DEV Community

Yeison Cruz

You can't optimize everything (And that's okay)

You know why you're modernizing. You've assessed your environment. Now comes the fun part: actually doing it.

And here's the problem: you can't optimize for everything at once.

You want it cheap. You want it safe. You want it fast. You want it compliant. Pick two. Maybe three if you're lucky.

Let's talk about how to balance these four things without losing your mind.

The four forces trying to kill each other

Cost: Keep the CFO happy

You need to save money. Or at least not spend more. Leadership approved this modernization because you promised it would be cheaper (or you lied and said it would be).

What cost wants:

  • Use the cheapest services possible
  • Turn things off when not in use
  • Don't over-provision
  • Avoid expensive managed services

Risk: Don't break production

You need to not blow up the business. One bad deploy and you're on the front page of Hacker News for all the wrong reasons.

What risk wants:

  • Test everything twice
  • Run things in parallel
  • Have rollback plans
  • Move slowly and carefully

Velocity: Ship faster

You need to deliver value quickly. Your competitors aren't waiting. Your customers want features now. Leadership wants to see progress.

What velocity wants:

  • Move fast
  • Automate everything
  • Skip the unnecessary stuff
  • Ship and iterate

Compliance: Keep the lawyers happy

You need to meet regulations. HIPAA, SOC 2, GDPR, PCI-DSS, whatever applies to you. Fail an audit and you lose customers. Or get fined. Or both.

What compliance wants:

  • Document everything
  • Audit trails everywhere
  • Encrypt all the things
  • Lock everything down

Why they fight

Cost vs. Risk: The cheapest option is usually the riskiest. Running everything in one availability zone saves money until it doesn't.

Velocity vs. Risk: Moving fast means taking shortcuts. Taking shortcuts means things break.

Velocity vs. Compliance: Documentation and approvals slow you down. But skip them and you fail your audit.

Cost vs. Compliance: Compliance is expensive. Encryption, logging, monitoring, auditing—it all costs money.

See the problem? Every decision is a trade-off.

How to actually balance them

1. Know which one matters most (right now)

You can't optimize for all four equally. So don't try.

If you're in healthcare or finance: Compliance and risk come first. Period. You can't afford to fail an audit or have a breach.

If you're a startup burning cash: Cost and velocity matter most. You need to move fast and not run out of money.

If you're a mature company with customers: Risk is #1. Downtime costs you more than anything else.

If you're being acquired: Velocity matters. You have a deadline and it's non-negotiable.

Pick your priority. Everything else is secondary.

2. Set boundaries, not goals

Don't try to minimize cost. Set a budget and stay under it.

Don't try to eliminate risk. Decide what's acceptable and work within it.

Don't try to maximize velocity. Set a timeline and hit it.

Don't try to be "fully compliant." Meet the requirements and stop there.

Example:

  • Budget: Don't spend more than $50K/month
  • Risk: No more than 4 hours of downtime per year
  • Velocity: Ship the first wave in 8 weeks
  • Compliance: Pass SOC 2 audit by Q3

Now you have constraints. Work within them.

3. Make trade-offs explicit

Every decision has a cost. Make it visible.

Scenario: You need to migrate a database.

Option A: Lift-and-shift to EC2

  • Cost: Low (you control the instance size)
  • Risk: High (you manage backups, patches, failover)
  • Velocity: Fast (just move it)
  • Compliance: Medium (you handle encryption and logging)

Option B: Migrate to RDS

  • Cost: Medium (managed service costs more)
  • Risk: Low (AWS handles backups and failover)
  • Velocity: Medium (some reconfiguration needed)
  • Compliance: High (built-in encryption and audit logs)

Option C: Refactor to Aurora Serverless

  • Cost: Variable (scales with usage)
  • Risk: Medium (new technology, learning curve)
  • Velocity: Slow (requires code changes)
  • Compliance: High (same as RDS)

There's no "right" answer. It depends on your priorities.

If cost is #1, pick A. If risk is #1, pick B. If you need compliance and can wait, pick C.

4. Use the 80/20 rule

You don't need perfect. You need good enough.

For cost: Cut the obvious waste first. Unattached volumes, idle load balancers, oversized instances. That's 80% of your savings with 20% of the effort.

For risk: Focus on the critical systems. Your payment API needs five-nines uptime. Your internal admin tool? It can go down for an hour.

For velocity: Automate the repetitive stuff. CI/CD, infrastructure provisioning, testing. Don't automate the one-off tasks.

For compliance: Meet the requirements that matter. Encrypt data at rest and in transit. Enable CloudTrail. Set up proper IAM. That covers 80% of most audits.
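
As an added example (not from the original post), here is one way to check that compliance baseline against an exported inventory. The inventory is constructed; `Volumes`, `Listeners` and `trailList` follow the AWS API response shapes, while the `Policies` container, the resource names and the `audit` function are assumptions made for illustration.

```python
# Constructed inventory; field names mirror AWS API responses (EC2 describe-volumes,
# ELBv2 describe-listeners, CloudTrail describe-trails) and IAM policy documents.
INVENTORY = {
    "Volumes": [{"VolumeId": "vol-0a", "Encrypted": True}, {"VolumeId": "vol-0b", "Encrypted": False}],
    "Listeners": [
        {"ListenerArn": "lsn-https", "Protocol": "HTTPS", "DefaultActions": [{"Type": "forward"}]},
        {"ListenerArn": "lsn-redirect", "Protocol": "HTTP", "DefaultActions": [
            {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS"}}]},
        {"ListenerArn": "lsn-plain", "Protocol": "HTTP", "DefaultActions": [{"Type": "forward"}]},
    ],
    "trailList": [{"Name": "main-trail", "IsMultiRegionTrail": False, "LogFileValidationEnabled": True}],
    "Policies": {  # hypothetical container: policy name -> policy document
        "app-read": {"Statement": {"Effect": "Allow", "Action": "s3:GetObject",
                                   "Resource": "arn:aws:s3:::example-bucket/*"}},
        "legacy-admin": {"Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": "*"}]},
    },
}

def as_list(value):
    # IAM allows Statement, Action and Resource as a single item or a list.
    return value if isinstance(value, list) else [value]

def audit(inv):
    """Return (control, resource, problem) tuples for each baseline gap."""
    findings = []
    for vol in inv.get("Volumes", []):
        if not vol.get("Encrypted"):
            findings.append(("at-rest", vol["VolumeId"], "volume not encrypted"))
    for lsn in inv.get("Listeners", []):
        actions = lsn.get("DefaultActions", [])
        upgrades = bool(actions) and all(
            a.get("Type") == "redirect"
            and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS" for a in actions)
        if lsn["Protocol"] == "HTTP" and not upgrades:  # redirect to HTTPS is fine
            findings.append(("in-transit", lsn["ListenerArn"], "plaintext HTTP listener"))
    trails = inv.get("trailList", [])
    if not trails:
        findings.append(("cloudtrail", "account", "no trail configured"))
    for t in trails:
        if not t.get("IsMultiRegionTrail"):
            findings.append(("cloudtrail", t["Name"], "trail is single-region"))
        if not t.get("LogFileValidationEnabled"):
            findings.append(("cloudtrail", t["Name"], "log file validation off"))
    for name, doc in inv.get("Policies", {}).items():
        for st in as_list(doc.get("Statement", [])):
            if (st.get("Effect") == "Allow" and "*" in as_list(st.get("Action", []))
                    and "*" in as_list(st.get("Resource", []))):
                findings.append(("iam", name, "Allow * on * (full admin)"))
    return findings
```

Calling `audit(INVENTORY)` returns one finding per gap; an empty inventory still reports the missing trail, since having no audit log is itself a failure of the baseline.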

5. Phase your approach

You don't have to balance everything on day one.

Phase 1: Get it working

  • Priority: Velocity and risk
  • Goal: Migrate without breaking anything
  • Trade-off: Higher costs, basic compliance

Phase 2: Optimize costs

  • Priority: Cost
  • Goal: Right-size resources, implement auto-scaling
  • Trade-off: Some risk (you're changing things)

Phase 3: Harden security and compliance

  • Priority: Compliance and risk
  • Goal: Pass audits, improve reliability
  • Trade-off: Slower velocity, some cost increase

Phase 4: Improve velocity

  • Priority: Velocity
  • Goal: Better CI/CD, faster deployments
  • Trade-off: Upfront cost for long-term gains

Each phase focuses on 1-2 priorities. You're not juggling all four at once.

Real-world examples

Example 1: The startup

Situation: 6 months of runway, need to ship fast, can't afford downtime.

Priorities: Velocity > Risk > Cost > Compliance

Decisions:

  • Use managed services (RDS, ECS, ALB) to move fast
  • Multi-AZ for critical services only
  • Basic monitoring and logging
  • Compliance is "good enough" for now

Trade-off: Higher costs, but they're shipping weekly and staying up.

Example 2: The healthcare company

Situation: HIPAA required, can't afford a breach, budget is tight.

Priorities: Compliance > Risk > Cost > Velocity

Decisions:

  • Everything encrypted (at rest and in transit)
  • Full audit logging with CloudTrail and CloudWatch
  • Private subnets, no public access
  • Slower deployments with extensive testing

Trade-off: Takes longer to ship, but they pass audits and sleep at night.

Example 3: The enterprise

Situation: Millions of users, downtime costs $100K/hour, compliance required.

Priorities: Risk > Compliance > Velocity > Cost

Decisions:

  • Multi-region active-active setup
  • Automated failover and rollback
  • Extensive monitoring and alerting
  • Full compliance controls

Trade-off: Expensive, but they can't afford to be down.

Common mistakes

Trying to optimize everything at once. You'll fail. Pick your battles.

Not communicating trade-offs. When you choose velocity over cost, tell people. When you choose risk over velocity, explain why.

Ignoring the business context. A startup and an enterprise have different priorities. Act accordingly.

Setting unrealistic expectations. You can't have the cheapest, fastest, safest, most compliant solution. Stop promising you can.

Not revisiting priorities. What matters today might not matter in 6 months. Reassess regularly.

What you should remember

You're juggling four things: cost, risk, velocity, and compliance.

You can't optimize for all of them. Pick 1-2 priorities and work within constraints for the rest.

Make trade-offs explicit. Document them. Communicate them.

Phase your approach. Focus on different priorities at different times.

And most importantly: good enough is good enough. Perfect is the enemy of done.
