Architecture

Avoiding Cloud Lock‑In — A Playbook for Teams

Lock‑in usually arrives in small steps: a managed DB without export paths, a proprietary identity layer, or tooling that only runs in one region. Here is how to stay portable without slowing delivery.

Favor open interfaces

Choose tools that expose APIs, standard identity protocols (OIDC/SAML) and export pipelines. Vendor SDKs are fine if they sit on top of open protocols.

Separate control plane from data plane

Let orchestration live wherever is easiest (cloud), but run stateful workloads on infrastructure you can move.

Automate migrations from day one

Treat ‘ability to redeploy elsewhere’ as a requirement and test it just like DR or backups.

Where Greffon fits

Greffon decouples the app store (control plane) from where workloads run (Greffers). You can run Greffers in colos, on bare metal or on existing virtualized clusters, and redeploy apps elsewhere with the same manifest.

Checklist before adopting a new SaaS

Is there an export feature that works without opening a support ticket?

Does it support SSO providers we already control?

Can we deploy an equivalent workload via Greffon if needed?

Do we know the total switching effort (infra, data, change management)?