In 2026, cloud and DevOps are no longer a strategy slide but an operational obligation. The reality for German SMEs: a Microsoft stack in the office, one data center in the basement, a second at a co-location provider, plus two or three SaaS tools whose data nobody fully keeps track of. When the hardware refresh is now due, the ERP has to be modernized, or management wants to become "AI-ready" — then there is no longer any way around an honest cloud strategy. This guide shows what a sound cloud and DevOps journey actually looks like for a 50- to 500-person SME: from the first workload audit through migration patterns, Infrastructure-as-Code, the Kubernetes decision, building CI/CD and observability, to FinOps discipline and a cloud-exit strategy. With real prices, real tool versions and no marketing fluff.
Why cloud + DevOps are indispensable for SMEs in 2026
The driving question is no longer "cloud yes or no", but "how cloud, at what pace and with what operating model". Three hard factors force the decision. First, hardware life cycles: the typical SME last invested in 2019/2020, the maintenance contracts expire in 2026/2027, and new servers from German distributors are 30 to 50 percent more expensive than before the pandemic due to the semiconductor crisis. Second, staffing costs: a decent Linux administrator costs 75,000 to 95,000 euros plus overhead in southern Germany — a cloud platform with 30 workloads runs on 0.5 of that position, whereas an in-house data center needs 2 to 3 full-time capacities just for patches, backups and hardware swaps. Third, software vendor drift: SAP, Microsoft, Oracle, Atlassian — all the major application vendors are actively shifting to the cloud, local licenses are becoming more expensive or being discontinued. Anyone still wanting to run SAP on-premise in 2028 will pay a clear premium over RISE with SAP.
On the other side stand the typical SME brakes: a grown ERP with custom extensions, management's data-protection concerns, a lack of cloud competence in the team, and the legitimate fear of cost explosion. A cleanly planned cloud-and-DevOps strategy addresses exactly these points: a step-by-step migration instead of a big bang, EU data residency by configuration, skill building through accompanying coaching models, and a binding FinOps regime from day one. So in 2026 the decision is no longer whether, but how disciplined.
Cloud models (public, private, hybrid, multi-cloud) — when each makes sense
Four architecture models dominate the market, and each has its use case.
Public cloud means multi-tenant with a hyperscaler (AWS, Azure, GCP) or an EU-sovereign provider (IONOS, OVHcloud, STACKIT, T-Systems). Resources are shared, billing is consumption-based. For 80 percent of SME workloads, public cloud is the right choice: no capital investment, immediate availability, global regions, a huge service catalog. Typical concerns (data residency, security, lock-in) are solvable with discipline — see further below.
Private cloud means dedicated infrastructure, either in your own data center (VMware, OpenStack, Proxmox, Nutanix) or as a rented single-tenant environment at a provider. Useful for workloads with hard latency requirements, very large data volumes with egress costs in the public cloud, or regulatory requirements that rule out multi-tenancy. The effort for hardware life cycle, patches and capacity planning remains entirely with the customer.
Hybrid cloud combines both worlds — a typical pattern in DACH SMEs: ERP and database cluster on-premise, web frontends, analytics workloads and dev/test environments in public cloud, connected via VPN or Direct Connect / ExpressRoute. Hybrid is the realistic intermediate migration stage for most SMEs — rarely a permanent target picture, but rather a 3- to 5-year transition phase.
Multi-cloud means the deliberate use of at least two hyperscalers. The marketing justification ("avoid vendor lock-in") rarely holds, because real portability is expensive and multi-cloud multiplies operational complexity. Real multi-cloud reasons are: a particular service is only available from one provider (Vertex AI for ML models, AWS Outposts for edge, Azure for M365 integration), regulatory separation between business areas, or geo-redundancy at the cloud-provider level. For 95 percent of SMEs, single-cloud is the right choice, complemented by clear exit preparation.
The three hyperscalers: AWS vs Azure vs GCP — strengths in the DACH market
The three big US providers do not differ primarily in the basic functions — compute, storage, database and network are delivered by all three at comparable quality. The differences lie in the depth of the specialized services and the natural synergies with the existing stack.
