabilities across the organization. Integrated disparate systems and applications to eliminate operational silos and improve reliability. Managed end-to-end integration projects from requirements through delivery, on scope and on schedule. IT Specialist 2016 – 2019 FocusMedia Audiovisual Inc. Owned day-to-day IT operations, maintaining endpoint performance, security compliance, and user account governance across the organization.\nDelivered technical support across hardware and software installation, configuration, and fault resolution. Administered user account lifecycle controls aligned with security policy and access governance standards. Managed software rollouts and system updates to sustain endpoint consistency and operational uptime. IT Field Engineer 2014 – 2016 eMechanics Computer \u0026 Peripherals Inc. 
Delivered on-site technical execution for mission-critical deployments across financial services infrastructure, where precision and uptime were non-negotiable.\nInstalled, configured, and network-integrated ATM and POS platforms at client sites nationwide. Executed preventive maintenance and system updates to maximize reliability and minimize service disruption. Coordinated with technical teams to triage and resolve field incidents within SLA windows. Remote Desktop Specialist 2013 Accenture Provided enterprise-grade remote technical support, building early foundations in structured problem-solving, security response, and end-user communication under pressure.\nResolved complex software issues remotely, reducing end-user downtime and escalation rates. Detected, removed, and remediated malware and cybersecurity threats across managed endpoints. Optimized system performance and stability through targeted diagnostics and tuning protocols. ","externalUrl":null,"permalink":"/profile/","section":"whilcayangyang.me","summary":"","title":"A Decade of Enterprise Infrastructure Delivery","type":"page"},{"content":" Scholastic Asia AWS Implementation \u0026 Cost Optimization # A full AWS modernization program that moved the environment from reactive, ad-hoc cloud operations to structured, policy-driven infrastructure — with stronger security, lower costs, and auditable governance at every layer. AWS Architecture Terraform IaC CI/CD Governance Cost Optimization Security Hardening Objective: Redesign AWS architecture for performance, security, governance, and sustainable cost efficiency — replacing manual operations with policy-driven, code-first infrastructure delivery. Program Scope # This initiative modernized cloud foundations across networking architecture, provisioning standards, and cost governance controls. 
The environment moved from reactive operations — where changes were made manually and inconsistently — to a structured, policy-driven cloud platform where every change is deliberate, validated, and traceable.\nModernization Workstreams # VPC Redesign Infrastructure as Code Cost Optimization Security Hardening Network Architecture Restructuring\nThe existing VPC architecture had accumulated technical debt — overly permissive security groups, flat subnet design, and weak boundary enforcement. The redesign addressed all of it.\nKey changes implemented:\nClear separation of public and private subnets with appropriate routing boundaries Hardened route table design and explicit path controls between zones Optimized S3 gateway endpoint connectivity to eliminate unnecessary data egress Enforced stricter Network ACL policies at the subnet boundary level Applied least-privilege Security Group rules across all compute resources Outcome\nReduced exposure risk and lateral movement surface, improved workload isolation between tiers, and established a stronger, auditable network security baseline.\nTerraform-Driven Delivery Model\nManual infrastructure changes were replaced with a structured Terraform-based delivery model — every resource defined in code, every change going through a controlled pipeline.\nImplementation:\nRebuilt infrastructure using modular Terraform design patterns for reusability and clarity Source stored in Bitbucket with full change history and access controls Terraform plans executed through CI/CD pipelines — no manual console changes permitted Governance Effect\nEvery infrastructure change passed automated validation before reaching the environment. 
This eliminated configuration drift, reduced human error, and created a complete audit trail of every change made to the platform.\nOutcome\nInfrastructure became predictable, reproducible, and safe to change — the foundation for all future platform growth.\nSystematic Cost Reduction\nCloud costs had grown without governance controls. A structured audit and optimization program addressed both recurring waste and architectural inefficiency.\nOptimization actions taken:\nApplied EC2 Savings Plans to committed workloads for significant compute discounts Right-sized instance types based on actual utilization data — not assumed capacity Removed unused Elastic IP addresses accumulating idle charges Cleaned orphaned snapshots that were consuming storage without purpose Deleted stale AMIs no longer referenced by any active infrastructure Removed unattached EBS volumes left behind by terminated instances Transitioned S3 backup data to Glacier storage class for long-term cost reduction Result\nSignificant reduction in monthly AWS spend. 
Resource utilization efficiency improved, and cloud spending shifted from reactive consumption to managed, governed investment.\nSecurity Controls Strengthened\nSecurity improvements were applied across network policy, access governance, and attack surface reduction — not as a separate project, but embedded into the modernization itself.\nControls enforced:\nVPC Network ACL policy boundaries tightened at the subnet level Security Group rules reviewed and restricted to verified required access only Unused and orphaned resources removed to eliminate unnecessary attack surface IAM roles and policies audited and restructured under least-privilege principles Unmanaged or overly broad permissions revoked across all accounts Outcome\nThe AWS environment became more structured, auditable, and defensible — operating under a consistent least-privilege model with clearly defined access boundaries and no unnecessary exposure.\nImplementation Summary # Domain Actions Implemented Measurable Value Network Architecture Subnet separation, route hardening, ACL and Security Group enforcement Better segmentation, reduced exposure, stronger workload isolation Delivery Governance Terraform modules + Bitbucket + CI/CD pipeline validation No configuration drift, complete change audit trail, safer deployments Cost Management Savings Plans + lifecycle cleanup + storage class tiering Lower recurring spend, improved utilization, governed cloud investment Security Posture IAM review + access boundary tightening + resource cleanup More auditable, defensible environment under least-privilege model Business Impact # Improved platform reliability through cleaner architecture boundaries and consistent configuration. Reduced security risk through least-privilege enforcement, network hardening, and attack surface reduction. Lowered cloud run-rate cost through structured, systematic optimization across compute, storage, and network resources. 
Established a repeatable governance model for all future AWS growth — changes follow the same controlled, auditable process. Closing Notes # This implementation delivered a balanced AWS strategy: high-performing infrastructure, enforceable governance, stronger security controls, and sustainable cost efficiency — not as trade-offs against each other, but as outcomes that reinforce one another when the architecture is built right.\n","externalUrl":null,"permalink":"/projects/aws-cloud/","section":"Projects","summary":"","title":"From Reactive to Governed: AWS Modernization at Enterprise Scale","type":"projects"},{"content":" Citrix ShareFile StorageZone Migration to Dropbox Business (2025) # An end-to-end server-side migration of 88TB from a legacy Citrix ShareFile StorageZone on AWS to Dropbox Business — executed under a strict two-month timeline with zero service interruption and zero data loss. AWS EC2 + S3 Source PowerShell Automation Dropbox API Integration 88TB Migrated Governance-First Cutover Objective: Lead the full server and infrastructure migration of 88TB from AWS-hosted Citrix ShareFile StorageZone to Dropbox Business — with minimal disruption, strong integrity validation, and production-safe execution throughout. Source Environment and Constraints # The legacy environment being migrated was not a simple file share. 
