The Architecture of Agility: Bicep at Scale


Modern cloud platforms don't fail because Azure isn't powerful enough—they fail because governance, automation, and developer experience weren't designed to scale together. In this episode of the M365 FM Podcast, host Mirko Peters explores how Azure Bicep evolves from a simple Infrastructure as Code language into the foundation of enterprise platform engineering. Rather than focusing on syntax, this deep dive examines the architectural principles that allow organizations to build Azure Landing Zones, governance models, subscription strategies, reusable modules, and self-service platforms that enable teams to innovate without sacrificing security or compliance. The episode challenges one of the biggest assumptions in enterprise IT: that tighter control automatically creates better governance. Instead, you'll discover why modern cloud platforms succeed by making the governed path the easiest path. From subscription vending and management groups to policy-as-code, FinOps, observability, and platform engineering, this episode provides a blueprint for designing Azure environments that remain agile as organizations grow.
WHY LANDING ZONES ARE REALLY GOVERNANCE MODELS
Azure Landing Zones are often presented as technical architectures, but they're much more than networking diagrams and subscription hierarchies. Every decision encoded in a Bicep module determines who can deploy infrastructure, who owns resources, how quickly teams can provision environments, and how governance flows across the organization. The episode explains why successful cloud platforms move away from gatekeeper governance toward enablement, replacing manual approvals with automated guardrails that empower teams while maintaining security and compliance.
BUILDING FOR AGILITY, NOT CONTROL
Many enterprises unintentionally create Shadow IT by making official infrastructure too slow to consume. Instead of preventing risk, excessive governance often encourages developers to work around official processes. Topics include:
- Subscription vending
- Self-service infrastructure
- Platform engineering
- Developer experience
- Shadow IT
- Governance as Code
- Automation
- Azure Landing Zones
- Organizational agility
- Cloud operating models
SCALING AZURE WITH REUSABLE BICEP MODULES
As organizations grow, infrastructure cannot rely on copy-and-paste templates. Reusable, versioned Bicep modules become the building blocks for enterprise platforms. The discussion explores:
- Azure Verified Modules (AVM)
- Module registries
- Semantic versioning
- Infrastructure contracts
- Composition patterns
- Parameter design
- Shared variables
- Resource modules
- Solution modules
- Version control
MANAGEMENT GROUPS, POLICY & PLATFORM GOVERNANCE
Governance begins long before a resource is deployed. This episode explains how Management Groups, Azure Policy, RBAC, and Policy Initiatives combine to create scalable governance models that automatically enforce organizational standards. Instead of treating policies as deployment blockers, you'll discover how audit-first strategies, policy-as-code, and automated compliance enable organizations to maintain security without slowing down innovation.
PLATFORM ENGINEERING AND THE GOLDEN PATH
The role of central IT is changing. Rather than acting as infrastructure gatekeepers, platform teams increasingly operate as internal product teams. The episode explores how self-service infrastructure, golden paths, reusable templates, and developer-first experiences allow application teams to provision secure Azure environments within minutes instead of waiting weeks for approvals. Platform engineering shifts the focus from enforcing permissions to enabling productivity.
FINOPS, OBSERVABILITY & COST GOVERNANCE
Enterprise cloud success isn't measured solely by uptime. Organizations must also understand infrastructure costs, policy compliance, operational health, and governance effectiveness. Topics include:
- FinOps
- Cost governance
- Azure Monitor
- Log Analytics
- Diagnostic Settings
- Observability
- Tagging strategies
- Chargeback
- Showback
- Continuous compliance
WHO SHOULD LISTEN?
This episode is ideal for:
- Azure Architects
- Platform Engineers
- DevOps Engineers
- Cloud Engineers
- Enterprise Architects
- Infrastructure Engineers
- Azure Administrators
- Security Architects
- IT Decision Makers
- Microsoft MVPs
- Anyone designing enterprise Azure platforms
Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365--6704921/support.
🚀 Want to be part of m365.fm?
Then stop just listening… and start showing up.
👉 Connect with me on LinkedIn and let’s make something happen:
- 🎙️ Be a podcast guest and share your story
- 🎧 Host your own episode (yes, seriously)
- 💡 Pitch topics the community actually wants to hear
- 🌍 Build your personal brand in the Microsoft 365 space
This isn’t just a podcast — it’s a platform for people who take action.
🔥 Most people wait. The best ones don’t.
👉 Connect with me on LinkedIn and send me a message:
"I want in"
Let’s build something awesome 👊
00:00:00,000 --> 00:00:03,040
Your landing zone was designed for a world that doesn't exist anymore.
2
00:00:03,040 --> 00:00:07,560
It was designed in 2018, and it was built on an assumption that hasn't aged well.
3
00:00:07,560 --> 00:00:08,720
The assumption was simple.
4
00:00:08,720 --> 00:00:10,880
Total standardization equals total control.
5
00:00:10,880 --> 00:00:11,920
Lock everything down.
6
00:00:11,920 --> 00:00:17,280
Enforce one way of doing things, centralize the decisions, reduce variation, reduce risk.
7
00:00:17,280 --> 00:00:18,440
In theory, it made sense.
8
00:00:18,440 --> 00:00:20,240
In practice, it broke everything.
9
00:00:20,240 --> 00:00:21,560
Because here is what actually happened.
10
00:00:21,560 --> 00:00:25,000
You standardized so hard that infrastructure provisioning now takes weeks.
11
00:00:25,000 --> 00:00:26,200
Teams hit a policy wall.
12
00:00:26,200 --> 00:00:28,520
They can't get what they need through official channels.
13
00:00:28,520 --> 00:00:30,160
So they solved the problem a different way.
14
00:00:30,160 --> 00:00:32,240
They spin up personal Azure subscriptions.
15
00:00:32,240 --> 00:00:33,640
They use their own credit cards.
16
00:00:33,640 --> 00:00:36,600
They adopt SAS that lives outside your cloud footprint entirely.
17
00:00:36,600 --> 00:00:39,480
You wanted control, but you created the exact opposite.
18
00:00:39,480 --> 00:00:41,120
You created Shadow-A-T.
19
00:00:41,120 --> 00:00:43,360
Your landing zone isn't failing because it's too permissive.
20
00:00:43,360 --> 00:00:45,000
It's failing because it's too slow.
21
00:00:45,000 --> 00:00:46,440
This isn't a security problem.
22
00:00:46,440 --> 00:00:47,800
This is a governance problem.
23
00:00:47,800 --> 00:00:49,760
And the governance problem lives in the code.
24
00:00:49,760 --> 00:00:51,920
In how you designed your bicep templates,
25
00:00:51,920 --> 00:00:53,920
how you structured your management groups,
26
00:00:53,920 --> 00:00:57,800
and how you decided which decisions would be centralized and which would be distributed.
27
00:00:57,800 --> 00:01:00,240
You built rigidity into infrastructure as code.
28
00:01:00,240 --> 00:01:03,920
And now you're watching teams build parallel infrastructures just to get around it.
29
00:01:03,920 --> 00:01:07,240
We're moving from static templates to living infrastructure.
30
00:01:07,240 --> 00:01:09,160
That shift changes everything.
31
00:01:09,160 --> 00:01:11,520
Not the bicep syntax, not the Azure services.
32
00:01:11,520 --> 00:01:14,280
The shift changes how you think about governance itself.
33
00:01:14,280 --> 00:01:17,120
It moves from how do we control what people do then?
34
00:01:17,120 --> 00:01:20,280
To how do we make the right path the easiest path?
35
00:01:20,280 --> 00:01:22,040
That's what this deep dive is about.
36
00:01:22,040 --> 00:01:25,800
The governance model behind the code, landing zones aren't architecture.
37
00:01:25,800 --> 00:01:28,560
They are organizational power structures expressed as bicep.
38
00:01:28,560 --> 00:01:30,120
That's the reframing that matters.
39
00:01:30,120 --> 00:01:32,760
Most people treat landing zones as a technical blueprint.
40
00:01:32,760 --> 00:01:36,640
They look at the network topology, the subscription structure, and the naming conventions.
41
00:01:36,640 --> 00:01:37,800
But they're missing the real story.
42
00:01:37,800 --> 00:01:42,480
Every decision encoded in those bicep templates is actually a decision about who gets to decide things.
43
00:01:42,480 --> 00:01:43,760
Who can create a resource?
44
00:01:43,760 --> 00:01:45,560
Who approves policy changes?
45
00:01:45,560 --> 00:01:47,480
How fast can a team get what they need?
46
00:01:47,480 --> 00:01:48,880
Those aren't technical questions.
47
00:01:48,880 --> 00:01:50,840
They're organizational questions.
48
00:01:50,840 --> 00:01:52,200
And they're baked into the code.
49
00:01:52,200 --> 00:01:55,200
There are two models of governance operating in most enterprises right now.
50
00:01:55,200 --> 00:01:57,320
The first is gatekeeper governance.
51
00:01:57,320 --> 00:01:59,360
Central IT owns the bicep templates.
52
00:01:59,360 --> 00:02:00,920
Central IT reviews all changes.
53
00:02:00,920 --> 00:02:02,680
Central IT approves all exceptions.
54
00:02:02,680 --> 00:02:06,960
Central IT moves slowly because the blast radius of getting it wrong is massive.
55
00:02:06,960 --> 00:02:08,480
The responsibility is concentrated.
56
00:02:08,480 --> 00:02:10,000
The authority is concentrated.
57
00:02:10,000 --> 00:02:12,560
The speed is concentrated slowly.
58
00:02:12,560 --> 00:02:14,880
The second model is enabler governance.
59
00:02:14,880 --> 00:02:17,080
Central teams define guardrails not gates.
60
00:02:17,080 --> 00:02:18,560
They publish reusable modules.
61
00:02:18,560 --> 00:02:20,400
They build self-service patterns.
62
00:02:20,400 --> 00:02:23,240
They move fast because the responsibility is distributed.
63
00:02:23,240 --> 00:02:24,720
The authority is distributed.
64
00:02:24,720 --> 00:02:27,760
Teams can ship within the guardrails without asking permission.
65
00:02:27,760 --> 00:02:28,960
But here's the paradox.
66
00:02:28,960 --> 00:02:32,400
Gatekeeper governance designed to reduce risk actually increases it.
67
00:02:32,400 --> 00:02:36,400
Because the more friction you create in the official path, the more teams find unofficial
68
00:02:36,400 --> 00:02:37,400
paths.
69
00:02:37,400 --> 00:02:39,320
Centralize controls create pressure.
70
00:02:39,320 --> 00:02:40,880
Pressure creates shadow IT.
71
00:02:40,880 --> 00:02:42,640
And shadow IT is invisible.
72
00:02:42,640 --> 00:02:43,640
It's unmeasured.
73
00:02:43,640 --> 00:02:44,640
It's unlogged.
74
00:02:44,640 --> 00:02:45,640
It's unpatched.
75
00:02:45,640 --> 00:02:46,640
It's the opposite of control.
76
00:02:46,640 --> 00:02:48,640
The research is stark.
77
00:02:48,640 --> 00:02:52,640
Up to 40% of enterprise IT spending now happens outside official channels.
78
00:02:52,640 --> 00:02:54,280
It's not a technology adoption problem.
79
00:02:54,280 --> 00:02:55,720
That's a governance design problem.
80
00:02:55,720 --> 00:02:58,520
There are three specific governance failures that drive this.
81
00:02:58,520 --> 00:03:00,120
First, slow provisioning.
82
00:03:00,120 --> 00:03:04,160
Teams request a new subscription or a new infrastructure pattern, but Central IT takes
83
00:03:04,160 --> 00:03:05,160
weeks to review it.
84
00:03:05,160 --> 00:03:08,440
The teams time out, they build it themselves somewhere else.
85
00:03:08,440 --> 00:03:11,160
Second, overly prescriptive policies.
86
00:03:11,160 --> 00:03:13,240
The standard template doesn't fit the use case.
87
00:03:13,240 --> 00:03:15,360
The request to deviate is denied.
88
00:03:15,360 --> 00:03:18,080
The teams build it in personal subscriptions instead.
89
00:03:18,080 --> 00:03:21,160
Third, poor visibility into why the rules exist.
90
00:03:21,160 --> 00:03:23,160
These are enforced but never explained.
91
00:03:23,160 --> 00:03:25,680
Teams don't trust the constraints so they circumvent them.
92
00:03:25,680 --> 00:03:28,360
Each of these failures flows from the same structural problem.
93
00:03:28,360 --> 00:03:32,000
The governance model assumes control requires centralization in reality.
94
00:03:32,000 --> 00:03:33,840
Control actually requires clarity.
95
00:03:33,840 --> 00:03:34,880
It requires speed.
96
00:03:34,880 --> 00:03:36,360
It requires usability.
97
00:03:36,360 --> 00:03:40,080
It requires making the governed path faster than the ungoverned one.
98
00:03:40,080 --> 00:03:42,680
Understanding this model is the prerequisite to fixing it.
99
00:03:42,680 --> 00:03:45,240
Because you can't fix a governance problem with more governance.
100
00:03:45,240 --> 00:03:48,600
You fix it by restructuring how governance decisions flow.
101
00:03:48,600 --> 00:03:51,680
And gatekeeper to enabler from how do we prevent mistakes?
102
00:03:51,680 --> 00:03:55,280
Two, how do we make good decisions, the default?
103
00:03:55,280 --> 00:03:58,240
Once you understand the model, everything else becomes addressable.
104
00:03:58,240 --> 00:04:02,240
Your subscription strategy, your network architecture, your shared services, your multi-region
105
00:04:02,240 --> 00:04:03,240
design.
106
00:04:03,240 --> 00:04:06,520
The technical problems are only problems because the governance model underneath them
107
00:04:06,520 --> 00:04:07,520
is broken.
108
00:04:07,520 --> 00:04:08,960
That's what we're going to fix.
109
00:04:08,960 --> 00:04:11,120
The subscription strategy paradox.
110
00:04:11,120 --> 00:04:14,880
When you realize your governance is broken, your first instinct is to create distance,
111
00:04:14,880 --> 00:04:18,000
more separation, more subscriptions, more isolation.
112
00:04:18,000 --> 00:04:19,160
It sounds right on paper.
113
00:04:19,160 --> 00:04:22,040
If one subscription gets compromised, the damage is contained.
114
00:04:22,040 --> 00:04:26,240
If teams are separated by subscription boundaries, they can't break each other's tools.
115
00:04:26,240 --> 00:04:29,000
You're trying to find standardization through multiplication.
116
00:04:29,000 --> 00:04:30,680
But in reality, it does the opposite.
117
00:04:30,680 --> 00:04:33,320
More subscriptions don't equal more security.
118
00:04:33,320 --> 00:04:36,360
They equal a larger surface area for things to go wrong.
119
00:04:36,360 --> 00:04:37,680
Because here is the problem.
120
00:04:37,680 --> 00:04:41,640
Every new subscription you create is another management group you have to place.
121
00:04:41,640 --> 00:04:43,680
And another set of policies you have to assign.
122
00:04:43,680 --> 00:04:47,760
You have to set up new login configurations and new identity integrations for every single
123
00:04:47,760 --> 00:04:48,760
one.
124
00:04:48,760 --> 00:04:50,760
You haven't actually solved your governance problem.
125
00:04:50,760 --> 00:04:54,560
You've just taken the mess you had in one place and scaled it across 10.
126
00:04:54,560 --> 00:04:56,720
And then the operational cost starts to compound.
127
00:04:56,720 --> 00:04:59,120
When you have three subscriptions, you can keep track of them.
128
00:04:59,120 --> 00:05:00,960
When you have 30, you start losing the thread.
129
00:05:00,960 --> 00:05:06,040
You forget which team owns which environment or which naming convention applies to which
130
00:05:06,040 --> 00:05:07,040
resource.
131
00:05:07,040 --> 00:05:10,600
The separation you thought you were buying turns into total fragmentation.
132
00:05:10,600 --> 00:05:13,920
No two subscriptions look the same because there is no way to enforce rules across all of
133
00:05:13,920 --> 00:05:14,920
them at once.
134
00:05:14,920 --> 00:05:18,800
The whole idea of standardization collapses the moment it hits real world complexity.
135
00:05:18,800 --> 00:05:20,280
But here's the deeper problem.