Amazon Web Services (AWS) has the broadest service catalog (over 240 services in 2026), the most mature third-party integration and the most learning resources. Strengths: EC2 with the largest variety of instances, S3 as the de-facto standard for object storage, Lambda as the pioneering serverless platform, RDS and Aurora as database workhorses. Weakness: AWS feels like the most American experience — the console is only partly available in German, support is in English by default, and identity integration with Active Directory is laborious.
Microsoft Azure is the natural choice for DACH SMEs with a Microsoft stack. Anyone already using Active Directory, Microsoft 365, Windows Server and SQL Server saves 20 to 40 percent versus AWS through Azure Hybrid Benefit — the licenses can be carried into the cloud. Strengths: Entra ID (formerly Azure AD) as the identity hub, native integration with M365, Azure Arc for hybrid management, and a German frontend (console, docs, support). Weaknesses: service stability has historically been more volatile than AWS, and service naming is renamed more frequently (which quickly makes docs outdated).
Google Cloud Platform (GCP) is the smallest but technologically most ambitious of the three. Strengths: BigQuery as an analytical powerhouse (often cited as the only reason to use GCP at all), Vertex AI with access to Gemini models and open-source LLMs, Anthos for hybrid Kubernetes, and a pleasantly consistent API architecture. Weaknesses: a smaller service catalog, fewer DACH partnerships, a markedly weaker marketing presence in Germany.
Pragmatic rule of thumb for DACH SMEs in 2026: Microsoft-stack houses use Azure, data-heavy workloads go to GCP, for broad service variety and the best third-party integration you choose AWS. If none of these three reasons clearly applies, Azure is the sensible default for most DACH SMEs — simply because the Microsoft identity is already in place.
Which cloud fits your stack?
We review your workload inventory, existing licenses and skill profile in a free 30-minute conversation — and deliver a reasoned provider recommendation instead of vendor marketing.
Request cloud consultingCloud migration strategies (lift-and-shift, re-platform, re-architect, 6 R's)
The established migration taxonomy originally comes from Gartner and was popularized by AWS: the "6 R's". Each workload is assigned one of the six migration strategies, based on business value, technical maturity and modernization potential.
Retire — the simplest case: the workload is shut down. In every honest migration inventory it turns out that 5 to 15 percent of the servers are no longer actively used at all. The associated licenses, backups and maintenance costs are eliminated immediately. In our experience, this is the category with the best ROI per hour of analysis.
Retain — the workload stays on-premise for now. Reasons: regulatory restriction, latency to local machines, an upcoming decommissioning, or simply unresolved license questions. "Retain" is legitimate but should be given a review date — otherwise the server remains a special case forever.
Rehost (lift-and-shift) — the workload is moved into the cloud unchanged, typically as a VM. Tooling: AWS Application Migration Service, Azure Migrate, Google Migrate to Virtual Machines. Advantage: fastest migration, lowest risk. Disadvantage: no cloud cost optimization, no modernization gain. Useful for workloads that will be replaced anyway within 3 to 5 years.
Replatform — the workload is modernized with minimal changes. Classic pattern: SQL Server database from your own VM to Azure SQL Managed Instance, IIS web server to Azure App Service, Linux application into a Docker container. Patching, backup and high availability are handled by the cloud provider. The best compromise between effort and modernization gain — recommended for 40 to 60 percent of a typical migration portfolio.
Repurchase — the workload is replaced by a SaaS variant. A local CRM becomes Salesforce, in-house HR software becomes Personio, on-prem SharePoint becomes Microsoft 365, in-house helpdesk software becomes Zendesk or Freshdesk. Quick to implement, often with a noticeable jump in functionality — but data migration and interface adaptation should not be underestimated.
Refactor / re-architect — the workload is fundamentally rebuilt, typically as a container or serverless architecture. A monolithic application is split into microservices, batch jobs become Lambda functions, an on-premise message queue becomes a managed service. High effort (often 6 to 18 months per workload), but strategically valuable for core applications with a long lifespan.