It was an active enterprise storage platform under continuous production load.\nLegacy architecture:\nWindows Server on AWS EC2 Backend storage in Amazon S3 Citrix ShareFile StorageZone controller managing user access Active production traffic throughout the migration window Critical constraints that shaped every design decision:\n88TB of data across mixed file sizes and complex directory structures Continuous user access — no maintenance windows or service blackouts permitted Strict data integrity requirements with zero tolerance for loss or corruption Two-month delivery deadline with no timeline flexibility This required an engineered migration pipeline — not a basic file copy approach.\nMigration Architecture and Strategy # Execution Model Automation Framework API Integration Integrity Controls Server-Side Controlled Execution\nThe migration ran from a dedicated AWS Windows EC2 host co-located with the source data. This was a deliberate architectural choice, not a default.\nBenefits of running server-side:\nProximity to S3 source data eliminated egress latency and variability Centralized control over bandwidth utilization and transfer pacing Consolidated logging and operational monitoring in one place Avoided client-side transfer variability that would have introduced unpredictability at scale This approach gave the migration infrastructure-level predictability and control that no client-side tool could match.\nPowerShell Migration Engine\nA structured, purpose-built PowerShell framework was engineered from the ground up to handle the scale, duration, and complexity of this migration.\nDesign requirements:\nModular — components independently testable and replaceable Retry-capable — transient failures handled automatically without data loss Log-driven — structured output for real-time monitoring and post-run analysis API-integrated — direct Dropbox API interaction for deterministic transfer behavior Batch-optimized — parallel processing tuned for throughput 
within API and resource limits Core capabilities:\nRecursive directory parsing and structure replication Parallel transfer batching with configurable concurrency Metadata validation before and after transfer Checkpoint tracking for progress persistence Resume capability — interrupted runs restart exactly where they stopped Structured logging for every operation, success, and failure This framework ran continuously for two months with minimal manual intervention, handling tens of millions of file operations across 88TB of data.\nDropbox API Pipeline\nRather than relying on sync clients or desktop tools, the migration was implemented as a direct Dropbox API integration — treating the destination as a data pipeline endpoint.\nAPI pipeline capabilities:\nSecure authentication through token management and refresh handling Programmatic folder hierarchy creation matching the source structure File upload via controlled API workflows with response validation Return code capture for integrity confirmation on every transfer Structured error handling with automatic retry on transient failures Why API-driven matters at this scale:\nDeterministic transfer behavior — no sync client guessing or conflict resolution Stronger error visibility — every failure captured, categorized, and logged Controlled retry logic — failed transfers retried intelligently without duplicating successful ones Scalable batch processing — throughput tuned to stay within API rate limits while maximizing speed The migration functioned as a managed data pipeline, not a manual transfer task.\nData Validation and Throughput Control\nAt 88TB, integrity validation was not optional. 
Every safeguard was designed to catch failures before they became permanent data loss.\nIntegrity safeguards:\nPost-transfer file size validation against source records API-confirmed transfer success checks on every upload Structured failure logging with categorized error types Automated retries for all transient and recoverable failures Transfer state tracking enabling full resumability from any point Throughput was continuously tuned to balance competing constraints:\nMaximizing transfer speed within API rate limits Maintaining EC2 CPU, memory, and disk I/O within stable operating ranges Sustaining network throughput without destabilizing co-located workloads Preventing S3 read throttling under sustained high-volume access Result: 88TB transferred with zero critical data loss and no integrity failures reported.\nAWS Infrastructure Management # Running a sustained 88TB migration on AWS required careful infrastructure oversight throughout the two-month window:\nMonitoring EC2 CPU, memory, and disk I/O to detect degradation early Sustaining adequate network throughput without impacting other workloads Managing S3 read performance under continuous high-volume access Enforcing IAM least-privilege access scoped to migration operations only Tracking and managing cost impact of sustained data transfer at this scale The migration was completed without destabilizing any other AWS workloads running concurrently.\nSecurity and Compliance Hardening # Security controls in the Dropbox Business environment were configured and validated before user cutover — not after.\nControls established prior to onboarding:\nRole-based access control with appropriate permission mapping Folder-level permission alignment with the source access model Administrative governance policies and sharing restrictions Audit log configuration for ongoing access visibility Data access restrictions aligned with organizational policy This ensured that users were onboarded to a platform that was already 
secure and governed — not one being hardened in parallel with active user adoption.\nOperational Transition and Knowledge Transfer # Project delivery included long-term operational enablement, not just migration completion:\nDetailed migration documentation covering architecture, execution, and decisions Execution workflow diagrams for process understanding and future reference Failure handling procedures for common error scenarios Structured operational handover to internal IT and support teams User onboarding sessions to ensure smooth adoption of the new platform The goal was durable platform stability — not a migration that ended at cutover and left a knowledge vacuum.\nStrategic Impact # Capability Area Delivery Value Large-Scale Data Movement Engineered 88TB migration under production load within a two-month deadline Automation Architecture Purpose-built PowerShell framework with checkpointing, retry logic, and resumability API Engineering Deterministic Dropbox API pipeline with end-to-end validation and structured error handling Risk Management Continuous user access maintained throughout with zero data integrity failures Governance-First Adoption Access controls, audit logging, and policies configured before any user cutover Running from the infrastructure layer provided control, predictability, auditability, and measurable validation outcomes that no off-the-shelf migration tool could deliver at this scale.\nClosing Summary # This was not a lift-and-shift migration. 
It was a structured transformation of an enterprise storage platform under active production load — delivered through purpose-built automation, direct API integration, and disciplined governance at every stage.\nThe result: 88TB migrated, users unaffected, data intact, and a new platform that was secure and operational from day one.\n","externalUrl":null,"permalink":"/projects/platform-migration/","section":"Projects","summary":"","title":"88TB, Zero Downtime: Enterprise File Platform Migration in Two Months","type":"projects"},{"content":" EC2 Windows Server Modernization: IIS and SQL Server Migration to Windows Server 2022 # A full-stack migration of a business-critical application running on deprecated Windows Server EC2 instances to Windows Server 2022 — provisioned fresh, hardened from the OS up, and promoted through three gated environments with zero unplanned downtime at cutover. AWS EC2 · Windows Server 2022 Terraform IaC IIS + SQL Server Migration Security Hardening Zero Downtime Cutover Objective: Replace deprecated Windows Server EC2 instances with a clean Windows Server 2022 environment — migrating IIS and SQL Server workloads, hardening the OS and application stack, and delivering IaC-backed infrastructure with full operational runbooks. The Problem # The application stack was running on EC2 instances with a deprecated Windows Server version — past end-of-support, no longer receiving security patches, and carrying the compliance and operational risk that comes with an EOL OS in production. 
