Solutions

The services on offer, and the architecture patterns underneath them — from physical builds to private AI, with one identity surface and central logging tying it together.

Services

Six core practice areas — from running cable and racking servers up to shipping custom software and standing up private on-prem AI. Engagements are scoped individually or bundled into a longer-running consulting retainer.

Infrastructure & Networking

Hands-on physical and network builds: cabling, racks, firewalls, on-prem servers, and wireless point-to-point bridges between sites.

  • Oversee or personally run structured cabling, server-rack builds, patch panels, UPS, and PDU work.
  • Provision and harden hardware firewalls — pfSense, WatchGuard, SonicWall — with sane ACLs, IDS/IPS, and reporting.
  • Design L2/L3 switching, VLAN segmentation, QoS, and inter-VLAN routing for offices, server rooms, and DMZs.
  • Stand up wireless point-to-point bridges and backhauls (TP-Link CPE710-class radios) for branch links, warehouse extensions, and post-acquisition site stand-ups.
  • Build dedicated backup servers and snapshot-based recovery for both Windows and Linux workloads.
  • Site-to-site VPN topologies (WireGuard, IPsec) and SD-WAN-style routing for multi-site organizations.

Build & Operate

Cloud & Hybrid

Azure, AWS, and on-prem working as one estate — with clustered VMs, identity sync, and SaaS deployed where it actually pays off.

  • Azure: VMs, Virtual Networks, Entra ID, Intune, Microsoft Defender, M365 / SharePoint Online, and Purview for governance.
  • AWS: EC2, S3, IAM, VPC peering, Route 53, and CloudWatch — sized for actual load, not "just spin up a t3.large".
  • Clustered virtualization on Hyper-V or KVM/Proxmox, including HA, live migration, and replication to a secondary site.
  • Hybrid identity: AD DS ↔ Entra ID, SSO, conditional access, and seamless user experience across on-prem and cloud.
  • Workload placement decisions backed by real cost and performance modelling — not just defaulting to "everything to cloud".
  • Hybrid networking: ExpressRoute, S2S VPN, public IP gateway designs, and split-horizon DNS that survives a cloud outage.

Cloud & On-Prem

Security & Access

Practical defense-in-depth: zero-trust-style access, MFA, hardened baselines, and central logging that someone actually reads.

  • Firewall policies tuned to real traffic, with VPN + MFA as the only inbound path to internal resources.
  • Mandatory MFA / 2FA on VPN, RDP, admin tooling, and cloud sign-ins (Microsoft Authenticator, Duo, hardware tokens).
  • Least-privilege identity design across AD DS, Entra ID, and SaaS — Tier-0 separation for admin accounts, no daily-driver Domain Admins.
  • Endpoint hardening with Intune / GPO baselines, full-disk encryption, app control, and least-privilege local accounts.
  • Central logging and alerting: SSH, VPN, firewall, AD sign-ins, web servers — feeding a dashboard or SIEM-lite the team will actually look at.
  • Security assessments and roadmaps tailored to your real risk profile, not a generic checklist that ignores how the business operates.

Defense-in-Depth

Software & SaaS Development

Custom web apps, internal tools, and SaaS products — built on a classic LAMP stack or a modern web framework, hosted where it makes sense.

  • Custom web apps and internal tools: PHP / LAMP, Python, Node/Express — chosen for fit, not fashion.
  • Front-controller / MVC layouts so apps stay maintainable without framework lock-in.
  • SaaS-style products billed per seat or by retainer, including auth, billing, and admin surfaces.
  • ERP / CRM integration — Dynamics, Salesforce, SharePoint, Power Platform, plus self-hosted suites — wired into custom workflows and dashboards.
  • Database design and operations: MySQL/MariaDB, PostgreSQL, MSSQL — with backups, point-in-time recovery, and schema migration discipline.
  • Secure delivery: hardened TLS, sane HTTP headers, CSP, audit logging, and least-privilege service accounts as defaults.

Apps & Integrations

DevOps & Automation

IaC-style configs, CI/CD pipelines, and scripting that turns long, error-prone tasks into one repeatable command.

  • Infrastructure-as-code mindset — git-versioned configs for nginx/Apache, firewall rules, and provisioning scripts.
  • CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) for build, test, deploy, and rollback paths.
  • Bash, PowerShell, and Python automation for backups, health checks, log rotation, certificate renewal, and post-migration cleanup.
  • Power Automate for business workflows: approvals, notifications, document routing, and lifecycle tasks across M365.
  • Onboarding / offboarding flows that drive AD, Entra ID, Intune, Exchange Online, and SaaS provisioning from a single trigger.
  • Monitoring and alerting (Grafana / Prometheus / Zabbix / native cloud) with thresholds tuned to actual workload behaviour.

Repeatable Ops

AI & Private LLMs

On-prem private LLMs, agentic workflows, and AI woven into ERP / CRM — with the data and compute staying inside your network.

  • Stand up on-prem private LLMs on dedicated GPU servers (Ollama, vLLM, llama.cpp) so sensitive data never leaves the network.
  • Cost angle that matters: a single capable server hosting a private LLM is often cheaper than a stack of $200-per-seat AI subscriptions, with full data sovereignty as a bonus.
  • Agentic AI workflows — Claude Code, MCP servers, and custom orchestrators — wired into existing tooling for code, ops, and back-office tasks.
  • Retrieval-augmented assistants over your real data: SharePoint libraries, file shares, ticket histories, code repos, and internal wikis.
  • ERP / CRM integration so AI surfaces sit on top of the systems your business already runs in — Dynamics, Salesforce, SharePoint, line-of-business apps.
  • Guardrails, audit logging, and access controls so AI use is traceable and aligned with the same policies as the rest of the stack.