In practice, an honest migration inventory yields a portfolio roughly of the following shape: 10 percent retire, 15 percent retain, 25 percent rehost (fast pace), 35 percent replatform (the backbone), 10 percent repurchase, 5 percent refactor. For a typical SME inventory this distribution takes 6 to 18 months and costs between 60,000 and 250,000 euros in consulting and migration work.
Infrastructure-as-Code (Terraform, Pulumi, OpenTofu, CDK)
Infrastructure-as-Code (IaC) means: every cloud resource — VM, subnet, database, IAM role, firewall rule — is described, reviewed and rolled out automatically as versioned code. Without IaC, serious cloud operations are not possible in 2026. Clicking in the console creates drift, forgotten resources and a missing audit trail.
Terraform (HashiCorp, from version 1.5 under the Business Source License BSL) has been the market leader for ten years with the broadest provider coverage (over 4,000 official and community providers in 2026). Strength: declarative HCL syntax, a huge ecosystem, robust state management with Terraform Cloud, Spacelift or self-hosted backends in S3. Weakness: the BSL license shift in 2023 forced many open-source projects and EU authorities to migrate.
OpenTofu is the Linux Foundation fork of Terraform 1.5 under the original MPL 2.0. API-compatible with Terraform, it can directly use existing Terraform state files and modules. For new projects under EU procurement rules or open-source obligations, OpenTofu is the pragmatic choice in 2026. Provider coverage is slightly behind Terraform, but all hyperscalers are supported.
Pulumi uses real programming languages instead of HCL — TypeScript, Python, Go, .NET, Java. Advantage: native loops, conditions, modularization with language constructs, good testing options with standard frameworks. Useful for developer-driven teams with complex infrastructure logic. Disadvantage: a smaller community, fewer examples, a higher barrier to entry.
AWS CDK, Azure Bicep and Google Cloud Deployment Manager are the vendor-specific tools. CDK compiles TypeScript/Python into CloudFormation templates, Bicep is a significantly more pleasant abstraction over ARM templates. Both are excellent for single-cloud setups but fail at multi-cloud requirements. For DACH SMEs with an Azure stack, Bicep is a serious alternative to Terraform — a shorter learning curve, native tool integration.
Our recommendation for 2026: OpenTofu with the AzureRM or AWS provider as the default, complemented by Atlantis or Terraform Cloud for the plan-approval workflow, and tflint plus Checkov as pre-commit validation. Anyone running Microsoft-only with no multi-cloud worry is also well served with Bicep.
Containers & Kubernetes — when it makes sense, when it's overkill
Kubernetes is the undisputed platform for container orchestration in 2026 — and at the same time the tool with the highest hype-to-practice ratio among SMEs. The honest question is not "do we need Kubernetes", but "do we need the operational complexity that Kubernetes brings".
When Kubernetes makes sense: when you run 20 or more independent services, need multi-region availability, want to keep hybrid workloads portable between cloud and on-premise, or run a pronounced microservice architecture. In these cases Kubernetes delivers real value: a unified deployment API, automatic service discovery, self-healing, rolling updates without downtime.
When Kubernetes is overkill: when you have fewer than 10 services, need only one region, and the team does not already bring container experience. The operational effort of a production Kubernetes cluster realistically amounts to 0.5 to 1 full-time position — cluster upgrades every 4 months, network-policy maintenance, certificate rotation, RBAC, storage-CSI drivers. Anyone who cannot shoulder this effort runs with outdated clusters (and therefore insecure ones).
The container alternatives are mature in 2026 and the better choice for many SMEs: AWS App Runner (containers without orchestrator visibility, auto-scaling, HTTPS termination), Azure Container Apps (based on Kubernetes and KEDA, but abstracted as PaaS), Google Cloud Run (the pioneer of container serverless), and for pure web workloads App Service or AWS Elastic Beanstalk. These services deliver 80 percent of the container benefit at 20 percent of the operational complexity.