The SQL Server and IIS configurations had accumulated undocumented changes over time, making the environment increasingly fragile.\nA side-by-side rebuild was the right call over an in-place upgrade: a fresh Windows Server 2022 environment could be hardened from scratch, validated independently in staging, and cut over to without risking the existing production instance until the new one was confirmed ready.\nThe brief was clear — no service interruption, no inherited configuration debt, and no undocumented environment handed to the operations team at the end.\nArchitecture # The new environment mirrors the existing AWS topology but on current, supported infrastructure. The deprecated EC2 instances are replaced by Windows Server 2022 equivalents, provisioned and configured from code.\nTier Design Decision Why Compute Fresh EC2 instances on Windows Server 2022 Clean OS baseline — no inherited configuration drift from the deprecated environment Load Balancer Application Load Balancer with TLS termination via ACM Certificate lifecycle automated; new instances registered without DNS disruption Application IIS on Windows Server 2022 in private subnets ALB-only ingress enforced — instances not directly internet-reachable Database SQL Server Standard on Windows Server 2022, isolated private subnet Port-restricted security group — accessible only from the application tier DNS Route 53 Cutover managed at DNS level — rollback possible without infrastructure changes Secrets AWS Secrets Manager Credentials removed from application config files and AMIs Delivery Workstreams # Infrastructure Build Environment Pipeline Infrastructure as Code Documentation Fresh EC2 — Built from Code, Hardened Before Application Deployment\nNew Windows Server 2022 EC2 instances were provisioned through Terraform — no manual console clicks, no inherited configuration from the deprecated environment. 
OS-level hardening was applied before any application software was installed:\nUnnecessary Windows roles and services disabled Remote access locked down to operational requirements only Windows Firewall rules configured per application tier Default IIS and server response headers stripped to prevent version disclosure SQL Server Migration\nSQL Server was installed and configured to production-grade standards on the new instances:\nProduction maintenance jobs, backup schedules, and SQL Agent configured from scratch SSIS installed and registered for data integration workflows Logins, linked servers, and SQL Agent job definitions migrated from the deprecated EC2 Backup and restore procedures validated end-to-end before promotion to UAT Data integrity verified through row count checks and key report reconciliation IIS Migration\nIIS was rebuilt on Windows Server 2022 and configured to operate correctly behind the Application Load Balancer:\nApplication pools with correct .NET runtime bindings URL Rewrite module installed to propagate X-Forwarded-For client IP headers from the ALB Application deployment process documented and validated in Dev before UAT promotion Response header hardening applied to remove version information from HTTP responses Three Gated Environments — No Skipping Stages\nThe migration ran across three environments with explicit acceptance criteria and team sign-off at each gate. The deprecated EC2 instances stayed in place throughout — the new Windows Server 2022 environment was validated entirely before any DNS cutover happened.\nDevelopment\nFresh EC2 instances stood up, SQL Server and IIS configured, application deployed. Smoke tests run to confirm the new environment was functionally equivalent to the deprecated one. No UAT promotion until this stage was clean.\nUAT / Staging\nFull functional and regression testing per application module. 
Performance baselines captured on the new Windows Server 2022 instances:\n- CPU and memory utilization under representative load\n- Disk latency under write-heavy SQL workloads\n- SQL wait statistics compared against the deprecated environment baseline\n- IIS response times per endpoint\nData validation checks confirmed migrated SQL data matched the source exactly — row counts, key reports, and reconciliation outputs all verified before production sign-off.\nProduction\nCutover executed against a documented runbook. DNS was the cutover lever — traffic shifted to the new instances at the Route 53 level, with rollback possible by pointing DNS back to the deprecated EC2s without touching infrastructure. The runbook included explicit pass/fail validation criteria and sign-off gates at each phase.\nTerraform — Every Resource, Every Change\nAll EC2 instances, security groups, IAM roles, and supporting services are defined in Terraform, maintained in a Bitbucket repository, and deployed through a CI/CD pipeline to Terraform Cloud. Branching follows feature → dev → main.\nThis matters for a migration specifically because:\n- The new environment is reproducible from code — not a one-time manual build that can’t be reconstructed\n- Configuration differences between Dev, UAT, and Production are visible in the Terraform codebase, not hidden in console state\n- If the deprecated environment needs to be stood up again for any reason, the old configuration is in version history\n- Any future Windows Server upgrade follows the same pipeline — not another undocumented manual rebuild\nChanges that don’t pass Terraform Cloud validation don’t reach the environment.\nRunbooks — Not Tribal Knowledge\nThe deprecated environment’s configuration had accumulated over time without documentation. 
The new environment was built in the opposite direction — documentation written alongside the build, stored in the central repository with versioning and approval workflow.\nCoverage:\n- Network architecture — VPC, subnets, security groups, routing, DNS\n- EC2 build — Windows Server 2022 configuration steps and OS hardening checklist\n- SQL Server — installation settings, maintenance jobs, backup and restore procedures, migration steps from the deprecated instance\n- IIS — feature installation, app pool configuration, bindings, deployment process\n- Cutover plan — rollback procedure, DNS cutover steps, validation checklist, sign-off gates\n- Monitoring — baseline metrics and alerting configuration\nThe operations team inherits a living document, not a dependency on the people who ran the migration.\nKey Challenges #\nSSIS Subsystem Registration on Windows Server 2022 AMI\nSQL Server Integration Services installed without errors but failed to register in SQL Agent’s subsystem table on the provisioned AMI. Standard SSIS installation documentation does not cover this. Resolution required a manual insertion into the msdb subsystem table and a SQL Agent restart before SSIS job step types became selectable. This would have silently broken SSIS-dependent jobs post-cutover if not caught in Dev.\nALB and IIS Header Propagation\nIIS on Windows Server 2022 does not natively process X-Forwarded-For headers injected by the Application Load Balancer. Without the URL Rewrite module configured, every client IP in application and access logs shows the ALB’s internal IP — not the originating client. The problem is invisible until you check logs after cutover. URL Rewrite configuration was validated explicitly during UAT.\nConfiguration Drift Across Environments\nSQL Server job definitions, linked server configurations, and application connection strings drift quietly across environments when promotion is informal. 
