Consultant ProfileWABI Engineering
Principal Cloud Engineer

Nicolai Lang

I help teams ship reliable, cost-efficient cloud systems on AWS.

Get in touch
Nicolai Lang
Location
Neumarkt i.d.OPf.
Languages
German (Native)
English (Business)
Web

Profil

20+ years of software development, with over a decade on AWS. As Team Lead and Tech Lead. Across consulting and engineering projects for mid-market companies and enterprises. I deliver solid, production-ready solutions that scale. I also keep an eye on the cross-cutting concerns that make cloud systems reliable and future-proof: cost, monitoring, platform, and governance. Depending on what's needed, I act as advisory architect, embedded in cross-functional teams, or hands-on builder. No matter the role. I pay attention to the details without losing sight of the bigger picture. My focus is cloud-native development with serverless. I'm happy to partner with you at every stage of your cloud journey.

Focus Areas

01

Serverless & Cloud-Native Development

Production-ready serverless on AWS. APIs, asynchronous processes, event-driven architectures, and automation. Trade-offs around common patterns in scalability, resilience, and cost frequently meet questions of security and observability. I bring the practical experience for it - from small API backends to platforms processing millions of events.

02

Cloud Modernization & Migration

Modernizing grown AWS landscapes and migrating workloads into the cloud. AWS evolves continuously, so existing architectures can be simplified and TCO reduced. Key here is a clear compass: which metrics show that a component has improved? And what's the right sequence when components are interwoven? Implemented step by step, migrations into the cloud reveal directly how components behave under production load. That minimizes risk, and learnings flow directly into the next step.

03

AI Integration

Embedding AI capabilities into existing applications and processes - RAG-based search over your own data, LLM-driven classification and extraction, agentic workflows. From managed cloud services through hybrid architectures to fully on-premise solutions - matched to the relevant security requirements and data sensitivity. Correctness, traceability, and cost efficiency go hand in hand with access control and targeted monitoring.

04

Multi-Account, Governance & IaC

The topics that tend to get pushed back, and whose impact is often underestimated. On top of that, finding the right balance between complexity and value is hard. AWS Organizations, OrgFormation, a clear SCP and IAM Identity strategy help you stay flexible without using sledgehammers to crack nuts. Plus IaC with CDK, cost allocation, the right FinOps metrics, and a clear CloudTrail audit strategy. Done consistently, this builds an organization that grows with you, provides security, and won't become a blocker later.

05

Multi-Tenant SaaS

Architectures for multi-tenant SaaS platforms. Isolation, noisy neighbors, data residency, and security. The right trade-offs depend on tenant count and load asymmetry, regulatory requirements, and your own cost model. Most of my experience here comes from architecting, building, and running our own SaaS products over many years.

06

European Cloud & Data Residency

The tension between US cloud dominance and European sovereignty requirements shapes the architecture decisions of many companies. With the European Sovereign Cloud (EUSC), AWS has provided a concrete answer, one I have been observing and testing since its market launch. Even with the service gaps that still exist today, you can build complete and compliant applications that hold up in heavily regulated environments.