When Kubernetes is the right choice, then managed Kubernetes instead of self-hosted: AWS EKS, Azure AKS, Google GKE — the control plane is operated by the cloud provider, you only take care of the worker nodes and workloads. GKE Autopilot goes one step further and also takes over worker-node management. Self-hosted Kubernetes (kubeadm, k3s, RKE2) has a place in 2026 only in very specific hybrid or edge scenarios.
Complementing the Kubernetes choice: Helm as the package manager (the standard for most open-source components), Kustomize for environment overlays, External Secrets Operator for connecting to HashiCorp Vault, AWS Secrets Manager or Azure Key Vault, and Cilium as a Container Network Interface with an integrated network-policy and observability layer.
CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins, ArgoCD)
Continuous Integration and Continuous Deployment are the central nervous system of modern software delivery. Every commit is tested automatically, every merge produces an artifact, every artifact is potentially deployable. Among SMEs in 2026 we see four dominant tooling families.
GitHub Actions is the de-facto standard for teams that already use GitHub as their code host. Strengths: tight integration with pull requests, a huge marketplace of open-source actions, simple YAML syntax, good secrets management with Environments and OpenID Connect federation to AWS/Azure/GCP (no more long-lived keys needed). Weakness: setting up self-hosted runners for sensitive workloads is not trivial.
GitLab CI delivers comparable pipeline functionality with the advantages of an integrated platform (issues, merge requests, container registry, package registry, security scanning, all in one). For SMEs with an on-premise requirement, the self-hosted GitLab Community or Enterprise Edition is a serious choice, especially when EU data residency is a hard point.
Jenkins is still in use in many SME houses, often grown historically. Strengths: maximum flexibility, a huge plugin library. Weaknesses: high maintenance effort, plugin security updates must be actively maintained, and the declarative pipeline definition was added later and never feels quite right. Anyone wanting to newly introduce Jenkins in 2026 should be able to justify it well — for most new setups, GitHub Actions or GitLab CI are clearly superior.
ArgoCD and Flux are the two dominant GitOps tools for Kubernetes deployments. They complement classic CI (build, test, push to the image repository) with a declarative CD layer: the desired cluster state resides in Git, an agent in the cluster continuously synchronizes against Git. Benefits: a complete audit trail, automatic rollbacks via Git revert, nobody needs direct kubectl access to production. For teams with more than three developers and Kubernetes in use, GitOps is best practice in 2026.
Mandatory components of a serious pipeline in 2026: unit tests with a coverage gate, static code analysis (SonarQube, GitHub CodeQL, semgrep), software composition analysis for third-party dependencies (Dependabot, Renovate, Snyk), container image scanning (Trivy, Grype), infrastructure drift checks (Checkov, tfsec, terrascan), and signed artifacts via Cosign or Sigstore. Anyone lacking these building blocks does not deliver a compliance-capable software pipeline in 2026.
Reepa Solutions Approach — cloud migration + DevOps coaching
Migration + coaching instead of migration alone
We have been doing cloud migrations for DACH SMEs since 2018. Our model differs from the typical consulting approach in one central point: we don't just migrate, we enable your team to run the cloud independently in parallel. After 6 to 12 months of migration, your infrastructure is in the cloud — and your operations crew can develop it further on their own, without permanent dependence on consultants.
In concrete terms, this means: every migration sprint is carried out in pair mode, your administrator sits with our cloud architect at the same screen, every IaC change is reviewed together, every architecture decision is documented and filed in the internal wiki. The result: after the project ends, no "black-box setup", but a fully understood system with documented architecture and a team that can operate it.
Our typical engagement follows four building blocks. Discovery (4 to 8 weeks): a complete workload inventory, categorization by the 6 R's, an architecture sketch, target cost calculation, a risk register. Delivers a solid basis for decisions instead of vague estimates. Foundation (4 to 6 weeks): a cloud landing zone with IAM, network, logging, backup policies, cost management — the platform base on which all further workloads land. Migration sprints (2 to 6 weeks per wave): 5 to 15 workloads per wave, with a test and cutover plan. Operations handover (4 to 8 weeks): SRE practices, runbooks, on-call rotation, post-mortem format, FinOps dashboard.