A structured promotion checklist with explicit configuration tracking was required to catch discrepancies between Dev, UAT, and Production before they caused failures at cutover.\nOutcomes #\nOutcome | Detail\nDeprecated OS retired | Business-critical application moved off EOL Windows Server to Windows Server 2022 — patched, supported, and compliant\nZero unplanned downtime | Production cutover executed via DNS with rollback ready — deprecated EC2s remained available throughout the cutover window\nClean security baseline | Fresh OS build hardened before application deployment; credentials moved to Secrets Manager; server headers stripped\nReproducible infrastructure | New environment is fully defined in Terraform — any instance can be rebuilt from code, not reconstructed from memory\nOperational handover | Full runbook coverage for every component — the team inherited documentation, not a dependency on the migration team\nTechnologies Used # AWS EC2 · ALB · Route 53\nACM · Secrets Manager\nCloudWatch\nWindows Server 2022 · IIS · SQL Server Standard\nTerraform · Terraform Cloud\nBitbucket · CI/CD Pipelines\nPowerShell · SSIS ","externalUrl":null,"permalink":"/projects/app-migration/","section":"Projects","summary":"","title":"Retiring Deprecated EC2: Windows Server Modernization with Zero Application Downtime","type":"projects"},{"content":" Scholastic Asia Cisco / Palo Alto Network Implementation (2023) # A full-stack enterprise network modernization across five Scholastic Asia locations — redesigning topology from the ground up, replacing legacy security platforms, and establishing centralized visibility and SOC-ready detection capability.\n5 Countries · Palo Alto NGFW · FortiNAC · SolarWinds + QRadar · Resilience + Segmentation\nObjective: Redesign the network architecture across Scholastic Asia from hardware through configuration — increase security posture, centralize visibility, and eliminate single points of failure across all five sites. 
Regional Scope # This program covered simultaneous implementation across five countries, each requiring site-specific execution while maintaining a consistent architectural standard:\nMalaysia · Singapore · India · China · Philippines\nCoordinating across five countries, multiple time zones, and diverse local network conditions required structured program management alongside deep technical execution.\nProgram Goals #\n- Modernize core and distribution network topology across all sites.\n- Standardize infrastructure and security policy to a single consistent baseline.\n- Improve resilience with redundancy and dual-path architecture at each location.\n- Strengthen access control, threat detection, and SOC readiness.\n- Centralize monitoring and logging for unified operational visibility.\nModernization Workstreams # Topology Redesign · Firewall Modernization · Access Control · Monitoring & SOC\nNetwork Architecture Restructuring\nThe legacy network across all five sites operated as flat, largely undifferentiated segments — a design that created both security risk and operational complexity. 
The redesign addressed the architecture at every layer.\nImplementation scope:\n- Core and distribution topology redesign across all sites simultaneously\n- IP re-segmentation and subnet standardization for consistency across countries\n- Physical cable redundancy and dual-path resilience engineered into the architecture\n- Hardware refresh paired with configuration standardization to eliminate legacy drift\nArchitecture improvements delivered:\n- Migration from legacy flat networks to structured, zone-based VLAN segmentation\n- Dedicated isolation of user, server, management, voice, and guest network zones\n- Elimination of lateral movement paths between user and server segments\nOutcome\nReduced lateral movement risk across all sites, improved operational clarity and fault isolation, and significantly increased network reliability under failure conditions.\nSecurity Platform Migration\nLegacy Cisco ASA firewalls were replaced with Palo Alto Networks Next-Generation Firewalls — a fundamental shift in security capability, not just a hardware refresh.\nMigration scope:\n- Decommissioned legacy Cisco ASA platforms across all five locations\n- Deployed Palo Alto NGFW with consistent policy baseline across sites\n- Rebuilt inter-site connectivity with standardized IPsec site-to-site tunnels\nSecurity capabilities unlocked:\n- Application-aware traffic filtering — decisions based on application, not just port\n- Granular policy enforcement down to user and application identity\n- Advanced threat prevention with signature and behavioral detection\n- SSL inspection for encrypted traffic visibility\n- Centralized policy governance and consistent rule management across all sites\nOutcome\nUnified security perimeter across all five Scholastic Asia offices, stronger encrypted inter-site communication, and dramatically improved policy consistency and auditability.\nNetwork Access Control Deployment\nLayer 2 access control was implemented using Fortinet FortiNAC — shifting device access policy from a reactive, implicit 
trust model to proactive, identity-verified enforcement.\nCapabilities enforced:\n- Device authentication required before any network access is granted\n- Unauthorized or unmanaged devices automatically quarantined\n- Role-based network access enforcement based on device identity and compliance status\n- Endpoint compliance validation before access to sensitive network zones\nOutcome\nSecurity posture shifted from reactive detection to preventative enforcement at the network edge — unauthorized devices are blocked before they reach any internal resource, not discovered after the fact.\nVisibility and Detection Integration\nNetwork visibility was established by integrating infrastructure telemetry into centralized monitoring and SIEM platforms, enabling Security Operations Center workflows across all five countries.\nIntegration delivered:\n- Full network device telemetry integrated into SolarWinds for operational health monitoring\n- Palo Alto NGFW traffic logs forwarded to IBM QRadar for security event correlation\n- SOC workflows enabled for vulnerability scanning, suspicious traffic investigation, and detection\n- Packet-level visibility available for incident triage and forensic investigation\nQRadar capabilities enabled:\n- Centralized log correlation across network, firewall, and infrastructure sources\n- Suspicious traffic pattern analysis with rule-based alerting\n- Threat intelligence mapping against observed network behaviour\n- Vulnerability detection correlated across all monitored network devices\nOutcome\nTransitioned from infrastructure-managed operations with fragmented visibility to a SOC-observable network where threats can be detected, investigated, and responded to from a centralized platform.\nSecurity and Operations Model #\nDomain | Legacy State | Modernized State\nSegmentation | Flat network segments with minimal zone isolation | VLAN-based segmented architecture with enforced zone boundaries\nPerimeter Security | Cisco ASA with limited application awareness | Palo Alto NGFW with 
application-aware policy and centralized governance\nInter-Site Connectivity | Mixed legacy tunnels with inconsistent configuration | Standardized IPsec tunnels with consistent policy across all sites\nAccess Control | Limited edge validation, implicit device trust | FortiNAC with device authentication and role-based enforcement\nMonitoring | Partial network visibility, no centralized correlation | SolarWinds + IBM QRadar integrated telemetry and SIEM correlation\nSOC Readiness | Limited detection, no centralized analysis pipeline | Centralized detection, correlation, and investigation capability\nBusiness and Technical Impact #\n- Increased network resilience across five countries through redundant architecture and dual-path design\n- Reduced attack surface through VLAN segmentation, policy hardening, and zero-trust access enforcement\n- Eliminated legacy firewall risk by replacing Cisco ASA with Palo Alto NGFW across all sites\n- Established centralized monitoring through SolarWinds and IBM QRadar SIEM integration\n- Strengthened SOC readiness with the detection, correlation, and investigation infrastructure to support active security operations\nClosing Summary # This program delivered a coordinated, multi-country modernization of topology, firewall architecture, access control, and security observability. The result is a standardized, resilient, and security-first regional network foundation — designed for scale, continuous operations, and evolving threat response across all five Scholastic Asia sites.\n","externalUrl":null,"permalink":"/projects/networking/","section":"Projects","summary":"","title":"Five-Country Network Overhaul: Cisco, Palo Alto, and SOC-Ready Infrastructure","type":"projects"},{"content":" Enterprise Security Alignment: CIS Controls v8 Implementation Across Asia # A multi-country security enforcement program to align Scholastic Asia with global InfoSEC standards — through measurable CIS Controls v8 implementation, not just policy review. 
