Now Reading: Azure at Scale: The Tooling Lie
-
01
Azure at Scale: The Tooling Lie
1
00:00:00,000 –> 00:00:02,860
Azure at scale, why tooling is the architectural lie?
2
00:00:02,860 –> 00:00:06,100
Most organizations believe Azure scale is a tooling problem.
3
00:00:06,100 –> 00:00:08,420
If they buy the right CICD suite,
4
00:00:08,420 –> 00:00:10,740
the right monitoring stack, the right IAC framework,
5
00:00:10,740 –> 00:00:11,880
the chaos will stop.
6
00:00:11,880 –> 00:00:13,240
They are wrong.
7
00:00:13,240 –> 00:00:15,600
Scale fails as drift, cues,
8
00:00:15,600 –> 00:00:17,180
and just this one’s exceptions
9
00:00:17,180 –> 00:00:18,820
that turn into permanent back channels.
10
00:00:18,820 –> 00:00:20,280
Tooling doesn’t prevent entropy.
11
00:00:20,280 –> 00:00:21,120
It accelerates it.
12
00:00:21,120 –> 00:00:22,980
In this episode, you’ll get an operating model
13
00:00:22,980 –> 00:00:24,880
that survives growth, audits, and outages
14
00:00:24,880 –> 00:00:27,380
because it makes intent enforceable.
15
00:00:27,380 –> 00:00:29,480
Azure landing zones are the early anchor.
16
00:00:29,480 –> 00:00:32,120
The place where org design becomes enforceable.
17
00:00:32,120 –> 00:00:33,860
First define the failure mode.
18
00:00:33,860 –> 00:00:36,980
The enterprise scale trap, velocity turns into drag.
19
00:00:36,980 –> 00:00:37,920
Here’s the pattern.
20
00:00:37,920 –> 00:00:39,580
Cloud starts as velocity.
21
00:00:39,580 –> 00:00:40,640
Then the bill shows up.
22
00:00:40,640 –> 00:00:41,720
Then the audit shows up.
23
00:00:41,720 –> 00:00:42,960
Then the incident shows up.
24
00:00:42,960 –> 00:00:44,560
And suddenly your cloud transformation
25
00:00:44,560 –> 00:00:47,480
looks like a distributed argument about who owns what.
26
00:00:47,480 –> 00:00:50,080
Most enterprises begin with the migration mindset.
27
00:00:50,080 –> 00:00:52,160
Lift, shift, declare victory.
28
00:00:52,160 –> 00:00:55,200
Projects finish, operations begin, entropy starts.
29
00:00:55,200 –> 00:00:58,280
Because a cloud estate is not a set of completed projects.
30
00:00:58,280 –> 00:01:00,420
It’s a long-lived system that accumulates
31
00:01:00,420 –> 00:01:04,360
exceptions, special cases, and inconsistent execution parts.
32
00:01:04,360 –> 00:01:05,960
Every shortcut becomes a precedent.
33
00:01:05,960 –> 00:01:07,880
Every precedent becomes a policy gap.
34
00:01:07,880 –> 00:01:09,880
And every gap becomes a future incident review
35
00:01:09,880 –> 00:01:11,000
with your name on it.
36
00:01:11,000 –> 00:01:13,840
If you’re a CIO, this is the part you usually miss.
37
00:01:13,840 –> 00:01:15,400
Cloud debt is not technical debt.
38
00:01:15,400 –> 00:01:16,360
It’s decision debt.
39
00:01:16,360 –> 00:01:18,760
It’s the backlog of unresolved ownership questions
40
00:01:18,760 –> 00:01:21,000
your organization postponed while shipping features.
41
00:01:21,000 –> 00:01:23,360
Now, the most common phrase that signals you’ve entered
42
00:01:23,360 –> 00:01:26,320
the trap is, every team does DevOps differently.
43
00:01:26,320 –> 00:01:27,800
That sounds like empowerment.
44
00:01:27,800 –> 00:01:30,800
In reality, it’s compound interest on complexity.
45
00:01:30,800 –> 00:01:33,160
One team builds pipelines in Azure DevOps.
46
00:01:33,160 –> 00:01:34,880
Another uses GitHub actions.
47
00:01:34,880 –> 00:01:37,000
A third uses whatever the last contractor liked.
48
00:01:37,000 –> 00:01:39,000
Everyone pins terraform versions differently.
49
00:01:39,000 –> 00:01:40,480
Secrets land in different places.
50
00:01:40,480 –> 00:01:42,000
Logging is optional.
51
00:01:42,000 –> 00:01:43,440
Tagging is a suggestion.
52
00:01:43,440 –> 00:01:44,760
And you still tell yourself it’s fine
53
00:01:44,760 –> 00:01:46,080
because they’re autonomous.
54
00:01:46,080 –> 00:01:46,960
They’re not autonomous.
55
00:01:46,960 –> 00:01:48,000
They’re ungoverned.
56
00:01:48,000 –> 00:01:49,760
And ungoverned systems don’t scale.
57
00:01:49,760 –> 00:01:50,560
They sprawl.
58
00:01:50,560 –> 00:01:53,400
This is where cloud sprawl becomes the comfortable diagnosis.
59
00:01:53,400 –> 00:01:55,240
It’s not wrong, but it’s not specific enough
60
00:01:55,240 –> 00:01:56,000
to fix anything.
61
00:01:56,000 –> 00:01:57,000
sprawl is a symptom.
62
00:01:57,000 –> 00:01:59,000
The disease is that you have yaml everywhere
63
00:01:59,000 –> 00:02:00,320
and intent nowhere.
64
00:02:00,320 –> 00:02:02,360
Your controls exist as documents and meetings
65
00:02:02,360 –> 00:02:03,840
instead of enforced defaults.
66
00:02:03,840 –> 00:02:05,360
Your standards are guidance.
67
00:02:05,360 –> 00:02:07,640
That teams root around under delivery pressure.
68
00:02:07,640 –> 00:02:09,520
Your platform team becomes a help desk
69
00:02:09,520 –> 00:02:11,160
because governance lives in humans.
70
00:02:11,160 –> 00:02:13,320
Now, here’s where most organizations mess up.
71
00:02:13,320 –> 00:02:15,920
They respond to the symptoms with centralization
72
00:02:15,920 –> 00:02:17,360
by incident response.
73
00:02:17,360 –> 00:02:18,160
Something breaks.
74
00:02:18,160 –> 00:02:19,360
Security gets nervous.
75
00:02:19,360 –> 00:02:20,600
Finance gets loud.
76
00:02:20,600 –> 00:02:23,920
So the default move is to pull control back to a central team.
77
00:02:23,920 –> 00:02:26,680
They take ownership of networking, identity, subscriptions,
78
00:02:26,680 –> 00:02:29,360
pipelines, approvals, maybe even deployments.
79
00:02:29,360 –> 00:02:30,320
It feels safe.
80
00:02:30,320 –> 00:02:31,200
It is not.
81
00:02:31,200 –> 00:02:32,560
That move creates cues.
82
00:02:32,560 –> 00:02:33,880
Cues create bypasses.
83
00:02:33,880 –> 00:02:35,760
Biparses create shadow standards.
84
00:02:35,760 –> 00:02:37,560
Shadow standards create drift.
85
00:02:37,560 –> 00:02:39,840
And drift is the mechanism by which your policies
86
00:02:39,840 –> 00:02:41,960
quietly stop matching reality.
87
00:02:41,960 –> 00:02:44,800
If you run a platform team, this is the trap you’ll recognize.
88
00:02:44,800 –> 00:02:46,880
You didn’t choose to become a ticket factory.
89
00:02:46,880 –> 00:02:48,560
The system designed you into one.
90
00:02:48,560 –> 00:02:50,720
Every ambiguous decision right turns into a ticket.
91
00:02:50,720 –> 00:02:52,320
Every ticket becomes a wait time.
92
00:02:52,320 –> 00:02:54,520
Every wait time becomes an exception request.
93
00:02:54,520 –> 00:02:56,360
And exceptions are entropy generators.
94
00:02:56,360 –> 00:02:59,960
If you’re a cloud architect, this is the uncomfortable truth.
95
00:02:59,960 –> 00:03:02,480
Most architecture at enterprise scale
96
00:03:02,480 –> 00:03:05,840
is just org chart problems with a yaml file attached.
97
00:03:05,840 –> 00:03:08,720
You can draw the best hub and spoke diagram on the planet.
98
00:03:08,720 –> 00:03:11,240
If nobody has clear authority to enforce network attachment
99
00:03:11,240 –> 00:03:13,960
at subscription creation, your diagram is decorative.
100
00:03:13,960 –> 00:03:16,560
You can write a policy initiative that looks beautiful.
101
00:03:16,560 –> 00:03:18,800
If exception handling is favors and side deals,
102
00:03:18,800 –> 00:03:20,400
your policy is aspirational.
103
00:03:20,400 –> 00:03:22,800
You can publish a golden terraform module.
104
00:03:22,800 –> 00:03:24,680
If teams can fork it without consequence,
105
00:03:24,680 –> 00:03:27,160
you’ve just created hundreds of permanent snowflakes.
106
00:03:27,160 –> 00:03:29,680
Azure behaves like a distributed decision engine.
107
00:03:29,680 –> 00:03:32,400
Every team interaction, every approval, every role assignment,
108
00:03:32,400 –> 00:03:35,280
every policy exception is part of the authorization graph
109
00:03:35,280 –> 00:03:36,680
that shapes what happens next.
110
00:03:36,680 –> 00:03:38,920
That means your operating model isn’t a PowerPoint.
111
00:03:38,920 –> 00:03:40,360
It’s the set of decision pathways
112
00:03:40,360 –> 00:03:43,120
the organization actually uses when under pressure.
113
00:03:43,120 –> 00:03:44,760
Over time, those pathways accumulate,
114
00:03:44,760 –> 00:03:46,640
missing policies create obvious gaps,
115
00:03:46,640 –> 00:03:48,440
drifting policies create ambiguity,
116
00:03:48,440 –> 00:03:50,200
exceptions create alternate routes
117
00:03:50,200 –> 00:03:52,040
and alternate routes become the real system.