My EUSC status tracker and newsfeed: eusc.dev

Tech Stack

Full-Stack Cloud Development with a focus onAWSServerlessTypeScriptCDKReact

Compute & Integration
AWS LambdaAmazon ECSAWS FargateAmazon EC2AWS Auto ScalingAmazon ECRAWS Step FunctionsAmazon API GatewayAWS AppSyncAmazon EventBridgeAmazon EventBridge PipesAmazon EventBridge SchedulerAmazon SQSAmazon SNSAmazon Kinesis Data StreamsAmazon Data FirehoseAWS IoT Core
Database & Storage
Amazon DynamoDBSingle Table DesignAmazon DynamoDB StreamsAmazon RDSAmazon Aurora ServerlessAmazon S3AWS Transfer FamilyAmazon ElastiCacheAmazon EFSAmazon EBS
Data & Analytics
AWS GlueAWS Lake FormationAmazon OpenSearchAmazon Athena
Networking & Content Delivery
Amazon VPCAWS VPN (Site-to-Site & Client)AWS PrivateLinkAmazon VPC LatticeELBAWS Cloud MapAmazon Route 53AWS Certificate ManagerAmazon CloudFrontLambda@EdgeAmazon CloudFront Functions
Email
Amazon SESResend
Sovereign Cloud
AWS European Sovereign Cloud (EUSC)
Security, Identity & Compliance
AWS IAMAWS IAM Identity CenterAmazon CognitoAzure Entra IDAWS KMSAWS Secrets ManagerAWS WAFAWS Security HubAmazon GuardDutySocket Firewall
Management & Governance
AWS CDKAWS CloudFormationOrgFormationAWS OrganizationsAWS Control TowerAWS Systems ManagerAWS AppConfigAWS Parameter StoreAWS Cost ExplorerAWS BudgetsAWS Cost and Usage Reports
Monitoring & Observability
Amazon CloudWatchAWS X-RayAWS CloudTrailAWS Config
AI & Automation
Amazon BedrockAmazon Bedrock Knowledge BasesAmazon S3 VectorsAmazon TextractOpenRouterOllamaModel Context Protocol (MCP)
Developer Tools
GitHub GitHub Actions Blacksmith Claude CodeDockerOrbStackAWS CodePipelineAWS CodeBuild
Frontend
ReactTanStack RouterTanStack StartViteTailwind CSSshadcn/uireact-i18nextMDX
Languages & Frameworks
TypeScriptJavaScriptJavaNode.jsAWS SDK (v3)TypeSpecZodOpenAPIMiddyAWS Lambda PowertoolsVitestInversifyTurboRepopnpmOXC Suite

Core focusServices I use deeply and often.

Certifications

AWS Certified Solutions Architect - Associate
AWS Certified AI Practitioner
AWS Certified Cloud Practitioner
Technology Badge: Serverless
Technology Badge: Architecting
Technology Badge: Events & Workflows
Technology Badge: Networking Core
Technology Badge: Cloud Essentials
AWS Partner: Technical Accredited
AWS Partner: Sales Accredited

Approach

I work in incremental, outcome-driven steps - each delivering clear value on its own. With clearly defined goals and requirements. Results become visible immediately, and progress and costs stay transparent. Course corrections become apparent early, and blockers can be cleared quickly. I communicate clearly and directly, keeping even complex technical topics accessible for the audience at hand.

Reference Projects

Document Management with AI-Driven Capture

Solution Architect & Lead Developer12/2025 - 06/2026

Multi-tenant SaaS product for automated document capture and management. AI-driven pipeline of OCR, classification, data extraction, and automatic tagging powered by Amazon Bedrock. All infrastructure is deployed via CDK through GitHub Actions. The project is purely serverless on AWS Lambda, built with TypeScript. The frontend is based on React with TSX and uses shadcn/ui components with custom styling. Users can create accounts through a self-onboarding process backed by Cognito and sign in passwordless via OTP or use their Microsoft account as IdP. Authentication and federation run over OAuth2/OIDC flows.

Amazon BedrockAWS LambdaAmazon API GatewayAmazon DynamoDBAmazon CognitoAWS CDKTypeScriptReact

RAG Platform for Technical Documentation

Solution Architect & Lead Developer03/2026 - 05/2026

Experimental question-and-answer system for documents with source citations. Fully serverless codebase (TypeScript on AWS Lambda) with a swappable model backend: AWS-managed, European Sovereign Cloud, and local on-premise models for different sovereignty levels. A role-based authorization layer ensures that only documents within the user's access scope enter the retrieval context. The frontend was built with React and TypeScript as well.

Amazon Bedrock Knowledge BasesAmazon S3 VectorsAmazon TextractAmazon Titan EmbeddingsOllamaAWS LambdaAmazon SQSAmazon EventBridgeTypeScriptReact

SaaS Loyalty & Couponing Platform

Solution Architect & Lead Developer02/2023 - 10/2025

Multi-tenant platform for customer loyalty in retail, serverless and event-driven. Migration of the existing ECS solution onto Lambda via Strangler Pattern during ongoing operations. Per-tenant data and queues, events distributed across account boundaries, DynamoDB Single Table Design plus OpenSearch for more complex queries and the UI. Development followed an API-first approach with OpenAPI and a custom code-generation layer. Both the backend code on Lambda and the infrastructure with CDK were built entirely in TypeScript. Monitoring uses a mix of CloudWatch and OpenSearch + Grafana.