136
00:05:20,280 --> 00:05:22,960
Creating more subscriptions doesn't fix a broken governance model.
137
00:05:22,960 --> 00:05:24,720
It just spreads the friction around.
138
00:05:24,720 --> 00:05:27,440
Teams still can't get what they need through the official process.
139
00:05:27,440 --> 00:05:29,120
So they stop asking for new subscriptions.
140
00:05:29,120 --> 00:05:32,200
Instead, they ask for access to one that was already approved.
141
00:05:32,200 --> 00:05:34,640
Or they find a way to skip the approval process entirely.
142
00:05:34,640 --> 00:05:38,000
The strategy itself becomes the reason people look for workarounds.
143
00:05:38,000 --> 00:05:40,560
What actually works is a model called subscription vending.
144
00:05:40,560 --> 00:05:44,720
Instead of teams filling out a request and waiting weeks for an admin to click buttons, you automate
145
00:05:44,720 --> 00:05:45,720
the entire handoff.
146
00:05:45,720 --> 00:05:47,160
A team fills out a simple form.
147
00:05:47,160 --> 00:05:50,040
They define the workload, the compliance needs and the owner.
148
00:05:50,040 --> 00:05:53,240
That form triggers a bicep deployment that does the heavy lifting.
149
00:05:53,240 --> 00:05:57,040
It creates the subscription, places it in the right management group and configures the
150
00:05:57,040 --> 00:05:59,200
policies and logging automatically.
151
00:05:59,200 --> 00:06:02,200
The team gets ready to use environment in minutes instead of months.
152
00:06:02,200 --> 00:06:03,600
The difference is profound.
153
00:06:03,600 --> 00:06:06,120
You are still making the same governance decisions you were before.
154
00:06:06,120 --> 00:06:10,480
But now you are making them once in your code and executing them every time without fail.
155
00:06:10,480 --> 00:06:12,720
The strategy becomes predictable.
156
00:06:12,720 --> 00:06:16,720
Every subscription follows the same pattern because they all come from the same bicep template.
157
00:06:16,720 --> 00:06:20,080
There is no manual variation and no undocumented exceptions.
158
00:06:20,080 --> 00:06:23,520
You don't have to worry about a subscription violating policy because someone set it up
159
00:06:23,520 --> 00:06:24,680
who didn't know the rules.
160
00:06:24,680 --> 00:06:26,720
The cost difference here is staggering.
161
00:06:26,720 --> 00:06:29,040
Slow provisioning isn't just an annoyance for developers.
162
00:06:29,040 --> 00:06:30,760
It's a massive security risk.
163
00:06:30,760 --> 00:06:34,320
When teams have to wait weeks for official infrastructure, they go shadow.
164
00:06:34,320 --> 00:06:37,560
But when a team can provision a compliant environment in under 30 minutes, they stay
165
00:06:37,560 --> 00:06:38,720
within the guard rails.
166
00:06:38,720 --> 00:06:39,880
That isn't a guess.
167
00:06:39,880 --> 00:06:42,520
The research shows that 30 minutes is the breaking point.
168
00:06:42,520 --> 00:06:44,160
Faster than that, people follow the rules.
169
00:06:44,160 --> 00:06:47,240
slower than that, they find a different way to get their work done.
170
00:06:47,240 --> 00:06:49,840
So the metrics that actually matter are concrete.
171
00:06:49,840 --> 00:06:51,360
You need to measure provisioning time.
172
00:06:51,360 --> 00:06:54,360
How long it takes from a request to a ready-to-use subscription?
173
00:06:54,360 --> 00:06:58,840
You need to track your policy compliance rate to see if your subscriptions actually follow
174
00:06:58,840 --> 00:06:59,840
the rules.
175
00:06:59,840 --> 00:07:02,040
And you need to look at your time to remediate.
176
00:07:02,040 --> 00:07:05,400
When something breaks a policy, how fast does it get fixed?
177
00:07:05,400 --> 00:07:07,280
These aren't just infrastructure stats.
178
00:07:07,280 --> 00:07:10,800
They are governance metrics that tell you if your model is actually working.
179
00:07:10,800 --> 00:07:12,520
And the design principle becomes clear.
180
00:07:12,520 --> 00:07:14,240
Don't design for standardization.
181
00:07:14,240 --> 00:07:15,240
Design for blast radius.
182
00:07:15,240 --> 00:07:16,720
A blast radius is just a boundary.
183
00:07:16,720 --> 00:07:19,320
It's the limit of the damage when something eventually goes wrong.
184
00:07:19,320 --> 00:07:25,000
A good blast radius is small and easy to recover from, while a bad one is large and catastrophic.
185
00:07:25,000 --> 00:07:26,920
Subscriptions are your blast radius boundaries.
186
00:07:26,920 --> 00:07:30,440
The question you should be asking isn't, how many subscriptions do we need?
187
00:07:30,440 --> 00:07:33,320
It's what size of failure can we actually recover from?
188
00:07:33,320 --> 00:07:34,920
That shifts the entire conversation.
189
00:07:34,920 --> 00:07:38,640
Instead of trying to isolate teams with more subscriptions, you start creating the right
190
00:07:38,640 --> 00:07:42,200
number of subscriptions to contain failures while letting teams move fast.
191
00:07:42,200 --> 00:07:46,240
You stop asking how to enforce standards across subscriptions and start asking how to build
192
00:07:46,240 --> 00:07:48,880
those standards into the subscriptions automatically.
193
00:07:48,880 --> 00:07:53,040
Once you fix the strategy, once you've automated the vending and made it instant, everything
194
00:07:53,040 --> 00:07:54,280
else gets easier.
195
00:07:54,280 --> 00:07:58,360
The network architecture and the shared services model finally start to make sense.
196
00:07:58,360 --> 00:08:00,560
The whole structure snaps into focus.
197
00:08:00,560 --> 00:08:02,640
Because now you aren't designing for control.
198
00:08:02,640 --> 00:08:04,440
You're designing for flow.
199
00:08:04,440 --> 00:08:06,440
And you're designing for the right number of subscriptions.
200
00:08:06,440 --> 00:08:08,440
You're designing for the right number of subscriptions.
201
00:08:08,440 --> 00:08:10,440
You're designing for the right number of subscriptions.
202
00:08:10,440 --> 00:08:11,440
You're designing for the right number of subscriptions.
203
00:08:11,440 --> 00:08:12,440
You're designing for the right number of subscriptions.
204
00:08:12,440 --> 00:08:13,440
You're designing for the right number of subscriptions.
205
00:08:13,440 --> 00:08:14,440
You're designing for the right number of subscriptions.
206
00:08:14,440 --> 00:08:15,440
You're designing for the right number of subscriptions.
207
00:08:15,440 --> 00:08:16,440
You're designing for the right number of subscriptions.
208
00:08:16,440 --> 00:08:17,440
You're designing for the right number of subscriptions.
209
00:08:17,440 --> 00:08:18,440
You're designing for the right number of subscriptions.
210
00:08:18,440 --> 00:08:19,440
You're designing for the right number of subscriptions.
211
00:08:19,440 --> 00:08:20,440
You're designing for the right number of subscriptions.
212
00:08:20,440 --> 00:08:21,440
You're designing for the right number of subscriptions.
213
00:08:21,440 --> 00:08:22,440
You're designing for the right number of subscriptions.
214
00:08:22,440 --> 00:08:23,440
You're designing for the right number of subscriptions.
215
00:08:23,440 --> 00:08:24,440
You're designing for the right number of subscriptions.
216
00:08:24,440 --> 00:08:25,440
You're designing for the right number of subscriptions.
217
00:08:25,440 --> 00:08:35,440
You're designing for the right number of subscriptions.
218
00:08:35,440 --> 00:08:37,440
You're designing for the right number of subscriptions.
219
00:08:37,440 --> 00:08:39,440
You're designing for the right number of subscriptions.
220
00:08:39,440 --> 00:08:40,440
You're designing for the right number of subscriptions.
221
00:08:40,440 --> 00:08:41,440
You're designing for the right number of subscriptions.
222
00:08:41,440 --> 00:08:42,440
You're designing for the right number of subscriptions.
223
00:08:42,440 --> 00:08:43,440
You're designing for the right number of subscriptions.
224
00:08:43,440 --> 00:08:44,440
You're designing for the right number of subscriptions.
225
00:08:44,440 --> 00:08:45,440
You're designing for the right number of subscriptions.
226
00:08:45,440 --> 00:08:46,440
You're designing for the right number of subscriptions.
227
00:08:46,440 --> 00:08:47,440
You're designing for the right number of subscriptions.
228
00:08:47,440 --> 00:08:48,440
You're designing for the right number of subscriptions.
229
00:08:48,440 --> 00:08:49,440
You're designing for the right number of subscriptions.
230
00:08:49,440 --> 00:08:50,440
You're designing for the right number of subscriptions.
231
00:08:50,440 --> 00:08:51,440
You're designing for the right number of subscriptions.
232
00:08:51,440 --> 00:08:52,440
You're designing for the right number of subscriptions.
233
00:08:52,440 --> 00:08:53,440
You're designing for the right number of subscriptions.
234
00:08:53,440 --> 00:08:54,440
You're designing for the right number of subscriptions.
235
00:08:54,440 --> 00:08:55,440
You're designing for the right number of subscriptions.
236
00:08:55,440 --> 00:08:56,440
You're designing for the right number of subscriptions.
237
00:08:56,440 --> 00:08:57,440
You're designing for the right number of subscriptions.
238
00:08:57,440 --> 00:08:58,440
You're designing for the right number of subscriptions.
239
00:08:58,440 --> 00:08:59,440
You're designing for the right number of subscriptions.
240
00:08:59,440 --> 00:09:00,440
You're designing for the right number of subscriptions.
241
00:09:00,440 --> 00:09:01,440
You're designing for the right number of subscriptions.
242
00:09:01,440 --> 00:09:02,440
You're designing for the right number of subscriptions.
243
00:09:02,440 --> 00:09:03,440
You're designing for the right number of subscriptions.
244
00:09:03,440 --> 00:09:04,440
You're designing for the right number of subscriptions.
245
00:09:04,440 --> 00:09:05,440
You're designing for the right number of subscriptions.
246
00:09:05,440 --> 00:09:06,440
You're designing for the right number of subscriptions.
247
00:09:06,440 --> 00:09:07,440
You're designing for the right number of subscriptions.
248
00:09:07,440 --> 00:09:08,440
You're designing for the right number of subscriptions.
249
00:09:08,440 --> 00:09:09,440
You're designing for the right number of subscriptions.
250
00:09:09,440 --> 00:09:10,440
You're designing for the right number of subscriptions.
251
00:09:10,440 --> 00:09:11,440
You're designing for the right number of subscriptions.
252
00:09:11,440 --> 00:09:12,440
You're designing for the right number of subscriptions.
253
00:09:12,440 --> 00:09:24,440
You're designing for the right number of subscriptions.
254
00:09:24,440 --> 00:09:26,440
You're designing for the right number of subscriptions.
255
00:09:26,440 --> 00:09:28,440
You're designing for the right number of subscriptions.
256
00:09:28,440 --> 00:09:30,440
You're designing for the right number of subscriptions.
257
00:09:30,440 --> 00:09:31,440
You're designing for the right number of subscriptions.
258
00:09:31,440 --> 00:09:32,440
You're designing for the right number of subscriptions.
259
00:09:32,440 --> 00:09:33,440
You're designing for the right number of subscriptions.
260
00:09:33,440 --> 00:09:34,440
You're designing for the right number of subscriptions.
261
00:09:34,440 --> 00:09:35,440
You're designing for the right number of subscriptions.
262
00:09:35,440 --> 00:09:36,440
You're designing for the right number of subscriptions.
263
00:09:36,440 --> 00:09:37,440
You're designing for the right number of subscriptions.
264
00:09:37,440 --> 00:09:38,440
You're designing for the right number of subscriptions.
265
00:09:38,440 --> 00:09:39,440
You're designing for the right number of subscriptions.
266
00:09:39,440 --> 00:09:40,440
You're designing for the right number of subscriptions.
267
00:09:40,440 --> 00:09:41,440
You're designing for the right number of subscriptions.
268
00:09:41,440 --> 00:09:42,440
You're designing for the right number of subscriptions.
269
00:09:42,440 --> 00:09:43,440
You're designing for the right number of subscriptions.
270
00:09:43,440 --> 00:09:44,440
You're designing for the right number of subscriptions.
271
00:09:44,440 --> 00:09:45,440
You're designing for the right number of subscriptions.
272
00:09:45,440 --> 00:09:46,440
You're designing for the right number of subscriptions.
273
00:09:46,440 --> 00:09:47,440
You're designing for the right number of subscriptions.
274
00:09:47,440 --> 00:09:48,440
You're designing for the right number of subscriptions.
275
00:09:48,440 --> 00:09:49,440
You're designing for the right number of subscriptions.
276
00:09:49,440 --> 00:09:50,440
You're designing for the right number of subscriptions.
277
00:09:50,440 --> 00:09:51,440
You're designing for the right number of subscriptions.
278
00:09:51,440 --> 00:09:52,440
You're designing for the right number of subscriptions.
279
00:09:52,440 --> 00:09:53,440
You're designing for the right number of subscriptions.
280
00:09:53,440 --> 00:09:54,440
You're designing for the right number of subscriptions.
281
00:09:54,440 --> 00:09:55,440
You're designing for the right number of subscriptions.
282
00:09:55,440 --> 00:09:56,440
You're designing for the right number of subscriptions.
283
00:09:56,440 --> 00:09:57,440
You're designing for the right number of subscriptions.
284
00:09:57,440 --> 00:09:58,440
You're designing for the right number of subscriptions.
285
00:09:58,440 --> 00:09:59,440
You're designing for the right number of subscriptions.
286
00:09:59,440 --> 00:10:14,440
You're designing for the right number of subscriptions.
287
00:10:14,440 --> 00:10:16,440
You're designing for the right number of subscriptions.
288
00:10:16,440 --> 00:10:18,440
You're designing for the right number of subscriptions.
289
00:10:18,440 --> 00:10:19,440
You're designing for the right number of subscriptions.
290
00:10:19,440 --> 00:10:20,440
You're designing for the right number of subscriptions.
291
00:10:20,440 --> 00:10:21,440
You're designing for the right number of subscriptions.
292
00:10:21,440 --> 00:10:22,440
You're designing for the right number of subscriptions.
293
00:10:22,440 --> 00:10:23,440
You're designing for the right number of subscriptions.
294
00:10:23,440 --> 00:10:24,440
You're designing for the right number of subscriptions.
295
00:10:24,440 --> 00:10:25,440
You're designing for the right number of subscriptions.
296
00:10:25,440 --> 00:10:26,440
You're designing for the right number of subscriptions.
297
00:10:26,440 --> 00:10:27,440
You're designing for the right number of subscriptions.
298
00:10:27,440 --> 00:10:28,440
You're designing for the right number of subscriptions.
299
00:10:28,440 --> 00:10:30,440
You're designing for the right number of subscriptions.
300
00:10:30,440 --> 00:10:31,440
You're designing for the right number of subscriptions.
301
00:10:31,440 --> 00:10:32,440
You're designing for the right number of subscriptions.
302
00:10:32,440 --> 00:10:33,440
You're designing for the right number of subscriptions.
303
00:10:33,440 --> 00:10:34,440
You're designing for the right number of subscriptions.
304
00:10:34,440 --> 00:10:35,440
You're designing for the right number of subscriptions.
305
00:10:35,440 --> 00:10:36,440
You're designing for the right number of subscriptions.
306
00:10:36,440 --> 00:10:37,440
You're designing for the right number of subscriptions.
307
00:10:37,440 --> 00:10:38,440
You're designing for the right number of subscriptions.
308
00:10:38,440 --> 00:10:39,440
You're designing for the right number of subscriptions.
309
00:10:39,440 --> 00:10:40,440
You're designing for the right number of subscriptions.
310
00:10:40,440 --> 00:10:41,440
You're designing for the right number of subscriptions.
311
00:10:41,440 --> 00:10:42,440
You're designing for the right number of subscriptions.
312
00:10:42,440 --> 00:10:43,440
You're designing for the right number of subscriptions.
313
00:10:43,440 --> 00:10:44,440
You're designing for the right number of subscriptions.
314
00:10:44,440 --> 00:10:45,440
You're designing for the right number of subscriptions.