In addition, we offer cloud-security validation via our platform Reepa Security — we continuously check your cloud configuration for misconfiguration (IAM over-permissions, public S3 buckets, missing encryption, open security groups). More on this in the chapter "Security in the cloud" and in the cybersecurity pillar.
Observability + monitoring (Prometheus, Grafana, OpenTelemetry, Datadog)
Observability — the ability to understand the behavior of a system from the outside — rests in 2026 on three pillars: metrics (numerical time series such as request rate, error rate, latency), logs (textual event records) and traces (distributed call chains between services). Anyone who neglects one of these three pillars flies blind when things catch fire.
Open-source stack: Prometheus for metrics, Grafana for visualization and alerts, Loki or OpenSearch for logs, Tempo or Jaeger for traces. Connected via OpenTelemetry as a vendor-neutral instrumentation standard. Advantage: no vendor lock-in, guaranteed EU data residency (self-hosted), cheap at large data volumes. Disadvantage: you have to run the stack yourself — typically 0.3 to 0.5 full-time capacity.
Managed SaaS: Datadog, Grafana Cloud, New Relic, Honeycomb, Dynatrace. Advantage: immediate availability, ready-made dashboards, integrated AI correlation, no operational overhead. Disadvantage: costs scale with data volume — for larger workloads, quickly four- to five-digit per month. In addition, these are US providers with Schrems II implications for sensitive data.
Cloud-native: CloudWatch (AWS), Azure Monitor, Google Cloud Operations. Sufficient for basic monitoring of the cloud resources themselves, but quickly becomes expensive and unwieldy for application performance monitoring. For a real cross-service trace analysis, the cloud-native tools are not yet at Datadog level in 2026.
Our recommendation for DACH SMEs: OpenTelemetry as the instrumentation layer (future-proof, vendor-neutral), beneath it either an open-source stack (for cost control) or Grafana Cloud (for minimal operational effort at moderate volumes). Datadog is excellent, but price-wise only attractive for larger SMEs (from 200 people).
Regardless of the tool: define Service Level Objectives (SLOs) — measurable availability and latency targets per critical service — and monitor them continuously. An SLO of "99.5 percent availability over 30 days" is a mandatory component of every production application in 2026. Alert thresholds and error budgets derive from the SLO — without this foundation, monitoring becomes a symptom show.
FinOps — getting cloud costs under control
The most common cloud disappointment in SMEs: after 12 months the bill is twice as high as calculated. The causes are rarely dramatic — usually creeping forgetfulness. Unused VMs, undeleted snapshots, oversized instances, S3 buckets in the expensive standard tier, database backups at full size instead of incremental. FinOps is the discipline that prevents exactly this.
Three FinOps levers deliver, in our project experience, 80 percent of the savings.
Right-sizing. Most cloud instances are 30 to 50 percent oversized — typically a t3.large that uses only 15 percent CPU, or a D8s_v5 that has shown single-digit utilization for months. Tools: AWS Compute Optimizer, Azure Advisor, Google Recommender. Procedure: observe utilization for 30 days, reduce to the next smaller instance, monitor for a week, reduce further if applicable. Savings typically 25 to 40 percent.
Reserved Instances / Savings Plans. For stable workloads (production databases, always-on services), book one- or three-year reservations instead of On-Demand. Discounts: AWS Savings Plans up to 72 percent, Azure Reserved VM Instances up to 65 percent, GCP Committed Use Discounts up to 70 percent. Prerequisite: a stable baseline load. Anyone applying reservations to volatile workloads pays for unused capacity.
Storage tiering and cleanup. S3 Intelligent-Tiering automatically moves rarely used objects into cheaper classes (40 to 95 percent savings versus standard). Azure Cool and Archive are comparable. On top comes the classic cleanup: old EBS snapshots, unused disk images, forgotten Lambda versions, old container images in the registry. Typically 10 to 15 percent of every cloud bill is pure resource junk.