AWS LambdaAmazon API GatewayAmazon DynamoDBAmazon OpenSearchAmazon SQSAmazon EventBridgeTypeScriptAWS CDK

Modernization of a Stateful Messaging Service

Solution Architect09/2024 - 03/2025

Modernization of a stateful messaging service whose architecture only scaled through over-provisioning and was uneconomical during low-traffic periods. Stepwise rebuild to serverless, starting from rarely used features of individual consuming systems through to high-traffic central endpoints. The previously in-memory state moved to DynamoDB and EFS. Result: better scalability, lower operating costs, significantly less code.

AWS LambdaAmazon API GatewayAmazon DynamoDBAmazon VPCELBAWS Cloud MapAmazon EFSAmazon SQSAmazon EventBridgeTypeScriptAWS CDK

Multi-Account Landing Zone & Identity

Solution Architect03/2024 - 09/2024

Migration of a grown AWS organization to fully IaC-based landing zones (OrgFormation), replacing Control Tower. Central identity management with Identity Center and Azure Entra ID as IdP. Various standard roles can be provisioned via IaC, and member accounts and regions are secured by OUs and matching SCPs.

OrgFormationAWS IAM Identity CenterAzure Entra IDSCPsAWS CDKGitHub Actions

Multi-Tenant Micro-Frontend Platform

Solution Architect & Lead Developer06/2024 - 08/2024

Multi-tenant frontend platform for various services in the retail sector, implemented as micro-frontends under a central app shell. The app shell orchestrates the individual micro-frontends and provides shared baseline functionality. The micro-frontends are versioned; the app shell is responsible for resolving and delivering the correct version of each. This runs via CloudFront with Lambda@Edge and CloudFront Functions, with the matching origin resolved dynamically from the CloudFront KeyValueStore. It was built with React/TypeScript and the AWS Cloudscape Design System. Behind the scenes, a management system based on AWS Lambda, DynamoDB, and Cognito enables creating tenant workspaces and establishing federations with external IdPs such as Microsoft Entra ID or SAP Cloud Identity Services. I was substantially involved from concept through to the finished implementation.

Amazon CloudFrontAWS LambdaAmazon DynamoDBAmazon CognitoReactTypeScriptCloudscape Design System

Hybrid Cloud - Data Center Integration

Solution Architect11/2023 - 03/2024

Connecting an on-premise data center to a multi-account AWS environment in a hub-and-spoke architecture. In case of a data center outage, cloud services take over operations - the prerequisite was clean DNS and network configuration across all accounts.

Amazon VPCAWS VPNAWS RAMAmazon Route 53Amazon EC2AWS CDK

CDK Account Preparation System

Lead Developer03/2023 - 09/2023

Automated account setup for multi-account, multi-tenant environments. Every newly provisioned account receives a standardized baseline of IAM roles and policies, alarms, and foundational infrastructure, fully deployed via AWS CDK. The CDK constructs and stacks are modular and can be tailored per tenant configuration and per deployment stage. Accounts are managed and secured organization-wide via AWS Organizations and AWS Control Tower; the baseline setup establishes a uniform security baseline for every account. Amazon EventBridge reacts to relevant events so that downstream setup and control steps are triggered automatically. For steps outside native CloudFormation coverage, CDK Custom Resources written in TypeScript are used.

AWS CDKCDK Custom ResourcesTypeScriptAWS LambdaAmazon EventBridgeAWS IAMAWS OrganizationsControl Tower

Self-Service API for SAP Customer Data Platform

Solution Architect08/2022 - 06/2023

Integration architecture for several product teams in a grown retail IT landscape. Decoupled REST API and event system as a unified entry point to the central SAP Customer Data Platform - product teams get curated APIs and work independently, without having to build up SAP expertise. Platform events are collected in a data lake for analytics.

Amazon API GatewayAWS LambdaAmazon SQSAmazon EventBridgeAmazon Data FirehoseAmazon S3TypeScript

Centralized Cross-Account Email Sending

Lead Developer10/2022 - 12/2022

Shared service for sending transactional email from Cognito, multi-tenant across tenant accounts. Implemented with Cognito Custom Email Sender, OTP decryption with KMS, and per-tenant designed emails via SES Templates. Includes SES Sender Domains, bounce and complaint management, and use of the SES account-level suppression list.