118
00:03:52,040 –> 00:03:54,480
This clicked for me when I watched the same movie repeat.
119
00:03:54,480 –> 00:03:57,560
Organizations spend months evaluating tools,
120
00:03:57,560 –> 00:04:01,000
then deploy them, then celebrate platform modernization.
121
00:04:01,000 –> 00:04:03,160
Six months later, they’re slower than before.
122
00:04:03,160 –> 00:04:04,760
Not because the tools are bad,
123
00:04:04,760 –> 00:04:06,720
but because tools made it easier for every team
124
00:04:06,720 –> 00:04:09,520
to express its own interpretation of how we do cloud
125
00:04:09,520 –> 00:04:11,520
at small scale that looks like agility.
126
00:04:11,520 –> 00:04:13,320
At enterprise scale, it’s fragmentation.
127
00:04:13,320 –> 00:04:15,640
So the foundational misunderstanding is this.
128
00:04:15,640 –> 00:04:17,600
An operating model is not a tool chain.
129
00:04:17,600 –> 00:04:19,480
It’s a decision system who decides,
130
00:04:19,480 –> 00:04:21,400
who builds, who runs, who pays,
131
00:04:21,400 –> 00:04:24,160
and how exceptions work when the system says no.
132
00:04:24,160 –> 00:04:27,160
Before we argue about pipelines, terraform, or portals,
133
00:04:27,160 –> 00:04:30,560
you need that definition because everything else inherits it.
134
00:04:30,560 –> 00:04:32,720
What an operating model actually means.
135
00:04:32,720 –> 00:04:34,240
So let’s define it cleanly,
136
00:04:34,240 –> 00:04:36,280
because most orgs use operating model
137
00:04:36,280 –> 00:04:38,760
as a polite synonym for governance meetings.
138
00:04:38,760 –> 00:04:41,560
An operating model is the decision system for cloud
139
00:04:41,560 –> 00:04:43,720
who has authority to make which decisions,
140
00:04:43,720 –> 00:04:45,480
how those decisions get implemented
141
00:04:45,480 –> 00:04:48,040
and how they get funded and audited once they’re real.
142
00:04:48,040 –> 00:04:49,640
Not once, continuously.
143
00:04:49,640 –> 00:04:52,000
Because cloud is not a migration milestone.
144
00:04:52,000 –> 00:04:53,920
Cloud is a long-lived product capability,
145
00:04:53,920 –> 00:04:57,040
your organization owns forever, whether you admit it or not.
146
00:04:57,040 –> 00:04:59,960
If you remember nothing else from this section, remember this.
147
00:04:59,960 –> 00:05:02,600
The operating model is the control plane for human behavior.
148
00:05:02,600 –> 00:05:04,720
It’s how you enforce assumptions at scale
149
00:05:04,720 –> 00:05:08,400
without needing heroics, tribal knowledge, or constant escalation.
150
00:05:08,400 –> 00:05:10,800
And yes, that means it has to include finance and risk
151
00:05:10,800 –> 00:05:12,800
because in cloud, those aren’t stakeholders.
152
00:05:12,800 –> 00:05:14,600
They are runtime dependencies.
153
00:05:14,600 –> 00:05:17,240
Most organizations try to solve this with standardization.
154
00:05:17,240 –> 00:05:19,240
They publish standards, naming standards,
155
00:05:19,240 –> 00:05:22,040
tagging standards, pipeline standards, logging standards.
156
00:05:22,040 –> 00:05:24,360
Then they act surprised when none of it sticks.
157
00:05:24,360 –> 00:05:27,000
Because the thing most people miss is that standardization
158
00:05:27,000 –> 00:05:29,320
without enforceability is just documentation.
159
00:05:29,320 –> 00:05:31,000
In reality, you need constraints,
160
00:05:31,000 –> 00:05:34,880
minimum viable constraints, not maximum control.
161
00:05:34,880 –> 00:05:38,320
If you’re a CIO or CTO, here’s the uncomfortable implication,
162
00:05:38,320 –> 00:05:40,560
you are not designing cloud governance.
163
00:05:40,560 –> 00:05:42,800
You are designing delegation and funding.
164
00:05:42,800 –> 00:05:46,120
You’re deciding what gets centralized as shared capability,
165
00:05:46,120 –> 00:05:47,920
what gets delegated to product teams,
166
00:05:47,920 –> 00:05:50,960
and what gets measured so you can tell if the system is working.
167
00:05:50,960 –> 00:05:54,320
If you don’t do that explicitly, the organization will still make those choices.
168
00:05:54,320 –> 00:05:56,880
It’ll just do it in the worst possible way during incidents.
169
00:05:56,880 –> 00:06:00,120
Now, the simplest model that actually works is to treat cloud
170
00:06:00,120 –> 00:06:02,560
as a product operating model with decision rights.
171
00:06:02,560 –> 00:06:05,960
Cloud platforms don’t scale because engineers are talented.
172
00:06:05,960 –> 00:06:09,120
They scale because the organization converges on consistent pathways,
173
00:06:09,120 –> 00:06:11,960
predictable ways to create environments, predictable controls,
174
00:06:11,960 –> 00:06:14,240
predictable exceptions, predictable accountabilities.
175
00:06:14,240 –> 00:06:15,760
So what are the moving parts?
176
00:06:15,760 –> 00:06:18,680
First, decision rights, who owns the platform baseline
177
00:06:18,680 –> 00:06:20,520
and who owns workload outcomes?
178
00:06:20,520 –> 00:06:22,440
That boundary needs to be written down like adults
179
00:06:22,440 –> 00:06:25,680
because otherwise your autonomy turns into someone else will fix it.
180
00:06:25,680 –> 00:06:27,000
Second, delivery system.
181
00:06:27,000 –> 00:06:30,000
This is the part everyone obsesses over because it has tools.
182
00:06:30,000 –> 00:06:33,760
But delivery is just the mechanism by which change enters production.
183
00:06:33,760 –> 00:06:35,840
If delivery isn’t aligned with governance,
184
00:06:35,840 –> 00:06:39,280
teams will route around governance every time.
185
00:06:39,280 –> 00:06:41,680
Third, shared services.
186
00:06:41,680 –> 00:06:44,840
Things that must be consistent to be safe and efficient at scale.
187
00:06:44,840 –> 00:06:47,440
Identity integration, network connectivity,
188
00:06:47,440 –> 00:06:49,240
logging and monitoring foundations,
189
00:06:49,240 –> 00:06:52,560
policy enforcement and often subscription provisioning.
190
00:06:52,560 –> 00:06:54,480
Shared services are not about control.
191
00:06:54,480 –> 00:06:57,080
They’re about reducing duplication and reducing blast radius.
192
00:06:57,080 –> 00:06:58,440
Fourth, guardrails.
193
00:06:58,440 –> 00:07:01,240
This is where guardrails not gates actually matters.
194
00:07:01,240 –> 00:07:02,360
Gates stop the business.
195
00:07:02,360 –> 00:07:05,480
Guardrails constrain the shape of change, so it remains safe.
196
00:07:05,480 –> 00:07:08,400
Guardrails need to be automated, visible and measurable.
197
00:07:08,400 –> 00:07:10,800
If your guardrails require humans to be awake
198
00:07:10,800 –> 00:07:13,080
and in a good mood, you don’t have guardrails.
199
00:07:13,080 –> 00:07:14,760
You have a social process.
200
00:07:14,760 –> 00:07:15,920
Fifth, accountability.
201
00:07:15,920 –> 00:07:16,680
Who is on call?
202
00:07:16,680 –> 00:07:17,840
Who owns the SLOs?
203
00:07:17,840 –> 00:07:18,840
Who owns cost?
204
00:07:18,840 –> 00:07:21,160
Who owns policy compliance remediation?
205
00:07:21,160 –> 00:07:24,160
And critically, who has the authority to trade off speed versus risk?
206
00:07:24,160 –> 00:07:26,360
If you can’t answer those questions quickly,
207
00:07:26,360 –> 00:07:27,920
you don’t have accountability.
208
00:07:27,920 –> 00:07:29,800
You have diffusion.
209
00:07:29,800 –> 00:07:32,840
Now let’s anchor this in Azure Early, so it doesn’t stay abstract.
210
00:07:32,840 –> 00:07:36,080
Azure landing zones are where this operating model becomes enforceable.
211
00:07:36,080 –> 00:07:37,480
Not because ALZ is magic.
212
00:07:37,480 –> 00:07:41,920
Because ALZ is the first place you can encode organizational boundaries into management groups,
213
00:07:41,920 –> 00:07:46,080
subscription structure, identity patterns, network attachment and policy baselines,
214
00:07:46,080 –> 00:07:49,800
it is literally org design expressed as an enforceable control plane.
215
00:07:49,800 –> 00:07:53,960
If you run a platform team, the point of ALZ isn’t to deploy the landing zone.
216
00:07:53,960 –> 00:07:55,320
That’s day one theater.
217
00:07:55,320 –> 00:07:57,160
The point is to operate it as a product,
218
00:07:57,160 –> 00:08:01,400
version changes, measurable adoption and explicit exception pathways.
219
00:08:01,400 –> 00:08:03,360
If you’re an architect, this is the pivot.
220
00:08:03,360 –> 00:08:07,360
Stop treating operating model as culture and start treating it as architecture.
221
00:08:07,360 –> 00:08:10,240
Culture is what happens when architecture fails to constrain behavior.
222
00:08:10,240 –> 00:08:11,840
Next, we’ll make this measurable.
223
00:08:11,840 –> 00:08:17,600
Because if you can’t measure it, you can’t defend it in an audit or a budget review.
224
00:08:17,600 –> 00:08:19,880
The three metrics that expose the lie.
225
00:08:19,880 –> 00:08:23,120
Tooling debates stay comfortable because they’re qualitative.
226
00:08:23,120 –> 00:08:27,840
Everyone can argue forever about best CICD or the right IAC language,
227
00:08:27,840 –> 00:08:30,400
and nobody has to admit their operating model is broken.
228
00:08:30,400 –> 00:08:31,720
Metrics don’t allow that escape.
229
00:08:31,720 –> 00:08:34,960
If you measure the right three things, the lie shows up immediately.