315
00:10:45,440 --> 00:10:46,440
You're designing for the right number of subscriptions.
316
00:10:46,440 --> 00:10:47,440
You're designing for the right number of subscriptions.
317
00:10:47,440 --> 00:11:00,440
Global security baselines that will never change everything else lives lower in the tree.
318
00:11:00,440 --> 00:11:01,440
That way when your regulatory requirements shift and they will.
319
00:11:01,440 --> 00:11:02,440
You can update a specific branch without triggering a global crisis.
320
00:11:02,440 --> 00:11:03,440
The discipline is this.
321
00:11:03,440 --> 00:11:05,440
Every management group needs a documented purpose.
322
00:11:05,440 --> 00:11:07,440
Don't just say this is for platform stuff.
323
00:11:07,440 --> 00:11:08,440
Say this is where we enforce logging for regulated workloads.
324
00:11:08,440 --> 00:11:10,440
Or this is where we apply lease privilege for dev teams.
325
00:11:10,440 --> 00:11:11,440
When you get specific about the purpose, the hierarchy explains itself.
326
00:11:11,440 --> 00:11:12,440
When you get specific about the purpose, the hierarchy explains itself.
327
00:11:12,440 --> 00:11:13,440
The teams know exactly where they fit.
328
00:11:13,440 --> 00:11:14,440
The teams know exactly where they fit.
329
00:11:14,440 --> 00:11:15,440
The teams know exactly where they fit.
330
00:11:15,440 --> 00:11:16,440
The teams know exactly where they fit.
331
00:11:16,440 --> 00:11:19,440
They know and fight each other because they were designed for a specific scope.
332
00:11:19,440 --> 00:11:23,440
Once you have the hierarchy sorted, you can finally address the network layer.
333
00:11:23,440 --> 00:11:25,440
The connectivity tax.
334
00:11:25,440 --> 00:11:26,440
Network architecture fundamentals.
335
00:11:26,440 --> 00:11:28,440
Your governance structure finally scales.
336
00:11:28,440 --> 00:11:30,440
Subscriptions move fast.
337
00:11:30,440 --> 00:11:32,440
Management groups keep your policies consistent.
338
00:11:32,440 --> 00:11:33,440
But then you hit the next layer.
339
00:11:33,440 --> 00:11:34,440
The network.
340
00:11:34,440 --> 00:11:36,440
And this is where the hidden costs start to show up.
341
00:11:36,440 --> 00:11:38,440
Most organizations default to a centralized model.
342
00:11:38,440 --> 00:11:43,440
They want one single egress point all outbound traffic routes through one firewall.
343
00:11:43,440 --> 00:11:44,440
Or maybe a pair of them.
344
00:11:44,440 --> 00:11:46,440
It's a shared gateway, a single choke point.
345
00:11:46,440 --> 00:11:48,440
From a control perspective, this makes perfect sense.
346
00:11:48,440 --> 00:11:50,440
You have one place to inspect traffic.
347
00:11:50,440 --> 00:11:51,440
One place to enforce your rules.
348
00:11:51,440 --> 00:11:54,440
One place to see exactly what is leaving your environment.
349
00:11:54,440 --> 00:11:56,440
It gives you a unified visibility and total control.
350
00:11:56,440 --> 00:11:57,440
It sounds secure.
351
00:11:57,440 --> 00:11:59,440
But in reality, it's incredibly expensive.
352
00:11:59,440 --> 00:12:02,440
The problem is a pattern called hairpinning.
353
00:12:02,440 --> 00:12:04,440
Imagine you have a workload running in East US.
354
00:12:04,440 --> 00:12:07,440
It needs to talk to a SAS service located in North Europe.
355
00:12:07,440 --> 00:12:10,440
Under a centralized model, that traffic doesn't just go straight to Europe.
356
00:12:10,440 --> 00:12:13,440
Instead it travels from East US to your central hub.
357
00:12:13,440 --> 00:12:15,440
Maybe in West US, just to be inspected.
358
00:12:15,440 --> 00:12:17,440
Then it finally heads out to North Europe.
359
00:12:17,440 --> 00:12:19,440
Your data just traveled west to go east.
360
00:12:19,440 --> 00:12:20,440
The path makes no sense.
361
00:12:20,440 --> 00:12:23,440
The latency is high, the performance drops, and the costs start to spiral.
362
00:12:23,440 --> 00:12:27,440
When you have hundreds of data flows making the same detour, the bill compounds.
363
00:12:27,440 --> 00:12:29,440
As your charge is you for data that leaves a region.
364
00:12:29,440 --> 00:12:32,440
It doesn't charge for data that stays inside one.
365
00:12:32,440 --> 00:12:35,440
Ingress is free, but egress is a line item on your invoice.
366
00:12:35,440 --> 00:12:37,440
By forcing traffic through a central hub in a different region,
367
00:12:37,440 --> 00:12:40,440
you're creating cross-region transfers that didn't need to happen.
368
00:12:40,440 --> 00:12:43,440
You've essentially built a hidden tax into your architecture.
369
00:12:43,440 --> 00:12:44,440
The tax is real.
370
00:12:44,440 --> 00:12:49,440
Organizations often realize months into a deployment that their egress costs are five times higher than they budgeted.
371
00:12:49,440 --> 00:12:52,440
The cause is almost always the same, centralized egress.
372
00:12:52,440 --> 00:12:57,440
The assumptions about traffic patterns were wrong, and now that connectivity is flowing through a distant hub,
373
00:12:57,440 --> 00:12:59,440
the transfer charges are piling up.
374
00:12:59,440 --> 00:13:01,440
What actually works is a hybrid model.
375
00:13:01,440 --> 00:13:04,440
You need central policy orchestration with distributed enforcement.
376
00:13:04,440 --> 00:13:07,440
You define your rules once, what's allowed, what gets logged, what gets inspected.
377
00:13:07,440 --> 00:13:09,440
But you enforce those rules at the edge.
378
00:13:09,440 --> 00:13:12,440
In every region, in every network.
379
00:13:12,440 --> 00:13:15,440
The policy is central. The enforcement is local.
380
00:13:15,440 --> 00:13:19,440
Traffic exits exactly where it is, but it still follows the rules you set at the top.
381
00:13:19,440 --> 00:13:21,440
This requires a shift in how you think about architecture.
382
00:13:21,440 --> 00:13:23,440
You can't rely on one firewall anymore.
383
00:13:23,440 --> 00:13:27,440
You need multiple firewalls, one for each region, or running the same rule set.
384
00:13:27,440 --> 00:13:31,440
You might use Azure Firewall per region or cloud native controls like NSG's.
385
00:13:31,440 --> 00:13:33,440
The specific tools change, but the principle stays the same.
386
00:13:33,440 --> 00:13:36,440
The policy flows down from the center, but the execution happens locally.
387
00:13:36,440 --> 00:13:39,440
We call these regional breakout patterns.
388
00:13:39,440 --> 00:13:42,440
A workload in East US talks to East US services directly.
389
00:13:42,440 --> 00:13:47,440
If it needs to reach something in West US, it can go through a regional firewall or a direct path based on your policy.
390
00:13:47,440 --> 00:13:50,440
You aren't funneling it through a central hub for no reason.
391
00:13:50,440 --> 00:13:53,440
You're creating natural breakout points where local traffic stays local.
392
00:13:53,440 --> 00:13:57,440
Private endpoints and express routes are the alternatives to the firewall model.
393
00:13:57,440 --> 00:14:01,440
Private endpoints let your Azure workloads reach a SaaS service without ever touching the public internet.
394
00:14:01,440 --> 00:14:03,440
The traffic stays on Microsoft's private network.
395
00:14:03,440 --> 00:14:08,440
There's no public IP, no standard egress charge, and no need for a firewall to inspect the packet.
396
00:14:08,440 --> 00:14:11,440
ExpressRoute does the same thing for your on-premises connection.
397
00:14:11,440 --> 00:14:14,440
You pay for the private circuit instead of paying for the data transfer.
398
00:14:14,440 --> 00:14:16,440
These aren't free.
399
00:14:16,440 --> 00:14:18,440
Private endpoints take time to configure.
400
00:14:18,440 --> 00:14:20,440
ExpressRoute requires a contract and an upfront cost.
401
00:14:20,440 --> 00:14:24,440
But for high volume traffic, they are much cheaper than a centralized egress model.
402
00:14:24,440 --> 00:14:27,440
They are also more secure because your data never touches the open web.
403
00:14:27,440 --> 00:14:29,440
The design principle is simple.
404
00:14:29,440 --> 00:14:32,440
Let traffic follow the shortest path unless your policy says otherwise.
405
00:14:32,440 --> 00:14:36,440
Don't force detours just because they seem convenient for the networking team.
406
00:14:36,440 --> 00:14:39,440
Don't centralize a system that scales better when it's distributed.
407
00:14:39,440 --> 00:14:44,440
Network design dictates everything downstream, how teams deploy, and what performance they can actually get.
408
00:14:44,440 --> 00:14:48,440
If you get the network wrong, every other part of the landing zone suffers.
409
00:14:48,440 --> 00:14:51,440
Shared services, the centralization trap.
410
00:14:51,440 --> 00:14:53,440
You fix the subscription vending.
411
00:14:53,440 --> 00:14:54,440
Management groups are working.
412
00:14:54,440 --> 00:14:56,440
The network is distributing enforcement.
413
00:14:56,440 --> 00:14:58,440
You finally build a space where teams can move fast.
414
00:14:58,440 --> 00:15:01,440
And then they hit the shared services bottleneck.
415
00:15:01,440 --> 00:15:03,440
This is where most landing zones fail in the real world.
416
00:15:03,440 --> 00:15:05,440
It's not a failure of theory.
417
00:15:05,440 --> 00:15:06,440
It's a failure of practice.
418
00:15:06,440 --> 00:15:09,440
The logic that works for governance doesn't always work for operations.
419
00:15:09,440 --> 00:15:13,440
You can't distribute a logging platform the same way you distribute a firewall rule.
420
00:15:13,440 --> 00:15:17,440
You can't put a key vault in one region and expect a team across the world to use it without issues.
421
00:15:17,440 --> 00:15:20,440
Shared services have different constraints.
422
00:15:20,440 --> 00:15:24,440
When you optimize for centralization without understanding those limits, you haven't solved the problem.
423
00:15:24,440 --> 00:15:27,440
You've just moved the bottleneck from the cloud team to the service itself.
424
00:15:27,440 --> 00:15:30,440
There is a massive difference between shared and bottleneck.
425
00:15:30,440 --> 00:15:35,440
A shared service is something multiple teams use because building it twice would be a waste of money.
426
00:15:35,440 --> 00:15:38,440
Identity, logging, network services.
427
00:15:38,440 --> 00:15:43,440
These make sense to share, but shared does not have to mean centralized in one spot.
428
00:15:43,440 --> 00:15:45,440
It means coordinated.
429
00:15:45,440 --> 00:15:48,440
The old model is the hub and spoke topology.
430
00:15:48,440 --> 00:15:50,440
One central hub holds every shared service.
431
00:15:50,440 --> 00:15:53,440
The spokes are the individual team subscriptions, everything.
432
00:15:53,440 --> 00:15:56,440
Identity, logging, connectivity, routes through that one hub.
433
00:15:56,440 --> 00:15:59,440
It sounds efficient because there is only one place to manage.
434
00:15:59,440 --> 00:16:02,440
But now, every single workload depends on that hub.
435
00:16:02,440 --> 00:16:04,440
If the hub goes down, your workloads can't authenticate.
436
00:16:04,440 --> 00:16:06,440
They can't log data. They can't talk to each other.
437
00:16:06,440 --> 00:16:09,440
The hub is now a single point of failure for your entire company.
438
00:16:09,440 --> 00:16:13,440
As you scale, the burden of managing that hub becomes a nightmare.
439
00:16:13,440 --> 00:16:19,440
More traffic, more complexity, and more coordination are required just to make a small change without breaking everything.
440
00:16:19,440 --> 00:16:22,440
You need shared logging and identity, but you don't need them in one physical location.
441
00:16:22,440 --> 00:16:24,440
You need a central policy for how you log data.
442
00:16:24,440 --> 00:16:26,440
You need a central standard for what you monitor.
443
00:16:26,440 --> 00:16:29,440
But you can run regional instances of those services.
444
00:16:29,440 --> 00:16:34,440
A log analytics workspace in each region, all configured the same way, works much better.
445
00:16:34,440 --> 00:16:35,440
Teams log their data locally.
446
00:16:35,440 --> 00:16:38,440
Central teams can still run queries across every region.
447
00:16:38,440 --> 00:16:42,440
You get the cost savings of a shared model with the resilience of a distributed one.
448
00:16:42,440 --> 00:16:45,440
The model that actually works is shared services as a product.
449
00:16:45,440 --> 00:16:48,440
Stop looking at these as infrastructure requirements.
450
00:16:48,440 --> 00:16:51,440
Start looking at them as products your internal teams consume.
451
00:16:51,440 --> 00:16:53,440
That shift changes everything.
452
00:16:53,440 --> 00:16:57,440
A product has a road map. It has a support model. It has usage metrics and SLOs.
453
00:16:57,440 --> 00:17:03,440
When you treat a service like a product, you start measuring whether it's actually helping people or just getting in their way.
454
00:17:03,440 --> 00:17:07,440
The metrics are very simple. How long does it take a team to get access to the identity service?
455
00:17:07,440 --> 00:17:10,440
If it's hours you're fine. If it's days you have a bottleneck.
456
00:17:10,440 --> 00:17:15,440
How often does the logging system lag or fail? If it happens once a month, your teams will stop trusting it.
457
00:17:15,440 --> 00:17:19,440
What is the delay between an error happening and it's showing up in the dashboard?
458
00:17:19,440 --> 00:17:22,440
If it takes two hours, your developers can't troubleshoot in real time.
459
00:17:22,440 --> 00:17:25,440
These aren't infrastructure stats. They are product stats.
460
00:17:25,440 --> 00:17:27,440
They tell you if the service is actually usable.
461
00:17:27,440 --> 00:17:30,440
Once you look at it this way, the choices become clear.
462
00:17:30,440 --> 00:17:34,440
Do you need one central identity service that depends on the latency your teams can handle?
463
00:17:34,440 --> 00:17:39,440
Do you need one central logging workspace that depends on your data residency rules and query speed?
464
00:17:39,440 --> 00:17:43,440
Do you need a hub and spoke network? That depends on your specific security needs and traffic flows.
465
00:17:43,440 --> 00:17:45,440
The failure point is always the same.
466
00:17:45,440 --> 00:17:48,440
Teams optimize for central control without checking if that control actually works.
467
00:17:48,440 --> 00:17:54,440
They build a shared service because it feels right and then they're surprised when it breaks under the pressure of scale.
468
00:17:54,440 --> 00:17:57,440
Performance drops. Maintenance windows start disrupting everyone's work.
469
00:17:57,440 --> 00:18:01,440
The fix is to measure everything. Run your shared services like a business.
470
00:18:01,440 --> 00:18:03,440
Know your KPI is know exactly when you are slowing teams down.
471
00:18:03,440 --> 00:18:08,440
When you start looking at the data you'll realize that shared usually just means bottleneck.
472
00:18:08,440 --> 00:18:11,440
Because nobody asked if centralization was the right choice to begin with.
473
00:18:11,440 --> 00:18:16,440
Once your shared services are running smoothly, the next challenge is scaling this whole mess across multiple regions.
474
00:18:16,440 --> 00:18:20,440
Multi-region design, complexity for complexities sake.
475
00:18:20,440 --> 00:18:24,440
Most organizations eventually reach a point where they make a choice they'll regret.
476
00:18:24,440 --> 00:18:27,440
They've built a landing zone that actually works in one region.
477
00:18:27,440 --> 00:18:30,440
Subscriptions provision fast. Policies enforce consistently.
478
00:18:30,440 --> 00:18:33,440
Shared services work. Teams are shipping.
479
00:18:33,440 --> 00:18:36,440
Then someone asks, what about multi-region?
480
00:18:36,440 --> 00:18:39,440
And the answer is almost always the same.
481
00:18:39,440 --> 00:18:41,440
We should probably plan for it.
482
00:18:41,440 --> 00:18:44,440
But here's the problem. Most enterprises don't actually need multi-region.
