How Upwork's Lifted runs production workloads inside their own VPC with Northflank

Lifted is an Upwork-owned subsidiary for enterprise contingent workforce management. It handles sourcing, contracting, and paying contingent talent across engagement types including independent contractors, staff augmentation, agent of record, and employer of record.

Alex Bucur is Lifted’s Director of Engineering. Alex ran the original platform evaluation that landed on Northflank when Bubty was still a standalone SaaS startup. When the Upwork acquisition happened, he brought Northflank with him, ran the GCP-to-AWS migration, and made the call to get the entire Lifted engineering team on Northflank.

The pre-Northflank setup at Bubty was not ideal.

"Everything was kind of brittle. Every other month you had to fix certificates, update packages. It was extremely time-consuming."

Alex wasn't looking for a fully managed PaaS like Heroku. The company had cloud credits and didn't want to increase its infrastructure bill. He wanted a control panel that could manage their existing Kubernetes-based infrastructure without hiding it behind another layer.

There was also a hard requirement most platforms he evaluated didn’t meet. The product is white-label-first, so every customer gets their own domain with a Let's Encrypt certificate pointing at the same deployment. Tens of domains per service. Most platforms Alex evaluated capped this at 50 or 100 domains, which was a non-starter.

Alex talked to around ten platforms.

The final call came down to Northflank vs. Upsun, and local development broke the tie.

Upsun at the time of the evaluation was built around deployment and configuration of Nix packages, in contrast, Northflank does deploy Dockerfile based services which allowed the team to keep a local docker compose setup that matches the actual deployments.

"Northflank got us closer to local and production environments being run in a similar fashion."

Primary use case: the full deployment lifecycle for their monolith application. Despite being a monolith, they run a complex setup with preview environments, queue workers, and multiple service duplications.

The deployment pipeline is declarative and version-controlled, editable through the Northflank UI when needed. Pipeline runs include health checks, security checks, migration steps, and uptime checks.

"Before, it was really hard to figure out how long a deployment would take. Now you see the breakdown on how long the pipeline took, all the different steps. It's easy to prioritize fixing pain points."

When Lifted adds a new queue worker or clones a service, a developer does it themselves. Previously this was a ticket to platform engineering.

This maps to a philosophy Alex holds about how product engineers should work:

Developers need to understand how the application is being deployed in order to be able to understand what they need to optimize from a speed and reliability perspective.

Northflank supports autoscaling on requests per second, which is important for web-facing workloads. Application developers tune it themselves without touching Kubernetes YAML or Helm charts.

Updating a secret can auto-restart all dependent services. Boring, and huge for daily operations.

Every branch gets a full environment. This lets Lifted do trunk-based development and matters more as more of their code becomes AI-generated:

"Having isolated preview environments in which we can double-check AI-generated code, and hopefully in the future also automate that, is an extra thing that makes us faster in the market."

When Upwork acquired the company, the stack needed to move from Google Cloud to AWS, which usually can take weeks and multiple engineers.

Alex did it in four hours. Alone (well, with Northflank 🙂)

Thirteen services, duplicated across development and production environments, plus pipeline reconnection to the new infrastructure. Once the new Northflank-managed cluster was provisioned, the actual migration was mechanical.

"That was the whole amount of time to migrate 13 different services times two, plus reconnect the pipelines. That was it."

This is the result of running on a platform that abstracts the cloud without hiding it.

Northflank runs inside Lifted's own AWS VPC, which is load-bearing for compliance.

"BYOC is important from a compliance standpoint. When you're talking about ISO, SOC compliance, having your own infrastructure that you can audit, verify, and control is important. You're not relinquishing control."

There's a second benefit to BYOC. If compliance requirements ever force a platform change, Lifted can do it without rebuilding their entire infrastructure setup. The cluster, the VPC, the networking all stay. Only the control plane changes. That's a very different position from being locked into a PaaS where switching means a full rebuild.

There's also a performance angle. Because Northflank runs inside Lifted's VPC, adjacent services connect through the internal AWS network. Their Snowflake deployment sits in the same VPC with internal network controls, no private link setup required.

The decision to stay on Northflank came down to what was already working.

Lifted's engineering team had built a self-service deployment model on Northflank that let application engineers ship independently, run preview environments per branch, and scale services without raising tickets. That setup was fast and the platform was meeting Lifted's compliance and isolation requirements through BYOC.

From a business continuity perspective, keeping Northflank meant zero disruption to engineering through the acquisition.

It is a Kubernetes cluster managed by Northflank, isolated from the rest of the services, and the application team can work in a pretty good isolated environment from the rest of the deployments without any concerns from a security standpoint.

The Upwork platform team stays involved at the infrastructure layer. The application team continues to ship on Northflank. Both groups got the outcome that worked best for them.

In Alex’s words:

Northflank is a one-stop deployment platform, which doesn't lock you in and also offers you a unified integrated developer experience without bolting in five different platforms to make this work on top of Kubernetes.

Three groups at Lifted interact with Northflank.

Application engineering. The primary users. They deploy via the UI, scale services themselves, run preview environments for every branch, and don't file tickets with the infra team to add queue workers.

Support team. Read-only access to check application health, view logs, and monitor uptime. They also have a narrow self-serve permission to add customer domains to the cluster, so onboarding a new white-label customer no longer needs an engineering ticket.

Infrastructure and security team. Doesn't touch the cluster day-to-day. Their interaction is mostly observability. Audit logs stream from Northflank to an S3 bucket for external compliance tracking. Application logs flow through Northflank log sinks.

Lifted is mostly UI-based today but enabling GitOps for audit compliance. Auditors want a history of pipeline and template changes tracked outside the platform itself.

Between BYOC, the self-service model, and the ability to abstract Kubernetes without hiding it, the Lifted team is happy with how Northflank fits the way they work.

Now this is even more in the hands of developers. We can see the deployments, create new deployments easily, scale and maintain our cluster size and nodes by ourselves. A lot less back and forth from an infra team to the actual application team, because they just don't need it.

The team is now looking at additional ways to extend their use of the platform, including upcoming Northflank capabilities around external add-ons, image signing at deploy time, and high-availability MySQL.