230
00:08:34,960 –> 00:08:38,000
You don’t have a platform problem, you have a decision system problem.
231
00:08:38,000 –> 00:08:39,400
And the reason this works is simple.
232
00:08:39,400 –> 00:08:42,880
These metrics trace the actual pathways teams use under pressure.
233
00:08:42,880 –> 00:08:45,080
Not the ones you describe in a steering committee.
234
00:08:45,080 –> 00:08:46,440
Here are the three.
235
00:08:46,440 –> 00:08:47,720
First, lead time.
236
00:08:47,720 –> 00:08:48,880
Not are we shipping?
237
00:08:48,880 –> 00:08:52,720
But how long it takes for a change to go from committed to running in production?
238
00:08:52,720 –> 00:08:55,040
Dora popularized this metric for a reason.
239
00:08:55,040 –> 00:08:58,280
It exposes friction that teams stop noticing because they’re used to it.
240
00:08:58,280 –> 00:09:01,360
If your lead time is long, it’s rarely because engineers are slow.
241
00:09:01,360 –> 00:09:04,640
It’s because your delivery system is full of hidden gates.
242
00:09:04,640 –> 00:09:08,800
Manual approvals bespoke pipelines, inconsistent environments,
243
00:09:08,800 –> 00:09:11,160
security reviews that happen at the end,
244
00:09:11,160 –> 00:09:13,920
and platform dependencies that require tickets.
245
00:09:13,920 –> 00:09:16,400
If you’re a CIO, this is the implication.
246
00:09:16,400 –> 00:09:19,600
Lead time is the business cost of your internal bureaucracy,
247
00:09:19,600 –> 00:09:21,080
expressed as calendar time.
248
00:09:21,080 –> 00:09:22,440
You can call it governance.
249
00:09:22,440 –> 00:09:24,280
The business experiences it as delay.
250
00:09:24,280 –> 00:09:27,440
If you run a platform team, lead time is also a mirror.
251
00:09:27,440 –> 00:09:30,280
Every time you demand alignment through bespoke reviews,
252
00:09:30,280 –> 00:09:32,680
you admit that become days at scale.
253
00:09:32,680 –> 00:09:35,320
Second, time to first environment.
254
00:09:35,320 –> 00:09:37,360
This is the metric almost nobody measures,
255
00:09:37,360 –> 00:09:39,360
which is why the ticket factory survives.
256
00:09:39,360 –> 00:09:41,760
It’s the time from we need a new workload environment
257
00:09:41,760 –> 00:09:44,560
to we have a usable govern place to deploy.
258
00:09:44,560 –> 00:09:48,400
In Azure terms, it’s the time from request to an appropriately placed subscription
259
00:09:48,400 –> 00:09:50,280
with baseline RBIAC network attachment,
260
00:09:50,280 –> 00:09:52,600
logging and policy already in effect.
261
00:09:52,600 –> 00:09:56,600
This metric is ruthless because it captures platform friction at the starting line.
262
00:09:56,600 –> 00:09:58,400
You can have elite engineering teams
263
00:09:58,400 –> 00:10:02,480
and still lose if it takes three weeks to get a subscription and a network connection.
264
00:10:02,480 –> 00:10:03,960
And here’s the uncomfortable truth.
265
00:10:03,960 –> 00:10:06,760
Long time to first environment creates shadow infrastructure.
266
00:10:06,760 –> 00:10:07,720
People don’t wait.
267
00:10:07,720 –> 00:10:08,560
They root around.
268
00:10:08,560 –> 00:10:09,800
They use old subscriptions.
269
00:10:09,800 –> 00:10:12,560
They reuse test environments for production like work.
270
00:10:12,560 –> 00:10:14,320
They deploy into places they can access.
271
00:10:14,320 –> 00:10:15,840
They create temporary exceptions.
272
00:10:15,840 –> 00:10:17,960
Those exceptions don’t expire on their own.
273
00:10:17,960 –> 00:10:21,720
If you’re an architect, this is where ALZ stops being a reference diagram
274
00:10:21,720 –> 00:10:23,840
and becomes a real operating model anchor.
275
00:10:23,840 –> 00:10:26,280
Subscription vending is not a convenience feature.
276
00:10:26,280 –> 00:10:28,400
It is the mechanism that makes autonomy real
277
00:10:28,400 –> 00:10:30,040
while keeping governance intact.
278
00:10:30,040 –> 00:10:32,160
Third, policy compliance rate.
279
00:10:32,160 –> 00:10:36,640
Not we have policies, but how many resources are actually compliant with your critical baseline
280
00:10:36,640 –> 00:10:39,000
and how quickly non-compliance gets remediated.
281
00:10:39,000 –> 00:10:42,800
This metric is how you distinguish governance theatre from intent enforcement.
282
00:10:42,800 –> 00:10:46,520
Azure policy and initiatives can measure this for you, but they can’t make you care.
283
00:10:46,520 –> 00:10:50,960
The platform will happily show you a red compliance dashboard for months while everyone pretends it’s fine.
284
00:10:50,960 –> 00:10:52,960
If you’re a CIO, this is the implication.
285
00:10:52,960 –> 00:10:56,280
Policy compliance rate is ordered readiness expressed as a number.
286
00:10:56,280 –> 00:10:57,800
It’s also incident likelihood.
287
00:10:57,800 –> 00:10:59,200
Low compliance is not a report.
288
00:10:59,200 –> 00:11:00,200
It is a prediction.
289
00:11:00,200 –> 00:11:05,240
If you run a platform team, compliance rate is also how you prove you’re not just doing tickets.
290
00:11:05,240 –> 00:11:07,960
You’re maintaining a baseline that stays true over time.
291
00:11:07,960 –> 00:11:10,040
Now, notice what these three metrics have in common.
292
00:11:10,040 –> 00:11:11,120
They are boundary metrics.
293
00:11:11,120 –> 00:11:14,520
They measure the health of the interfaces between teams, platform and product,
294
00:11:14,520 –> 00:11:17,080
security and delivery, finance and engineering.
295
00:11:17,080 –> 00:11:18,720
They don’t care what tool you use.
296
00:11:18,720 –> 00:11:21,880
They care whether the system produces predictable outcomes.
297
00:11:21,880 –> 00:11:24,880
And once you instrument these, you’ll see the real failure mode.
298
00:11:24,880 –> 00:11:26,880
The organization optimizes locally.
299
00:11:26,880 –> 00:11:30,080
Teams optimize for shipping, security optimizes for blocking risk,
300
00:11:30,080 –> 00:11:34,080
finance optimizes for budget control, platform optimizes for throughput.
301
00:11:34,080 –> 00:11:35,720
Everyone wins locally.
302
00:11:35,720 –> 00:11:37,200
The enterprise loses globally.
303
00:11:37,200 –> 00:11:38,480
That’s why these metrics work.
304
00:11:38,480 –> 00:11:40,440
They force a single view of reality.
305
00:11:40,440 –> 00:11:46,520
Next, we turn these numbers into structure because metrics without ownership boundaries are just dashboard art.
306
00:11:46,520 –> 00:11:50,000
Decision rights, platform versus product written down like adults.
307
00:11:50,000 –> 00:11:53,720
So here’s the part everyone avoids because it forces uncomfortable clarity.
308
00:11:53,720 –> 00:11:55,160
Decision rights.
309
00:11:55,160 –> 00:11:58,880
Not who helps, not who reviews, not who has an opinion,
310
00:11:58,880 –> 00:12:03,920
who actually owns the outcome and therefore absorbs the consequences when it fails.
311
00:12:03,920 –> 00:12:06,400
If you don’t write this down, Azure will still run.
312
00:12:06,400 –> 00:12:07,680
People will still deploy.
313
00:12:07,680 –> 00:12:09,520
Policies will still exist somewhere,
314
00:12:09,520 –> 00:12:11,560
but the system will behave like a rumour network,
315
00:12:11,560 –> 00:12:14,040
whichever team answers fastest becomes the owner
316
00:12:14,040 –> 00:12:17,160
and whichever team escalates hardest gets the exception.
317
00:12:17,160 –> 00:12:18,080
That is not governance.
318
00:12:18,080 –> 00:12:19,680
That is conditional chaos.
319
00:12:19,680 –> 00:12:22,200
The clean boundary is platform versus product.
320
00:12:22,200 –> 00:12:27,080
Platform teams own the baselines, identity integration, network connectivity patterns,
321
00:12:27,080 –> 00:12:31,080
policy and management group structure, logging and monitoring foundations,
322
00:12:31,080 –> 00:12:33,400
and the mechanisms that create govern space.
323
00:12:33,400 –> 00:12:35,120
The platform owns the paved road.
324
00:12:35,120 –> 00:12:36,680
The platform does not own every car.
325
00:12:36,680 –> 00:12:40,760
Product teams own workload outcomes, workload configuration inside the boundary,
326
00:12:40,760 –> 00:12:45,240
their SLOs, their on-call, their data handling decisions, and their unit economics.
327
00:12:45,240 –> 00:12:47,920
If they want autonomy, they take the cost of autonomy.
328
00:12:47,920 –> 00:12:49,360
That’s the trade.
329
00:12:49,360 –> 00:12:51,480
If you’re a CIO, the implication is simple.
330
00:12:51,480 –> 00:12:53,640
You are buying risk distribution.
331
00:12:53,640 –> 00:12:56,840
When you centralize cloud, you centralize risk and queues.
332
00:12:56,840 –> 00:13:00,600
When you decentralize cloud, you decentralize risk and inconsistency.
333
00:13:00,600 –> 00:13:04,200
Decision rights are how you choose which failure mode you’re willing to live with.
334
00:13:04,200 –> 00:13:07,920
If you run a platform team, this is where you usually fail by being too helpful.
335
00:13:07,920 –> 00:13:11,040
You accept responsibility for things you constantly operate.
336
00:13:11,040 –> 00:13:14,840
You say yes to bespoke networking, bespoke identity exceptions, bespoke pipelines.
337
00:13:14,840 –> 00:13:17,360
You become the dependency that every team must wait for.
338
00:13:17,360 –> 00:13:19,240
Then everyone blames you for being slow.
339
00:13:19,240 –> 00:13:20,520
That’s not a staffing problem.
