Case Study
Many founders assume multi-cloud means redesigning the platform. It doesn't — and it shouldn't. Hybrid architectures are common in mature companies; they're rare in startups because it's easier to teach a Series A startup how to optimize for one cloud than to manage two. But when you've already optimized for one, and new capital (in credits) is contingent on using another, the math changes. You preserve what works, extend what you've built, and move forward. At Renaiss, we help founders make that call technically sound — and profitable.
IP allocation
Get this right before anything else; it's the cheapest mistake to avoid and the most expensive to fix later.
Plan your address space before you connect: no overlaps, aggregatable CIDRs, and know Kubernetes' IP appetite. Kilimo learned this the hard way.
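To make those three rules concrete, here is an added example (not Renaiss's or Kilimo's code; every range is a constructed placeholder) that checks a two-cloud plan for overlaps and aggregatability and sizes Kubernetes pod ranges for both the overlay model and the EKS VPC CNI model:

```python
import ipaddress
import itertools

# Constructed address plan (example values, not Kilimo's real ranges). Each cloud
# owns one supernet; every leaf network must nest inside its cloud's supernet so
# the interconnect carries one aggregate route per cloud.
SUPERNETS = {"aws": "10.0.0.0/12", "azure": "10.16.0.0/12"}
LEAVES = {
    "aws-prod-vpc":   ("aws",   "10.0.0.0/16"),
    "aws-shared-vpc": ("aws",   "10.1.0.0/16"),
    "azure-hub-vnet": ("azure", "10.16.0.0/16"),
    "azure-aks-vnet": ("azure", "10.17.0.0/16"),
    "azure-aks-pods": ("azure", "10.20.0.0/14"),  # overlay pod range, kept unique anyway
}

def check_plan(supernets, leaves):
    """Return findings as strings; an empty list means the plan is clean."""
    findings = []
    supers = {c: ipaddress.ip_network(n) for c, n in supernets.items()}
    for a, b in itertools.combinations(supers, 2):
        if supers[a].overlaps(supers[b]):
            findings.append(f"supernet overlap: {a} {supers[a]} vs {b} {supers[b]}")
    nets = {name: (cloud, ipaddress.ip_network(n)) for name, (cloud, n) in leaves.items()}
    for name, (cloud, net) in nets.items():
        if not net.subnet_of(supers[cloud]):
            findings.append(f"not aggregatable: {name} {net} lies outside {cloud} {supers[cloud]}")
    for a, b in itertools.combinations(nets, 2):
        if nets[a][1].overlaps(nets[b][1]):
            findings.append(f"leaf overlap: {a} {nets[a][1]} vs {b} {nets[b][1]}")
    return findings

def min_pod_cidr_prefix(nodes, per_node_prefix=24):
    """Smallest pod CIDR prefix when each node is handed its own /per_node_prefix
    block (the kubenet / overlay model). Size for peak nodes, including upgrade surge."""
    return per_node_prefix - (nodes - 1).bit_length()

def vpc_cni_ips_needed(nodes, max_pods_per_node):
    """IPs drawn from VPC subnets when pods get VPC addresses directly (EKS VPC CNI):
    one per node plus one per pod."""
    return nodes * (max_pods_per_node + 1)

def subnet_fits(cidr, ips_needed, reserved=5):
    """AWS and Azure each reserve 5 addresses per subnet; account for them."""
    return ipaddress.ip_network(cidr).num_addresses - reserved >= ips_needed

if __name__ == "__main__":
    for finding in check_plan(SUPERNETS, LEAVES) or ["plan is clean"]:
        print(finding)
    print("pod CIDR for 200 nodes plus surge:", f"/{min_pod_cidr_prefix(400)}")
```

Run it against the real plan before the first tunnel comes up; a single "not aggregatable" finding means a second route must cross the interconnect for that cloud.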
IPsec, dedicated circuits, or fully managed cloud fabric. Decide what sits in the path before traffic arrives. For Kilimo: cloud-native. Transit Gateway and Virtual WAN, no third-party appliances, no licensing burden.
A workload in EKS resolves Azure service names without leaking queries to public DNS. Conditional forwarding in both directions, resolver endpoints in HA across AZs, CoreDNS rules in every cluster.
One certificate hierarchy that crosses clouds: a shared root, per-cloud intermediates. Kilimo didn't need mTLS, so we left this out. But it's cheaper to plan early than retrofit later.
01 / 05  INFRASTRUCTURE MAPPING
We audited Kilimo's existing AWS architecture, mapped the workloads that would cross clouds, and calculated how much IP space each cloud needed. The goal was simple: know exactly what you're building before you build it. Most teams skip this. We don't.
02 / 05  CONNECTIVITY DESIGN
We modeled three scenarios: IPsec VPN over the internet, dedicated circuits via Equinix, and cloud-native managed fabric. For Kilimo's traffic volume and inspection needs, IPsec between Transit Gateway and Virtual WAN was the answer. No third-party appliances, no licensing overhead.
03 / 05  DNS AND NAME RESOLUTION
We built conditional forwarding so an EKS pod can resolve an Azure service name and vice versa, without leaking queries to public DNS. Route 53 Private Zones on one side, Azure Private DNS on the other, with resolver endpoints in HA across availability zones.
04 / 05  LOAD BALANCER ORCHESTRATION
We fronted the cross-cloud services with internal load balancers — an NLB in AWS, a Standard LB in Azure. The clusters stay decoupled from each other's pod-level details. A service resolves the peer's private name and gets a stable endpoint. Simple, predictable, operationally sound.
05 / 05  TESTING AND HANDOFF
We validated latency, failover, and symmetric routing before handing over to Kilimo's ops team. Documented the BGP topology, the DNS rules, and the cost per byte crossing the interconnect. The platform was live, the team understood it, and it stayed live.