CIS Controls v8 · Cloud + Endpoint Security · QRadar + SolarWinds · TACACS + RBAC · Audit-Ready Evidence\nObjective: Standardize and enforce CIS Controls v8 across Asia infrastructure, cloud, network, and endpoints — then deliver evidence-based validation to the US InfoSEC team.\nProgram Context #\nItem | Details\nCompany | Scholastic Asia\nDuration | 2023 – Present\nScope | Infrastructure, network, cloud, endpoint, and operational workflow standardization\nGovernance Model | Alignment with US headquarters InfoSEC baseline\nSecurity is not a tool. It is a discipline enforced through governance, measurable controls, and operational consistency.\nStrategic Mandate # This program was executed as a technical enforcement initiative — not a compliance checkbox exercise. Controls were implemented in the environment, validated with evidence, and continuously maintained.\nCore mandates:\n- Audit Asia environments against CIS Controls v8 requirements.\n- Identify control gaps, misconfigurations, and operational weaknesses.\n- Enforce remediation at the infrastructure and endpoint levels.\n- Produce documented, auditable proof for InfoSEC validation.\n- Align all Asia entities with the global security baseline.\nCIS Controls v8 Enforcement Model # Assessment & Gap Closure · Cloud Security · Network Monitoring · Identity Hardening · Endpoint Security · Governance Evidence\nControl Translation to Implementation\nSecurity frameworks only create value when they are converted into specific, measurable technical actions. 
Every CIS control was mapped to concrete infrastructure changes — not left as abstract policy intent.\n- Mapped CIS control intent to infrastructure-level actions and configuration requirements\n- Converted control requirements into technical checklists with defined acceptance criteria\n- Prioritized gaps by risk severity and operational impact\n- Assigned remediation ownership across regional teams with clear accountability\nEnforcement Principle\nEvery control required measurable, reproducible evidence — not verbal confirmation or assumed compliance.\nPlatform Integrated: Wiz\nCloud security posture management was established through continuous monitoring rather than periodic manual reviews.\n- Built a comprehensive cloud asset inventory with full visibility across the AWS estate\n- Enabled continuous vulnerability detection against misconfiguration and exposure risks\n- Monitored cloud configurations against the CIS benchmark baseline in near real-time\n- Applied risk-based prioritization to direct remediation effort where it mattered most\nOutcome\nAsia AWS environments moved from periodic manual review cycles to continuous, automated cloud posture monitoring — closing the visibility gap between audits.\nMonitoring and SIEM Integration\nNetwork visibility was established by centralizing infrastructure telemetry into enterprise monitoring and detection platforms.\n- Integrated full network device telemetry into SolarWinds for operational visibility\n- Centralized log collection and correlation in IBM QRadar\n- Forwarded Palo Alto NGFW traffic logs to QRadar for security event analysis\n- Enabled packet-level visibility for investigation and triage workflows\nOutcome\nImproved event correlation, suspicious traffic detection, and SOC-level visibility — with significantly reduced blind spots across the Asia network estate.\nAccess Control Enforcement\nPrivileged access to network and infrastructure systems was hardened from shared, unmanaged credentials to centrally governed, role-based 
authentication.\n- Enforced Cisco device authentication through TACACS+ for all administrative access\n- Standardized role-based access control (RBAC) across network operations\n- Removed unmanaged shared local accounts that lacked individual accountability\n- Strengthened credential lifecycle governance and rotation practices\nOutcome\nAdministrative accountability improved significantly across all privileged access paths — every action attributable to an individual identity.\nRegional Security Agent Standardization\nEndpoint compliance was enforced by deploying and validating approved security agents across the entire Asia user device fleet.\n- Proofpoint DLP — data loss prevention policy enforcement\n- SentinelOne — endpoint detection and response (EDR) across all managed devices\n- Cisco Umbrella — DNS-layer security and threat blocking at the endpoint level\nCompliance Requirement\nAll endpoints were required to run approved security agents, report status to centralized management consoles, and remain continuously visible in compliance dashboards — no exceptions.\nDocumentation for Validation\nEvidence packages were built to be auditable, reproducible, and defensible — not assembled last-minute before a review.\n- Configuration validation screenshots and system state captures\n- Policy export records demonstrating applied control settings\n- Workflow and methodology documentation describing the enforcement process\n- Gap remediation reports with proof of closure at the control level\nOutcome\nComplete evidence packages were submitted to US InfoSEC for validation, establishing an audit-ready regional compliance posture that could be revisited and verified at any time.\nCentralized Platform Strategy # Asia leveraged US-managed centralized security platforms rather than duplicating regional tooling — a deliberate choice that improved consistency while reducing operational overhead. 