340
00:13:20,520 –> 00:13:22,200
That’s an ownership design problem.
341
00:13:22,200 –> 00:13:24,800
So what does written down like adults actually look like?
342
00:13:24,800 –> 00:13:26,120
It’s a simple matrix.
343
00:13:26,120 –> 00:13:27,280
Rows are decisions.
344
00:13:27,280 –> 00:13:28,080
Columns are roles.
345
00:13:28,080 –> 00:13:29,680
You don’t need a fancy racey.
346
00:13:29,680 –> 00:13:34,160
You need platform decides or product decides plus the enforcement mechanism.
347
00:13:34,160 –> 00:13:38,360
For example, management groups, structure, and subscription placement platform decides.
348
00:13:38,360 –> 00:13:41,880
Enforced by subscription, vending, and management group policy inheritance.
349
00:13:41,880 –> 00:13:45,160
Identity and access baseline platform decides.
350
00:13:45,160 –> 00:13:48,520
Enforced by role design, PM patterns, and least privileged defaults.
351
00:13:48,520 –> 00:13:52,080
Network attachment and egress model platform decides.
352
00:13:52,080 –> 00:13:56,840
Enforced by network architecture that workloads attached to by default, not by ticket.
353
00:13:56,840 –> 00:13:58,960
Policy baseline platform decides.
354
00:13:58,960 –> 00:14:03,760
Enforced by initiatives applied at management group scope with documented exception pathways.
355
00:14:03,760 –> 00:14:06,160
Observability baseline platform decides.
356
00:14:06,160 –> 00:14:10,080
Enforced by diagnostic settings policies and required telemetry patterns.
357
00:14:10,080 –> 00:14:12,280
Then product side decisions.
358
00:14:12,280 –> 00:14:15,720
Work load resource selection inside allowed regions and SKUs.
359
00:14:15,720 –> 00:14:18,080
Product decides within policy constraints.
360
00:14:18,080 –> 00:14:19,560
Silos and error budgets.
361
00:14:19,560 –> 00:14:22,280
Product decides and owns the page when they miss them.
362
00:14:22,280 –> 00:14:25,640
Deployment cadence and change management inside the pipeline guard rails.
363
00:14:25,640 –> 00:14:27,920
Product decides and owns the blast radius.
364
00:14:27,920 –> 00:14:28,920
Cost targets.
365
00:14:28,920 –> 00:14:29,920
Product decides.
366
00:14:29,920 –> 00:14:33,560
And finance expects an answer that isn’t as you are as expensive.
367
00:14:33,560 –> 00:14:35,040
Now here’s where most people mess up.
368
00:14:35,040 –> 00:14:36,760
They treat exceptions as shameful.
369
00:14:36,760 –> 00:14:38,560
They treat exceptions as favors.
370
00:14:38,560 –> 00:14:40,960
They treat exceptions as a side channel.
371
00:14:40,960 –> 00:14:42,400
Exceptions are not shameful.
372
00:14:42,400 –> 00:14:44,000
They are inevitable.
373
00:14:44,000 –> 00:14:46,480
But unmanaged exceptions are entropy generators.
374
00:14:46,480 –> 00:14:49,840
They convert a deterministic security model into a probabilistic one.
375
00:14:49,840 –> 00:14:53,320
Because every exception creates a special rule, someone will forget to revisit.
376
00:14:53,320 –> 00:14:56,960
So you need an exception pathway that is designed, not improvised.
377
00:14:56,960 –> 00:15:02,800
That means every exception has an owner, a reason, a compensating control and an expiration.
378
00:15:02,800 –> 00:15:04,680
If it can’t expire, it isn’t an exception.
379
00:15:04,680 –> 00:15:07,000
It’s your new baseline and you should admit that.
380
00:15:07,000 –> 00:15:10,360
In Azure terms, this is where ALZ stops being a deployment and becomes a product.
381
00:15:10,360 –> 00:15:11,640
You don’t just apply policies.
382
00:15:11,640 –> 00:15:12,640
You run policies.
383
00:15:12,640 –> 00:15:13,640
You measure compliance.
384
00:15:13,640 –> 00:15:14,640
You review exceptions.
385
00:15:14,640 –> 00:15:16,200
You retire all deviations.
386
00:15:16,200 –> 00:15:19,360
And you need an escalation path that doesn’t depend on heroics.
387
00:15:19,360 –> 00:15:22,520
Product teams should know exactly what happens when a policy blocks them.
388
00:15:22,520 –> 00:15:25,960
Where they request deviation, how quickly they get an answer.
389
00:15:25,960 –> 00:15:29,520
And what no looks like when the risk isn’t worth it.
390
00:15:29,520 –> 00:15:31,680
Because when no is ambiguous teams don’t stop.
391
00:15:31,680 –> 00:15:32,680
They root around.
392
00:15:32,680 –> 00:15:35,160
Once ownership is explicit, something weird happens.
393
00:15:35,160 –> 00:15:36,320
Tickets stop being a workflow.
394
00:15:36,320 –> 00:15:37,360
They become a symptom.
395
00:15:37,360 –> 00:15:38,880
And symptoms are fixable.
396
00:15:38,880 –> 00:15:43,080
Next we turn this into team design that survives scale because decision rights without team
397
00:15:43,080 –> 00:15:45,840
interfaces still collapses back into tickets.
398
00:15:45,840 –> 00:15:49,560
Team design that survives scale, platform teams as product teams.
399
00:15:49,560 –> 00:15:53,400
Now the part that separates organizations that scale from organizations that keep hiring,
400
00:15:53,400 –> 00:15:54,400
team design.
401
00:15:54,400 –> 00:15:57,760
Because once you’ve written down decision rights, you still have to build a system that
402
00:15:57,760 –> 00:16:01,640
makes those decisions executable without constant negotiation.
403
00:16:01,640 –> 00:16:03,720
And the platform team is the pressure point.
404
00:16:03,720 –> 00:16:07,880
If you build it wrong, it becomes the queue that throttles the entire enterprise.
405
00:16:07,880 –> 00:16:09,040
So here’s the reframe.
406
00:16:09,040 –> 00:16:13,080
A platform team is not an infrastructure team that happens to use Azure.
407
00:16:13,080 –> 00:16:15,760
And it is a product team that happens to ship constraints.
408
00:16:15,760 –> 00:16:17,400
That distinction matters.
409
00:16:17,400 –> 00:16:21,280
If your platform team measures success by tickets closed or projects delivered, you’ve
410
00:16:21,280 –> 00:16:22,280
already lost.
411
00:16:22,280 –> 00:16:24,320
Those are throughput metrics for a help desk.
412
00:16:24,320 –> 00:16:27,720
A platform exists to reduce cognitive load for product teams.
413
00:16:27,720 –> 00:16:32,240
To make the paved road so easy and so safe that most teams never need to think about the
414
00:16:32,240 –> 00:16:33,840
underlying platform at all.
415
00:16:33,840 –> 00:16:37,160
If you run a platform team, your backlog shouldn’t be more features.
416
00:16:37,160 –> 00:16:39,040
Your backlog should be developer pain.
417
00:16:39,040 –> 00:16:40,280
Where are people getting stuck?
418
00:16:40,280 –> 00:16:43,400
What forces exceptions?
419
00:16:43,400 –> 00:16:45,400
What takes days that should take minutes?
420
00:16:45,400 –> 00:16:46,400
What makes teams reinvent the same plumbing?
421
00:16:46,400 –> 00:16:49,400
And which parts of the platform are so ambiguous that people keep opening tickets just to
422
00:16:49,400 –> 00:16:51,400
ask what the policy even means?
423
00:16:51,400 –> 00:16:53,440
If you’re a CIO, this is the implication.
424
00:16:53,440 –> 00:16:56,080
You don’t fund a platform team to build infrastructure.
425
00:16:56,080 –> 00:16:58,040
You fund it to build leverage.
426
00:16:58,040 –> 00:17:02,920
Every self-service pathway they create removes future head-count demand in operations, security
427
00:17:02,920 –> 00:17:05,400
reviews, and cloud enablement committees.
428
00:17:05,400 –> 00:17:10,080
Now, team topology matters here because platform teams don’t scale by centralizing everything.
429
00:17:10,080 –> 00:17:11,920
They scale by having clean interfaces.
430
00:17:11,920 –> 00:17:13,400
The core pattern is simple.
431
00:17:13,400 –> 00:17:15,920
Stream-aligned teams deliver business workloads.
432
00:17:15,920 –> 00:17:21,560
Platform teams deliver reusable capabilities, enabling teams close skill gaps and help adoption.
433
00:17:21,560 –> 00:17:23,040
The platform doesn’t approve work.
434
00:17:23,040 –> 00:17:26,840
It provides a paved road with guardrails that makes the safe thing the default thing, and
435
00:17:26,840 –> 00:17:28,560
the interface is the product.
436
00:17:28,560 –> 00:17:32,760
Self-service matters, templates matter, docs matter, API’s matter because every manual interaction
437
00:17:32,760 –> 00:17:36,600
you require becomes a ticket later and every ticket later becomes a bypass.
438
00:17:36,600 –> 00:17:39,200
So the platform team needs to ship in these forms.
439
00:17:39,200 –> 00:17:42,920
First, a subscription and environment creation pathway.
440
00:17:42,920 –> 00:17:46,080
Not an email, not a form, a mechanism.
441
00:17:46,080 –> 00:17:51,800
Ideally automated management group placement, baseline tags, R-back scaffolding, network attachment,
442
00:17:51,800 –> 00:17:55,080
logging baseline, and policy initiatives applied at creation.
443
00:17:55,080 –> 00:17:59,400
This is how you make time to first environment drop without hiring more humans.
444
00:17:59,400 –> 00:18:01,520
Second, a delivery baseline.
445
00:18:01,520 –> 00:18:05,000
Standard pipeline templates that teams can adopt with minimal changes where variation is
446
00:18:05,000 –> 00:18:06,840
constrained but not outlawed.
447
00:18:06,840 –> 00:18:09,920
The platform team should provide the default scaffolding.
448
00:18:09,920 –> 00:18:14,920
Secure secrets handling, standard build and deploy stages, consistent artifact patterns,
449
00:18:14,920 –> 00:18:20,400
and guardrails that keep privileged execution from becoming an unmonitored attack surface.
