Cloud Audit: Multi-Cloud Design

Drop — Multi-Cloud Architecture Design
Date: 2026-02-19
Auditor: solution-arch (CloudForge cloud-audit team)
MC Task: #1443

Executive Summary

Drop is 85% cloud-portable thanks to Docker containerization and PostgreSQL. The main AWS lock-in is App Runner, which is easily replaceable. Recommendation: stay on AWS, optimize the current setup, and design the Terraform with an abstraction layer for future portability.

1. Provider Comparison Matrix

| Service | AWS (Current) | Azure | GCP |
|---|---|---|---|
| Compute | App Runner ($25-35/mo) | Container Apps ($20-30/mo) | Cloud Run ($15-25/mo) |
| Database | RDS PostgreSQL ($15-18/mo) | Azure DB for PG ($15-20/mo) | Cloud SQL ($12-18/mo) |
| Registry | ECR ($1-2/mo) | ACR ($5/mo) | Artifact Registry ($1-2/mo) |
| Secrets | Secrets Manager ($0.40/secret) | Key Vault ($0.03/10k ops) | Secret Manager ($0.06/10k ops) |
| CDN | CloudFront ($0-5/mo) | Front Door ($35+/mo) | Cloud CDN ($0-5/mo) |
| WAF | AWS WAF ($5+/mo) | Azure WAF ($20+/mo) | Cloud Armor ($5+/mo) |
| Monitoring | CloudWatch ($3-10/mo) | Azure Monitor ($5-15/mo) | Cloud Monitoring ($0-8/mo) |
| Total estimate | $50-75/mo | $100-130/mo | $35-60/mo |

2. Portable Architecture

```
Cloudflare (DNS + CDN + WAF)        ← Cloud-agnostic edge
          |
          | HTTPS
          v
┌──────────────────┐
│  CaaS Platform   │  ← App Runner / Container Apps / Cloud Run
│  ┌──────────┐    │
│  │  Docker  │    │  ← Identical image everywhere
│  │  Next.js │    │
│  │  :3000   │    │
│  └──────────┘    │
└────────┬─────────┘
         │ DATABASE_URL
┌────────┴─────────┐
│   Managed PG     │  ← RDS / Azure DB / Cloud SQL
└──────────────────┘
```

Abstraction Strategy

| Layer | Approach |
|---|---|
| Compute | Docker image to any CaaS. No platform SDK |
| Database | Standard PostgreSQL via DATABASE_URL |
| Secrets | Terraform abstracts the provider. App reads env vars |
| DNS/CDN/WAF | Cloudflare (cloud-agnostic, free tier) |
| Monitoring | Sentry (errors) + structured logs to any aggregator |
| CI/CD | GitHub Actions (already cloud-agnostic) |

3. Migration Paths

AWS to Azure (3-5 days)

1. Push image to ACR
2. Create Azure DB for PostgreSQL Flexible Server
3. pg_dump/pg_restore data migration
4. Deploy to Azure Container Apps
5. Update Cloudflare DNS
6. Write Azure Terraform modules

AWS to GCP (2-3 days)

1. Push image to Artifact Registry
2. Create Cloud SQL PostgreSQL
3. pg_dump/pg_restore
4. Deploy to Cloud Run (most similar to App Runner)
5. Update Cloudflare DNS
6. Write GCP Terraform modules

Lock-In Assessment

| Component | Lock-In | Notes |
|---|---|---|
| App Runner | LOW | Standard Docker, replaceable |
| RDS PostgreSQL | LOW | Standard PG, any managed PG works |
| ECR | LOW | Standard OCI registry |
| VPC Connector | MEDIUM | AWS-specific networking |
| IAM Roles | MEDIUM | AWS-specific auth model |
| Secrets Manager | LOW | App reads env vars regardless |

4. Recommendation: Stay AWS, Optimize

Rationale:

- $50-75/mo is already low
- No business need to migrate
- 85% portable — migration possible in 2-5 days if needed
- Azure costs MORE (~$100-130/mo)
- GCP saves ~$15/mo but is not worth the effort now

Immediate Actions

- Security fixes (encrypt RDS, restrict SG, use Secrets Manager)
- Add Cloudflare free tier (DNS, CDN, WAF — cloud-agnostic)
- Terraform all resources (reproducibility)
- Add CloudWatch basic alarms ($3-5/mo)

Future Migration Triggers

- AWS cost > $200/mo → evaluate GCP Cloud Run
- EU data sovereignty requirement → Azure Norway East
- Multi-region needed → Cloudflare Workers + D1
- Kubernetes requirement → EKS or GKE

5. 12-Month Cost Projection

| Scenario | Monthly | Annual |
|---|---|---|
| Current (no changes) | $50-75 | $600-900 |
| Optimized AWS | $55-80 | $660-960 |
| AWS + Cloudflare | $55-80 | $660-960 |
| Azure equivalent | $100-130 | $1,200-1,560 |
| GCP equivalent | $35-60 | $420-720 |
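The three "Immediate Actions" security fixes (encrypt RDS, restrict the security group, use Secrets Manager) and the Abstraction Strategy's contract ("Terraform abstracts the provider, the app reads env vars") in one place, as an added Terraform example that is not code from the audit or from the Drop project. The region, VPC and subnet IDs, ECR image URI, resource names and the instance class are assumptions; the only thing the application sees is the DATABASE_URL environment variable, which is the whole interface an Azure or GCP module would have to reproduce for the same image.

```hcl
provider "aws" { region = "eu-north-1" } # assumption: the audit does not name the region

# Assumed inputs (not given in the audit): VPC, private subnets, ECR image URI
variable "vpc_id"           { type = string }
variable "db_subnet_ids"    { type = list(string) }
variable "app_subnet_ids"   { type = list(string) }
variable "image_identifier" { type = string } # <account>.dkr.ecr.<region>.amazonaws.com/drop:<tag>

# --- Restrict SG: Postgres accepts 5432 only from the App Runner connector's SG, never 0.0.0.0/0
resource "aws_security_group" "db" {
  name   = "drop-db"
  vpc_id = var.vpc_id
}
resource "aws_security_group" "app" {
  name   = "drop-app"
  vpc_id = var.vpc_id
  egress { # Terraform drops AWS's default allow-all egress, so grant exactly the DB path
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.db.id]
  }
}
resource "aws_vpc_security_group_ingress_rule" "db_from_app" {
  security_group_id            = aws_security_group.db.id
  referenced_security_group_id = aws_security_group.app.id
  from_port                    = 5432
  to_port                      = 5432
  ip_protocol                  = "tcp"
}

# --- Encrypt RDS: storage_encrypted is fixed at creation time; keep the instance private
resource "aws_db_subnet_group" "db" {
  name       = "drop-db"
  subnet_ids = var.db_subnet_ids
}
resource "random_password" "db" {
  length  = 32
  special = false
}
resource "aws_db_instance" "pg" {
  identifier                = "drop-pg"
  engine                    = "postgres"
  instance_class            = "db.t4g.micro" # assumption
  allocated_storage         = 20
  db_name                   = "drop"
  username                  = "drop"
  password                  = random_password.db.result
  db_subnet_group_name      = aws_db_subnet_group.db.name
  vpc_security_group_ids    = [aws_security_group.db.id]
  storage_encrypted         = true
  publicly_accessible       = false
  skip_final_snapshot       = false
  final_snapshot_identifier = "drop-pg-final"
}

# --- Secrets Manager holds the only copy of the connection string. The app reads DATABASE_URL
# and nothing provider-specific, so an Azure or GCP module only has to supply the same variable.
resource "aws_secretsmanager_secret" "database_url" { name = "drop/DATABASE_URL" }
resource "aws_secretsmanager_secret_version" "database_url" {
  secret_id     = aws_secretsmanager_secret.database_url.id
  secret_string = "postgresql://drop:${random_password.db.result}@${aws_db_instance.pg.address}:${aws_db_instance.pg.port}/drop?sslmode=require"
}

# Two service roles: "access" pulls the private ECR image, "instance" is what the running app assumes
resource "aws_iam_role" "svc" {
  for_each           = { access = "build.apprunner.amazonaws.com", instance = "tasks.apprunner.amazonaws.com" }
  name               = "drop-apprunner-${each.key}"
  assume_role_policy = jsonencode({ Version = "2012-10-17", Statement = [{ Effect = "Allow", Action = "sts:AssumeRole", Principal = { Service = each.value } }] })
}
resource "aws_iam_role_policy_attachment" "ecr_pull" {
  role       = aws_iam_role.svc["access"].name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSAppRunnerServicePolicyForECRAccess"
}
resource "aws_iam_role_policy" "read_secret" { # least privilege: this one secret and nothing else
  role   = aws_iam_role.svc["instance"].id
  policy = jsonencode({ Version = "2012-10-17", Statement = [{ Effect = "Allow", Action = "secretsmanager:GetSecretValue", Resource = aws_secretsmanager_secret.database_url.arn }] })
}

resource "aws_apprunner_vpc_connector" "app" {
  vpc_connector_name = "drop"
  subnets            = var.app_subnet_ids
  security_groups    = [aws_security_group.app.id]
}
resource "aws_apprunner_service" "app" {
  service_name = "drop"
  source_configuration {
    authentication_configuration { access_role_arn = aws_iam_role.svc["access"].arn }
    image_repository {
      image_repository_type = "ECR"
      image_identifier      = var.image_identifier
      image_configuration {
        port                        = "3000"
        runtime_environment_secrets = { DATABASE_URL = aws_secretsmanager_secret.database_url.arn } # resolved at start-up
      }
    }
  }
  instance_configuration { instance_role_arn = aws_iam_role.svc["instance"].arn }
  network_configuration {
    egress_configuration {
      egress_type       = "VPC"
      vpc_connector_arn = aws_apprunner_vpc_connector.app.arn
    }
  }
}
```

Two caveats when applying this to the existing stack. First, `terraform import` the resources that already exist before the first `terraform plan`, or Terraform will try to create duplicates. Second, `storage_encrypted` cannot be flipped on an unencrypted RDS instance in place: the supported route is a snapshot of the current database, a copy of that snapshot with encryption enabled, and a restore from the copy, which is also a natural moment to rotate the database password into Secrets Manager. After apply, `aws rds describe-db-instances --query 'DBInstances[].[DBInstanceIdentifier,StorageEncrypted,PubliclyAccessible]'` should show `true, false` for the instance, and the `drop-db` security group should list no `0.0.0.0/0` ingress.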