Google Cloud Platform Solution Architect

Overview

Hybrid
$160,000 - $190,000
Full Time

Skills

Terraform
GKE
Troubleshoot complex issues
HLD/LLD
L3/L4 network issues
VPC
Cloud Router
Load Balancers
GKE networking

Job Details

Job Title: Senior Google Cloud Architect Infrastructure & Network

Location: Hybrid (Office in Deerfield, IL)

Department: Google Practice

Reports To: Head of Google Practice

Job Overview

Zion Cloud Solutions is seeking a Senior Google Cloud Architect to lead the design and implementation of sophisticated Google Cloud Platform infrastructure, with an emphasis on constructing enterprise-grade landing zones. This role demands hands-on expertise in defining resource hierarchies, VPC networking topologies, security hardening, control plane automation, and cost optimization at scale. Stationed in a hybrid work model with our office in Glenview, IL, you'll architect solutions that integrate hybrid connectivity, enforce zero-trust security, and leverage Google Cloud Platform's native tools to deliver resilient, compliant, and cost-efficient cloud environments for our clients.

This is a technical, hands-on leadership position for someone who thrives on building the backbone of cloud infrastructure (think VPC Service Controls, Cloud Armor, and Terraform-driven deployments) and can own the end-to-end lifecycle of Google Cloud Platform landing zones.

Key Responsibilities

Landing Zone Architecture:

  • Design and deploy multi-tenant, multi-region landing zones using Google Cloud Organizations, Folders, and Projects to enforce resource isolation and governance.
  • Implement custom IAM roles, policies, and Organization Policy constraints (e.g., restricting public IPs, enforcing VPC Service Controls) to align with enterprise security baselines.
  • Set up centralized logging and monitoring with Cloud Logging, Cloud Monitoring, and BigQuery for audit trails and operational insights across landing zones.

Advanced Networking:

  • Architect VPC topologies, including Shared VPCs with service projects, VPC peering, and subnet segmentation for microservices and hybrid workloads.
  • Configure hybrid connectivity using Dedicated Interconnect or Partner Interconnect, paired with Cloud Router for dynamic BGP routing between on-premises data centers and Google Cloud Platform.
  • Deploy Cloud NAT, Private Google Access, and DNS Hub to secure egress/ingress traffic and enable private Kubernetes clusters E instances.

Security Hardening:

  • Integrate VPC Service Controls to create security perimeters around sensitive data, preventing exfiltration risks in multi-project environments.
  • Deploy policies for DDoS protection, WAF rules, and geo-based access controls at the edge.
  • Configure KMS for customer-managed encryption keys (CMEK) and HSM integration to secure data at rest and in transit, ensuring compliance with standards like NIST 800-53 or CIS benchmarks.

Control Plane & Automation:

  • Build a fully automated control plane using Terraform to provision VPCs, subnets, firewall rules, GKE clusters, and service accounts with least-privilege principles.
  • Leverage Google Cloud Deployment Manager or Anthos Config Management for policy-as-code enforcement across landing zones.
  • Script custom automation workflows (Python, Go) to integrate with Cloud Build CI/CD pipelines for infrastructure provisioning and validation.

Cost Governance & Optimization:

  • Implement Billing Accounts with hierarchical cost allocation and create dashboards for real-time cost visibility.
  • Optimize workloads by recommending preemptible VMs, sustained-use discounts, or committed use contracts, balancing cost with SLAs.
  • Identify idle resources, over-provisioned instances, or unutilized IP ranges, driving continuous cost efficiency.

Technical Leadership:

  • Collaborate with application teams to integrate landing zones with GKE, Cloud Run, or App Engine workloads, ensuring seamless network and security alignment.
  • Troubleshoot complex issues (e.g., BGP convergence delays, IAM permission sprawl, or GKE pod networking failures) using tools like Packet Mirroring and Trace.
  • Lead architecture reviews, produce detailed HLD/LLD documents and evangelize Google Cloud Platform best practices within the team.

Qualifications

Experience:

  • 7+ years in cloud infrastructure engineering, with 3+ years architecting Google Cloud Platform environments at scale.
  • Demonstrated success in deploying production landing zones with 10+ projects, hybrid connectivity, and 100+ VPCs/subnets.
  • Hands-on experience debugging L3/L4 network issues (e.g., MTU mismatches, NAT traversal) and securing multi-cloud or hybrid setups.

Technical Skills:

  • Mastery of Google Cloud Platform networking stack: VPC, Cloud Router, Load Balancers (Global/Regional), Traffic Director, and Hybrid Connectivity options.
  • Expert-level proficiency with Terraform HCL for multi-module deployments, including provider-level integrations with Google Cloud Platform APIs.
  • Deep knowledge of Google Cloud Platform security tools: Security Command Center, Chronicle, Forseti, and Cloud DLP for data classification and redaction.
  • Experience with GKE networking (e.g., Calico CNI, Network Policy), Anthos Service Mesh, or Istio for microservices deployments.
  • Fluency in scripting (Python, Bash, or Go) and querying BigQuery for cost/performance analysis.

Certifications (Preferred):

  • Google Cloud Professional Cloud Architect
  • Google Cloud Professional Network Engineer
  • Google Cloud Professional Security Engineer
  • HashiCorp Certified: Terraform Associate

Soft Skills:

  • Ability to dissect RFCs or Google Cloud Platform whitepapers and translate them into actionable designs.
  • Strong communication skills to whiteboard complex architectures for CTOs or debug live with SREs.
  • Comfortable leading under pressure, e.g., resolving P1 outages tied to misconfigured firewall rules or IAM deny policies.

Location & Availability:

  • Hybrid role with regular in-office presence at Glenview, IL (e.g., 2-3 days/week).
  • Willingness to join on-call rotations or travel for client engagements (<20% travel).