450
00:18:20,400 –> 00:18:22,680
Third, shared observability.
451
00:18:22,680 –> 00:18:27,360
A logging and monitoring baseline that produces usable telemetry, not a pick your own adventure
452
00:18:27,360 –> 00:18:28,760
of dashboards.
453
00:18:28,760 –> 00:18:31,400
If every team logs differently, you don’t have observability.
454
00:18:31,400 –> 00:18:34,560
You have a distributed storytelling problem during incidents.
455
00:18:34,560 –> 00:18:38,640
Both building blocks, standard modules that teams consume rather than fork.
456
00:18:38,640 –> 00:18:43,360
AVM and well-managed IAC modules are the antidote to snowflake infrastructure, but only if
457
00:18:43,360 –> 00:18:45,120
you treat them like products.
458
00:18:45,120 –> 00:18:48,760
Version, reviewed, documented, and upgraded on purpose.
459
00:18:48,760 –> 00:18:50,520
Now here’s where most people mess up.
460
00:18:50,520 –> 00:18:54,920
They build the platform as a pile of controls, then they wonder why developers hate it.
461
00:18:54,920 –> 00:18:58,320
Controls without capability feel like punishment, and punished teams don’t comply.
462
00:18:58,320 –> 00:19:01,760
They root around, so you need paved road adoption, not forced adherence.
463
00:19:01,760 –> 00:19:04,520
That means the platform must be faster than the alternatives.
464
00:19:04,520 –> 00:19:09,200
If the easiest way to get a compliant environment is to use the platform, teams will adopt it.
465
00:19:09,200 –> 00:19:13,600
If the easiest way is to copy a repo from a coworker and tweak it until it deploys,
466
00:19:13,600 –> 00:19:18,000
your platform will become irrelevant, and your policy compliance rate will become fiction.
467
00:19:18,000 –> 00:19:19,160
And yes, this is measurable.
468
00:19:19,160 –> 00:19:20,160
You’re not guessing.
469
00:19:20,160 –> 00:19:22,160
You measure time to first environment.
470
00:19:22,160 –> 00:19:25,560
You measure paved road adoption as a percentage of workloads.
471
00:19:25,560 –> 00:19:29,000
You measure exceptions and whether exception volume trends down over time.
472
00:19:29,000 –> 00:19:32,080
If exception volume trends up, your paved road is failing.
473
00:19:32,080 –> 00:19:33,640
The system is telling you that.
474
00:19:33,640 –> 00:19:36,800
Next we’ll look at the predictable failure mode when you don’t do this.
475
00:19:36,800 –> 00:19:39,680
The platform team becomes a ticket factory.
476
00:19:39,680 –> 00:19:42,440
Failure story A, the platform team became a ticket factory.
477
00:19:42,440 –> 00:19:43,720
This failure mode is boring.
478
00:19:43,720 –> 00:19:44,760
That’s why it’s so dangerous.
479
00:19:44,760 –> 00:19:46,240
It starts with good intent.
480
00:19:46,240 –> 00:19:48,720
A central platform team wants to protect the estate.
481
00:19:48,720 –> 00:19:52,120
Security wants fewer surprises, networking wants fewer random v-nets.
482
00:19:52,120 –> 00:19:56,120
Finance wants fewer mystery invoices, so the platform team becomes the choke point for anything
483
00:19:56,120 –> 00:19:57,800
that feels foundational.
484
00:19:57,800 –> 00:20:03,360
Subscriptions, network peering, firewall rules, identity integration, policy exemptions,
485
00:20:03,360 –> 00:20:05,920
pipeline approvals, even basic telemetry.
486
00:20:05,920 –> 00:20:09,840
The step one looks like control, it feels responsible, it even looks like maturity in an audit
487
00:20:09,840 –> 00:20:12,120
slide deck, then adoption happens.
488
00:20:12,120 –> 00:20:13,720
A few early workloads land.
489
00:20:13,720 –> 00:20:15,120
People request new environments.
490
00:20:15,120 –> 00:20:17,680
A couple of teams show up every week then every day.
491
00:20:17,680 –> 00:20:21,960
Suddenly you’re running an enterprise cloud, and the platform team is still operating
492
00:20:21,960 –> 00:20:24,360
like it’s onboarding three apps a quarter.
493
00:20:24,360 –> 00:20:25,760
So step two arrives quietly.
494
00:20:25,760 –> 00:20:29,840
Cues The backlog fills with small asks that aren’t actually small.
495
00:20:29,840 –> 00:20:36,840
The company is currently in the same position as the company.
496
00:20:36,840 –> 00:20:44,840
The company is currently in the same position as the company.
497
00:20:44,840 –> 00:20:49,840
The company is currently in the same position as the company.
498
00:20:49,840 –> 00:20:53,840
The company is currently in the same position as the company.
499
00:20:53,840 –> 00:20:57,840
The company is currently in the same position as the company.
500
00:20:57,840 –> 00:21:04,360
This closed average wait time, SLA compliance, that’s not a platform strategy, that’s survival.
501
00:21:04,360 –> 00:21:06,680
Step three is where the estate breaks.
502
00:21:06,680 –> 00:21:08,280
Teams root around you.
503
00:21:08,280 –> 00:21:09,760
They don’t do it because they’re malicious.
504
00:21:09,760 –> 00:21:12,720
They do it because delivery pressure doesn’t care about your backlog.
505
00:21:12,720 –> 00:21:15,800
So they reuse an old subscription because it already exists.
506
00:21:15,800 –> 00:21:18,880
They deploy into a dev environment because it has network access.
507
00:21:18,880 –> 00:21:21,560
They copy someone else’s pipeline because it worked once.
508
00:21:21,560 –> 00:21:23,440
They stash secrets wherever they can.
509
00:21:23,440 –> 00:21:25,840
They disable diagnostics because it blocks deployment.
510
00:21:25,840 –> 00:21:29,240
They avoid tagging because nobody enforced it at creation time.
511
00:21:29,240 –> 00:21:34,080
And the platform team is blamed for the drift that this behavior creates, that distinction matters.
512
00:21:34,080 –> 00:21:37,280
The platform team did not create the drift by being incompetent.
513
00:21:37,280 –> 00:21:40,200
The platform team created drift by being the only path.
514
00:21:40,200 –> 00:21:44,280
When you make the govern path slow, you force the organization to invent undgoverned parts.
515
00:21:44,280 –> 00:21:46,520
Now the predictable reaction is the worst one.
516
00:21:46,520 –> 00:21:49,560
The platform team optimizes for ticket throughput.
517
00:21:49,560 –> 00:21:50,560
They create forms.
518
00:21:50,560 –> 00:21:51,800
They create approval boards.
519
00:21:51,800 –> 00:21:55,640
They create a service now taxonomy of cloud requests that nobody understands.
520
00:21:55,640 –> 00:21:59,040
They add a weekly architecture review meeting to reduce rework.
521
00:21:59,040 –> 00:22:02,760
They define a standard subscription request template that still takes two weeks because
522
00:22:02,760 –> 00:22:03,840
it depends on humans.
523
00:22:03,840 –> 00:22:05,880
The queue keeps growing, but now it’s organized.
524
00:22:05,880 –> 00:22:10,240
This is what process maturity looks like when the operating model is failing.
525
00:22:10,240 –> 00:22:12,440
If you’re a CIO, here’s what to notice.
526
00:22:12,440 –> 00:22:16,840
You just build a central team that can’t scale linearly with demand and then you made the entire
527
00:22:16,840 –> 00:22:18,720
organization dependent on it.
528
00:22:18,720 –> 00:22:20,720
This doesn’t fail by one dramatic outage.
529
00:22:20,720 –> 00:22:23,480
It fails by slow suffocation lead time climbs.
530
00:22:23,480 –> 00:22:25,360
Shadow, it grows.
531
00:22:25,360 –> 00:22:29,720
Ccompliance becomes performative because the real work moved outside the visible pathways.
532
00:22:29,720 –> 00:22:30,720
So what’s the fix?
533
00:22:30,720 –> 00:22:33,360
The fix is not higher, more platform engineers.
534
00:22:33,360 –> 00:22:36,080
That is how you pay for architectural erosion with headcount.
535
00:22:36,080 –> 00:22:40,600
The fix is to convert services into products and tickets into self-service pathways.
536
00:22:40,600 –> 00:22:43,920
Subscription creation becomes vending, not a request.
537
00:22:43,920 –> 00:22:47,360
If a product team needs a new environment, they should be able to get a govern subscription
538
00:22:47,360 –> 00:22:48,360
in minutes.
539
00:22:48,360 –> 00:22:52,880
With management group placement, baseline tags, R-back scaffolding, network attachment,
540
00:22:52,880 –> 00:22:55,720
policy initiatives applied automatically.
541
00:22:55,720 –> 00:22:58,480
Network integration becomes an interface, not a meeting.
542
00:22:58,480 –> 00:23:04,040
If workloads attached to HubSpoke or VWAN through a defined pattern, the platform team stops
543
00:23:04,040 –> 00:23:07,680
hand-crafting peering and starts maintaining a standard topology.
544
00:23:07,680 –> 00:23:10,560
Pipelines become templates, not bespoke reviews.
545
00:23:10,560 –> 00:23:14,560
Teams can vary within defined boundaries, but they don’t reinvent privileged execution
546
00:23:14,560 –> 00:23:15,560
from scratch.
547
00:23:15,560 –> 00:23:17,760
And exceptions become a first-class mechanism.
548
00:23:17,760 –> 00:23:19,600
Tracked, reviewed and expired.
549
00:23:19,600 –> 00:23:21,320
Not favors, not back channels.
550
00:23:21,320 –> 00:23:24,600
If exception volume trends up, that’s a platform product signal.
551
00:23:24,600 –> 00:23:26,280
The paved road isn’t good enough.
552
00:23:26,280 –> 00:23:28,400
Now, measure the new system like a product.
553
00:23:28,400 –> 00:23:31,280
Time to first environment becomes the primary KPI.
554
00:23:31,280 –> 00:23:34,000
Paved road adoption becomes the adoption metric.