Execution required:\n- Cross-region integration planning and connectivity design\n- Policy alignment with enterprise-wide security standards\n- Secure network connectivity for agent communication and telemetry forwarding\n- Coordinated agent rollout with compatibility validation across device types\n- Zero-downtime enforcement across active business operations in five countries\nMeasurable Impact #\nSecurity Domain | Enforcement Outcome\nConfiguration Baseline | Standardized CIS-aligned control baseline across all Asia entities\nVulnerability Coverage | Continuous cloud and infrastructure detection replacing periodic reviews\nLogging and Correlation | Centralized multi-source visibility through IBM QRadar SIEM\nAccess Governance | Hardened authentication and RBAC enforcement across privileged paths\nEndpoint Compliance | Region-wide security agent standardization and continuous compliance visibility\nAudit Readiness | Documented, evidence-backed proof for US InfoSEC validation\nNon-compliant configurations were identified, remediated, and verified through repeatable control workflows — not acknowledged and left open.\nLeadership and Execution # This initiative required cross-country coordination, deep technical execution across multiple control domains, and continuous collaboration with US InfoSEC — all while maintaining uninterrupted business continuity across five Asia-Pacific markets.\nTransformation areas included:\n- Infrastructure control enforcement and hardening\n- Cloud security posture management and continuous monitoring\n- Network telemetry integration and detection capability\n- Endpoint compliance standardization at scale\n- Governance documentation and audit evidence delivery\nClosing Perspective # Security maturity does not come from deploying tools. 
It comes from enforcing standards consistently, validating controls with evidence, and building a posture that holds up under scrutiny.\nThe CIS Controls v8 program across Scholastic Asia established a defensible, measurable, and auditable security framework — one that continues to evolve as threats and control requirements change.\n","externalUrl":null,"permalink":"/projects/cis/","section":"Projects","summary":"","title":"Beyond Policy: CIS Controls v8 Enforcement Across Five Asia-Pacific Markets","type":"projects"},{"content":" Talos Linux On-Prem — GitOps, Production Discipline # A single-node Talos Linux cluster run as a GitOps platform: Flux continuously reconciles cluster state from Git, and no manual kubectl apply ever touches production. Sealed secrets, wildcard TLS automation, MetalLB load balancing, middleware-enforced security headers, and a unified Prometheus/Loki/Grafana observability stack complete the picture.\nGitOps — Flux CD · Talos Linux / Kubernetes · Sealed Secrets + TLS · Traefik Ingress · Prometheus + Loki · Cloudflare Tunnel · VolSync Backup\nDesign Principle: The Git repository is the single source of truth. Flux enforces it. No manual cluster changes — if it isn’t in Git, it doesn’t exist in the cluster.\nArchitecture Overview # The cluster runs on bare-metal on-prem hardware provisioned declaratively with Talos Linux — an immutable, API-driven OS purpose-built for Kubernetes. Node configuration is fully codified and applied via a task runner; there is no SSH access, no shell login, and no manual OS-level state. Flux (flux-system) watches the Git repository and reconciles every manifest, Helm release, and Kustomization automatically. All service exposure is handled by Traefik as the single ingress point, with MetalLB assigning external IPs for LoadBalancer services. 
Cloudflare Tunnel (cloudflared) provides public reachability without opening inbound firewall ports.\nLayer | Component | Namespace\nGitOps | Flux CD | flux-system\nSecret encryption | sealed-secrets | kube-system\nTLS issuance | cert-manager | cert-manager\nTLS distribution | reflector | kube-system\nIngress | Traefik | traefik\nLoad balancer | MetalLB | metallb-system\nHome dashboard | Homepage | homepage\nDNS sink | AdGuard Home | adguard\nMedia server | Jellyfin | jellyfin\nFile sharing | Pairdrop | pairdrop\nPassword manager | Vaultwarden + PostgreSQL | vaultwarden\nDev environment | code-server | code-server\nInfra dashboard | Portainer | portainer\nStatic site | Caddy | caddy\nPublic tunnel | cloudflared | cloudflared\nMetrics | Prometheus | monitoring\nDashboards | Grafana | monitoring\nLog aggregation | Loki (single-binary) | monitoring\nLog collection | Alloy (DaemonSet) | monitoring\nAlerting | AlertManager | monitoring\nSecurity scanning | Trivy Operator | trivy-system\nBackup/restore | VolSync | volsync-system\nPlatform Breakdown # GitOps · Infrastructure · Services · Security · Observability\nFlux CD — Continuous Reconciliation\nFlux runs in the flux-system namespace and is the operational core of the cluster. It watches the Git repository for changes and continuously reconciles the actual cluster state against the declared state. 
Every manifest, Helm release, and Kustomization layer is managed through Flux — not applied manually.\nThe reconciliation loop means configuration drift is impossible to sustain: any manual kubectl apply or in-cluster edit is overwritten on the next sync cycle.\nFlux components in use:\nController | Role\nsource-controller | Pulls from Git and Helm repositories, produces versioned artifacts\nkustomize-controller | Applies Kustomization stacks in dependency order\nhelm-controller | Manages HelmRelease CRDs — upgrades, rollbacks, values reconciliation\nnotification-controller | Emits events on reconciliation success/failure\nRepository Layout\nAll cluster configuration is structured so Flux’s Kustomize controller can resolve dependencies in the correct order — CRDs before controllers, controllers before workloads. SealedSecret manifests are committed alongside their consuming Deployments; plaintext secrets never appear in the repository.\nNode Provisioning — Talos Linux\nTalos Linux is an immutable, minimal OS with no shell, no SSH, and no package manager — all configuration is applied through a declarative machine config over a secured API. Node provisioning is fully automated via a task runner that codifies every step: generating machine configs, applying patches, and bootstrapping the cluster. Key configuration concerns (network settings, kernel parameters, kubelet flags, and cluster extras) are expressed as structured patches rather than imperative commands.\nThis model means the OS layer is as auditable and reproducible as the Kubernetes layer above it — any node can be re-provisioned from scratch without manual intervention.\nSecret Management\nSealed Secrets runs in kube-system and handles encryption of all cluster secrets. Raw Kubernetes Secret manifests are never committed to Git — only SealedSecret CRDs encrypted with the controller’s public key. 
This makes the GitOps repository safe to store in version control without exposing credentials.\nTLS — cert-manager\ncert-manager issues a single wildcard certificate via Cloudflare DNS-01 challenge. The resulting secret is automatically mirrored by reflector into every service namespace declared in the Certificate’s annotations.\nAll IngressRoute and Ingress resources reference the same TLS secret — no manual secret copying, no per-namespace certificate requests.\nIngress — Traefik\nTraefik runs in the traefik namespace and is the single ingress controller for all services. Middleware definitions (security headers, rate limiting, IP allowlisting) are declared in a ConfigMap mounted as a file provider inside the Traefik pod and referenced in annotations.\nLoad Balancer — MetalLB\nMetalLB runs in the metallb-system namespace and assigns external IPs to LoadBalancer-type services. This enables services like AdGuard Home to receive a stable, LAN-reachable IP without relying on NodePort or host networking.\nPublic Tunnel — cloudflared\ncloudflared in the cloudflared namespace creates an outbound-only Cloudflare Tunnel with two replicas for high availability. Public services route through this tunnel — no inbound firewall rules required, no exposed NodePorts. Internal-only services remain behind the IP allowlist middleware and are never reachable externally.\nPVC Backup — VolSync\nVolSync runs in the volsync-system namespace and handles asynchronous replication of PersistentVolumeClaim data off-cluster. Each stateful workload declares a ReplicationSource CRD that schedules periodic snapshots and pushes them to an external destination. A corresponding ReplicationDestination CRD allows point-in-time restore by pulling a named snapshot back into a fresh PVC.\nDNS — AdGuard Home\nAdGuard Home (adguard namespace) serves as the local DNS resolver and ad/tracker sink for the LAN. 