483
00:18:44,440 --> 00:18:46,440
They think they do. There's a massive difference.
484
00:18:46,440 --> 00:18:50,440
Needing multi-region means you have a business requirement that can't be met any other way.
485
00:18:50,440 --> 00:18:53,440
Thinking you need it means it just sounds like a good idea.
486
00:18:53,440 --> 00:18:56,440
It sounds resilient. It sounds like what mature organizations do.
487
00:18:56,440 --> 00:18:59,440
In reality, the real cost isn't the infrastructure. It's the governance.
488
00:18:59,440 --> 00:19:02,440
It's the operational complexity. The data residency constraints.
489
00:19:02,440 --> 00:19:05,440
Every new region means new management groups and new policy assignments.
490
00:19:05,440 --> 00:19:08,440
You need new subscriptions following the same vending pattern.
491
00:19:08,440 --> 00:19:12,440
You need new shared services, identity, logging, monitoring in that specific region.
492
00:19:12,440 --> 00:19:16,440
New network boundaries, new naming conventions, new everything.
493
00:19:16,440 --> 00:19:19,440
You've just doubled the surface area of your governance model.
494
00:19:19,440 --> 00:19:22,440
And the operational complexity scales differently than the servers do.
495
00:19:22,440 --> 00:19:25,440
In one region, you have one set of policies to maintain.
496
00:19:25,440 --> 00:19:28,440
In two regions, you aren't just maintaining twice as much policy.
497
00:19:28,440 --> 00:19:30,440
You're maintaining twice as much coordination.
498
00:19:30,440 --> 00:19:33,440
Teams in region A have to follow the same standards as teams in region B.
499
00:19:33,440 --> 00:19:35,440
But they can't see each other's deployments.
500
00:19:35,440 --> 00:19:38,440
They can't quickly check if they're doing things the same way.
501
00:19:38,440 --> 00:19:43,440
And the coordination tax data residency is the constraint most teams underestimate until it's too late.
502
00:19:43,440 --> 00:19:47,440
When you move to a second region, you suddenly have to care about exactly where data lives.
503
00:19:47,440 --> 00:19:51,440
A workload in East US can log to a workspace in East US without a second thought.
504
00:19:51,440 --> 00:19:54,440
But move that to West Europe and your bound by GDPR.
505
00:19:54,440 --> 00:19:57,440
Personal data cannot leave the EU without explicit consent.
506
00:19:57,440 --> 00:20:01,440
A multi-region architecture that looks simple in the US becomes a nightmare in Europe.
507
00:20:01,440 --> 00:20:06,440
You need separate logging per region, separate backups per region, separate retention policies per region.
508
00:20:06,440 --> 00:20:11,440
The question isn't, "Should we be multi-region?" The question is, "What would break if we weren't?"
509
00:20:11,440 --> 00:20:14,440
If the honest answer is nothing, then you don't need it.
510
00:20:14,440 --> 00:20:20,440
If the answer is customer compliance or regulatory mandate or latency is killing our users on three continents, then you need it.
511
00:20:20,440 --> 00:20:23,440
But needing it isn't the same as knowing how to design it.
512
00:20:23,440 --> 00:20:25,440
When you do pull the trigger, there are trade-offs.
513
00:20:25,440 --> 00:20:29,440
Active active means both regions handle production traffic all the time.
514
00:20:29,440 --> 00:20:32,440
Work loads run in both. Users go to whichever is closer.
515
00:20:32,440 --> 00:20:36,440
If one region fails, the other keeps going. It sounds seamless.
516
00:20:36,440 --> 00:20:39,440
But active active means your data consistency requirements explode.
517
00:20:39,440 --> 00:20:41,440
You're replicating data across regions in real time.
518
00:20:41,440 --> 00:20:46,440
Database is synchronizing. Caches invalidating. Complexity compounds.
519
00:20:46,440 --> 00:20:49,440
Active passive means one region is primary and the other is standby.
520
00:20:49,440 --> 00:20:53,440
If the primary fails, you fail over. There's less complexity here, but fail over takes time.
521
00:20:53,440 --> 00:20:57,440
Minutes at best. During those minutes, your service is degraded.
522
00:20:57,440 --> 00:20:59,440
And fail over testing is painful.
523
00:20:59,440 --> 00:21:06,440
You need to actually fail over to know it works, which means you're either disrupting production or paying for an entire second environment just for tests.
524
00:21:06,440 --> 00:21:09,440
The cost implications are stark. Cross-region replication is never free.
525
00:21:09,440 --> 00:21:13,440
Database replication. Back-up replication. Logging replication.
526
00:21:13,440 --> 00:21:16,440
Every terabyte you send to a second region is a line item.
527
00:21:16,440 --> 00:21:20,440
Fail over testing means standing up resources in a second region just to tear them down.
528
00:21:20,440 --> 00:21:24,440
Data transfer between regions hits that egress tax we discussed earlier.
529
00:21:24,440 --> 00:21:28,440
A simple multi-region design can easily double your Azure Bill.
530
00:21:28,440 --> 00:21:32,440
Data delivery and compliance drivers are usually the only reasons that actually justify this cost.
531
00:21:32,440 --> 00:21:36,440
GDPR forces data residency. PCI requires specific geographic separation.
532
00:21:36,440 --> 00:21:41,440
Sovereign cloud regulations require data to stay in a specific country. Those are non-negotiable.
533
00:21:41,440 --> 00:21:44,440
But they're also very specific. If you have them, you know it. If you're not sure.
534
00:21:44,440 --> 00:21:51,440
You probably don't have them. The model is this. Multi-region is an architectural choice, not a default, if you need it, build for it.
535
00:21:51,440 --> 00:21:55,440
But don't build for it because it feels mature. Build for it because your business can't survive without it.
536
00:21:55,440 --> 00:21:59,440
Everything else should run in one region until the business proves otherwise.
537
00:21:59,440 --> 00:22:03,440
Bicep as infrastructure contract. Moving beyond templates.
538
00:22:03,440 --> 00:22:07,440
You've now built a landing zone that provisions subscriptions fast. It enforces policy consistently.
539
00:22:07,440 --> 00:22:10,440
It networks efficiently. It shares services appropriately.
540
00:22:10,440 --> 00:22:14,440
And it doesn't get ambitious about geography. You fix the governance model.
541
00:22:14,440 --> 00:22:18,440
The remaining layer is the code itself. And this is where the biggest maintenance mistakes happen.
542
00:22:18,440 --> 00:22:21,440
Most organizations treat bicep files as templates.
543
00:22:21,440 --> 00:22:26,440
You write a template for storage account. You write a template for a virtual network. Someone needs storage.
544
00:22:26,440 --> 00:22:30,440
So you copy the template. You modify it for the specific workload. You deploy it.
545
00:22:30,440 --> 00:22:32,440
Next request. You repeat the process.
546
00:22:32,440 --> 00:22:36,440
Every team starts with a copy. Every team modifies it slightly for their own needs.
547
00:22:36,440 --> 00:22:41,440
Within months, you have 50 variations of the same storage account template. Some have encryption enabled.
548
00:22:41,440 --> 00:22:44,440
Some don't. Some have diagnostic settings. Some don't.
549
00:22:44,440 --> 00:22:48,440
You've got template drift before you've even finished the initial rollout.
550
00:22:48,440 --> 00:22:54,440
That's the template mindset. Write it once, copy it many times. Every copy diverges. No two copies stay in sync.
551
00:22:54,440 --> 00:22:58,440
Maintenance becomes impossible. Security baseline updates become nightmares.
552
00:22:58,440 --> 00:23:05,440
You update the encryption standard in the master template. And now you have to hunt down all 50 copies and update them individually if you miss one.
553
00:23:05,440 --> 00:23:09,440
There's a non-compliant deployment running in your environment. The contract mindset is different.
554
00:23:09,440 --> 00:23:12,440
You write a module. Not a template, a module.
555
00:23:12,440 --> 00:23:16,440
A module is a reusable component that you version, publish and consume.
556
00:23:16,440 --> 00:23:20,440
You don't copy it. You reference it. You reference a specific version.
557
00:23:20,440 --> 00:23:25,440
When you deploy, you're consuming that exact version. When a vulnerability is discovered, you publish a new version.
558
00:23:25,440 --> 00:23:30,440
Teams that need the fix upgrade their reference. Teams that don't have time yet stay on the old version consciously.
559
00:23:30,440 --> 00:23:36,440
It's a deliberate choice, not an accident of drift. The shift from bicep files to bicep modules is version to products.
560
00:23:36,440 --> 00:23:41,440
Sound subtle. It's not. It's architectural. It changes how you distribute code, how you maintain it, how you govern it.
561
00:23:41,440 --> 00:23:48,440
As your verified modules are the implementation of this philosophy. AVM modules are bicep modules that follow a strict standard.
562
00:23:48,440 --> 00:23:55,440
They have clear parameters, clear outputs, clear behavior. They are tested, documented, versioned.
563
00:23:55,440 --> 00:24:02,440
When you consume an AVM module, you're consuming something that multiple organizations rely on, something that's maintained, something that evolves predictably.
564
00:24:02,440 --> 00:24:08,440
For enterprise scale, that predictability is everything. You can't maintain 50 custom templates. You can maintain two.
565
00:24:08,440 --> 00:24:14,440
One for your core platform components, one for workloads, standard patterns. Everything else you consume from a published registry.
566
00:24:14,440 --> 00:24:19,440
Whether it's AVM modules or your own internal modules. They must be published and versioned like products.
567
00:24:19,440 --> 00:24:26,440
Semantic versioning is the discipline that makes this work. You use a major version for breaking changes. Maybe you're removing a parameter that teams relied on.
568
00:24:26,440 --> 00:24:32,440
You use a minor version for additive changes. Like adding a new optional parameter, you use a patch version for fixes.
569
00:24:32,440 --> 00:24:44,440
Like a typo in a default value or a security hardening that doesn't change the interface. Teams see a major version bump and they know they have work ahead. They see a minor version bump and they know they can adopt it on their own timeline.
570
00:24:44,440 --> 00:24:47,440
The cost of forking templates is where this becomes concrete.
571
00:24:47,440 --> 00:24:52,440
Someone forks your storage module because they need a slightly different skew. They modify it, they maintain it separately.
572
00:24:52,440 --> 00:24:57,440
Two years later you discover a security vulnerability in the encryption config, you fix it in the main module.
573
00:24:57,440 --> 00:25:04,440
But their fork still has the vulnerability. Now your running security patches across two code bases, two review processes, two deployment pipelines.
574
00:25:04,440 --> 00:25:10,440
Your governance model has just doubled because nobody enforced the constraint that modules must be consumed, not copied.
575
00:25:10,440 --> 00:25:14,440
Version pinning discipline means never referencing latest or main.
576
00:25:14,440 --> 00:25:19,440
Never, those are moving targets. You reference 1.3.2, a specific version.
577
00:25:19,440 --> 00:25:30,440
When you're ready to upgrade to 1.4.0, you make that decision explicitly. It's a pull request. It gets reviewed, it gets tested, then you merge it. Now you're on the new version and you stay there until you decide to move again.
578
00:25:30,440 --> 00:25:40,440
No surprises, no automatic upgrades, breaking things in production, no, the template changed and now everything fails. That discipline scales governance because governance isn't enforcement anymore.
579
00:25:40,440 --> 00:25:51,440
It's versioning, it's publishing, it's knowing that every deployment is using a known tested version of the module, not a drift infected copy, not a moving target, a contract, a versioned, documented, published contract.
580
00:25:51,440 --> 00:26:03,440
Once modules become contracts, governance becomes measurable, module composition patterns, building reusable infrastructure. You understand modules as contracts, but how do you design those contracts so they actually work at scale?
581
00:26:03,440 --> 00:26:16,440
The first instinct is usually to build comprehensive modules. One single module that deploys a complete workload, compute, storage, networking, identity, monitoring. It's all in one place, it feels efficient because you have one version and one reference.
582
00:26:16,440 --> 00:26:23,440
And everything stays synchronized, but in reality, it fails the moment you hit real complexity because a module that does everything is just a god module.
583
00:26:23,440 --> 00:26:34,440
It ends up with 50 parameters, half of them are optional, and nobody can remember which combinations actually work together. When you need to update one small piece like a monitoring setting, you have to bump the version for the entire stack.
584
00:26:34,440 --> 00:26:40,440
Teams that don't even care about monitoring now have to decide if they should upgrade or stay on an old unsupported version.
585
00:26:40,440 --> 00:26:48,440
You've created artificial coupling where none needed to exist. The model that actually scales is layered composition, think of it in three tiers. The bottom tier is primitives.
586
00:26:48,440 --> 00:27:00,440
A primitive module is a single resource or a very tight set of resources, like a storage account, a virtual network, or a managed identity. These are small and focused. They do one thing well. They have minimal parameters, but very rich outputs.
587
00:27:00,440 --> 00:27:10,440
Everything downstream might need to know about them so you expose the resource IDs, the principle IDs, and the endpoints. The middle tier is patterns. A pattern module composes those primitives into a solution.
588
00:27:10,440 --> 00:27:23,440
A web app pattern might pull together storage, compute, and identity, but it isn't just a big file of code. It references the primitive modules and wires their outputs together. Because you are building on proven primitives, the pattern module stays simple.
589
00:27:23,440 --> 00:27:35,440
You only expose the parameters that actually matter for that specific pattern. The top tier is solutions. A solution module is what a team actually consumes. Maybe it's a microservice landing zone that uses the web app pattern and adds networking and security.
590
00:27:35,440 --> 00:27:48,440
A developer says I need a microservice environment. They consume the solution. They don't need to know how the primitives or patterns work internally. They provide a workload name and some basic config, and they get a coherent deployment. This layering solves a massive problem.
591
00:27:48,440 --> 00:27:59,440
When a security floor is found in how your storage handles encryption, you fix it once in the primitive module. That fix automatically flows up through every pattern and every solution. One fix, total scale.
592
00:27:59,440 --> 00:28:20,440
But this is where most teams fail. Parameter design. The instinct is to make the module maximally flexible by exposing every possible option. But maximum flexibility is just maximum complexity. A module with 30 parameters is a module nobody understands. People end up guessing which combinations are correct and they usually get it wrong. The balance is simple. Parameterize what actually varies.
593
00:28:20,440 --> 00:28:42,440
Everything else becomes an opinionated default. A storage module should ask for the account name, the location and the replication strategy. Those change based on the workload. But that same module should default to encryption enabled and firewalls turned on. Those are baseline standards. They aren't options. They're just how you do things. Then you have outputs. Outputs are your public interface. Most modules are under designed here. A storage module that only gives you the account name is useless to a downstream resource.
594
00:28:42,440 --> 00:28:56,440
You need the account ID, the blob endpoint and the principal ID for identity. The module that created the resource already knows these values. Expose them. Don't make downstream modules try to calculate them again. There is also a specific approach called the shared variable file pattern.
595
00:28:56,440 --> 00:29:07,440
Sometimes you have complex config like a network security group with dozens of rules. You don't want all of that clattering up your module parameters. Instead you store that data in a JSON file. The module loads the file and uses it.
596
00:29:07,440 --> 00:29:27,440
The team updates the JSON, not the module code, the configuration stays external and the module stays clean. The guiding principle is this. A module should be usable by someone who has no idea how it works inside. If a developer can't use your module in five minutes without reading your source code, you've over designed it. Once these patterns are in place, you need versioning discipline to keep it all from falling apart.
597
00:29:27,440 --> 00:29:48,440
Version control and release discipline. Version control isn't just a storage locker for code. It's the mechanism that prevents drift. It's what keeps your infrastructure consistent across different teams and different years. Without it you're just managing hundreds of manual variations. But here's the problem. Version control for bicep is not the same as version control for application code. With an app, you version the whole code based together.
598
00:29:48,440 --> 00:30:07,440
One repo, one release, that works because the app is a single unit that you deploy all at once. Infrastructure is different. A platform team might own the network. A security team owns the policies. A database team owns the storage patterns. They are all moving at different speeds. If you lock them into one repository with one release cadence, you create massive overhead.
599
00:30:07,440 --> 00:30:27,440
The network team can't ship a critical fix because they're stuck waiting for the security team to finish a new feature. The shift you need to make is separating code repositories from configuration repositories. The code repo holds your modules, your primitives and your solutions. This is where the engineers work and where you track every logic change. The configuration repo holds the actual values like the bicep arm files.
