The Client: Manufacturing Company with 50 Employees

A custom furniture manufacturer with 50 employees and three offices across Odesa. Their IT infrastructure was typical for a business that had "grown" without planning: two physical servers in the head office (one of which was 9 years old), shared network drives, a VPN running through an aging Cisco router, and accounting software on a single unbackedup PC.

Starting Situation and Risks

  • One server had SMART warnings indicating potential HDD failure

  • No backups (last verified restore was 8 months prior)

  • VPN for branch offices was dropping 2–3 times per week

  • ERP system (1C) was only accessible from the head office

  • Monthly IT costs: ~UAH 22,000 (maintenance + electricity + emergency repairs)

  • One server failure = 50 people unable to work

Defining Goals and Constraints

At the first meeting with management we documented clear requirements:

  • Zero downtime: migration cannot stop the company from operating

  • Data security: client data and financial records are the top priority

  • Cost reduction: the new infrastructure must be cheaper to maintain

  • Remote office access: 1C and file server must be reachable from all locations

  • Minimal staff disruption: tool changes for employees — kept to a minimum

The Architectural Solution

We proposed a phased migration to Hetzner Cloud (Germany) with the following architecture:

  • Cloud server CX31 (4 vCPU, 8 GB RAM): file server, 1C application server, internal services

  • HestiaCP for web-based server management (no need for a Linux admin on staff)

  • WireGuard VPN: fast, reliable tunnel between all offices and the cloud

  • Docker containers for service isolation and simplified backups

  • Backups: automatic daily backup to Hetzner Storage Box (separate datacenter)

  • Monitoring: Uptime Kuma for services + Grafana + Node Exporter for server metrics

The Phased Migration Plan

Phase 1. Preparation (Weeks 1–2)

  • Full inventory of the current infrastructure and its dependencies

  • Deployment of the cloud server and base services

  • WireGuard setup between cloud and head office (running in parallel with the old VPN)

  • First 1C test via cloud server in a staging environment

  • Training the client-side IT contact on the new systems

Phase 2. File and Data Migration (Weeks 3–4)

  • File server sync: rsync with incremental updates every 15 minutes

  • Old and new file servers running in parallel for one week

  • Migration of 1C backups to cloud storage

  • Recovery test: full simulation of a failure and restore from backup

Phase 3. Cutover (Weekend, Week 5)

  • Friday 6:00 PM: sync stopped, final rsync, DNS switch

  • All offices connected to the WireGuard network

  • Saturday: all services tested with representatives from each department

  • Sunday: monitoring, edge-case adjustments

  • Monday: full operations on the new infrastructure

Phase 4. Stabilization (Weeks 6–8)

  • Monitoring alerts configured (Telegram notifications on service outages)

  • Old physical servers decommissioned after 2 weeks of stable operation

  • Full infrastructure documentation delivered to the client

  • Office manager trained on basic operations (service restarts, backup checks)

VPN Setup for Remote Offices

WireGuard replaced the aging Cisco router as the hub for all connections:

  • Cloud server acts as the WireGuard server (static IP address)

  • Each office is a WireGuard peer with automatic reconnection

  • Inter-office speed: 85–120 Mbit/s (vs. 12–18 Mbit/s on the old VPN)

  • Fallback: if the cloud is unreachable, offices automatically switch to mobile internet

  • Split tunneling: corporate traffic goes through VPN, regular internet traffic goes direct

Monitoring and Security

  • Uptime Kuma: monitors 1C availability, file server, VPN endpoints

  • Grafana + Node Exporter: CPU, RAM, disk, network in real time

  • Fail2Ban: automatically blocks brute-force attacks on SSH and web interfaces

  • UFW firewall: only required ports are open

  • Daily backups: automated at 3:00 AM, retained for 30 days, encrypted

  • Restore tests: monthly automated backup integrity verification

Results After 3 Months (March 2026)

  • Downtime during migration: 0 hours (cutover completed over the weekend)

  • Uptime after migration: 99.97% (3 minutes of planned maintenance)

  • VPN drops: 0 (vs. 2–3 times per week before)

  • 1C load time: reduced by 35% (SSD vs. HDD + lower network latency)

  • Monthly IT costs: UAH 22,000 → UAH 13,200 (−40%)

  • Disaster recovery test: full restore completed in 23 minutes

Lessons and Takeaways

  • Phased migration eliminates risk: running old and new infrastructure in parallel for 2 weeks removed all cutover risk

  • Backup restore tests are mandatory: a backup that has never been tested is not a backup. The client's existing "backup" turned out to be a corrupted archive

  • WireGuard beats OpenVPN for SMB: simpler setup, higher speed, less ongoing maintenance

  • Documentation for the client: knowledge transfer is a required deliverable of any infrastructure project

Do you have aging infrastructure or are you planning a cloud move? IT Master will conduct a free technical assessment and propose a migration plan with zero business risk.