AWS LambdaAWS IAMAmazon SESAmazon SQSAmazon CognitoAWS CDKTypeScript

CloudTrail-Based Auditing

Solution Architect & Developer08/2022 - 09/2022

Central audit solution for user activity based on AWS CloudTrail across an entire AWS Organization. Activities from all member accounts are captured organization-wide and consolidated in a dedicated audit account. At its core is a CloudTrail Lake event data store that holds the events centrally and tamper-evident. For recurring audit and compliance questions (who performed which action and when), prebuilt queries are available for ad-hoc analysis. Access is granted exclusively with least-privilege permissions via IAM Identity Center and corresponding permission sets. Service Control Policies (SCPs) prevent disabling or tampering with the trail.

AWS CloudTrailAWS CloudTrail LakeAmazon CloudWatchAWS OrganizationsAWS IAM Identity Center

Data Migration for a Loyalty & Couponing Platform

Lead Developer06/2022 - 09/2022

Data migration in a loyalty and couponing project: transfer of ~25 million records from heterogeneous source systems (SAP and historically grown in-house developments) to AWS. Extraction, preparation, and validation via custom-built migration tools with AWS Glue, Amazon Athena, and S3; target storage in DynamoDB and Aurora Serverless (MySQL). Since the legacy and target systems ran in parallel for an extended period, a continuous, event-driven synchronization via Amazon EventBridge, SQS, and Lambda was added, monitored via CloudWatch. Focus: lossless and consistent migration between the old and new systems.

AWS GlueAmazon AthenaAmazon S3Amazon DynamoDBAmazon Aurora ServerlessAWS LambdaAmazon EventBridgeAmazon SQSAWS CDKTypeScript

Corporate VPN with Customer Network Connectivity

Solution Architect & Developer03/2022 - 04/2022

Client VPN for employees plus site-to-site connectivity to customer systems. Access control via Identity Center and Azure Entra ID, site-specific hybrid DNS resolution (split-horizon) for VPN-based direct access bypassing public endpoints.

Amazon VPCAWS VPNAWS IAM Identity CenterAmazon Route 53Amazon EC2AWS CDKTerraform

Open Source Projects

Turborepo Remote Cache - Serverless on AWS

Author & Maintainer

Turborepo is great, and as an AWS architect you want a caching solution without Vercel. The project provides a CDK construct and CLI to deploy a Turborepo Remote Cache into your own AWS account - fully serverless. Either via one-command deploy or as a construct integrated into existing stacks.

AWS LambdaAmazon S3AWS Secrets ManagerAWS CDKTypeScript

WABI TypeSpec Tooling - API-First Code Generation

Author & Maintainer
In Preparation

TypeSpec emitter suite that generates production-ready TypeScript code from API definitions. Types and Zod validation schemas for requests, responses, and events. HTTP routing tables with API Gateway and Lambda adapters. Service operation interfaces with typed errors, CloudEvents envelopes with dispatch maps, and AWS CDK constructs for API Gateway bindings. Plus typed HTTP clients in AWS-SDK-v3 style for consuming APIs from frontends or M2M. Emitters can be used individually or combined and are opinionated by design - the result of years of practice with REST API development and API-first approaches.

TypeSpecTypeScriptZodAWS CDKAmazon API GatewayCloudEvents
Publication coming soon

WABI Foundation - Cloud-Native Building Blocks for AWS

Author & Maintainer
In Preparation

Modular CDK library for building production-ready serverless applications on AWS. Six building blocks, usable individually or together, addressing recurring concerns in new projects: base infrastructure (Route53, EventBridge, Lambda helpers), edge layer with CloudFront and ACM, an email service with send/receive and multilingual templates, an event pipeline from DynamoDB Streams into EventBridge, an identity service on Cognito with OTP flow, user onboarding plus user and group management, and a Cedar-based in-process authorization. The aim is to distill experience from 10 years of AWS projects into reusable components - new initiatives start directly with the actual solution, not the boilerplate.