555
00:23:34,000 –> 00:23:36,280
Exception volume becomes the entropy indicator.
556
00:23:36,280 –> 00:23:39,440
And policy compliance rate becomes the ordered ready scoreboard.
557
00:23:39,440 –> 00:23:41,440
That’s the moment the ticket factory starts dying.
558
00:23:41,440 –> 00:23:46,600
Not because people tried harder, because the operating model stopped rewarding bypasses.
559
00:23:46,600 –> 00:23:50,280
The paved road, standardization that doesn’t feel like punishment.
560
00:23:50,280 –> 00:23:54,680
The paved road is the antidote to the ticket factory, but it’s also where most organizations
561
00:23:54,680 –> 00:23:57,640
accidentally build a new kind of bureaucracy.
562
00:23:57,640 –> 00:23:59,280
A paved road is not standards.
563
00:23:59,280 –> 00:24:00,280
It is not a wiki.
564
00:24:00,280 –> 00:24:03,320
It is not a PDF called CloudGuyldline’s V12 final final.
565
00:24:03,320 –> 00:24:07,840
It is a capability, a pre-approved path that is faster than improvisation and safer than
566
00:24:07,840 –> 00:24:08,840
creativity.
567
00:24:08,840 –> 00:24:10,560
That distinction matters.
568
00:24:10,560 –> 00:24:14,080
Most organizations try to standardize by telling teams what not to do.
569
00:24:14,080 –> 00:24:19,440
No public endpoints, no wildcard rolls, no random v-nets, no local pipeline hacks, and
570
00:24:19,440 –> 00:24:23,280
then they act confused when developers treat security like an obstacle course.
571
00:24:23,280 –> 00:24:27,000
Because you didn’t ship a road, you shipped a list of potholes, a real paved road is
572
00:24:27,000 –> 00:24:30,840
opinionated, it gives defaults, it removes choices.
573
00:24:30,840 –> 00:24:32,360
And it does that for one reason.
574
00:24:32,360 –> 00:24:34,720
Cognitive load is the real tax at scale.
575
00:24:34,720 –> 00:24:38,600
Every additional decision a product team has to make is another place they can drift.
576
00:24:38,600 –> 00:24:42,080
Another place they can invent, another place they can fork away from your intent.
577
00:24:42,080 –> 00:24:44,560
If you run a platform team, here’s the rule.
578
00:24:44,560 –> 00:24:47,360
The paved road must be the path of least resistance.
579
00:24:47,360 –> 00:24:51,440
If the road is slower than the back roads, the organization will not learn.
580
00:24:51,440 –> 00:24:53,760
It will root around, always.
581
00:24:53,760 –> 00:24:56,120
And if you’re a CIO, this is the implication.
582
00:24:56,120 –> 00:24:58,840
Paved roads are how you buy speed without buying chaos.
583
00:24:58,840 –> 00:25:01,920
They are also how you reduce audit scope without freezing delivery.
584
00:25:01,920 –> 00:25:03,360
You are not funding compliance.
585
00:25:03,360 –> 00:25:05,160
You are funding repeatability.
586
00:25:05,160 –> 00:25:07,400
Now a quick clarification people confuse.
587
00:25:07,400 –> 00:25:10,240
Golden paths and paved roads are related but not identical.
588
00:25:10,240 –> 00:25:14,960
A golden path is a specific end-to-end workflow for a common scenario.
589
00:25:14,960 –> 00:25:19,760
New web service with standard logging, pipeline and deployment or new data workload with approved
590
00:25:19,760 –> 00:25:21,840
networking and diagnostics.
591
00:25:21,840 –> 00:25:23,440
A paved road is broader.
592
00:25:23,440 –> 00:25:27,240
It’s the set of default routes and components that golden paths are built from.
593
00:25:27,240 –> 00:25:28,880
And both need escape hatches.
594
00:25:28,880 –> 00:25:31,400
Not because you’re nice because reality exists.
595
00:25:31,400 –> 00:25:35,520
The mistake that ruins everything is pretending escape hatches don’t exist.
596
00:25:35,520 –> 00:25:36,520
They do.
597
00:25:36,520 –> 00:25:38,720
They’re just undocumented, social and inconsistent.
598
00:25:38,720 –> 00:25:42,160
That’s what turns exception handling into entropy, so build the escape hatch.
599
00:25:42,160 –> 00:25:43,160
Make it explicit.
600
00:25:43,160 –> 00:25:44,880
Give it friction, but not shame.
601
00:25:44,880 –> 00:25:47,440
Now what actually belongs on the paved road in Azure?
602
00:25:47,440 –> 00:25:50,920
First, subscription and environment creation that’s already governed.
603
00:25:50,920 –> 00:25:52,320
Not request a subscription.
604
00:25:52,320 –> 00:25:53,320
Provision it.
605
00:25:53,320 –> 00:25:55,280
Make it land in the right management group.
606
00:25:55,280 –> 00:25:56,480
Apply baseline tags.
607
00:25:56,480 –> 00:25:58,400
Apply baseline R-back scaffolding.
608
00:25:58,400 –> 00:25:59,920
Attach it to the network baseline.
609
00:25:59,920 –> 00:26:00,920
Apply policy initiatives.
610
00:26:00,920 –> 00:26:01,920
Turn on logging defaults.
611
00:26:01,920 –> 00:26:02,920
That’s the starting line.
612
00:26:02,920 –> 00:26:05,880
Second, pipeline templates that constrain variation.
613
00:26:05,880 –> 00:26:07,240
Not one pipeline for every team.
614
00:26:07,240 –> 00:26:10,840
A small set of sanctioned templates build deploy infra.
615
00:26:10,840 –> 00:26:13,120
They should handle secrets correctly by default.
616
00:26:13,120 –> 00:26:17,320
Make pipelines as privileged execution and provide consistent change evidence for audit.
617
00:26:17,320 –> 00:26:20,600
Third, IIC modules that teams consume not clone.
618
00:26:20,600 –> 00:26:25,840
This is where AVM style building blocks matter, not as marketing but as entropy control.
619
00:26:25,840 –> 00:26:29,880
Version modules with controlled upgrades beat a thousand forks with silent drift.
620
00:26:29,880 –> 00:26:32,280
Fourth, observability defaults.
621
00:26:32,280 –> 00:26:34,960
Diagnostic settings activity logs baseline metrics and alerts.
622
00:26:34,960 –> 00:26:37,680
Teams can add more but they can’t opt out without an exception.
623
00:26:37,680 –> 00:26:42,520
If your logging baseline is optional, your incident response will be interpretive theater.
624
00:26:42,520 –> 00:26:45,400
Fifth, tagging defaults tied to cost ownership.
625
00:26:45,400 –> 00:26:46,400
This isn’t pedantry.
626
00:26:46,400 –> 00:26:50,200
Tagging is how you map variable consumption to an accountable owner.
627
00:26:50,200 –> 00:26:53,880
Without it, show back his fiction and charge back his political warfare.
628
00:26:53,880 –> 00:26:55,400
Now here’s where orgs fail.
629
00:26:55,400 –> 00:26:57,840
They publish guidance, not capability.
630
00:26:57,840 –> 00:26:59,760
They create reference repos nobody uses.
631
00:26:59,760 –> 00:27:02,400
They create terraform modules nobody trusts.
632
00:27:02,400 –> 00:27:06,080
They create a recommended logging pattern that breaks the first time someone deploys a
633
00:27:06,080 –> 00:27:08,360
service Microsoft added last week.
634
00:27:08,360 –> 00:27:11,200
And then they blame developers for not following the paved road.
635
00:27:11,200 –> 00:27:13,360
Developers don’t adopt roads because you asked.
636
00:27:13,360 –> 00:27:15,000
They adopt roads because roads work.
637
00:27:15,000 –> 00:27:16,400
So build the road like a product.
638
00:27:16,400 –> 00:27:18,840
That means documentation that matches reality,
639
00:27:18,840 –> 00:27:22,720
versioning deprecation, support boundaries, a feedback loop and metrics,
640
00:27:22,720 –> 00:27:24,960
paved road adoption, time to first environment,
641
00:27:24,960 –> 00:27:27,040
exception volume trend and compliance rate.
642
00:27:27,040 –> 00:27:28,680
And you need guard rails, not gates.
643
00:27:28,680 –> 00:27:30,720
Guard rails are fast feedback and enforced defaults.
644
00:27:30,720 –> 00:27:32,520
Gates are meetings.
645
00:27:32,520 –> 00:27:36,400
A deny policy that blocks obviously unsafe deployments can be a guard rail.
646
00:27:36,400 –> 00:27:40,040
The three week approval chain is a gate, one scales, one collapses.
647
00:27:40,040 –> 00:27:41,720
Finally make exceptions visible.
648
00:27:41,720 –> 00:27:44,640
If a team needs to deviate, they should create an exception record that is
649
00:27:44,640 –> 00:27:47,600
reviewable, has a compensating control and expires.
650
00:27:47,600 –> 00:27:50,480
That turns deviation from a secret into a managed risk.
651
00:27:50,480 –> 00:27:52,200
And once you do that, something else happens.
652
00:27:52,200 –> 00:27:55,240
You can see which parts of the paved road are failing because
653
00:27:55,240 –> 00:27:57,280
exception volume clusters around friction.
654
00:27:57,280 –> 00:27:59,760
That’s the system telling you what to fix next.
655
00:27:59,760 –> 00:28:02,800
Now the road has to attach to governance somewhere real.
656
00:28:02,800 –> 00:28:05,840
In Azure, that attachment point is the landing zone.
657
00:28:05,840 –> 00:28:09,120
Azure landing zones, where org design becomes enforceable.
658
00:28:09,120 –> 00:28:12,040
Azure landing zones are where the paved road stops being a philosophy
659
00:28:12,040 –> 00:28:14,920
and becomes something as you can actually enforce.
660
00:28:14,920 –> 00:28:17,640
Most people treat ALZ like a deployment artifact.
661
00:28:17,640 –> 00:28:20,280
Run the accelerator, get the management groups, policies,
662
00:28:20,280 –> 00:28:22,320
network scaffolding and call it done.
663
00:28:22,320 –> 00:28:23,680
That is the shallow version.
