Cloud & DevOps Engineer · Politecnico di Milano
I build Azure infrastructure with Terraform, Docker, Kubernetes and CI/CD pipelines. Six public projects that go from a single VM up to a full AKS GitOps platform, each one documented as I built it.
I'm a Computer Engineering student at Politecnico di Milano. I work mainly with Azure, Terraform, Linux, networking and containers, and I care about keeping infrastructure clean and easy to follow.
I work in steps. The first project was a single VM. After that came segmented networks, private access and high availability. The most recent one is an AKS GitOps platform: a FastAPI service packaged with Helm, reconciled by Flux, secured with Workload Identity and shipped through OIDC pipelines. Each project adds something the previous one didn't have.
I'm preparing for AZ-104 and CCNA. I'd rather learn a service by deploying it than by reading about it, so I turn each topic into a small build and write down what broke, what worked, and what I'd change for production. That includes a single-node AKS rollout problem I had to debug and fix.
I'm early in my career and honest about that. This site is meant to show how I work: how I structure a project, and how fast I get from an idea to infrastructure that runs.
The same flow runs through the stack: Git drives the change, OIDC removes long-lived credentials, the scanners gate the merge, Terraform builds the platform, and the runtime pulls images and secrets through managed identity. Each project hardens one more part of it.
Six Azure projects, in the order I built them. Each one takes on a new problem, from the first VM up to a Kubernetes GitOps platform, and gets a step closer to something I'd run in production.
A first IaC deployment: one ARM64 Linux VM on Azure with custom networking, NSG rules, SSH-key access and automated Nginx provisioning via cloud-init.
+adds the baseline: resource groups, VNet, subnet, SSH access and a repeatable path from code to a running VM.
A segmented two-tier Azure environment with separate management and web subnets, subnet-scoped NSGs, a dedicated admin VM and automated provisioning across multiple VMs.
+adds subnet separation and controlled access paths, with multi-VM provisioning that keeps the code readable.
Private-first infrastructure: no public VM IPs, Azure Bastion for admin access, Key Vault, Log Analytics and a modular Terraform structure with remote state.
+adds a private-by-default design, with Bastion for admin access, Key Vault for secrets and Log Analytics for logging.
A public Azure Load Balancer fronting two private ARM64 Ubuntu backends, with Bastion admin access, HTTP health probes, NSG security and cloud-init automation.
+adds the first high-availability pattern, using backend pools, health probes and traffic distribution.
A FastAPI service running on Azure Container Apps, shipped through GitHub Actions. Terraform builds the Azure side in three separate stacks, OIDC replaces stored credentials, images land in ACR, and Checkov and Trivy check every change before a smoke-tested deploy.
+adds a full CI/CD pipeline with no stored credentials, supply-chain scanning, managed identity, and a deploy that gets verified instead of assumed.
AcrPull onlyAn end-to-end Kubernetes platform on Azure, and the project I'm most proud of. Terraform provisions an AKS cluster with an OIDC issuer and Workload Identity. GitHub Actions builds a multi-arch image and pushes it to ACR. Flux then reconciles a Helm chart into the cluster, the pod reads its Key Vault secret through the Secrets Store CSI Driver, and a NetworkPolicy limits ingress. CI runs Python, Docker and Helm validation, and Checkov and Trivy scan every change.
+adds the Kubernetes operational layer: pods, probes, rollout strategy, Helm packaging, GitOps reconciliation, Workload Identity and real cluster troubleshooting.
latestOn a single-node cluster kept small to save cost, the default RollingUpdate tried to
start a second pod before stopping the first. The node didn't have enough CPU for both, the new pod
stayed Pending, and Helm timed out and rolled back. I made the deployment strategy
configurable in the chart and set Recreate for AKS dev. It's a deliberate trade-off
between zero-downtime and node capacity, and I wrote it up as an ADR.
Hardening toward a private AKS cluster, private endpoints for ACR & Key Vault, managed Prometheus / Grafana, policy enforcement (Kyverno / OPA Gatekeeper), Flux image automation and canary delivery. Tracked openly on GitHub.
Every item is tagged by how I've actually used it the core tools I lead with day-to-day, ones shipped in real projects, or foundational from my most recent work.
// the foundation under every layer
// from a single image to GitOps
// every change validated before it ships
// least privilege, no long-lived secrets
// know what the platform is doing
// scripting and daily tooling
Work I do alongside my studies. The focus is on clean records, accountability and reliable support.
Ongoing administrative and accounting support for a non-profit in the events and community space. I look after records, invoices, member data, reconciliation and reporting, and keep the back office organised while I study engineering.
Credentials and study tracks that line up with the projects I build in public.
What I'm working through now. Each topic connects to a project I'm building.
Identity, governance, monitoring and day-to-day administration labs beyond the fundamentals.
Routing, switching, VLANs, subnetting and troubleshooting, the foundation for real cloud network design.
Beyond first AKS deploys: probes, rollout strategies, NetworkPolicy and debugging real cluster issues.
Reconciliation, HelmRelease, Kustomization and moving toward image automation and progressive delivery.
Layered stacks, remote state, clean module boundaries and safer environment separation.
Private endpoints, policy enforcement (Kyverno / OPA), SBOM and image signing toward production hardening.
I deploy projects on real Azure and document them from setup to cleanup, including the destroy order, not just in a README.
Naming, modules, state, diagrams and commit history matter, because the next person has to be able to read it.
Identity, least privilege, private access and scanning come in early, even when the project is still small.
Looking around Milan / Varese, remote or hybrid. Best fit: Junior Cloud Engineer, Junior DevOps, Junior System Administrator, a cloud internship, or Cloud Operations and monitoring-focused roles.
Milan / Varese · remote · Italian native · English C1 · French conversational · German & Russian learning