AWS CDKTypeScriptAWS LambdaAmazon DynamoDBAmazon CognitoAmazon CloudFrontAmazon EventBridgeCedar
Publication coming soon

serverless-offline Local Authorizers Plugin

Author & Maintainer
Archived

Plugin for serverless-offline that enables local Lambda authorizers in development setups. Closes the DX gap when locally testing API Gateway endpoints with custom authorizers - no cloud deploy required to validate authorizer logic. Active from 2020 to 2023 and used productively across the serverless community during that time. Afterwards, the Serverless Framework and its ecosystem changed considerably and the plugin's relevance declined. At the same time, I increasingly moved new projects to CDK.

AWS LambdaAmazon API GatewayTypeScriptServerless Framework

Publications

AWS Lambda MicroVMs: A Hands-On Test

Wabi-Tech Blog
June 2026

AWS just launched Lambda MicroVMs: Firecracker-isolated VMs that run for up to 8 hours, are stateful, and can be suspended and woken up again in under a second. I put them through their paces with a small Node.js server and looked at throughput, snapshots, PRNG behavior, disk, logging, and quotas.

Messaging-Latenz: AWS European Sovereign Cloud vs. Frankfurt im Test

Wabi-Tech Blog
June 2026

Ich habe einen Latency Checker für EventBridge, SNS und SQS gebaut und parallel in der AWS European Sovereign Cloud und in eu-central-1 (Frankfurt) laufen lassen. Das Ergebnis: vergleichbare Latenzen, und bei niedrigem Durchsatz aktuell sogar ein Vorteil für die EUSC.

ADRs in Agentic Coding: Warum Entscheidungen zum Kontext werden müssen

Wabi-Tech Blog
June 2026

Architecture Decision Records halten fest, warum etwas im Code so ist, wie es ist. Im Zusammenspiel mit KI-Agenten werden sie zu mehr als Doku, nämlich zu maschinenlesbarem Kontext und Leitplanken, die dem Agenten helfen, deinen Code besser zu verstehen.

Die AWS European Sovereign Cloud - eine echte europäische Alternative zur AWS Cloud?

Wabi-Tech Blog
June 2026

Am 15. Januar 2026 hat AWS die European Sovereign Cloud gelauncht - eine eigene, vollständig in der EU betriebene Partition für Workloads mit erhöhten Souveränitätsanforderungen. Was steckt dahinter, was kann sie heute schon, und wann lohnt sich der Einsatz wirklich? Eine ehrliche Einordnung aus der Praxis.

AWS CDK vs. Terraform - An Honest Take from Real-World Experience

Wabi-Tech Blog
March 2026

AWS CDK or Terraform? We've used both in production - and ultimately chose CDK. This article compares the two from hands-on experience, with honest trade-offs in both directions.

Infrastructure as Code with AWS CDK

Wabi-Tech Blog
March 2026

Building AWS infrastructure by hand works - until it doesn't. In this article we look at why traditional IaC tools only shift the problem and how AWS CDK turns infrastructure into a real software project.

AWS Multi-Account Strategy - why a single account won't cut it

Wabi-Tech Blog
February 2026

An AWS multi-account strategy brings structure to security, cost management and compliance. This article explains what a clean org structure looks like, which AWS services help you get there and how to make the transition step by step.

Why Serverless Is the Only Architecture That Makes Sense

Wabi-Tech Blog
February 2026

A serverless-first architecture gives you maximum flexibility at every stage of your project. But does that come with high costs and complexity? This article takes an honest look at the strengths and weaknesses - and explains why serverless is the best foundation and what the serverless paradox is all about.

From Logs to Insights: Observability on AWS - Part II

PAGNOS Case Studies
January 2026

Five steps to better observability on AWS.

Co-author: Christian Bannes

From Logs to Insights: Observability on AWS - Part I

PAGNOS Case Studies
January 2026

The observability journey: why classic monitoring often falls short in the cloud.

Co-author: Christian Bannes

Efficient and Secure Deduplication of Customer Data

PAGNOS Case Studies
September 2024

Clean customer data as the foundation for CRM, analytics, and compliance - architecture patterns on AWS.

Co-author: Simon Irmer, Alexander Strauß