Azure Governance as space station

The first step describes the absolute basics. The hull of the space station must be intact. It requires a secure entry/exit and the individual sections within the station are separate from each other, but can also be reached by the astronauts.

A similar approach is taken with governance in Azure. The first topics to be worked out are network (sections in the space station) and security (the secure entrance). The network is very difficult to adapt later on and therefore the first decisions should be made with foresight. Everything that can be reached in Azure public is attacked and spied on within a few minutes. Therefore, technical security measures such as firewalls and network separation must be started right at the beginning.

At this stage, all the basics are set up and the work has begun. The space station grows and can be expanded within the defined limits. This is illustrated by the transparent lines.

For Azure, this means the Cloud Foundation is ready to go. Communication paths are monitored and new landing zones can be created with the coordinated network areas. The landing zones are usually intended for well-known workloads.

For one thing, the tasks on the space station have increased, so the crew has grown and the tasks are divided. On the other hand, new types of modules are now coming to the space station, i.e. adaptations for new interfaces have to be made.

At the beginning, often only a few employees deal with the operation of the Azure environment. But as the number of workloads increases, so does the operations team. For example, the network team not only has to handle the firewalls in Azure, but also network security groups or a new split of tasks has to be found. It may also be necessary to define new landing zone archetypes, for example for SAP or data.

As the tasks and the docked modules increase more and more, more and more has to be automated. The astronauts got to know their specific tasks and can outsource parts of them to machines/robots. The robots can now connect new modules, for example.

Even if the idea of automation should resonate right from the start, it is necessary at the latest with increasing workloads and landing zones. Because the cloud team has gained experience of the set of rules they need and what could be automated. The infrastructure should be set up with Infrastructure-as-Code, backups should be carried out with PaaS services and policies should be implemented.

The space station is still in operation and has undergone minor expansions here and there. The astronaut team is stable and well-rehearsed and all roles are filled. It is reviewed at regular intervals, what can be improved and whether there is perhaps a new type of module that has not been supported so far.

For the cloud environment, this phase means full integration into the company processes. Everyone is familiar with Azure and can run all coordinated types of workloads. New Azure services will still have to be included in the operating model and there will be new workloads sometimes, but integration is no longer a real challenge. Regular governance reviews provide information on the status and future direction.