It receives a dedicated external IP via MetalLB and listens on port 53, making it the network-wide DNS server. Upstream resolvers are configured for encrypted DNS-over-HTTPS.\nMedia — Jellyfin\nJellyfin (jellyfin namespace) is the self-hosted media server. Accessible internally via Traefik IngressRoute with the wildcard TLS cert.\nFile Sharing — Pairdrop\nPairdrop (pairdrop namespace) provides local wireless file transfers — a self-hosted alternative to AirDrop that works across platforms on the same network.\nPassword Manager — Vaultwarden + PostgreSQL\nVaultwarden runs in the vaultwarden namespace backed by a PostgreSQL instance in the same namespace. Provides a self-hosted Bitwarden-compatible password manager. Data is persistent via a PersistentVolumeClaim; PostgreSQL credentials are managed through sealed-secrets. SMTP is handled via an external mail relay.\nDev Environment — code-server\ncode-server (code-server namespace) exposes VS Code as a web application. Uses a relaxed CSP/frame policy via a dedicated Traefik middleware to allow the VS Code web UI to function correctly.\nHome Dashboard — Homepage\nHomepage (homepage namespace) serves as the service launcher — a configurable start page with widgets for each self-hosted service and a live Kubernetes cluster widget showing pod/node status.\nInfra Dashboard — Portainer\nPortainer (portainer namespace) provides a visual interface for cluster and container lifecycle management, running in Kubernetes mode.\nStatic Site — Caddy\nCaddy (caddy namespace) serves the static site using raw manifests only, with content synced from a local build. Sits behind Traefik for TLS termination and routing.\nSecurity Scanning — Trivy Operator\nTrivy Operator runs in the trivy-system namespace and provides continuous in-cluster scanning across four domains:\nScan type | What it covers\nVulnerability | Container image CVEs against upstream advisory DBs\nConfig audit | Kubernetes manifest misconfigurations (e.g. 
privileged containers, missing resource limits)\nRBAC assessment | Overly permissive roles and bindings across namespaces\nSecret scanning | Hardcoded credentials and tokens in workload specs\nResults are surfaced as Kubernetes CRDs (VulnerabilityReport, ConfigAuditReport, RbacAssessmentReport, ExposedSecretReport) and exposed as Prometheus metrics — scraped by the existing Prometheus instance in monitoring and visible in Grafana.\nTraefik Middleware Chain\nMiddlewares are defined in a ConfigMap mounted as a file provider inside the Traefik pod and referenced in IngressRoute annotations.\nMiddleware | Purpose\nsecure-headers | HSTS, frameDeny, nosniff, referrer-policy\ncode-server-headers | Relaxed CSP/frame policy for VS Code web UI\nrate-limit | Request rate limiting with burst tolerance\nip-allowlist | LAN + cluster CIDR only\nAll internal services apply the IP allowlist — requests from outside the LAN or cluster CIDR are rejected at the ingress layer before reaching any application. Public services exposed through cloudflared bypass the allowlist via a dedicated IngressRoute entry.\nSecret Lifecycle\nAll secrets follow this flow:\n1. Generate or retrieve credential\n2. Encrypt with kubeseal using the controller’s public key\n3. Commit SealedSecret manifest to Git\n4. Flux detects the commit and syncs; controller decrypts and creates the Secret in-cluster\nNo plaintext secrets in Git. No manual kubectl create secret commands. Every secret change has a Git commit as its audit trail.\nTLS Flow\ncert-manager (DNS-01 via Cloudflare API)\n└─ issues: wildcard TLS secret (in cert-manager ns)\n   └─ reflector mirrors → all service namespaces\n      └─ IngressRoute references mirrored TLS secret\ncert-manager handles automatic renewal. reflector handles propagation. Services reference the secret by name — zero manual intervention on cert rotation.\nMetrics — Prometheus\nPrometheus (monitoring namespace) scrapes metrics from all cluster workloads and the underlying nodes. 
Configured with multiple replicas and extended retention. Service monitors are declared as ServiceMonitor CRDs co-located with their target deployments. Trivy Operator security scan results are also exposed as Prometheus metrics, making security posture visible alongside infrastructure health.\nDashboards — Grafana\nGrafana (monitoring namespace) provides dashboards for both metrics (Prometheus datasource) and logs (Loki datasource pre-configured). Accessible internally via Traefik.\nLog Aggregation — Loki\nLoki runs in single-binary mode in the monitoring namespace — appropriate for single-node homelab scale without the operational overhead of microservices mode. Configured with short retention suitable for local-path storage.\nLog Collection — Alloy\nGrafana Alloy runs as a DaemonSet in the monitoring namespace, collecting logs from all pods across the cluster and forwarding them to Loki. Alloy replaces the deprecated promtail. Configuration is declared as a ConfigMap and managed in Git.\nAlerting — AlertManager\nAlertManager (monitoring namespace) handles alert routing from Prometheus with multiple replicas for reliability. Alert rules are defined as PrometheusRule CRDs and version-controlled alongside the rest of the cluster configuration. Routing is configured for Slack with separate channels for critical and warning severity.\nThe full observability pipeline: Alloy → Loki for logs, Prometheus → AlertManager for metric-based alerts, Grafana for unified visibility.\nLessons Applied # These principles emerged from running this cluster under real conditions:\n- GitOps is the only sane operational model — Flux makes drift impossible and every change auditable. Without it, cluster state diverges from documentation faster than documentation gets updated.\n- Immutable OS, immutable cluster — Talos Linux eliminates an entire category of undocumented state. There is no shell to log into and make a one-off change that never makes it back to Git. 