600
00:30:27,440 --> 00:30:42,440
This is where the application teams live. This is where you track exactly which version of a module is running in production. This separation solves the scaling issue. Five different teams can own five separate module repositories. The network team and the identity team maintain their own code and version it independently.
601
00:30:42,440 --> 00:30:52,440
The configuration repo acts as the coordinator. It points to specific versions of those modules. When the network team releases version 2.1, the configuration doesn't just automatically update.
602
00:30:52,440 --> 00:31:04,440
Someone has to review the change. They test it in a sandbox, they approve it. Then they update the reference to 2.1. That is a deliberate choice, not an accident. This is also where you use CICD gates to enforce quality.
603
00:31:04,440 --> 00:31:13,440
Before any change hits the main branch, it has to pass a validation check. For bicep, that means a what if deployment, you compile the code and run what if against a test environment to see exactly what would happen.
604
00:31:13,440 --> 00:31:25,440
If the changes look right, the gate opens, if the tool shows a resource getting deleted or a breaking change you didn't expect, the gate stays shut. The pull request can't merge until the logic is fixed. To handle the overhead, use path filters and per module pipelines.
605
00:31:25,440 --> 00:31:32,440
If you have 10 modules in one repo and you change one, you shouldn't trigger 10 releases. You only want to run the pipeline for the specific folder that changed.
606
00:31:32,440 --> 00:31:41,440
Tools like as you are pipelines or GitHub actions handle this easily. When the network folder changes, you run the network pipeline. No unnecessary versions and no artificial coupling.
607
00:31:41,440 --> 00:31:52,440
For the actual life cycle, Azure uses deployment stacks. A stack is a managed unit that knows exactly which resources belong to it. When you update a template, the stack knows what to add, what to modify and what to clean up.
608
00:31:52,440 --> 00:32:02,440
It can even enforce deny assignments so people can't manually delete things. This is vital for shared services. You don't want a random admin deleting a central logging resource because they thought it was leftover junk.
609
00:32:02,440 --> 00:32:11,440
Then there are breaking changes. When you remove a parameter or change how a module behaves, you bump the major version. That's the signal to every consuming team that they have worked to do.
610
00:32:11,440 --> 00:32:23,440
If 50 teams are using your module, a breaking change means 50 updates that need to be coordinated. You have to plan for that. Communicate it early. Provide a clear migration path and keep the old documentation live as long as teams need it.
611
00:32:23,440 --> 00:32:46,440
The discipline is simple. Every version is immutable. Once you publish version 1.3, that code never changes. If you find a bug, you publish 1.3.1. When a team is using 1.3 and hits a bug, they know they aren't alone. They can find the known issues and compare notes with others. That immutability is what creates predictability. And that predictability is what allows a platform to evolve without breaking everything in its path.
612
00:32:46,440 --> 00:33:01,440
Teams know what's changing when it's changing and exactly what they need to do to keep up. The subscription vending machine, automating on boarding, subscription vending is where governance meets agility. It is the operational hinge that everything else depends on. Everything you have built so far.
613
00:33:01,440 --> 00:33:10,440
The management group hierarchy, the policy assignments and the baseline configurations. Only matters if teams can actually create subscriptions and get to a usable state without waiting.
614
00:33:10,440 --> 00:33:22,440
The old model was built on friction. A team needs a new environment so they fill out a form and answer questions about workload type, team size and compliance requirements. They explain if it needs to talk to on-premises systems or if it faces the public internet.
615
00:33:22,440 --> 00:33:32,440
In most organizations, that form is a 20-page questionnaire that leads to a manual ticket which sits in a service now queue while it waits for a human to review it. But in reality, that assumption is broken.
616
00:33:32,440 --> 00:33:47,440
Work doesn't start with a ticket. It starts with context. The new model uses a simple form with five or maybe ten fields which provides just enough context to make automated decisions. When that form is submitted, it triggers a bicep deployment, not a request, a deployment.
617
00:33:47,440 --> 00:33:54,440
That deployment handles everything by creating the subscription in the right management group and assigning the correct policies based on compliance needs.
618
00:33:54,440 --> 00:34:01,440
It configures our back so the team has ownership immediately and it sets up logging, monitoring and a virtual network with the right address space.
619
00:34:01,440 --> 00:34:15,440
By the time the form submission completes the subscription is ready, not days away, not weeks away, ready. The speed difference is profound. Manual requests take weeks because they require constant coordination, starting when a cloud operations person reviews the ticket and asks clarifying questions.
620
00:34:15,440 --> 00:34:28,440
They coordinate with security to check policies and networking to ensure the address space does not conflict and then they manually click through the portal to create resources. Two weeks later, the team finally has something they can work with. Automated vending takes minutes.
621
00:34:28,440 --> 00:34:38,440
The form validates the data immediately and the bicep deployment runs because the standard decisions are already encoded. No human judgment is needed during the process because that judgment was already applied once.
622
00:34:38,440 --> 00:34:48,440
In the code itself, if the deployment fails, the problem is usually simple and fixable, like an invalid address space or a duplicate name. It is never a case of needing to talk to three more teams before getting an approval.
623
00:34:48,440 --> 00:34:55,440
Using bicep to automate this requires discipline and the vending machine must be flexible enough to handle different needs.
624
00:34:55,440 --> 00:35:03,440
A development environment requires different configurations than a production environment just as a machine learning workload needs different resources than a simple web application.
625
00:35:03,440 --> 00:35:16,440
The bicep code uses parameters for workload type, environment classification and compliance tiers to make these decisions. For a development environment, the machine creates a single subscription with minimal policies and loser RBAC so teams can experiment.
626
00:35:16,440 --> 00:35:24,440
When it handles production, it creates subscriptions in a different branch of the hierarchy with stricter policies, restrictive RBAC and mandatory logging.
627
00:35:24,440 --> 00:35:31,440
For machine learning, it provisions specific compute resources like GPU quotas and higher storage limits that would not make sense for a web app.
628
00:35:31,440 --> 00:35:41,440
The self-service portal is where usability matters most. The form cannot be hidden in an internal wiki three levels deep, so it needs to be discoverable, simple and capable of providing real feedback.
629
00:35:41,440 --> 00:35:48,440
If a submission fails, teams need to know why and how to fix it right then. If the deployment is taking time, they need visibility into the progress.
630
00:35:48,440 --> 00:35:58,440
A portal that just accepts a form and disappears is a portal that gets abandoned and teams will stop using it and go back to manual tickets or even worse. Shadow IT.
631
00:35:58,440 --> 00:36:05,440
The tension lies in balancing automation with necessary guardrails. You want to automate as much as possible, but some decisions still need a human eye.
632
00:36:05,440 --> 00:36:14,440
Maybe a team is requesting an unusually large number of subscriptions or a workload has compliance needs that do not map to your standard categories. These cases need an escalation path.
633
00:36:14,440 --> 00:36:17,440
Not a rejection. Not a you can't do this. A path.
634
00:36:17,440 --> 00:36:26,440
An approver reviews the request and makes a decision and that decision is documented. If you see the same type of request repeatedly, you update the vending machine to handle it automatically next time,
635
00:36:26,440 --> 00:36:31,440
rather than keeping the same problem escalated. The cost of not automating is staggering.
636
00:36:31,440 --> 00:36:36,440
Organizations that still use manual ticket-based provisioning spend massive amounts on operational overhead.
637
00:36:36,440 --> 00:36:41,440
Cloud teams get buried in tickets while security teams perform the same compliance review 50 times instead of encoding it once.
638
00:36:41,440 --> 00:36:47,440
Finance teams end up tracking manual chargebacks because subscriptions were not tagged consistently at the start.
639
00:36:47,440 --> 00:36:52,440
Shadow IT grows because the official path was so slow that teams felt they had to create their own way forward.
640
00:36:52,440 --> 00:36:59,440
Once subscription vending is working, teams can move fast within the governance structure. Fast provisioning only works if the governance is sound,
641
00:36:59,440 --> 00:37:04,440
and the vending machine is fast because the rules it encodes are trusted by the organization.
642
00:37:04,440 --> 00:37:12,440
Teams do not have to wait and they do not have to wonder if their environment is compliant. It was created by the machine, it is compliant by design, policy as code.
643
00:37:12,440 --> 00:37:14,440
Guard rails versus gates.
644
00:37:14,440 --> 00:37:26,440
Guards are different, but the distinction that actually matters is the difference between guard rails and gates. A guard rail is a boundary.
645
00:37:26,440 --> 00:37:30,440
It is a safe edge that lets you move freely as long as you stay within the lines.
646
00:37:30,440 --> 00:37:35,440
A guard rail keeps you from falling off a cliff, but it does not tell you which direction to walk. You go where you want.
647
00:37:35,440 --> 00:37:39,440
You are just protected from the worst case outcomes. Gates are different. Gates block you.
648
00:37:39,440 --> 00:37:46,440
You hit a policy gate and your deployment stops until someone or something opens it. Gates are explicit blocks. They are rejections.
649
00:37:46,440 --> 00:37:51,440
Most organizations implement their first policies as gates, where they deny this and they deny that.
650
00:37:51,440 --> 00:37:59,440
A deny policy on public IP addresses means you cannot create a VM with a public IP so the deployment fails, the gate closes and you are stuck.
651
00:37:59,440 --> 00:38:13,440
The policy achieved its goal of stopping public IPs, but it also created a secondary problem. The team that actually needed that IP for a testing scenario or a temporary debugging session now has to file an exception request. That means a ticket. That means waiting.
652
00:38:13,440 --> 00:38:26,440
The team gets frustrated and finds a workaround, perhaps by creating the resource in a personal subscription or using a different tool entirely, the gate did not actually prevent the behavior. It just moved the behavior outside of your control. Guard rails work differently.
653
00:38:26,440 --> 00:38:35,440
Instead of denying public IPs, you assign a policy that audits them. So every public IP deployment is logged and flagged. You can see who is creating them and why, but the deployment still succeeds.
654
00:38:35,440 --> 00:38:48,440
The team gets what they need without an exception request or a long wait and you have gained visibility without creating friction. The rollout strategy that actually works is audit first, then enforce. You start with every policy in audit mode. Not deny, audit.
655
00:38:48,440 --> 00:38:58,440
The policy runs and flags violations, but it does not block any deployments. You let this run for several weeks while you collect data. You see which policies are actually triggering and which ones are just edge cases.
656
00:38:58,440 --> 00:39:09,440
This is when you involve the teams and ask them why certain deployments do not meet the baseline. The teams explain their context, which might include legitimate needs, simple mistakes or workarounds for missing capabilities in the platform.
657
00:39:09,440 --> 00:39:21,440
Then you move to enforcement, but only for the policies where you have validated the impact. You only turn on deny once you have a clear exception process and you have ensured the govern path is faster than the ungoverned one.
658
00:39:21,440 --> 00:39:26,440
Rushing straight to deny policies is how you end up with teams circumventing your governance entirely.
659
00:39:26,440 --> 00:39:38,440
When I policies have a hidden cost that organizations rarely measure, the cost is not in the IT budget, it is in productivity. When a team hits a deny policy they have two choices. They can file an exception and wait or they can find a workaround.
660
00:39:38,440 --> 00:39:47,440
The workaround costs real time and real money. A team that spends two hours bypassing a policy because an official exception would take three days has just lost two hours of work.
661
00:39:47,440 --> 00:39:57,440
If you multiply that across an entire organization and every policy you have in place, you find the actual cost of your governance. Policy compliance metrics tell a story if you know how to read them.
662
00:39:57,440 --> 00:40:05,440
A compliance rate of 98% sounds good, but it depends entirely on what you are measuring. If you are checking if resources have the right tags, 98% is probably fine.
663
00:40:05,440 --> 00:40:12,440
But if you are measuring whether virtual machines have encryption enabled, that 2% gap means you have unencrypted data sitting in your environment.
664
00:40:12,440 --> 00:40:20,440
The metric matters, the threshold matters and the trend matters more than the absolute number. If compliance is dropping month over month, something is wrong with the system.
665
00:40:20,440 --> 00:40:28,440
Maybe the policies are getting too strict or maybe teams are being pushed toward workarounds to get their jobs done. This is a signal that you need to revisit the policy set.
666
00:40:28,440 --> 00:40:35,440
Exception management is where most organizations fail silently. A team needs an exception to a deny policy, so they file a request.
667
00:40:35,440 --> 00:40:49,440
But because no formal process exists, it goes to an email chain, someone approves it somewhere, but there is no record and no tracking. A month later nobody remembers what was approved or why it was allowed, and you have created a governance process that is essentially invisible. The fix is structure.
668
00:40:49,440 --> 00:40:55,440
You must make exceptions trackable and time bound. If you approve an exception for six months, it should expire unless it is explicitly renewed.
669
00:40:55,440 --> 00:41:06,440
If the same exception keeps getting renewed over and over, that is a signal that the policy itself probably needs to change, you have identified a gap between the intent of the policy and the reality of the work.
670
00:41:06,440 --> 00:41:14,440
Policies only work when they are paired with usable alternatives. Governance succeeds when the govern path is genuinely faster than the shadow path.
671
00:41:14,440 --> 00:41:21,440
Identity and access at scale. Identity is the control plane for everything else, not the network, not the policies identity.
672
00:41:21,440 --> 00:41:31,440
Because every deployment, every configuration change, and every access request flows through identity. When identity is right, governance is enforced automatically. When identity is wrong, governance is theater.
673
00:41:31,440 --> 00:41:37,440
You end up with policies nobody can trigger. You have resources nobody can reach. You have audits showing compliance that's meaningless.
674
00:41:37,440 --> 00:41:44,440
Because the people auditing don't even have access to the systems they're checking. The first mistake organizations make is treating identity as infrastructure.
675
00:41:44,440 --> 00:41:50,440
They deploy Microsoft and try to call it done, but identity isn't infrastructure. It's governance itself.
676
00:41:50,440 --> 00:42:01,440
Every permission you grant is a governance decision. Every role assignment is a control. Every conditional access rule shapes what teams can do. And when they can do it, managed identities versus service principles is where this gets concrete.
677
00:42:01,440 --> 00:42:10,440
A managed identity is what you use when a resource needs to authenticate without a human involved. For example, a VM needs to pull a secret from Key Vault. It gets a managed identity.
678
00:42:10,440 --> 00:42:39,440
The Vault trusts that identity. The VM authenticates without passwords. No human has to manage credentials. No credentials get stolen because they're not sitting in a config file. They don't exist outside Azure. That's the model. That's how identity at scale works. Service principles are the alternative. They're identities that represent applications, but they have passwords or certificates. Someone has to create them. Someone has to manage the credentials. Someone has to rotate them before they expire. Service principles are still necessary in some cases. External systems need to authenticate to Azure and they can't use managed identities.
679
00:42:39,440 --> 00:43:04,440
So they use service principles, but for everything internal to Azure, managed identities are the answer because they remove the credential management problem. And credential management at scale is where most organizations fail. Federated credentials solve the CICD problem. Your GitHub actions workflow needs to deploy infrastructure to Azure. It can't use a managed identity because GitHub is external to Azure. Historically, you'd create a service principle, generate credentials. Store them in GitHub secrets.
680
00:43:04,440 --> 00:43:23,440
That works, but credentials in GitHub secrets are a problem waiting to happen. They get rotated on the schedule. They expire. Someone has to remember to rotate them before they expire and leaked GitHub secrets in commit history are a real risk. Federated credentials, let you say, GitHub actions can authenticate to Azure without passwords. The GitHub workflow has an identity.
681
00:43:23,440 --> 00:43:39,440
Azure trusts that identity because GitHub cryptographically proves it. No credentials, no secrets, no exploration. The workflow authenticates. It gets a token. It deploys. That token is short-lived. It's used once. It can't be stolen because it exists only for the moment it's used. That's the model. That's how you do it at scale.
682
00:43:39,440 --> 00:43:55,440
Arbach inheritance through the hierarchy is where governance becomes operational. You design a management group hierarchy. Each level has policies. But Arbach is part of that hierarchy too. You assign a role at the root management group level and it cascades down to every child. Every subscription, every resource group, every resource.