Private & Practical

Architecture

How environments are designed under the hood — from the patch panel to the private LLM. Six layers, each built on simple, hardened building blocks and configuration kept under version control.

Physical & Network

The layer most teams ignore until it bites: cabling, racks, firewalls, switching, and wireless P2P bridges done properly.

  • Structured cabling, rack builds, patch panels, UPS, and PDU layouts, overseen or executed personally.
  • Hardware firewalls (pfSense, WatchGuard, SonicWall) configured with sane ACLs, IDS/IPS, and reporting wired into central logging.
  • L2/L3 switching, VLAN segmentation, and inter-VLAN routing — separate networks for servers, users, IoT/cameras, and guests.
  • Wireless point-to-point bridges and backhauls (TP-Link CPE710-class radios) for branch links, warehouse extensions, and acquisition stand-ups.
  • Site-to-site VPN topologies (WireGuard, IPsec) with health monitoring and failover.
  • DNS, DHCP, NTP, and SNMP — boring, foundational, and built to be observable.

Compute & Storage

Clustered VMs, on-prem servers, and cloud workloads designed as one estate — with SMB, iSCSI, and S3-compatible storage where each fits.

  • Hypervisor stacks: Hyper-V, VMware, KVM/Proxmox — clustered with HA, live migration, and replication to a secondary site.
  • Windows Server roles (AD DS, DNS/DHCP, IIS, file/print, ADFS) and Linux servers (Ubuntu, RHEL/Fedora) running side-by-side.
  • Cloud compute — Azure VMs and AWS EC2 — sized for actual load, with autoscale only where the workload genuinely benefits.
  • Storage layouts: SMB shares, iSCSI targets, NFS, and S3-compatible object storage — chosen for the workload, not the vendor.
  • Dedicated backup servers (Veeam-class or scripted snapshot pipelines) with offline copies and tested restore drills.
  • Database tiers across MySQL/MariaDB, PostgreSQL, and MSSQL with backups, replication, and migration discipline.

Identity & Access

One identity surface across on-prem and cloud, with MFA, conditional access, and Tier-0 separation as the defaults.

  • Centralized identity via AD DS / Entra ID — policies, groups, and MFA flow through to servers, SaaS, and VPN endpoints from one place.
  • Conditional access and Tier-0 separation: admin accounts isolated from daily-driver accounts; PAW-style admin workstations where appropriate.
  • SSH key-only authentication for Linux servers, with role-based admin accounts and no password logins.
  • WireGuard / IPsec VPNs for remote desktop, SSH, and SMB traffic — services kept off the public internet by default.
  • Mandatory MFA for VPN, RDP, admin tooling, and cloud sign-ins (Microsoft Authenticator, Duo, hardware tokens).
  • Sign-in and admin-action logging fed into central monitoring so suspicious access patterns surface fast.

Data & Applications

Custom web apps, internal tools, and ERP / CRM integrations on top of databases that are backed up, encrypted, and operated like production.

  • Apache or nginx fronting PHP, Python, and Node services — front-controller / MVC layouts, no framework lock-in.
  • Hardened TLS, HSTS, CSP, and sane HTTP-header / cookie defaults baked into every site.
  • Application data stored in encrypted databases on-prem or in cloud, with backups and point-in-time recovery configured per workload.
  • ERP / CRM integration — Dynamics, Salesforce, SharePoint, Power Platform — wired together via REST APIs, queues, and Power Automate.
  • Internal tools and dashboards that replace spreadsheet-based processes for finance, ops, and HR.
  • Reverse-proxy designs (nginx, Cloudflare) for safe public exposure of internal services where needed.

Operations

Configuration as code, CI/CD pipelines, scripted ops, and monitoring that catches problems before users do.

  • Git-versioned configuration: nginx/Apache vhosts, firewall rules, IaC templates, and automation scripts live in source control.
  • CI/CD pipelines (GitHub Actions, GitLab CI, Jenkins) for build, test, deploy, and rollback paths on apps and infrastructure changes.
  • Bash, PowerShell, and Python automation for backups, health checks, log rotation, certificate renewal, and post-migration cleanup.
  • Power Automate for business workflows: approvals, notifications, document routing, and lifecycle tasks across M365.
  • Onboarding / offboarding flows that drive AD, Entra ID, Intune, Exchange Online, and SaaS provisioning from a single trigger.
  • Monitoring (Grafana / Prometheus / Zabbix / native cloud) with alerting tuned to actual workload behaviour, not just defaults.

AI Layer

On-prem private LLMs, agentic workflows, and AI assistants grounded in real company data — with the compute and prompts staying inside your network.

  • Private LLMs hosted on dedicated GPU servers (Ollama, vLLM, llama.cpp) behind a hardened reverse proxy and IdP-backed auth.
  • Cost angle: a single capable server can serve a 30+ person org for less than the equivalent stack of $200-per-seat AI subscriptions — with full data sovereignty.
  • Retrieval-augmented assistants pointed at SharePoint libraries, file shares, ticket history, code repos, and internal wikis.
  • Agentic workflows — Claude Code, MCP servers, custom orchestrators — wired into ops, code, and back-office tasks.
  • ERP / CRM integration so AI surfaces sit on top of existing systems, not in a side-quest portal nobody opens.
  • Audit logging, rate limits, and access policies aligned with the rest of the stack — AI usage is observable and reviewable.