In addition, you need cost allocation via tagging (every resource carries cost center, project, owner as a tag — otherwise no attribution is possible), budget alerts at account and project level, and a monthly FinOps review with the responsible teams. Tools: AWS Cost Explorer plus Cost Anomaly Detection, Azure Cost Management, GCP Cost Management, or vendor-neutral Vantage, Cloudability, CloudHealth.
Security in the cloud (brief overview)
Cloud security is a topic of its own, which we cover in detail in the full cybersecurity pillar. Here are the most important points for cloud and DevOps leads in condensed form.
Shared responsibility model: the cloud provider is responsible for the security "of the cloud" (hardware, hypervisor, network backbone, data center). You are responsible for the security "in the cloud" (IAM configuration, data encryption, application hardening, network rules). Anyone who does not know the model makes false assumptions — such as that "the cloud is secure".
The typical cloud misconfiguration classics from our audits: publicly readable S3 buckets with personal data, IAM roles with AdministratorAccess and without MFA, Lambda functions with hardcoded secrets, security groups with 0.0.0.0/0 on management ports, disabled CloudTrail or Activity logs, missing encryption on RDS and EBS volumes. Each individual point is automatically checkable with IaC and a CSPM solution (Cloud Security Posture Management) — Reepa Security takes over this validation as a continuous platform.
Identity obligation: in 2026, nobody in a production cloud may still work with long-lived access keys. AWS IAM Identity Center, Azure Entra ID and Google Cloud Identity in combination with Workload Identity Federation and OIDC replace static keys with short-lived tokens. CI/CD pipelines authenticate via OpenID Connect federation, employees via SSO with MFA. Anyone still handing out access keys in 2026 has a security problem with an expiry date.
GDPR + EU data residency
The question "are we even allowed to process personal data in the cloud" is solvable in 2026 — but not with a click-and-forget setup. Three layers must be clean.
Data processing agreement (DPA). For every cloud provider that processes personal data on your behalf, you need a DPA under Article 28 GDPR. AWS, Azure, Google and the EU-sovereign providers supply standard DPAs. The EU Commission's Standard Contractual Clauses (SCC) from 2021 are the legal basis for the transfer to the USA — they must be explicitly included.
Data residency. Configure region restrictions technically: the AWS Organizations service with Service Control Policies, Azure Policy with permitted regions, GCP Organization Policy Constraints. Data does not leave the EU economic area without explicit approval. For most workloads, the EU regions Frankfurt, Dublin, Amsterdam, Paris or Zurich are fully sufficient.
Schrems II risk. Even with an EU-region choice, the theoretical risk remains that US authorities could request access to data of the US parent corporations via the CLOUD Act. For highly sensitive data there are three paths: a) EU-sovereign providers (IONOS, OVHcloud, STACKIT, T-Systems Open Sovereign Cloud), b) customer-managed keys with bring-your-own-key — the cloud provider cannot technically decrypt the data, c) a hybrid setup with the most sensitive workloads on-premise and only less critical workloads in the public cloud.
Practical recommendation for most SMEs: hyperscaler in an EU region, a documented DPA with SCC, customer-managed keys for the most critical data classes, a data protection impact assessment for high-risk workloads. This is legally implementable in 2026 and sufficient for most business models.
What does a cloud migration cost in 2026
The question is justified and deserves an honest answer. We provide orientation in real numbers for a typical SME with 20 to 50 workloads and 50 to 200 employees.
Discovery and migration plan: 12,000 to 30,000 euros for the complete inventory, 6-R categorization, target architecture sketch and business case. Duration: 4 to 8 weeks. Worth it even if the migration is subsequently carried out with a different partner — the basis for decisions is worth gold.
Foundation (landing zone): 15,000 to 40,000 euros for the base cloud platform with IAM, network topology, logging hub, backup strategy, FinOps setup. A one-time investment, after which the platform largely runs itself.