683
00:43:55,440 --> 00:44:10,440
Design for least privilege at the hierarchy level in every subscription you create gets least privilege by default. You don't have to manually configure it on each one. The discipline is never assign roles at the resource level if you can assign them at a higher level. Assign them at the right level.
684
00:44:10,440 --> 00:44:26,440
A team that manages identity components gets assigned roles on the identity management group. A team that manages networks gets assigned roles on the networking management group. Not on individual resources, not on individual subscriptions. On the management group where their scope applies, everything underneath inherits the correct level of access.
685
00:44:26,440 --> 00:44:51,440
Breakglass accounts are the emergency access pattern. Something is broken. Your automation is failing. You need to fix it now. You need to access resources but your normal access controls are preventing it. Breakglass accounts bypass those controls. They're restricted. They're audited heavily. Access requires approval from multiple people. But they exist. They're prepared ahead of time. You test them quarterly so you know they work when you actually need them. Then you document what happened. Why you needed to use them? What change to prevent needing them again?
686
00:44:51,440 --> 00:45:13,440
Conditional access policies shape deployment workflows in ways teams don't always understand. A team's developers can access Azure from the office. But Azure detects they're accessing from a coffee shop and blocks them. That's conditional access. It's appropriate in some context. But it's also friction designed the access policy you need. But measure the friction it creates when the friction outweighs the risk. Change the policy.
687
00:45:13,440 --> 00:45:39,440
Identity is foundational. Every other control depends on it working correctly. Observability as a governance mechanism. Here's what nobody tells you about logging. It's not about troubleshooting. Not primarily. Yes, you need logs to figure out why something failed at 3am. But that's the convenience benefit. The actual purpose is different. Logging is how governance proves it happened. It's the audit trail. It's the insurance policy. It's the mechanism that turns governance from intention to evidence.
688
00:45:39,440 --> 00:46:08,440
When you make a policy decision, this resource must be encrypted. This identity must use multi factor authentication. This deployment must come from an approved pipeline. Logging is what proves the policy is actually being followed. Without logging, you have a policy nobody can verify. You're trusting based on assumption. With logging, you have records. You can prove compliance. You can prove violations. You can prove who did what and when. Most organizations think about logging wrong. They think it's about collecting everything. Dump all logs into one central place. Make it available to whoever needs it. That sounds reasonable. In practice.
689
00:46:08,440 --> 00:46:15,440
It becomes a governance nightmare. You've got years of logs, terabytes of data. No organization. No structure.
690
00:46:15,440 --> 00:46:28,440
Searching for a specific event takes hours. The volume of data becomes a cost problem. You're storing logs you'll never look at. You're paying for retention policies that are too long or too short. You're not actually getting value from the logging infrastructure.
691
00:46:28,440 --> 00:46:41,440
Centralized log analytics workspaces create architectural implications that matter. If you have one workspace for your entire organization, every workload in every region and environment is logging to the same place. That's a single point of failure for observability.
692
00:46:41,440 --> 00:46:50,440
If the workspace is unavailable, you have no visibility into what's happening. It's also a query performance problem. Queries across terabytes of data slow down. It's a cost problem.
693
00:46:50,440 --> 00:47:05,440
If you have a transfer charges, if you're replicating logs from multiple regions to a central location, it's an access control problem. If you have one workspace, you need to manage access centrally. A team in one region can see logs from another region. That might be fine. It might not be depending on your compliance requirements.
694
00:47:05,440 --> 00:47:13,440
The architecture that works is regional logging with central visibility. Each region has its own log analytics workspace. Teams log locally.
695
00:47:13,440 --> 00:47:25,440
But there's a central workspace that aggregates the important stuff. Not everything, just the signals that matter for governance. Security events, policy violations, compliance audits, identity access changes, deployment activities.
696
00:47:25,440 --> 00:47:42,440
The high signal data flows to the center. Low signal data stays local. You get visibility without the volume problem. Diagnostic settings are the governance requirement that most organizations enforce last. Or never. You should enforce them first. Every resource should have diagnostic settings configured. That means every resource is logging automatically.
697
00:47:42,440 --> 00:47:52,440
Not optional. Not configurable by the team deploying the resource. Mandatory built into the resource as it's created the vending machine that creates subscriptions. It configures diagnostic settings on the resources in those subscriptions.
698
00:47:52,440 --> 00:48:04,440
The module that creates a storage account, it enables diagnostics on that storage account. You don't ask teams whether they want logging. Logging is how you know what's happening. The cost implications of centralized logging across regions is where the economic model matters.
699
00:48:04,440 --> 00:48:18,440
Data transfer between regions costs money. If you're collecting logs from East US and replicating them to West US for central analysis, you're paying for that data transfer. The more regions you have, the more the transfer costs. Design for this. Use regional workspaces as the primary repository.
700
00:48:18,440 --> 00:48:25,440
Replicate only what's essential to the central workspace. Or use a cheaper tier for long term retention and a hotter tier for recent data.
701
00:48:25,440 --> 00:48:37,440
The point is know the cost model. Don't discover six months in that your logging infrastructure is costing more than your compute infrastructure. Using telemetry to detect drift and non-compliance is where observability becomes governance automation.
702
00:48:37,440 --> 00:48:46,440
You're not just collecting logs. You're analyzing them. A deployment happens. You query the logs. Did it follow the security baseline? Was encryption enabled? Were mandatory tags applied? The logs tell you.
703
00:48:46,440 --> 00:48:58,440
If compliance is drifting, more and more resources without required tags, more deployments, missing security configurations, the logs show the trend. You catch it early instead of discovering it in an ordered six months later.
704
00:48:58,440 --> 00:49:05,440
The difference between monitoring and observability is this. Monitoring tells you if something is broken. Observability tells you why it's broken.
705
00:49:05,440 --> 00:49:13,440
Monitoring is alerting when CPU hits 90%. Observability is showing you the request patterns and resource allocation that caused CPU to hit 90%.
706
00:49:13,440 --> 00:49:27,440
90% one tells you there's a problem. The other explains what caused it both matter. But observability is what makes governance operational. You can see not just that a resource exists, but how it was created, who created it, whether it's being used, whether it's compliant and what it's costing.
707
00:49:27,440 --> 00:49:40,440
With observability in place, cost governance becomes measurable. Cost governance and FinOps integration. Cost is a governance lever. Most organizations treated as a finance problem where the CFO owns the budget and the finance team manages the spreadsheets.
708
00:49:40,440 --> 00:49:45,440
In that old model, IT just pays the bill and moves on. That model is broken.
709
00:49:45,440 --> 00:49:56,440
In reality, cost is how you enforce governance at scale because teams don't change their behavior for a policy document. They change when they see the bill. When teams are accountable for what they spend, visibility forces them to justify their choices.
710
00:49:56,440 --> 00:50:03,440
That's where the shift happens. Your tagging strategy is the foundation here. It's non-negotiable. Every single resource must have tags. And it can't be optional.
711
00:50:03,440 --> 00:50:14,440
We can't rely on teams to remember to tag things. It has to be built in. The vending machine that creates your subscriptions shouldn't ask if a team wants tags. It should just apply them. Own a tags. Cost center tags, environment and application tags.
712
00:50:14,440 --> 00:50:23,440
These tags need to flow through to every resource created in that subscription. They're inherited, they're consistent. And they are the foundation for everything you do downstream.
713
00:50:23,440 --> 00:50:30,440
Without tagging discipline, your cost reports are useless. You might get a bill for $50,000 in compute costs, but you won't know which team caused it.
714
00:50:30,440 --> 00:50:39,440
You won't know the workload or the environment because you can't see the data, you can't charge them back or optimize the spend. You can't even find the resource to see if it's actually running or just abandoned.
715
00:50:39,440 --> 00:50:49,440
Tagging solves this by tracing every dollar back to the team that created the resource. This allows you to measure if they're actually optimizing or just letting expensive resources run unused.
716
00:50:49,440 --> 00:50:58,440
The real behavior change happens when you move from showback to chargeback. Showback is just informational. You show a team they spent $10,000 last month, but they don't pay it directly.
717
00:50:58,440 --> 00:51:05,440
It's just a corporate cost. So most teams don't change a thing. Chargeback is different. Chargeback means the team is actually charged and their budget gets debited.
718
00:51:05,440 --> 00:51:12,440
Now they have to justify that expense to their manager. They have to explain why a GPU cluster is running in dev when nobody is using it.
719
00:51:12,440 --> 00:51:25,440
It changes behavior because it's their money or at least their budget. It's the difference between being told you're spending a lot and seeing your own allocation disappear. One changes behavior. The other doesn't.
720
00:51:25,440 --> 00:51:33,440
Budget alerts and quotas are just policy mechanisms wearing a different hat. You set a monthly budget and when a team hits 80% they get an alert.
721
00:51:33,440 --> 00:51:45,440
When they hit 100% their ability to create new resources gets restricted. We don't block them entirely. We just add friction. If they truly need to deploy, they have to actively override the quota and acknowledge they are going over budget.
722
00:51:45,440 --> 00:51:57,440
That moment of friction causes them to stop and think. Most of the time they don't override the limit. They optimize instead. Reserved instances and savings plans are where things get complex in multi-team environments. They are much cheaper.
723
00:51:57,440 --> 00:52:07,440
A three-year commitment can be half the price of on-demand, but it's also inflexible. You're locked into specific sizes and regions. If a team changes their workload, that reservation doesn't move with them.
724
00:52:07,440 --> 00:52:18,440
There you have one team paying full price while another team's reservation sits empty because it's locked to the wrong group. The model that actually works is centralized reservation buying. The platform team buys capacity based on the total aggregate demand of the whole company.
725
00:52:18,440 --> 00:52:29,440
Production compute gets reserved, dev gets a smaller slice and the savings are distributed back to teams based on their usage. This lets teams get the lower costs without needing to predict their exact needs three years in advance.
726
00:52:29,440 --> 00:52:44,440
The platform absorbs that risk and you'll see the connectivity tax show up in these reports too. This is where network architecture decisions finally become visible to the business. A team might put a VM in East US but root all traffic through a West US firewall. Suddenly they see a bill for $2,000 in data transfer.
727
00:52:44,440 --> 00:52:58,440
When they ask why, you show them the network path. They see the floor, they move the VM or fix the firewall and the cost drops. Tag-based billing makes invisible architectural floors impossible to hide. And once you have cost visibility, it enables the next layer.
728
00:52:58,440 --> 00:53:08,440
Security, security baselines and compliance codification. Security baselines aren't something you design once and forget. They are living documents, threats change, regulations shift, technology evolves.
729
00:53:08,440 --> 00:53:23,440
A baseline from three years ago might say TLS 1.2 is fine but today that's a vulnerability. Your baseline should now require TLS 1.3 as a minimum. But if you've coded that baseline into your infrastructure, updating it means updating every resource you've ever deployed.
730
00:53:23,440 --> 00:53:36,440
The big question is how do you evolve these baselines without breaking everything? The answer is codification, encryption, private endpoints and network isolation shouldn't be manual steps. They should be the defaults. These are baked into the modules that create your resources.
731
00:53:36,440 --> 00:53:47,440
Your storage module doesn't ask if you want encryption. It's just enabled by default. Your database module is HTTPS only with no exceptions allowed. Your networking module uses private endpoints for connectivity and blocks public access.
732
00:53:47,440 --> 00:53:57,440
This matters because security through defaults is the only way to scale. When a team deploys a storage account, it's encrypted because the module made it that way. The decision was made once during the design phase.
733
00:53:57,440 --> 00:54:03,440
The team can't accidentally disable it during deployment. This is where Microsoft Defender for Cloud makes your design observable.
734
00:54:03,440 --> 00:54:11,440
Defender scans for misconfigurations like open ports or weak authentication. When it finds a problem, you fix it but that fix has to flow back into your baseline.
735
00:54:11,440 --> 00:54:19,440
If one resource has a hole in it, it's probably because your baseline allowed it to happen. When you update the baseline, new resources get the fix by default.
736
00:54:19,440 --> 00:54:35,440
Existing resources start showing violations which gives you the visibility and accountability you need to clean them up. Compliance frameworks are where security becomes an operational policy. Whether it's CIS benchmarks, NIST or PCI DSS, these aren't just suggestions if you're in finance or healthcare, these are mandatory.
737
00:54:35,440 --> 00:54:47,440
But these frameworks are incredibly detailed. NIST 853 has hundreds of controls and you can't manually audit every resource against all of them. It's impossible at scale. So you encode those controls directly into BISEP.
738
00:54:47,440 --> 00:54:59,440
If a framework says all data in transit must be encrypted, that becomes your policy and your module default. It becomes a validation gate. If someone tries to deploy something that isn't encrypted, the gate fails and the deployment stops. The control is enforced automatically.
739
00:54:59,440 --> 00:55:13,440
When an auditor asks how you ensure encryption, you don't show them a spreadsheet, you show them the BISEP code, you show them the module, the default settings and the policy that validates it. You've turned compliance from a mountain of paperwork into a few lines of code.
740
00:55:13,440 --> 00:55:22,440
This brings us to the economic argument. The cost of remediation versus the cost of prevention. You can deploy a storage account without encryption and try to fix it later.
741
00:55:22,440 --> 00:55:36,440
But remediation means change. It means testing, potential downtime and coordinating with the teams using that resource. It's expensive and slow. Prevention is much cheaper. If you deploy with encryption enabled from day one, there is no remediation needed and no risk to the business.
742
00:55:36,440 --> 00:55:49,440
Remediation costs scale terribly. One non-compliant resource takes hours to fix, but a hundred of them can take weeks of manual effort. Eventually the backlog grows so large that organizations just give up. They accept the risk because fixing it is too expensive.
743
00:55:49,440 --> 00:55:53,440
But if you had prevented the issue at the start, the cost would have been zero.
744
00:55:53,440 --> 00:56:01,440
Audit readiness has to be a design requirement, not an afterthought. Most organizations treat audits like a massive yearly event where everyone scrambles to find evidence.
745
00:56:01,440 --> 00:56:08,440
They hope the documentation is good enough and that nothing has changed since the last check. That is the wrong model. Audit readiness should be continuous.
746
00:56:08,440 --> 00:56:16,440
Your logging should be so complete that you can answer any question in minutes. Your BISEP modules should be so standardized that you can prove every control is applied every time.
747
00:56:16,440 --> 00:56:25,440
Your policy assignments should be visible so you can show exactly which controls are active. When you design for continuous readiness, the actual audit becomes a formality.
748
00:56:25,440 --> 00:56:31,440
The auditors show up, you pull a report and you show them the code and the posture. Everything is documented and current.
749
00:56:31,440 --> 00:56:39,440
There is no scrambling and no stress. You are ready because you have been audit ready the entire time. Security and compliance only work when they are automated.
750
00:56:39,440 --> 00:56:49,440
The shadow it is signal, what it is actually telling you, shadow it isn't what most organizations think it is. It isn't a security failure, it isn't recklessness, it isn't insubordination, it is a diagnostic signal.
751
00:56:49,440 --> 00:56:56,440
Think of it as the infrastructure equivalent of a check engine light. When shadow it appears, it means something in your governance model is broken.
752
00:56:56,440 --> 00:57:03,440
The system isn't working for the people who actually use it, the teams aren't the problem. The model is, the data shows this pattern over and over again.
753
00:57:03,440 --> 00:57:13,440
When governance becomes too slow or too rigid, shadow it adoption spikes. The teams stop trying to work within the system because the friction is just too high. Instead they find a way around it.
754
00:57:13,440 --> 00:57:23,440
You see personal Azure subscriptions showing up on corporate credit cards, you see AWS accounts opened without a single approval, you see SaaS platforms being used that don't require it to get involved at all.
755
00:57:23,440 --> 00:57:32,440
These teams aren't trying to be difficult, they are being rational. They are solving the problem right in front of them and because the govern path costs too much time, the shadow path becomes the only viable option.
756
00:57:32,440 --> 00:57:41,440
The numbers here are staggering. The average cost of a shadow IT incident is $4.2 million. That sounds like an abstract figure until you look at what's actually happening behind the scenes.
757
00:57:41,440 --> 00:57:51,440
A team starts using an unsanctioned SaaS platform. Your customer data begins flowing through it without your knowledge, which means it's operating without your encryption or your backups.
