In 90 days, a fractional GCP architect delivers a production-ready cloud platform — landing zone, Terraform automation, CI/CD pipelines, security hardening, monitoring, and documentation. Not a strategy document. Not a roadmap presentation. A working platform your team can deploy to on day 91. At Buoyant Cloud, that is what every engagement produces, following the SCALE Framework from day one.

I am Amit Malhotra, founder of Buoyant Cloud Inc. in Toronto. Here is the exact week-by-week breakdown of what I deliver as a fractional GCP architect, based on the pattern I have repeated across engagements for startups and SMBs across Canada and the USA.

Days 1–14 — Assessment and Landing Zone Design

The first two weeks are about understanding what exists and designing the foundation.

Week 1 — Discovery

I review your current state — existing GCP resources (if any), application architecture, team structure, deployment processes, compliance requirements, and business timeline. This is not a two-month discovery phase. It is a focused assessment that answers four questions. What do you have today? What do you need for production? Where are the security and compliance gaps? What is the right GCP architecture for your workload and budget?

If you are starting from scratch, this week produces the GCP landing zone design — resource hierarchy (organization, folders, projects), IAM structure, network topology, and org policy configuration. If you have an existing environment, this week produces a gap analysis showing what needs to change and in what order.

Week 2 — Landing Zone Build

The landing zone is built in Terraform and deployed. This includes the GCP resource hierarchy with separate projects for production, staging, and development. Org policies enforcing security constraints — no public IPs on compute, no default service account usage, restricted regions. IAM bindings following least-privilege principles with duty separation between developers, CI/CD pipelines, and administrators. Network topology — VPCs, subnets, firewall rules, Cloud NAT, and Private Google Access.

At the end of week 2, you have a governed, secure GCP foundation that everything else will be built on top of.
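The three org policy constraints named above, written as Terraform. This is an added example, not Buoyant Cloud's own code; the variable names, the location value group, and the choice of `iam.automaticIamGrantsForDefaultServiceAccounts` as the constraint for "no default service account usage" are assumptions.

```hcl
# Added example: organization-level guardrails (not the author's code).
variable "org_id" {
  type        = string
  description = "Numeric organization ID (placeholder, supplied by the caller)"
}

variable "allowed_locations" {
  type        = list(string)
  description = "Location value groups permitted for new resources (assumed)"
  default     = ["in:us-locations"]
}

# No public IPs on compute: list constraint, denied for every VM.
resource "google_org_policy_policy" "no_vm_external_ip" {
  name   = "organizations/${var.org_id}/policies/compute.vmExternalIpAccess"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      deny_all = "TRUE"
    }
  }
}

# Default service accounts: stop the automatic Editor grant they receive.
resource "google_org_policy_policy" "no_default_sa_grants" {
  name   = "organizations/${var.org_id}/policies/iam.automaticIamGrantsForDefaultServiceAccounts"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      enforce = "TRUE"
    }
  }
}

# Restricted regions: only the listed location groups may host resources.
resource "google_org_policy_policy" "resource_locations" {
  name   = "organizations/${var.org_id}/policies/gcp.resourceLocations"
  parent = "organizations/${var.org_id}"

  spec {
    rules {
      values {
        allowed_values = var.allowed_locations
      }
    }
  }
}
```

Setting these at the organization node means every folder and project below inherits them; an exception for a single project is then an explicit, reviewable override rather than a default.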

Days 15–42 — Platform Build

Weeks 3 through 6 are the intensive build phase where the core infrastructure goes from Terraform code to running services.

Weeks 3–4 — Compute and Deployment Infrastructure

GKE cluster or Cloud Run services deployed in Terraform, configured with appropriate autoscaling, security contexts, and network policies. CI/CD pipelines built in GitHub Actions or Cloud Build — code push triggers automated build, test, and deployment to staging, with a manual approval gate for production promotion. Container registry configured in Artifact Registry with vulnerability scanning enabled.

The goal is that by end of week 4, your dev team can push code to a Git repository and have it automatically tested and deployed to staging. Production deployment requires one approval click.

Weeks 5–6 — Data, Secrets, and Supporting Services

Cloud SQL or AlloyDB provisioned with appropriate sizing, backups, and high availability for production. Secrets migrated to Secret Manager with application code updated to read from Secret Manager instead of environment variables or config files. Cloud Storage buckets configured with appropriate access controls, lifecycle policies, and encryption settings. Pub/Sub or Cloud Tasks configured for async workloads if applicable.

By end of week 6, the full application stack is running on the platform with Terraform managing every component.

Days 43–70 — Security Hardening and Compliance

Weeks 7 through 10 are where the platform goes from functional to auditable.

Weeks 7–8 — Security Implementation

Security Command Center enabled and configured with finding notifications routed to the appropriate team. VPC Service Controls implemented if the workload handles sensitive data. Cloud Armor configured for public-facing services. IAM audit — reviewing every binding, removing overly permissive roles, implementing custom roles where Google’s predefined roles are too broad. Service account hygiene — removing unused accounts, rotating keys, migrating to Workload Identity for GKE workloads.

This is the 6-Layer Security Model applied systematically — identity, network, data, application, platform, and operational security layers each reviewed and hardened.

Weeks 9–10 — Compliance and Documentation

For startups preparing for SOC 2, this phase includes connecting Drata to the GCP environment and validating that all controls pass. Architecture Decision Records documenting every significant choice — why GKE over Cloud Run, why this network topology, why these IAM patterns. Runbook documentation for common operational tasks — scaling, failover, incident response, access provisioning. Handover documentation for your team covering the Terraform structure, pipeline configuration, and how to make changes safely.

Days 71–90 — Lifecycle Operations and Handover

The final three weeks establish operational maturity and transition ownership to your team.

Weeks 11–12 — Monitoring and Operations

Cloud Monitoring dashboards built for application health, infrastructure utilization, and cost tracking. Alerting configured with meaningful thresholds — not default alerts that nobody reads, but specific alerts tied to SLOs your team cares about. Log-based metrics for security events — IAM changes, firewall modifications, privilege escalations. Cost monitoring with budget alerts at 50%, 80%, and 100% of expected monthly spend.
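Log-based metrics for two of the security events listed above (IAM policy changes and firewall modifications) and a budget with the 50%, 80%, and 100% thresholds, written as Terraform. This is an added example, not Buoyant Cloud's own code; the variable names, metric names, log filters, and budget amount are assumptions.

```hcl
# Added example: security log metrics and budget thresholds (not the author's code).
variable "project_id" {
  type = string
}

variable "billing_account_id" {
  type = string
}

variable "monthly_budget_usd" {
  type    = number
  default = 1000 # constructed value; set to the expected monthly spend
}

locals {
  # Cloud Audit Logs filters, keyed by metric name (names are hypothetical).
  security_log_filters = {
    "iam-policy-changes"    = "protoPayload.methodName=\"SetIamPolicy\""
    "firewall-rule-changes" = "resource.type=\"gce_firewall_rule\" AND protoPayload.methodName:(\"compute.firewalls.insert\" OR \"compute.firewalls.patch\" OR \"compute.firewalls.delete\")"
  }
}

# One counter metric per filter; alert policies can then watch these metrics.
resource "google_logging_metric" "security_events" {
  for_each = local.security_log_filters

  project = var.project_id
  name    = each.key
  filter  = each.value

  metric_descriptor {
    metric_kind = "DELTA"
    value_type  = "INT64"
  }
}

# Budget on the billing account with alerts at 50%, 80%, and 100% of spend.
resource "google_billing_budget" "monthly" {
  billing_account = var.billing_account_id
  display_name    = "monthly-platform-budget"

  amount {
    specified_amount {
      currency_code = "USD" # must match the billing account's currency
      units         = tostring(var.monthly_budget_usd)
    }
  }

  dynamic "threshold_rules" {
    for_each = [0.5, 0.8, 1.0]
    content {
      threshold_percent = threshold_rules.value
    }
  }
}
```

The metrics only count matching audit log entries; a `google_monitoring_alert_policy` on each metric is still needed to notify anyone when the count rises above zero.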

Week 13 — Handover and Knowledge Transfer

Walk-through sessions with your engineering team covering the platform architecture, Terraform structure, CI/CD pipeline operation, monitoring dashboards, and operational procedures. Every piece of infrastructure is in Terraform, every decision is documented, and every operational procedure has a runbook. Your team can operate the platform independently from day 91.

I do not disappear after handover. Most Buoyant Cloud clients transition to a lightweight monthly advisory arrangement — a few hours per month for architecture questions, cost reviews, and escalation support. But the platform is designed so that your team does not need me for day-to-day operations.

What You Have at Day 90

At the end of 90 days, you have a production GCP platform that includes a secured landing zone with proper resource hierarchy and org policies. All infrastructure managed in Terraform with modular, documented code. CI/CD pipelines with automated testing and production approval gates. GKE or Cloud Run deployment infrastructure with autoscaling configured. Database, secrets management, and supporting services provisioned and hardened. Security hardened across all six layers of the 6-Layer Security Model. Monitoring, alerting, and cost governance in place. SOC 2 readiness if compliance is in scope. Full documentation and team handover completed.

This is what $2,000–$5,000 buys for a startup setup, or what a larger scoped engagement delivers for SMBs with more complex requirements. The SCALE Framework ensures that every one of these components is addressed — nothing is skipped and nothing is deferred.

Frequently Asked Questions

Can a fractional architect really build a full GCP platform in 90 days?

Yes — 90 days is actually conservative for a startup-scale platform. The reason it takes companies much longer to do this internally is the learning curve. A fractional architect with 20+ years of experience and dozens of production GCP platforms has already solved every design problem your team would encounter for the first time. The work is execution of proven patterns, not exploration.

Access to the GCP organization or billing account, access to the code repository (GitHub or equivalent), a primary point of contact on the engineering team who can answer questions about the application architecture, and clarity on compliance requirements (SOC 2, HIPAA, or other frameworks). The fractional architect handles everything else.

Many startup setups complete in 4–6 weeks rather than 13. The 90-day timeline includes security hardening, compliance preparation, and thorough handover — if compliance is not in scope or the workload is simpler, the timeline compresses. The fixed-cost startup package at $2,000–$5,000 USD covers the core platform build regardless of whether it takes 4 weeks or 8.

Remediation engagements follow the same phased approach but start with a deeper assessment of the existing environment. The timeline depends on the severity of the issues — quick wins like org policies and IAM cleanup can be done in days, while architectural changes like implementing proper network segmentation or migrating from console-managed to Terraform-managed infrastructure take longer.

No. I need a few hours per week from your primary point of contact — mainly during the first two weeks for discovery and at the end for handover. The intensive architecture and build work happens independently. I provide weekly progress updates and flag any decisions that need your input.