664
00:28:23,680 –> 00:28:27,200
The real value is that ALZ turns your org chart into a control plane.
665
00:28:27,200 –> 00:28:29,640
It gives you a place to encode decision rights.
666
00:28:29,640 –> 00:28:32,560
So the platform behaves the same way on Tuesday afternoon as it does
667
00:28:32,560 –> 00:28:34,680
during an incident at 2am.
668
00:28:34,680 –> 00:28:36,320
And this is the uncomfortable truth.
669
00:28:36,320 –> 00:28:39,400
Without a landing zone, your enterprise is not operating as you.
670
00:28:39,400 –> 00:28:40,520
It is negotiating Azure.
671
00:28:40,520 –> 00:28:43,600
Every workload becomes a bespoke discussion about where it goes,
672
00:28:43,600 –> 00:28:47,160
how it connects, who can access it and what compliance means to date.
673
00:28:47,160 –> 00:28:48,120
That does not scale.
674
00:28:48,120 –> 00:28:49,360
It just accumulates.
675
00:28:49,360 –> 00:28:51,880
So think about ALZ in architectural terms.
676
00:28:51,880 –> 00:28:53,600
It is not an architecture diagram.
677
00:28:53,600 –> 00:28:55,520
It is a hierarchy and enforcement surface.
678
00:28:55,520 –> 00:28:58,240
Management groups become the policy inheritance tree.
679
00:28:58,240 –> 00:29:00,560
Subscriptions become the unit of delegation.
680
00:29:00,560 –> 00:29:03,160
Azure policy initiatives become the baseline assumptions
681
00:29:03,160 –> 00:29:04,680
you enforce at scale.
682
00:29:04,680 –> 00:29:07,640
And the network baseline becomes your blast radius boundary.
683
00:29:07,640 –> 00:29:12,920
Those four things are the levers that make autonomy with alignment real.
684
00:29:12,920 –> 00:29:14,840
If you’re a CIO, this is the implication.
685
00:29:14,840 –> 00:29:16,640
ALZ is not a networking project.
686
00:29:16,640 –> 00:29:18,320
It’s the control plane for delegation.
687
00:29:18,320 –> 00:29:21,480
It defines what the platform team can safely delegate to product teams
688
00:29:21,480 –> 00:29:24,560
without renegotiating security and compliance every sprint.
689
00:29:24,560 –> 00:29:27,640
If you treat it as infrastructure, you’ll find it once and then wonder why it
690
00:29:27,640 –> 00:29:28,320
rots.
691
00:29:28,320 –> 00:29:30,480
If you’re a platform lead, ALZ is a product.
692
00:29:30,480 –> 00:29:31,720
Day two is the point.
693
00:29:31,720 –> 00:29:35,840
Version it, change it deliberately, measure adoption, track exception volume.
694
00:29:35,840 –> 00:29:38,280
Because the moment ALZ becomes a one time deployment,
695
00:29:38,280 –> 00:29:42,120
it becomes stale documentation with armed templates attached.
696
00:29:42,120 –> 00:29:45,960
Now, ALZ forces a split that many enterprises pretend doesn’t exist.
697
00:29:45,960 –> 00:29:49,080
Platform landing zones versus application landing zones.
698
00:29:49,080 –> 00:29:52,040
Platform landing zones are shared services and baselines,
699
00:29:52,040 –> 00:29:55,240
connectivity patterns, identity integration assumptions,
700
00:29:55,240 –> 00:29:59,000
logging and monitoring foundations, policy and governance posture.
701
00:29:59,000 –> 00:30:02,720
This is where you standardize once and stop paying the duplication tax.
702
00:30:02,720 –> 00:30:05,240
Application landing zones are where product teams live,
703
00:30:05,240 –> 00:30:09,800
workload subscriptions, environments and resource deployments that produce business outcomes.
704
00:30:09,800 –> 00:30:12,440
The platform team should not be hand editing those workloads.
705
00:30:12,440 –> 00:30:14,240
If they are, you didn’t build a platform.
706
00:30:14,240 –> 00:30:15,720
You built an approvals team.
707
00:30:15,720 –> 00:30:19,760
The eight ALZ design areas are useful here, but not as documentation theater.
708
00:30:19,760 –> 00:30:22,160
They are prompts for operating model decisions,
709
00:30:22,160 –> 00:30:26,160
billing and tenant design, identity and access, resource organization,
710
00:30:26,160 –> 00:30:30,960
network topology, security, management governance and platform automation and DevOps.
711
00:30:30,960 –> 00:30:33,760
Each design area is a place where you either codify intent
712
00:30:33,760 –> 00:30:36,000
or you leave a gap that becomes an exception later.
713
00:30:36,000 –> 00:30:38,960
And you can see why ALZ matters for the three headline metrics.
714
00:30:38,960 –> 00:30:42,080
Lead time drops when teams stop waiting for bespoke platform work
715
00:30:42,080 –> 00:30:44,000
and instead inherit working defaults.
716
00:30:44,000 –> 00:30:48,320
Time to first environment drops when subscriptions are created inside a pre-governed structure,
717
00:30:48,320 –> 00:30:50,240
not negotiated into existence.
718
00:30:50,240 –> 00:30:52,640
Policy compliance rate becomes measurable
719
00:30:52,640 –> 00:30:55,840
because policy is applied consistently through management groupscope,
720
00:30:55,840 –> 00:30:57,520
not recommended in a wiki.
721
00:30:57,520 –> 00:30:59,360
Now here’s the misuse pattern that kills it.
722
00:30:59,360 –> 00:31:00,880
ALZ treated as a starter kit.
723
00:31:00,880 –> 00:31:04,480
Teams deploy it, then they let project teams create subscriptions wherever they want,
724
00:31:04,480 –> 00:31:07,600
or they let networking drift into point-to-point peering exceptions,
725
00:31:07,600 –> 00:31:09,760
or they treat policy exemptions as permanent.
726
00:31:09,760 –> 00:31:12,640
Over time, the landing zone becomes a historical artifact
727
00:31:12,640 –> 00:31:14,480
that no longer reflects reality.
728
00:31:14,480 –> 00:31:16,800
And once that happens, the org stops trusting the platform
729
00:31:16,800 –> 00:31:18,880
and starts rebuilding its own pathways.
730
00:31:18,880 –> 00:31:20,800
So if you want the landing zone to stay real,
731
00:31:20,800 –> 00:31:22,960
you need one pressure point that never lies.
732
00:31:22,960 –> 00:31:26,240
Subscription creation, that’s where delegation becomes enforceable.
733
00:31:26,240 –> 00:31:28,880
Because if you can control what happens at creation time,
734
00:31:28,880 –> 00:31:30,960
management group placement, baseline tags,
735
00:31:30,960 –> 00:31:34,800
RBAC scaffolding, network attachment, policy initiatives, logging defaults,
736
00:31:34,800 –> 00:31:36,640
you’ve stopped fighting drift after the fact.
737
00:31:36,640 –> 00:31:38,800
You’ve moved enforcement to the starting line.
738
00:31:38,800 –> 00:31:40,800
And that’s where we go next, subscription vending,
739
00:31:40,800 –> 00:31:42,640
because autonomy isn’t something you grant,
740
00:31:42,640 –> 00:31:44,080
it’s something you engineer.
741
00:31:44,080 –> 00:31:47,600
Subscription vending, autonomy with guardrails in one mechanism.
742
00:31:47,600 –> 00:31:51,120
Subscription vending is where most enterprises accidentally confess
743
00:31:51,120 –> 00:31:52,880
they don’t trust their own operating model.
744
00:31:52,880 –> 00:31:56,240
They say they want autonomy, but then a product team needs a subscription
745
00:31:56,240 –> 00:31:59,040
and the process is open a ticket, wait, negotiate,
746
00:31:59,040 –> 00:32:01,600
and hope the platform team is in a generous mood.
747
00:32:01,600 –> 00:32:04,400
That isn’t governance, that’s a queue dressed up as control.
748
00:32:04,400 –> 00:32:07,360
Vending fixes that by moving control to the starting line.
749
00:32:07,360 –> 00:32:09,600
A good subscription vending flow gives product teams
750
00:32:09,600 –> 00:32:12,240
a governed, pre-wired place to deploy without asking permission
751
00:32:12,240 –> 00:32:13,200
for the basics.
752
00:32:13,200 –> 00:32:16,080
It’s autonomy with guardrails expressed as a mechanism.
753
00:32:16,080 –> 00:32:19,120
Creation with enforcement, not provisioning with exceptions.
754
00:32:19,120 –> 00:32:21,680
If you’re a CIO, here’s the implication.
755
00:32:21,680 –> 00:32:24,000
Subscription vending is not an automation project.
756
00:32:24,000 –> 00:32:25,600
It’s your delegation model made real.
757
00:32:25,600 –> 00:32:28,400
It’s the difference between scaling by design and scaling by hiring.
758
00:32:28,400 –> 00:32:31,040
If you run a platform team, here’s the uncomfortable truth.
759
00:32:31,040 –> 00:32:34,080
If you don’t build vending, you will become the vending machine.
760
00:32:34,080 –> 00:32:35,360
Humans don’t scale.
761
00:32:35,360 –> 00:32:36,560
APIs do.
762
00:32:36,560 –> 00:32:39,200
So what does vending actually mean in azure terms?
763
00:32:39,200 –> 00:32:40,880
It means when a subscription is created,
764
00:32:40,880 –> 00:32:42,480
four things happen deterministically.
765
00:32:42,480 –> 00:32:44,000
First, it lands in the right place.
766
00:32:44,000 –> 00:32:46,080
Management group placement is not a suggestion.
767
00:32:46,080 –> 00:32:47,360
It’s the inheritance model.
768
00:32:47,360 –> 00:32:49,600
If a subscription lands outside your hierarchy,
769
00:32:49,600 –> 00:32:51,840
you just created an ungoverned island.
770
00:32:51,840 –> 00:32:53,760
An island’s become incident magnets.
771
00:32:53,760 –> 00:32:56,880
Second, it gets baseline identity and access scaffolding.
772
00:32:56,880 –> 00:32:58,320
Not everyone gets owner.