758
00:57:51,440 --> 00:57:58,440
Then a breach happens. Suddenly that data is exposed to the world. You're looking at notification costs, remediation fees and massive regulatory fines.
759
00:57:58,440 --> 00:58:09,440
Then comes the investigation, the damage to your reputation and the customers who leave and never come back. That $4.2 million is very real. But here is the distinction. That cost doesn't exist because the teams are malicious.
760
00:58:09,440 --> 00:58:16,440
It exists because they operated outside your visibility. If that team had requested the platform through official channels, you could have evaluated it.
761
00:58:16,440 --> 00:58:22,440
You would have either approved it with the right security controls or pointed them toward an alternative that already solved the problem.
762
00:58:22,440 --> 00:58:33,440
The cost of shadow IT is really just the price of having systems you can't see. The logic behind personal subscriptions is exactly the same. A team needs to test a new architecture pattern or a different database technology for a client proof of concept.
763
00:58:33,440 --> 00:58:42,440
They need to move fast. The official process takes three weeks. The evaluation takes another two. The final approval takes one more. That is a full month of waiting for a client who needs an answer in 14 days.
764
00:58:42,440 --> 00:58:52,440
So they open a personal Azure account, they deploy the code, show the client and get the answer they needed. They weren't trying to hide anything from you. They were just trying to deliver their work on time.
765
00:58:52,440 --> 00:59:03,440
Adopting external access is driven by that same root cause. Maybe your data warehouse is slow and the analytics team is tired of waiting weeks for queries to finish. They find a faster alternative that solves their problem immediately.
766
00:59:03,440 --> 00:59:14,440
Now your customer data is living on an external server. They didn't want to expose the data, but the official warehouse wasn't doing its job. There is a direct link between rigid governance and shadow IT.
767
00:59:14,440 --> 00:59:23,440
Organizations that lean heavily on deny policies see these spikes. Organizations that take months to provision a single subscription see these spikes. It isn't a coincidence.
768
00:59:23,440 --> 00:59:41,440
It's causal. Regidity drives avoidance. You find what's happening by looking at the discovery patterns. Expense reports show cloud charges on personal accounts. Network monitoring picks up unexpected traffic to external platforms. Identity logs show people logging into services that aren't in your catalog. You listen, you observe, you discover.
769
00:59:41,440 --> 00:59:53,440
And when you find these things the question shouldn't be how do we shut this down. The question should be why are they using this and what is missing from our official offering. The real strategic shift is converting shadow IT into governed IT instead of just blocking it.
770
00:59:53,440 --> 01:00:01,440
When you see a team using an external data warehouse you ask them what problem it solves. Is it about the speed? Is it a specific feature? Is it the cost?
771
01:00:01,440 --> 01:00:18,440
Once you understand that need you have two choices. You either build that capability into your official warehouse or you adopt the external tool officially. You integrate it, you secure it and you govern it. The team gets the solution they need. You get the visibility you require. The shadow IT becomes official. And the problem is actually solved.
772
01:00:18,440 --> 01:00:30,440
This takes organizational maturity. It takes confidence. It requires you to admit that your current system isn't meeting every need. But the organizations that do this turn a security liability into a competitive advantage.
773
01:00:30,440 --> 01:00:38,440
Teams get what they need to work. Governance actually improves and shadow IT shrinks. Not because you blocked it, but because you finally addressed the demand.
774
01:00:38,440 --> 01:00:44,440
The platform, engineering model, enablement over gatekeeping. Recognizing shadow.
775
01:00:44,440 --> 01:01:01,440
IT as feedback tells you what is broken, but fixing it requires a structural shift. Most organizations still treat infrastructure teams like gatekeepers. The infrastructure sits in the middle while applications come to them with requests. The team evaluates, then they approve or deny. In this model, infrastructure controls the pace. Infrastructure is the bottleneck.
776
01:01:01,440 --> 01:01:13,440
Platform engineering flips that dynamic on its head. Infrastructure becomes a product team where the product is the platform itself. The customers are the application teams. In this world, the success metric isn't how much did we control. It's how much did we enable?
777
01:01:13,440 --> 01:01:33,440
The platform team doesn't spend its day approving requests. It builds products that other teams consume. It doesn't slow people down. It speeds them up. This is a cultural shift more than a technical one. When you are gatekeeping, the model is based on permission. Do you have permission to create a resource? Do you have permission to deploy? Every single action requires a green light from someone else.
778
01:01:33,440 --> 01:01:45,440
When infrastructure is a product, the model is based on capability. Can you use this feature? Is it available to you? Can you deploy using this template? This distinction is huge because permission based models create friction even when the answer is yes.
779
01:01:45,440 --> 01:01:53,440
A team asks for permission, and then they wait. Eventually permission is granted and they proceed. That process is serial. It's slow.
780
01:01:53,440 --> 01:02:02,440
Capability based models are different. The capability already exists, so the team is just use it. There is no waiting and no asking. It's parallel. It's fast.
781
01:02:02,440 --> 01:02:21,440
The golden path is what makes this work. You look at the workflows that happen over and over again, like deploying a microservice or standing up a database environment. For each of these, you build a golden path. This is an opinionated, tested and secure way to get the job done. It's a template or a self-service offering that just works. The golden path isn't the only way to do things.
782
01:02:21,440 --> 01:02:34,440
The teams can deviate if they really need to, but the golden path is intentionally easier. It's faster. It's better documented and it works for 80% of use cases. Teams use it because it's convenient, not because they are forced to. They use it because it solves their problem without the headache.
783
01:02:34,440 --> 01:02:41,440
Self-service templates are how teams actually interact with the platform. But a portal that requires 10 clicks to find a template is useless.
784
01:02:41,440 --> 01:02:44,440
Teams won't use it. They'll just go back to building their own tools.
785
01:02:44,440 --> 01:02:55,440
The platform needs to be discoverable where the work is already happening. It should be in their IDE, their GitHub organization or their deployment pipeline. It needs to be right where they are already solving problems.
786
01:02:55,440 --> 01:03:01,440
Documentation is also more important than most people realize. A template without examples is a template that nobody will ever touch.
787
01:03:01,440 --> 01:03:13,440
But a template with clear examples and copy-paste parameter files becomes a natural part of the workflow. Eventually, teams don't even think about the fact that they're using the platform. They're just solving the problem. When the platform disappears, you know you've succeeded.
788
01:03:13,440 --> 01:03:20,440
Developer Experience is the metric that separates platform thinking from the old way of doing things. In the old model, you only measured if policies were enforced.
789
01:03:20,440 --> 01:03:27,440
You looked at the compliance rate and checked if resources had the right settings. That's a fine metric, but it doesn't tell you if the experience was actually good.
790
01:03:27,440 --> 01:03:34,440
A team could follow every single policy while being completely miserable. The infrastructure succeeded, but the developer experience failed.
791
01:03:34,440 --> 01:03:40,440
In platform thinking, you measure how easy it is to do the right thing. How long does it take a team to deploy their first resource?
792
01:03:40,440 --> 01:03:45,440
How many authentication prompts do they have to click through? Do the error messages actually explain what went wrong?
793
01:03:45,440 --> 01:03:53,440
When a team needs help, how fast do they get it? These are the metrics that matter. They tell you whether teams will actually use your platform or if they're going to start building their own.
794
01:03:53,440 --> 01:04:02,440
Feedback loops are how these platforms stay relevant. The platform team can't live in a vacuum. They have to listen. They need to see which templates are used most and which ones are being abandoned.
795
01:04:02,440 --> 01:04:09,440
They watch the support channels to see which problems keep coming up. They look for the requests that don't fit any existing template. That is the signal.
796
01:04:09,440 --> 01:04:16,440
That signal tells you where the platform needs to evolve. Maybe you need a new template or maybe an existing one needs to be completely redesigned.
797
01:04:16,440 --> 01:04:21,440
Using telemetry to improve the platform turns governance from something static into something adaptive.
798
01:04:21,440 --> 01:04:26,440
If you see teams struggling with network configurations, you realize the template has too many parameters. So you simplify it.
799
01:04:26,440 --> 01:04:34,440
You create sensible defaults for 90% of cases. The struggle goes down, the platform evolves and teams start shipping faster. That is the flywheel.
800
01:04:34,440 --> 01:04:40,440
The cost of a bad platform experience is real. If teams can't figure out how to use what you've built, they will build their own.
801
01:04:40,440 --> 01:04:49,440
You'll see that Shadow IT signal again. This means platform thinking isn't just a theory. It's a practical necessity. It is the difference between teams using your infrastructure and teams working around it.
802
01:04:49,440 --> 01:04:55,440
Success isn't about compliance or control anymore. It's about velocity. It's about satisfaction. It's about adoption.
803
01:04:55,440 --> 01:05:00,440
Success is when teams ship faster because the platform finally got out of the way.
804
01:05:00,440 --> 01:05:10,440
Multitenant governance, bicep, across organizational boundaries. Platform thinking works for a single tenant, but most large organizations don't stop there. They have many.
805
01:05:10,440 --> 01:05:16,440
Multiple business units, multiple geographic regions, or multiple customer organizations if you're a service provider.
806
01:05:16,440 --> 01:05:23,440
Each has its own Azure tenant, each has its own governance rules. And yet, each still needs access to your shared infrastructure patterns.
807
01:05:23,440 --> 01:05:33,440
The moment you cross a tenant boundary, everything gets harder. Not because the technology changes, Azure works the same way. The hardship comes from the organizational walls. Tenants are trust boundaries.
808
01:05:33,440 --> 01:05:42,440
One tenant's security team doesn't control the other. One identity system doesn't automatically trust the next. Permissions don't flow. And access doesn't cascade.
809
01:05:42,440 --> 01:05:48,440
You have to build every bridge across that boundary explicitly. Cross tenant module consumption sounds simple in theory.
810
01:05:48,440 --> 01:05:55,440
Tenant A builds the modules, and tenant B consumes them, but in practice it breaks because of how Azure's registry authentication works.
811
01:05:55,440 --> 01:06:00,440
Bicep modules live in an Azure container registry, and to pull a module you need permissions on that specific registry.
812
01:06:00,440 --> 01:06:09,440
This means the owner has to grant credentials to people in another tenant, or you have to configure complex cross tenant authentication. Both options have friction. Neither is easy.
813
01:06:09,440 --> 01:06:20,440
The pattern most organizations actually use is registry pretend tenant. Tenant A publishes to its registry and tenant B publishes to its own. They maintain their own copies. They stay in sync through process discipline and automation.
814
01:06:20,440 --> 01:06:29,440
When tenant A releases a new version, tenant B pulls it into their own registry after testing or a manual review. This redundancy feels inefficient because it is.
815
01:06:29,440 --> 01:06:42,440
But the autonomy feels right. Each tenant controls its own registry and manages its own credentials. There is no cross tenant authentication to debug. The tradeoff is obvious. Registry pretendent is operationally cleaner, but it's also organizationally fractured.
816
01:06:42,440 --> 01:06:50,440
If you have five tenants, you have five separate repositories and five separate release cycles. When a security flaw is found in your storage module, you have to fix it five times.
817
01:06:50,440 --> 01:07:02,440
You have to coordinate five different releases. That is the tax you pay for autonomy. The alternative is a central registry shared across every tenant, one source of truth, and one place to update a code block. Updates flow to everyone automatically.
818
01:07:02,440 --> 01:07:12,440
But shared registries require shared authentication and shared access control. It requires deep trust. It requires one security team to believe the other team's practices are actually sound.
819
01:07:12,440 --> 01:07:33,440
As your lighthouse helps solve part of this, lighthouse lets you set up delegated administration across those boundaries. Tenant A can give tenant B access to specific resources without sharing credentials or creating new identities. It's clean. But lighthouse is for managing resources. Not for distributing modules. You can use it to deploy modules from a central tenant into a customer tenant, but that's an orchestration model.
820
01:07:33,440 --> 01:07:47,440
If the customer isn't consuming the module, the central team is just deploying it on their behalf. Version pinning becomes critical across these boundaries because the stakes are higher. When tenant A updates a module, tenant B doesn't get it immediately. They have to decide when to upgrade.
821
01:07:47,440 --> 01:08:02,440
If tenant A releases a breaking change and tenant B stays put, the modules still reference the old version. It works. But now you have divergence. One team is on version 2.0, while the other is on 1.3. They are running different infrastructure with different bugs and different features.
822
01:08:02,440 --> 01:08:20,440
In the simple, you must treat cross tenant modules like public open source code. You pin versions explicitly. You read the release notes. You test before you touch anything. You upgrade on your own schedule. Not the publishers. It is more work than single tenant consumption, but it's the only way to maintain governance across boundaries. The upstream first model avoids forking.
823
01:08:20,440 --> 01:08:33,440
You consume from the central repository instead of copying and modifying the code. You don't create a fork that drifts away from the source. You stay on the upstream release train. When the central team updates, you evaluate it. You upgrade or you stay on your version. But you never customize.
824
01:08:33,440 --> 01:08:49,440
That discipline prevents maintenance debt from piling up across your tenants. Multi-tenant design reveals the limits of centralization. The more tenants you have, the more coordination you need. Eventually, centralization becomes a bottleneck. That's when organizations shift to a federated model. Each tenant owns its own modules and consumes from others through process.
825
01:08:49,440 --> 01:08:57,440
Not through shared registries. The architectural question is what's shared and what isn't. That answer determines your entire governance model.
826
01:08:57,440 --> 01:09:12,440
Measuring landing zone health. KPI is that matter. You can't improve what you don't measure. Most organizations measure activity. They track how many policies they deployed or how many resources were created. Activity metrics feel productive. But in reality, they're just noise. What matters is the outcome.
827
01:09:12,440 --> 01:09:22,440
You need to know if your landing zone is actually helping teams or just creating the illusion of control. Provisioning time is the best indicator of governance health. This metric is non-negotiable.
828
01:09:22,440 --> 01:09:41,440
It answers the one question that matters. Can teams use the platform at the speed of their business? You must measure the time from the initial request until the infrastructure is ready for a workload. This isn't just about creating a subscription. It's the full journey from the vending machine through validation and configuration. The industry baseline is under 30 minutes.
829
01:09:41,440 --> 01:09:57,440
If you are measuring in days, your governance is a problem. If you are measuring in hours, you are close. But you aren't there yet. Provisioning time compounds. When a team waits five hours for a resource instead of 30 minutes, they lose a full work day. That is lost shipping velocity. That is developer frustration.
830
01:09:57,440 --> 01:10:07,440
That is exactly where Shadow IT starts to look attractive. This metric isn't just operational. It's strategic. It tells you if teams will use your platform or build around it. Policy compliance needs context to be useful.
831
01:10:07,440 --> 01:10:28,440
The number by itself is almost meaningless. 98% sounds great until you look at what you are measuring. If you are checking for tags on a VM, that 2% gap might be fine. But if you are measuring whether critical databases have encryption, 98% is a total failure. The metric matters. But the threshold matters more. Track these rates month over month. If compliance stays at 98%, your environment is stable.
832
01:10:28,440 --> 01:10:48,440
If it starts dropping, something is wrong. Teams are getting less careful. Or your policies are becoming impossible to follow. A downward trend is a diagnostic signal. It means your policies aren't practical or your enforcement is broken. The number shows the problem. But the trend shows if you are actually fixing it. Configuration drift is governance breakdown made visible. You designed a hierarchy and assigned your policies.
833
01:10:48,440 --> 01:11:05,440
Then six months later someone manually changed a setting. Someone created a subscription in the wrong place. Someone assigned a role directly instead of using inheritance. The environment drifted away from the design. Drift happens. The only question is how fast you catch it. Measure the percentage of resources that actually match their intended state.
834
01:11:05,440 --> 01:11:20,440
Automated tools should scan and compare your resources to the desired configuration. If 5% of your resources have drifted, you finally have visibility. What you do next depends on the change. A team enabling extra logs for debugging is fine. A security grouping open to the public is not.
835
01:11:20,440 --> 01:11:33,440
Time to remediate tells you how fast you respond when things break. Once drift is detected, how long does it take to fix? If it takes weeks, the drift piles up. If it takes days, you're responsive. If it's automated, the drift only lasts until the next policy cycle.
836
01:11:33,440 --> 01:11:47,440
This metric proves whether your governance is reactive or proactive. Shared services uptime is a governance metric. Not just an operational one. If your logging workspace goes down, you are flying blind. If your policy engine is unavailable, your rules stop being enforced.