Migration sprints: per workload, calculate as a rule of thumb — rehost 1,500 to 4,000 euros, replatform 4,000 to 12,000 euros, refactor 8,000 to 60,000 euros. With a typical portfolio (50 percent replatform, 30 percent rehost, 15 percent repurchase, 5 percent refactor), for 30 workloads you land at 120,000 to 300,000 euros in consulting and migration work over 6 to 12 months.
Ongoing cloud costs: after a successful migration with clean right-sizing and Reserved Instances, the monthly cloud consumption costs typically come to 60 to 80 percent of the previous on-premise TCO (Total Cost of Ownership including hardware depreciation, power, cooling, maintenance, staff). Without FinOps discipline they can easily reach 120 percent too — the difference is the discipline, not the cloud.
DevOps coaching: 1,500 to 4,000 euros per day for accompanying pair working, workshops, architecture reviews. We recommend 20 to 40 coaching days over the entire migration phase — that secures the knowledge transfer and makes you independent of the partner.
A solid migration proposal in 5 working days
Sketch out your workload inventory for us in rough terms — we deliver a first order of magnitude as a solid range, not a shot in the dark.
Request cloud migrationFrequently asked questions
What does a cloud migration cost in 2026?
For a typical SME with 20 to 50 workloads, a complete migration ranges between 60,000 and 250,000 euros over 6 to 12 months. Pure lift-and-shift is cheaper (from 1,500 euros per workload), re-architecture with container and serverless rebuilds is more expensive (from 8,000 euros per workload). On top come monthly cloud consumption costs, typically 60 to 80 percent of the previous on-premise TCO with clean right-sizing discipline.
Should we choose AWS, Azure or GCP?
For DACH SMEs with a Microsoft stack (Active Directory, M365, SQL Server), Azure is the natural choice — identity integration and bring-your-own licensing save 20 to 30 percent. For data-heavy workloads with BigQuery, Vertex AI or Anthos, GCP pays off. AWS remains the broadest provider with the most mature service catalog and the best third-party integration. A serious decision considers staff skills, workload profile and existing licenses — not just the list price.
Do we need Kubernetes or is a simple PaaS enough?
If you run fewer than 20 services and need only one region, Kubernetes is usually overkill. Azure App Service, AWS App Runner, Google Cloud Run or Container Apps deliver 80 percent of the benefit at 20 percent of the operational effort. Kubernetes pays off from around 30 services, with multi-region requirements, or when you need portable workloads between cloud and on-premise. The operational effort for a production K8s cluster realistically amounts to 0.5 to 1 full-time position.
What distinguishes Terraform, OpenTofu and Pulumi?
Terraform (HashiCorp, BSL license since 2023) is the market leader with the broadest provider coverage. OpenTofu is the Linux Foundation fork (MPL 2.0), API-compatible with Terraform 1.5 and the right choice if the license shift is a problem. Pulumi uses real programming languages (TypeScript, Python, Go) instead of HCL — good for teams with a developer background and complex logic. For most SMEs, OpenTofu plus the standard providers from AWS/Azure/GCP is the pragmatic default.
How do we reduce cloud costs without losing performance?
Three levers deliver 80 percent of the savings: right-sizing compute instances using CloudWatch or Azure Monitor data from the last 30 days (typically 25 to 40 percent reduction), Reserved Instances or Savings Plans for stable workloads (up to 72 percent versus On-Demand), and a consistent storage-tiering strategy (S3 Intelligent-Tiering, Azure Cool/Archive). On top come abandoned resources — typically 10 to 15 percent of every cloud bill are unused disks, snapshots or load balancers.
Does our data stay in the EU?
Yes, if you consistently restrict the cloud regions to EU locations (Frankfurt, Dublin, Amsterdam, Paris, Zurich) and pin data replication to EU regions via service configuration. However: all three hyperscalers are US companies, which means the US CLOUD Act and the Schrems II ruling apply. For highly sensitive data, we recommend either EU-sovereign providers (IONOS, OVHcloud, STACKIT) or encrypted storage with bring-your-own-key, so that the cloud provider cannot technically decrypt the data.
What is GitOps and do we need it?