Namespace isolation is not optional — one misconfigured deployment should not be able to reach secrets in another namespace. Automate TLS end-to-end or suffer cert rot — cert-manager + reflector eliminates an entire class of silent failures. Seal secrets before they touch Git — retrofitting secret hygiene is painful and leaves audit trail gaps. Single ingress controller, one middleware source of truth — proliferating ingress patterns create inconsistent security postures. Build the observability stack first — deploying Prometheus and Loki before services means every deployment is observable from day one. File providers for Traefik middleware — avoids CRD sprawl and keeps middleware definitions reviewable in a single ConfigMap. MetalLB unlocks clean service exposure — assigning stable external IPs to LoadBalancer services (especially DNS) avoids NodePort hacks and keeps routing predictable. Closing Thoughts # This cluster is a GitOps-first engineering platform built on Talos Linux. The OS is declarative. Flux is the enforcer: the Git repository is the cluster. Every secret is sealed, every service terminates TLS from the same wildcard cert, and every log line flows to Loki.\nThe discipline isn’t complexity for its own sake — it’s what makes a single-node homelab operationally honest: no undocumented state, no forgotten manual changes, no certificates expiring unnoticed. If it isn’t in Git, it doesn’t run.\n","externalUrl":null,"permalink":"/homelab/","section":"whilcayangyang.me","summary":"","title":"Homelab as a Platform: GitOps-Driven Kubernetes with Production Discipline","type":"page"},{"content":" Privacy Advocacy and Why Internet Privacy Matters # Internet privacy is not about hiding wrongdoing. It is about preserving dignity, autonomy, and safety in a world where data collection is relentless, invisible, and permanent. 
Digital Safety Data Protection Surveillance Awareness Open Internet Values Practical Security Core position: Privacy is a basic right and a modern security requirement. Strong privacy practices reduce risk for individuals, families, and organizations alike. Why Privacy Matters # Privacy protects more than personal secrets. It protects control — over your identity, your data, and your choices.\nPersonal safety: Exposed personal data enables stalking, fraud, doxxing, and targeted social engineering. Financial security: Data leaks and account takeovers translate directly into monetary loss. Freedom of thought: Pervasive tracking creates a chilling effect on research, speech, and expression. Professional integrity: An overexposed digital footprint can damage reputation and career opportunities. Family protection: Children and household members inherit the risks created by weak privacy hygiene. The case for privacy is not paranoia. It is risk management.\nThe Cost of Ignoring Privacy # Risk Area Common Exposure Potential Impact Identity Reused emails and weak passwords Account compromise and impersonation Tracking Ad-tech profiling and behavioral telemetry Manipulation, targeting, and loss of autonomy Communication Unencrypted or unverified channels Data interception and information leakage Infrastructure Misconfigured cloud and endpoint settings Unauthorized access and service disruption Metadata Location, timing, and usage patterns Targeted attacks and social engineering Each row above represents a real attack vector — not a hypothetical. These risks affect individuals, families, and organizations every day.\nPrivacy Advocacy Principles # Privacy by default: Secure settings should be the starting point, not an optional extra. Least privilege access: Users, applications, and systems should have only the access they actually need. Data minimization: Collect, retain, and share only what is strictly necessary. 
Transparency and accountability: People should understand what is collected, where it goes, and why. Defense in depth: Layered controls are always stronger than reliance on a single tool or policy. Practical Privacy Framework # Identity Communication Devices & Network Cloud & Data Identity Protection\nYour identity is the entry point to everything else. Protecting it is the highest-leverage privacy investment you can make.\nUse a password manager and generate unique, strong passwords for every account. Enable multi-factor authentication on all critical services — especially email, finance, and primary accounts. Use email aliases to protect your real inbox address from exposure and spam. Regularly audit account recovery methods, active sessions, and connected third-party apps. Communication Security\nUnprotected communication is readable by anyone with access to the path it travels.\nPrefer end-to-end encrypted messaging and email where the risk justifies it. Separate personal, work, and high-risk communication into distinct channels. Avoid sharing sensitive information over platforms you do not control or trust. Verify sender identity before following links, opening attachments, or acting on requests. Endpoint and Network Hygiene\nUnpatched devices and open networks are consistent entry points for attackers.\nKeep all operating systems and applications updated — patches close known attack paths. Remove unused software and services to reduce attack surface. Use DNS filtering and network-level protections to block trackers and malicious domains at the source. Isolate IoT devices and risky workloads from your trusted home or office network. Use a VPN thoughtfully — understand your threat model before choosing one. Data and Cloud Governance\nData you store or share is only as protected as the controls around it.\nEncrypt sensitive data both in transit and at rest. 
Apply role-based access controls and review permissions periodically — access accumulates over time. Enable audit logging and monitor for unusual access patterns before incidents occur. Define explicit backup, data retention, and secure deletion policies — and test them. Recommended Privacy Tools and Platforms # The following services are aligned with a privacy-first operating model and are used or evaluated based on open-source credentials, transparency reports, and technical design — not marketing.\nProton Encrypted email, VPN, password management, and secure cloud storage — all under a zero-knowledge architecture. SimpleLogin Email aliasing that protects your real inbox identity from exposure, spam, and data broker harvesting. Vaultwarden Lightweight, self-hosted Bitwarden-compatible password manager. Full control, no third-party dependency. Pi-hole Network-wide DNS filtering that blocks ads, trackers, and malicious domains before they reach any device. MikroTik Powerful, flexible network hardware enabling enterprise-grade segmentation, firewall policy, and access control at home. Fedora Open-source Linux platform with a strong security posture, transparent development, and no vendor lock-in. LibreWolf Privacy-hardened Firefox fork with stronger defaults, reduced telemetry, and no proprietary dependencies. Privacy Is an Ongoing Practice # Privacy is not a one-time configuration. It is an operational discipline that evolves alongside your devices, services, habits, and threat landscape.\nA privacy-first mindset produces compounding benefits over time:\nReduced unnecessary exposure across all surfaces Greater control over your digital identity and data Improved long-term security resilience against evolving threats Stronger trust in both personal and professional environments Closing Note # Privacy advocacy is ultimately about protecting people — not just data. 
The goal is practical, sustainable digital freedom: secure systems, informed choices, and responsible use of technology.\nYou do not need to be a security expert to benefit from stronger privacy practices. You just need to start.\n","externalUrl":null,"permalink":"/privacy/","section":"whilcayangyang.me","summary":"","title":"Why Privacy Is Not Optional: A Practitioner's Case for Digital Autonomy","type":"page"},{"content":" About Me Not just hosted — this site is:\nRunning Kubernetes |\nSecured by Cloudflare ","externalUrl":null,"permalink":"/","section":"whilcayangyang.me","summary":"","title":"whilcayangyang.me","type":"page"}]