• Docker images: Multi-stage builds, minimal/distroless bases, non-root, SBOMs (Syft), image signing (Cosign).
• Kubernetes: EKS/AKS (or ECS/Fargate). HPA/KEDA, PodDisruptionBudgets, anti-affinity.
• Service mesh: mTLS, traffic policies, canary (Istio/Linkerd or AWS App Mesh).
• Config & secrets: 12-factor configs; AWS Secrets Manager / Azure Key Vault / Vault.
• Deployments: Blue/green or progressive (Argo Rollouts/Flagger), health checks, graceful shutdown.

• Choose the right bus: Kafka/Event Hubs for streaming; RabbitMQ/Service Bus for work queues; SNS+SQS/EventBridge for fan-out/integration events.
• Delivery semantics: At-least-once + idempotency; key-based partitioning; DLQs + reprocessing.
• Event design: Immutable facts, schema governance (Avro/JSON Schema), versioned topics, consumer groups.

For telco/real-time signaling (USSD, SIP, SS7/INAP/CAP) we complement microservices with JAIN SLEE (JSLEE) for deterministic low-latency event processing using SBBs.

• Integration: SLEE handles network/resource adapters; business logic/reporting in microservices; bridge via Kafka or gRPC.
• Practices: Resource Adapters for SIP/SS7, activity context separation, active-active clustering, and central observability.

• Gateways: Kong/NGINX, AWS API Gateway/ALB, Azure API Management; JWT/OIDC (Keycloak/Cognito/Entra), quotas, WAF, caching, request validation.
• API styles: REST, GraphQL, gRPC (for low-latency S2S).
• Zero trust: mTLS between services, SPIFFE/SPIRE or mesh identities; least privilege per service.

• Shift-left: SAST/DAST (CodeQL/ZAP), dependency scans (Dependabot), container scans (Trivy/Grype).
• Policy as code: OPA/Gatekeeper or Kyverno; image signing; namespace quotas; Pod Security standards.
• Keys & encryption: KMS/Key Vault; TLS everywhere; encrypt at rest/in transit.
• Compliance: PCI DSS for payment flows; audit logging, immutable storage, tokenization, data minimization.

• Telemetry: OpenTelemetry SDKs; Prometheus/Grafana, ELK/OpenSearch, CloudWatch/X-Ray or Azure Monitor/App Insights.
• SLOs & alerts: SLI/SLO for latency/error/saturation; actionable alerts with runbooks and on-call rotations.
• Load & chaos: K6/Gatling; chaos experiments (Litmus/Chaos Mesh).

• Pipelines: GitHub Actions/GitLab CI, AWS CodePipeline or Azure DevOps; trunk-based with short-lived branches.
• IaC: Terraform/Pulumi modules; per-env workspaces; reviewable plans; drift detection.
• Environments: Dev→QA→UAT→Prod; promote artifacts, not rebuilds; environment parity.

• Architecture Vision: Business goals, stakeholder map, high-level target state.
• Business/Data/App/Tech Architecture: Capability maps, service boundaries, data flows, runtime topology.
• Opportunities & Solutions: Build/buy, carve-outs, migration waves.
• Migration Planning: Backlog, dependencies, cost model, risks.
• Implementation Governance: ADRs, checklists, gates.
• Change Management: Continuous compliance and tech-debt burn-down.

AWS Reference

• Compute/Containers: EKS or ECS/Fargate; Lambda for glue.
• Edge: Route 53, CloudFront, ALB/NLB, API Gateway, WAF.
• Data: Aurora/RDS, DynamoDB, ElastiCache (Redis), OpenSearch, S3 (+ Lake Formation), Redshift.
• Messaging: MSK (Kafka), SNS/SQS, EventBridge, Kinesis.
• Security: IAM, KMS, Secrets Manager, Cognito, GuardDuty.
• Observability: CloudWatch/X-Ray, OTel, Prometheus/Grafana (AMP/AMG).
• CI/CD & IaC: CodeBuild/CodePipeline or GitHub Actions; Terraform.

Azure Reference

• Compute/Containers: AKS, Container Apps, Functions.
• Edge: Front Door, App Gateway (WAF), Traffic Manager, API Management.
• Data: SQL Database/MI, Cosmos DB, Azure Cache for Redis, Cognitive Search, Data Lake + Synapse.
• Messaging: Service Bus, Event Hubs, Event Grid.
• Security: Entra ID, Key Vault, Defender for Cloud, Managed Identities.
• Observability: Azure Monitor, Log Analytics, App Insights, OTel.
• CI/CD & IaC: Azure DevOps/GitHub Actions; Bicep/Terraform.

• Availability: Multi-AZ/Zone, graceful degradation, RTO/RPO, backups + restore tests.
• Performance: P95/P99 budgets, capacity plans, autoscaling triggers.
• Cost: FinOps dashboards, right-sizing, reserved/savings plans, per-service allocation.
• Data: Lineage, retention, privacy controls, masking/tokenization, residency.

1. Week 1 — Discovery & Vision: Stakeholder workshops, goals, constraints, NFRs.
2. Weeks 2–3 — Target Architecture: Service map, data flows, security model, platform choices.
3. Weeks 4–5 — Reference Builds: Golden Docker image, CI/CD, API gateway, observability stack.
4. Week 6 — NFR Validation: Load tests, chaos drills, security scans, cost model.
5. Weeks 7–8 — Handover: Roadmap, ADRs, runbooks, training, implementation backlog.