GitOps means: the desired state of your infrastructure and applications resides entirely in Git, and an agent (ArgoCD or Flux) automatically ensures that the cluster matches this state. Benefits: a complete audit trail, automatic rollbacks via Git revert, no direct kubectl access to production needed. For teams with more than 3 developers and Kubernetes in use, GitOps is best practice in 2026. For small teams, a classic CI/CD pipeline is often sufficient.
How long does a cloud migration take?
For pure lift-and-shift, plan 2 to 4 months per 10 workloads including testing. Re-platforming (database from on-prem SQL to a managed service, application into containers) doubles this timeframe. Re-architecting with microservice splitting and serverless rebuild takes 12 to 24 months. Honest rule of thumb: any deadline under 6 months for a complete migration is unrealistic — anyone who promises it faster is planning rework in production.
Do we need SRE or is classic operations enough?
Site Reliability Engineering is not a personnel title but a discipline: measurable Service Level Objectives, error budgets, a post-mortem culture and toil reduction through automation. In SMEs you don't need a dedicated SRE title — but the practices pay off from the moment you operate critical applications with a defined availability (typically 99.5 percent or higher). We coach the operations team on SRE practices instead of hiring a separate SRE.
What about cloud exit — do we avoid vendor lock-in?
Complete cloud portability is a myth and expensive. Pragmatic approach: use the native services of your chosen cloud (managed Postgres, managed Kafka, IAM), but encapsulate the application logic so that a switch remains theoretically possible — via containers, standard APIs and IaC-defined infrastructure. A real cloud-exit strategy needs annual restore tests in an alternative region or cloud — otherwise it is just paper.
In-depth articles & cases
This pillar covers the overview — for operational depth we refer to the specialized articles per topic area. Each article is usable on its own and links back to this cloud-and-DevOps guide.
Cloud migration step by step
From discovery through foundation to cutover — the complete migration process with real time estimates.
AWS vs Azure vs GCP — comparison
Service depth, DACH suitability, prices and identity integration in an honest direct comparison.
Kubernetes for SMEs — when it pays off
A decision matrix with clear thresholds — and when PaaS containers are the better choice.
Terraform Best Practices
Module structure, state management, CI integration, drift detection — the pragmatic guide.
Building a CI/CD pipeline
From build through test to deploy — the mandatory building blocks of a 2026-ready pipeline.
Docker vs Podman
Rootless containers, license differences, OCI compatibility and which runtime for which workloads.
Reducing cloud costs — FinOps guide
Right-sizing, reservations, storage tiering and the monthly FinOps review in detail.
Building a DevOps team in an SME
Roles, skill profiles, onboarding paths and the coaching alternative to pure new hiring.
Observability stack 2026
Prometheus, Grafana, OpenTelemetry, Tempo, Loki — and when Datadog is the better choice.
Zero-downtime deployments
Blue-green, canary, rolling updates — which strategy for which application.
Multi-cloud vs single-cloud
When multi-cloud really pays off — and when it only multiplies operational complexity.
GitOps with ArgoCD and Flux
Declarative cluster state in Git, automatic sync agents, rollback via Git revert.
Serverless vs container
Lambda, Cloud Run, Container Apps versus ECS, AKS, GKE — decision criteria for 2026.
Site Reliability Engineering in SMEs
SLOs, error budgets, post-mortems — SRE practices without a dedicated SRE crew.
Cloud-exit strategy and avoiding vendor lock-in
Realistic portability architecture instead of the multi-cloud myth.
From our projects
Cloud migration with hardening
A SaaS provider migrated from a dedicated server to AWS, including security hardening and a CSPM baseline.
ERP automation for an SME
Interface modernization, IaC foundation, CI/CD pipeline for a mechanical-engineering ERP.
Infracorp Global — multi-region setup
An international infrastructure firm with a multi-region cloud architecture and a complete data-residency review.
Ready for the first step?
Arrange a free 30-minute conversation to assess the state of your cloud and DevOps situation. Afterwards you'll know whether you need a migration, a foundation modernization or DevOps coaching — or whether your platform is already cleanly set up.
Book a consultation