837
01:11:47,440 --> 01:11:59,440
If your identity system fails, your deployments can't authenticate. Governance collapses when these services fail. You have to track it. Developers satisfaction correlates with productivity more than almost any other stat. Survey your teams.
838
01:11:59,440 --> 01:12:18,440
Ask them how easy it is to deploy or how fast they get support. If satisfaction scores decline, teams are losing confidence in the platform. That is when shadow 80 takes over. That is when teams start building their own alternatives. These metrics aren't just for a dashboard. They are diagnostics. They are how you understand if your landing zone is actually working. These numbers should drive the next evolution of your model.
839
01:12:18,440 --> 01:12:41,440
The evolution trap. Why landing zones become stale? Landing zones designed five years ago were built for the world of five years ago, virtual machines, web applications, databases, containers. These were the standard patterns everyone understood. You could build a hierarchy that handled them perfectly. Your network design made sense, your storage strategy worked, and your compute quota stayed within reasonable limits, everything fit the model.
840
01:12:41,440 --> 01:13:02,440
Then the world shifted. AI workloads arrived. Machine learning pipelines started demanding massive GPU clusters. Foundation model inference required specialized hardware that didn't exist when you started. Data science workflows began moving terabytes of data between regions just to handle training and inference. These workloads don't fit the old patterns. They break the structural assumptions you built into your landing zone.
841
01:13:02,440 --> 01:13:19,440
For example, an old landing zone might have a policy that only allows standard compute SKUs in dev environments. That policy was smart when dev meant testing simple web applications. But it fails the moment a data science team needs to test on the same high end hardware they'll use in production. The policy stops being a guardrail and becomes an obstacle.
842
01:13:19,440 --> 01:13:26,440
Teams start requesting exceptions. Eventually those exceptions become the rule. And once that happens, the policy itself becomes meaningless.
843
01:13:26,440 --> 01:13:42,440
The network design that worked for app deployments also fails when it meets AI. A machine learning pipeline needs to move data from storage to compute and back again. And it does this constantly. In your old design, all that traffic is forced through a central firewall, the cost, the latency, the architectural friction.
844
01:13:42,440 --> 01:13:50,440
It's prohibitive, but by the time you realize this, you've already built the firewall and connected every resource to it. You've already written the policies that assume this is the only path.
845
01:13:50,440 --> 01:14:03,440
Changing it now requires a full redesign and redesigning at scale is expensive. The compute quotas you set are suddenly too restrictive for modern work. A team might need to scale in AI workload to 100 GPUs, but your hard quota only allows 10.
846
01:14:03,440 --> 01:14:17,440
That limit was reasonable when you were thinking about application servers, but it's absurd for machine learning training. To change that quota, you have to change the management group policy, which means you might affect other teams, which requires coordination, which requires approval. It takes time.
847
01:14:17,440 --> 01:14:26,440
The cost of redesigning after you've deployed is exponentially higher than designing for evolution from the start. You already have infrastructure in the wild. Teams are using it. Work loads are running.
848
01:14:26,440 --> 01:14:34,440
Changing your network topology now means potential downtime. Changing the hierarchy means moving subscriptions and re-evaluating how policies are inherited.
849
01:14:34,440 --> 01:14:42,440
Changing quotas might even force teams to migrate their existing resources. Every single change carries an operational cost and a massive coordination overhead.
850
01:14:42,440 --> 01:14:52,440
Organizations that design for evolution from the start have a different experience. They build versioning into their landing zone from day one. They create clear deprecation policies. They document the migration paths.
851
01:14:52,440 --> 01:15:01,440
When a new workload type like AI appears, they evaluate if the landing zone needs to change. They release a new version. They publish a migration guide. They give teams a window to upgrade.
852
01:15:01,440 --> 01:15:05,440
Teams opt into the new version when it actually makes sense for their specific workloads.
853
01:15:05,440 --> 01:15:18,440
Versioning is the mechanism that allows for safe evolution. You treat the landing zone like software. Version 1 supports your traditional workloads. Version 2 adds support for AI. Version 3 introduces specialized networking for high performance computing.
854
01:15:18,440 --> 01:15:27,440
Teams can stay on version 1 if they don't need the new features or they can choose to upgrade. The path is documented and the breaking changes are already known. Migration is supported but it isn't forced.
855
01:15:27,440 --> 01:15:39,440
Deprecation policies are how you avoid the nightmare of running 8 versions in parallel. You might support version 2 while you're releasing version 3. You give teams 6 months to move from 1 to 2. After that window closes, version 1 is officially unsupported.
856
01:15:39,440 --> 01:15:48,440
No new deployments are allowed on the old version. Existing ones can stay, but they're no longer considered current. This creates a natural pressure to stay updated without forcing a crisis.
857
01:15:48,440 --> 01:15:58,440
Migration paths act as the operational bridge between these versions. You don't just announce a new version and walk away. You provide the steps, the tools and the support. You run the training sessions and answer the hard questions.
858
01:15:58,440 --> 01:16:07,440
Teams will need help moving subscriptions or reconfiguring their policies. You make that help available. The goal is to keep the platform current without forcing every team to move at the same time.
859
01:16:07,440 --> 01:16:15,440
Some teams will upgrade immediately because they need the new power. Others will wait because their workloads aren't affected by the changes. They upgrade when it's convenient for them.
860
01:16:15,440 --> 01:16:25,440
That distributed timeline spreads out the operational load so the platform team isn't buried under support requests. Teams get help when they need it. The platform evolves. The teams evolve with it.
861
01:16:25,440 --> 01:16:33,440
But this evolution is only possible if you build for it from the start. That's the inversion. You don't design a static landing zone. And hope it stays relevant. You design a versioned platform.
862
01:16:33,440 --> 01:16:42,440
You build flexibility into the hierarchy and plan for workloads you haven't seen yet. You build the mechanism for safe change. That mechanism is what keeps you current when the world inevitably changes.
863
01:16:42,440 --> 01:16:50,440
The decision framework went to centralize, went to distribute. The biggest mistake organizations make is treating centralization and distribution as opposing philosophies.
864
01:16:50,440 --> 01:16:56,440
One side fights for centralized control. The other fights for decentralized autonomy. They debate as if you're forced to pick a side. You don't.
865
01:16:56,440 --> 01:17:04,440
The right architecture centralizes some things and distributes others. The real discipline is knowing which is which. The framework is simple but it requires total clarity.
866
01:17:04,440 --> 01:17:11,440
Centralize what must be uniform. Security baselines, compliance controls, identity systems, encryption standards.
867
01:17:11,440 --> 01:17:17,440
The core infrastructure that everything else depends on. These aren't matters of opinion. They are the non-negotiable foundations of the environment.
868
01:17:17,440 --> 01:17:25,440
When you centralize these, you ensure the organization is consistent. You guarantee that a resource in one region meets the same security bar as a resource in another.
869
01:17:25,440 --> 01:17:32,440
You stop the compliance variance that makes audits a nightmare. Core services like network connectivity and shared logging must be centralized.
870
01:17:32,440 --> 01:17:37,440
This isn't just because it's easier to manage. It's because distributed identity systems don't trust each other.
871
01:17:37,440 --> 01:17:47,440
Distributed login creates massive visibility gaps. Distributed networking leads to routing conflicts. The cost of distributing these core pieces always exceeds the benefit of the autonomy you think you're gaining.
872
01:17:47,440 --> 01:17:53,440
So you centralize them. You build them once and you build them well. They become the foundation that every other team builds on top of.
873
01:17:53,440 --> 01:18:00,440
On the other side, you distribute what must move fast. Product decisions, application architecture, local data models, experimental workloads.
874
01:18:00,440 --> 01:18:11,440
When a product team needs to choose between Cosmos DB or a managed PostgreSQL instance, that's their call. It shouldn't be a central decision. If an engineering team wants to try a new language or a different framework, that's their choice to make.
875
01:18:11,440 --> 01:18:18,440
When a data science team needs to tweak their ML pipeline, they should have the responsibility to do it. Distribution here is what enables speed.
876
01:18:18,440 --> 01:18:21,440
Centralizing these choices would only create bottlenecks.
877
01:18:21,440 --> 01:18:28,440
The hybrid model is where the real work happens. Central policy with distributed execution. You set the policies at the center to define the boundaries.
878
01:18:28,440 --> 01:18:35,440
Resources must be encrypted. Traffic must follow approved paths. Identity must plug into the corporate directory. These are the rules of the road.
879
01:18:35,440 --> 01:18:43,440
But the specific implementation, how a team encrypts their data or which key vault they use is distributed. Teams decide how to meet the policy. They don't decide whether to meet it.
880
01:18:43,440 --> 01:18:51,440
This requires a shift in how you think about control. Traditional control is prescriptive. Do it exactly this way. Use this specific template. Follow this configuration.
881
01:18:51,440 --> 01:18:54,440
Distributed execution is focused on the outcome.
882
01:18:54,440 --> 01:19:02,440
Achieve this security result. Meet this compliance requirement. How you get there is your choice. As long as the final result is correct, the trade-offs here are very explicit.
883
01:19:02,440 --> 01:19:09,440
Centralization buys you consistency and enforces your standards. It reduces variance and guarantees everyone is moving in the same direction.
884
01:19:09,440 --> 01:19:15,440
But the cost is speed. Decisions take longer and implementation requires more coordination. Distributed execution buys you that speed back.
885
01:19:15,440 --> 01:19:22,440
Teams don't have to wait for central approval or fit into a rigid template. The cost here is variance. Different teams will do things differently.
886
01:19:22,440 --> 01:19:30,440
Meet stronger monitoring to catch mistakes and better systems for managing exceptions. To make this work, you have to make these decisions explicit. Create a governance decision document.
887
01:19:30,440 --> 01:19:36,440
Not just a list of policies. A document that clearly states what is centralized and why. It should explain what is distributed and why.
888
01:19:36,440 --> 01:19:45,440
And it should define how you'll revisit those choices. Then you actually have to revisit them. Check in quarterly or annually. Look at it whenever the organization changes or new workloads emerge.
889
01:19:45,440 --> 01:19:56,440
Maybe you discover that something you thought you could distribute actually needs to be centralized. Your organizational maturity will shape what you can safely distribute. A young organization with limited engineering depth can't distribute much.
890
01:19:56,440 --> 01:20:03,440
The teams don't have the experience yet to implement standards on their own. They need those prescriptive templates. They need central enforcement to stay safe.
891
01:20:03,440 --> 01:20:11,440
But as the organization matures, you can start pushing more power to the edges. Teams gain the expertise to implement policies themselves.
892
01:20:11,440 --> 01:20:20,440
They develop the discipline to follow outcomes without needing a step by step guide. This maturity assessment has to be honest. It can't be aspirational or flattering. It has to be real.
893
01:20:20,440 --> 01:20:32,440
What is your actual capability right now based on that reality? What can you safely hand over to the teams? As their capability grows, your distribution expands. That's the evolution. The framework is what allows that progression to happen.
894
01:20:32,440 --> 01:20:40,440
The decision isn't permanent. It changes as the organization grows and as threats shift, it changes as new technologies appear. And as teams prove, they can handle the responsibility.
895
01:20:40,440 --> 01:20:47,440
The framework gives you a way to make these decisions on purpose. It stops you from drifting into a model that only exists because nobody ever stopped to question it.
896
01:20:47,440 --> 01:21:01,440
This framework is what leads you directly into the implementation. Building for the next five years, future-proofing your design, landing zones aren't destinations. That's the fundamental misunderstanding. You don't build one, deploy it, and declare success.
897
01:21:01,440 --> 01:21:05,440
You think you've built infrastructure for the next five years? Wrong.
898
01:21:05,440 --> 01:21:14,440
Landing zones are foundations. They're meant to support what you don't yet know you'll build. And that requires a different design philosophy than optimizing for what exists today.
899
01:21:14,440 --> 01:21:24,440
The problem is obvious in retrospect. You design for virtual machines because that's what you deploy now. You design network paths for web applications because that's what your organization runs. You set compute quotas based on current usage patterns.
900
01:21:24,440 --> 01:21:34,440
These are all rational decisions based on your current reality. But then, machine learning arrives or GPU intensive workloads or real-time data streaming at scale.
901
01:21:34,440 --> 01:21:46,440
And suddenly, the foundation you build doesn't accommodate these things. The network topology is wrong. The quotas are insufficient. The storage strategy doesn't work. You could have anticipated this. Not perfectly. But you could have built slack into your design.
902
01:21:46,440 --> 01:21:58,440
Not slack as in looseness. Slack as in deliberate unused capacity. Deliberate flexibility. Deliberately simple decision points that can evolve. Designing for unknown workloads starts with admitting ignorance. You don't know what you'll need in five years.
903
01:21:58,440 --> 01:22:12,440
Instead of building a structure that's optimal for today, build a structure that can adapt. That means modularity first, not monolithic designs that assume specific workload types. You need modular designs that let you add new layers, new capabilities, and new patterns without re-architecting the foundation.
904
01:22:12,440 --> 01:22:21,440
You need a network design that can accommodate high performance computing without changes. You need a hierarchy that can grow new branches for new organizational units without reorganizing existing ones.
905
01:22:21,440 --> 01:22:40,440
And you need versioning discipline as the evolution mechanism. You're not going to get this right on the first try. You'll learn. Technologies will change and requirements will shift. So build the mechanism for safe change from day one. You'll use it. And when you use it, it won't feel like a burden. It'll feel like your building for the reality of change instead of pretending change won't happen.
906
01:22:40,440 --> 01:22:59,440
Then there is flexibility and constraints your policies shouldn't specify implementation. They should specify outcomes. Don't say all data must be stored in West US. Say all customer data must remain within regional boundaries as defined by compliance requirements. Now you can add new regions. Teams can deploy in those regions. The policy still applies.
907
01:22:59,440 --> 01:23:08,440
And you didn't have to rewrite it. You also need documentation that explains the why you made design decisions. Why did you choose hub and spoke networking? Why did you structure the hierarchy this way? Why these policies?
908
01:23:08,440 --> 01:23:18,440
Five years from now, someone will be evaluating whether to change these decisions. They need to understand the original reasoning. Not to preserve it. But to make an informed decision about whether it still applies.
909
01:23:18,440 --> 01:23:35,440
Monitoring the horizon is how you catch when your foundation needs evolution. You're not waiting for things to break. You're watching. What new workload types are emerging in your industry. What technologies are gaining adoption in your peer organizations. What's changing in your regulatory landscape. What are teams asking for that your landing zone can't accommodate?
910
01:23:35,440 --> 01:23:44,440
That horizon watching is how you're proactive instead of reactive because the cost of inflexibility is brutal. Organizations locked into outdated patterns have three choices.
911
01:23:44,440 --> 01:23:56,440
Redesign, which costs millions and disrupts operations. Work around the foundation, which creates the shadow IT problems we discussed. Or accept the constraint, which means missing opportunities. None of those choices are acceptable.
912
01:23:56,440 --> 01:24:01,440
That's why building for evolution from the start is structural. It's how you avoid these choices altogether.
913
01:24:01,440 --> 01:24:16,440
The shift from static templates to living infrastructure isn't just technical. It's organizational. It says your designing systems that learn, that adapt, that improve because you're collecting data and responding to it. Not designing once and defending that design against reality.
914
01:24:16,440 --> 01:24:30,440
Landing zones work when they enable, when there are constraints that make sense, when the fastest path to compliance is the standard path. When asking permission is faster than seeking alternatives. Success isn't measured in how much you controlled. It's measured in how fast teams shipped.
915
01:24:30,440 --> 01:24:39,440
How many workloads started using the platform instead of building around it? Whether compliance improved because governance was practical. Instead of whether compliance improved because you were good at finding violations.
916
01:24:39,440 --> 01:24:51,440
Your first action ordered your current governance. Where's the friction? Where do teams wait? Where do they bypass? Those friction points are your diagnostic data. Fix them. The real work is harder. Aligning organizational structure with technical architecture.
917
01:24:51,440 --> 01:25:02,440
Making governance enablement instead of gatekeeping that takes intention. It takes discipline. It takes leadership that believes agility at scale requires design. Not control.
918
01:25:02,440 --> 01:25:05,780
Agility at scale is possible, you're building it now.















