Cloud governance plays a very important role in the adoption of the cloud. Cloud governance defines the guidelines for the cloud, i.e. the restrictions that should apply in the cloud, but also the freedom that every user can have. The goal is to enable as much automation and self-service as possible while maintaining security and compliance.

The topic is so important that we have given it its own website and infographic. The infographic aims to make the basic principles of Azure governance easier to understand by building and expanding a space station. The steps are intended to illustrate typical stages when building a cloud environment. However, they are not as separate as they are shown in the infographic. The transitions are fluid, and operation is also possible with the basic steps.


The first step describes the absolute basics. The hull of the space station must be intact. It requires a secure entry/exit, and the individual sections within the station are separate from each other but can still be reached by the astronauts.

A similar approach is taken with governance in Azure. The first topics to be worked out are network (sections in the space station) and security (the secure entrance). The network is very difficult to adapt later on, and therefore the first decisions should be made with foresight. Everything that is publicly reachable in Azure is attacked and spied on within a few minutes. Therefore, technical security measures such as firewalls and network separation must be in place right from the beginning.


At this stage, all the basics are set up and the work has begun. The space station grows and can be expanded within the defined limits. This is illustrated by the transparent lines.

For Azure, this means the Cloud Foundation is ready to go. Communication paths are monitored and new landing zones can be created with the coordinated network areas. The landing zones are usually intended for well-known workloads.


On the one hand, the tasks on the space station have increased, so the crew has grown and the tasks are divided. On the other hand, new types of modules are now coming to the space station, i.e. adaptations for new interfaces have to be made.

At the beginning, often only a few employees deal with the operation of the Azure environment. But as the number of workloads increases, so does the operations team. For example, the network team not only has to handle the firewalls in Azure, but also network security groups, or a new split of tasks has to be found. It may also be necessary to define new landing zone archetypes, for example for SAP or data.


As the tasks and the docked modules keep increasing, more and more has to be automated. The astronauts have got to know their specific tasks and can outsource parts of them to machines/robots. The robots can now connect new modules, for example.

Even if the idea of automation should resonate right from the start, it becomes necessary at the latest with increasing workloads and landing zones, because by then the cloud team has gained experience of the set of rules they need and what could be automated. The infrastructure should be set up with Infrastructure-as-Code, backups should be carried out with PaaS services and policies should be implemented.


The space station is still in operation and has undergone minor expansions here and there. The astronaut team is stable and well-rehearsed and all roles are filled. At regular intervals, the crew reviews what can be improved and whether there is perhaps a new type of module that has not been supported so far.

For the cloud environment, this phase means full integration into the company processes. Everyone is familiar with Azure and can run all coordinated types of workloads. New Azure services will still have to be included in the operating model and there will sometimes be new workloads, but integration is no longer a real challenge. Regular governance reviews provide information on the status and future direction.


The comparison to the space station may not quite fit in all places, but the infographic shows the growth of an environment from the first steps to automated operation very well. The 5 disciplines of Microsoft’s Azure Governance are often not easy to understand, so we are trying to make the topic a little more accessible.

Governance should follow the MVP idea, i.e. really start with a small base and only grow as far as necessary. There is no need to train a large operations team if there is only one unproductive workload in the first year. But it is still important not to miss this transition.

We also recommend performing governance reviews at regular intervals. They can take the form of a report, i.e. show what has changed in the last few weeks. But they can also be the starting point for new plans that are discussed with the Cloud Center of Excellence.