From blueprint to running platform
Design is only valuable when it becomes infrastructure. We build production-ready, EU-sovereign platforms: fully automated, security-hardened, and ready for your teams to deploy on.
Platform
A Cloud Adoption Framework-aligned platform with the required baseline in place from day one, plus optional extensions where the design calls for them.
- Landing zones — One T Cloud account by default with enterprise projects as the main permission, ownership, and cost boundary, plus separate accounts only when legal, billing, or strong administrative isolation requires them
- Sovereign Fremforge — EU-sovereign managed Git and CI/CD at frem.sh with hosted runners, single sign-on enforcement, and a bundled supply chain security stack (pre-receive secret scanning, dependency scanning, signed commits, and SLSA provenance) for strong control over source code and delivery workflows; AI-agnostic by design, with a first-class public API that your developer tooling and AI agents consume directly, and no forge-level vendor lock-in
- Ephemeral Fremforge runners — Temporary continuous integration and continuous delivery (CI/CD) workers spawned on demand, scaling with workload and back to zero when idle, similar to hosted Azure DevOps agents
- OpenTofu modules — Standardised infrastructure modules with best-practice security defaults
- CI/CD templates — Deployment pipelines with built-in security scanning and multi-environment support
- Runtime secrets delivery — Pipeline secrets and deployment credentials supplied from sovereign secrets management at runtime, so CI/CD jobs avoid long-lived credentials in repositories and runner images
- Policy as code — Governance and continuous compliance enforcement, including Kubernetes manifest policy evaluation
Shared services
The cross-cutting services that form the platform baseline, plus optional shared services when the architecture needs them.
- API management — Optional shared or workload-owned API gateway for routing, throttling, and authentication controls where it adds value
- Load balancing and WAF — Public web ingress through Web Application Firewall (WAF)-protected edges, with load balancing patterns selected per workload or shared service
- Enterprise networking — Native virtual private cloud (VPC) routing by default, with Enterprise Router and firewall controls where shared routing domains or perimeters are required
- Hybrid connectivity — Connections to on-premises, Secure Access Service Edge (SASE), or other hosting providers when the design includes hybrid dependencies
- DNS as code — Shared public and private DNS patterns, usually owned in the connectivity boundary and managed through infrastructure as code
- Certificate management — Automated TLS lifecycle with cert-manager and Let’s Encrypt for Kubernetes workloads, or load-balancer-based TLS termination for non-containerised services
- Managed messaging — Optional Kafka-based messaging for event-driven architectures and asynchronous workflows
- Documentation site — Optional central platform and service documentation where shared documentation needs justify it
Cloud native application platform
Enterprise Kubernetes with everything developers need to ship confidently.
- Kubernetes — Enterprise clusters with secure-by-default configuration
- GitOps — Declarative, auditable, and version-controlled deployment workflows when GitOps is the chosen delivery model
- Managed ingress and egress — Approved ingress patterns with WAF at public web edges and controlled egress through the selected perimeter model
- Flexible isolation — Multi-solution or single-solution designs (platform-in-platform or per-workload isolation)
- Container registry — Managed registry with Trivy-based image scanning in CI/CD
- Serverless compute — FunctionGraph-first automation and lightweight event-driven workloads without provisioning servers
- Managed databases and storage — Added where the workload design needs managed data services rather than self-managed runtimes
- Virtual machines — VM-based compute for workloads that don’t require containers or serverless patterns
- Secrets and encryption — Managed keys and platform secrets through Data Encryption Workshop (DEW) Key Management Service (KMS) and Cloud Secret Management Service (CSMS)
- Self-service pipelines — Consistent developer experience with deployment autonomy