773
00:32:58,320 –> 00:33:00,000
You attach the right R-back groups,
774
00:33:00,000 –> 00:33:01,760
enforce least privileged patterns
775
00:33:01,760 –> 00:33:03,600
and make privileged access time bound
776
00:33:03,600 –> 00:33:04,880
through your chosen process.
777
00:33:04,880 –> 00:33:06,720
You don’t debate this per subscription.
778
00:33:06,720 –> 00:33:08,240
You apply it as a default.
779
00:33:08,240 –> 00:33:10,480
Third, it attaches to the network baseline.
780
00:33:10,480 –> 00:33:14,240
Whether you use hub and spoke or vwn is an implementation choice.
781
00:33:14,240 –> 00:33:17,600
The operating model point is that workloads don’t invent networking.
782
00:33:17,600 –> 00:33:18,400
They inherit it.
783
00:33:18,400 –> 00:33:21,360
Egress control, DNS patterns, private endpoint strategy,
784
00:33:21,360 –> 00:33:24,080
those are platform decisions that have to be consistent
785
00:33:24,080 –> 00:33:26,320
if you want to predictable blast radius.
786
00:33:26,320 –> 00:33:28,000
Fourth, it gets baseline governance.
787
00:33:28,000 –> 00:33:28,720
Tags applied.
788
00:33:28,720 –> 00:33:29,920
Policy initiatives assigned.
789
00:33:29,920 –> 00:33:31,520
Logging defaults turned on.
790
00:33:31,520 –> 00:33:33,760
The point is that the subscription is born compliant
791
00:33:33,760 –> 00:33:35,680
enough to be safe, not compliant
792
00:33:35,680 –> 00:33:37,440
after the first audit finds it.
793
00:33:37,440 –> 00:33:38,640
Now, notice what’s missing.
794
00:33:38,640 –> 00:33:40,160
A bespoke approval chain.
795
00:33:40,160 –> 00:33:42,320
Vending doesn’t mean no approvals.
796
00:33:42,320 –> 00:33:45,440
It means approvals are scoped to deviations, not to existence.
797
00:33:45,440 –> 00:33:48,400
Teams shouldn’t need a meeting to start work inside the paved road.
798
00:33:48,400 –> 00:33:50,560
They should only need a review when they want to leave it.
799
00:33:50,560 –> 00:33:51,920
This is where most people mess up.
800
00:33:51,920 –> 00:33:54,160
They build a vending process that still requires humans
801
00:33:54,160 –> 00:33:55,920
to approve every subscription every time
802
00:33:55,920 –> 00:33:57,520
because someone is afraid of sprawl.
803
00:33:57,520 –> 00:34:00,480
But the point of vending is to make sprawl governed.
804
00:34:00,480 –> 00:34:01,520
sprawl is inevitable.
805
00:34:01,520 –> 00:34:05,520
The only question is whether it happens inside your control plane or outside it.
806
00:34:05,520 –> 00:34:08,240
And yes, the word sprawl is still the wrong diagnosis.
807
00:34:08,240 –> 00:34:10,640
The real failure mode is unmanaged creation.
808
00:34:10,640 –> 00:34:12,320
Vending makes creation managed.
809
00:34:12,320 –> 00:34:14,320
So how do you know your vending is working?
810
00:34:14,320 –> 00:34:16,320
You measure time to first environment.
811
00:34:16,320 –> 00:34:18,880
If it’s minutes to hours, your platform is functioning.
812
00:34:18,880 –> 00:34:22,080
If it’s days to weeks, you’ve built a ticket factory with better branding.
813
00:34:22,080 –> 00:34:25,200
You also measure paved road adoption at creation.
814
00:34:25,200 –> 00:34:27,200
What percentage of subscriptions are created
815
00:34:27,200 –> 00:34:29,840
through the vending path versus side channels?
816
00:34:29,840 –> 00:34:31,920
Side channels are where governance goes to die
817
00:34:31,920 –> 00:34:33,200
and you measure exception volume
818
00:34:33,200 –> 00:34:34,480
because exceptions should exist
819
00:34:34,480 –> 00:34:36,000
but they should be visible,
820
00:34:36,000 –> 00:34:37,520
reviewed and expired.
821
00:34:37,520 –> 00:34:39,040
If exceptions trend upward,
822
00:34:39,040 –> 00:34:40,160
your road is failing.
823
00:34:40,160 –> 00:34:41,520
Either the road is too narrow
824
00:34:41,520 –> 00:34:43,200
or the guard rails are too strict
825
00:34:43,200 –> 00:34:46,000
or the platform team is shipping policy without capability.
826
00:34:46,000 –> 00:34:48,560
Now, a quick warning for architects
827
00:34:48,560 –> 00:34:50,560
don’t confuse vending with a portal.
828
00:34:50,560 –> 00:34:51,760
The portal is an interface.
829
00:34:51,760 –> 00:34:53,520
Vending is enforcement.
830
00:34:53,520 –> 00:34:54,800
If a user can click a button
831
00:34:54,800 –> 00:34:56,160
and still create a subscription
832
00:34:56,160 –> 00:34:57,840
that bypasses network attachment,
833
00:34:57,840 –> 00:34:59,760
policy assignment or tagging,
834
00:34:59,760 –> 00:35:01,520
then the portal is theatre.
835
00:35:01,520 –> 00:35:04,400
The system will root around it the first time it’s inconvenient.
836
00:35:04,400 –> 00:35:05,920
The wind condition is simple.
837
00:35:05,920 –> 00:35:08,240
The fastest path to a usable Azure environment
838
00:35:08,240 –> 00:35:10,080
is also the most compliant path.
839
00:35:10,080 –> 00:35:11,840
And once you have that, the platform team
840
00:35:11,840 –> 00:35:14,320
stops being a bottleneck and starts being leverage.
841
00:35:14,320 –> 00:35:15,920
Now the starting line is solved.
842
00:35:15,920 –> 00:35:17,200
The ongoing problem is drift
843
00:35:17,200 –> 00:35:20,240
and drift is where Azure policy stops being governance
844
00:35:20,240 –> 00:35:21,920
and becomes intent enforcement.
845
00:35:21,920 –> 00:35:25,600
Guard rails at scale as your policy
846
00:35:25,600 –> 00:35:28,240
plus initiatives as intent enforcement.
847
00:35:28,240 –> 00:35:30,160
Vending gets you a govern starting line
848
00:35:30,160 –> 00:35:32,240
but scale doesn’t fail at the starting line.
849
00:35:32,240 –> 00:35:33,600
It fails six months later
850
00:35:33,600 –> 00:35:35,760
when the estate has changed hands 20 times,
851
00:35:35,760 –> 00:35:37,120
three teams rotated
852
00:35:37,120 –> 00:35:40,000
and the original rules exist only in a slide deck
853
00:35:40,000 –> 00:35:41,840
that nobody opens, that is drift.
854
00:35:41,840 –> 00:35:44,160
And drift is what exposes the tooling line
855
00:35:44,160 –> 00:35:46,560
because drift doesn’t happen because you lack the tool.
856
00:35:46,560 –> 00:35:49,440
Drift happens because your intent was never enforceable
857
00:35:49,440 –> 00:35:52,240
and the platform did exactly what distributed systems do.
858
00:35:52,240 –> 00:35:54,800
It degraded toward the easiest local behavior.
859
00:35:54,800 –> 00:35:57,280
This is where Azure policy stops being governance theatre
860
00:35:57,280 –> 00:35:58,480
and becomes what it actually is
861
00:35:58,480 –> 00:36:00,320
an enforcement engine for assumptions.
862
00:36:00,320 –> 00:36:02,400
If you’re a CIO, the implication is blunt.
863
00:36:02,400 –> 00:36:03,840
Policy is not documentation.
864
00:36:03,840 –> 00:36:06,160
Policy is the only scalable mechanism
865
00:36:06,160 –> 00:36:07,120
you have to make.
866
00:36:07,120 –> 00:36:08,960
We don’t do that here true in the real system.
867
00:36:08,960 –> 00:36:11,360
It is audit evidence, it is risk reduction
868
00:36:11,360 –> 00:36:12,720
and it is a cost control system
869
00:36:12,720 –> 00:36:15,760
when tagging and SQ constraints are part of the baseline.
870
00:36:15,760 –> 00:36:17,440
If you run a platform team,
871
00:36:17,440 –> 00:36:20,800
policy is also your escape from becoming the perpetual reviewer.
872
00:36:20,800 –> 00:36:22,720
If a human has to approve every safe decision,
873
00:36:22,720 –> 00:36:24,800
you design a gate, gates don’t scale.
874
00:36:24,800 –> 00:36:27,440
Now Azure policy by itself is a pile of knobs.
875
00:36:27,440 –> 00:36:30,080
Initiatives are how you turn it into something operable.
876
00:36:30,080 –> 00:36:32,000
An initiative is a bundled baseline,
877
00:36:32,000 –> 00:36:34,640
a curated set of definitions applied consistently
878
00:36:34,640 –> 00:36:35,840
at the right scope.
879
00:36:35,840 –> 00:36:38,880
It reduces the number of places you can get inconsistent.
880
00:36:38,880 –> 00:36:40,320
It also makes reporting sane
881
00:36:40,320 –> 00:36:42,400
because you are measuring one unit of intent
882
00:36:42,400 –> 00:36:44,240
instead of 50 independent opinions.
883
00:36:44,240 –> 00:36:46,880
That distinction matters because at enterprise scale,
884
00:36:46,880 –> 00:36:49,280
you don’t lose control through missing policies.
885
00:36:49,280 –> 00:36:51,360
You lose control through inconsistent application
886
00:36:51,360 –> 00:36:52,640
of almost the same policies.
887
00:36:52,640 –> 00:36:56,880
Now enforcement posture is where adults get separated from PowerPoint.
888
00:36:56,880 –> 00:37:01,200
Azure gives you effects like deny, modify, audit, deploy, if not exists.
889
00:37:01,200 –> 00:37:02,560
None of these are best.
890
00:37:02,560 –> 00:37:04,080
They are trade-offs in pain.
891
00:37:04,080 –> 00:37:05,280
Denies immediate control.
892
00:37:05,280 –> 00:37:07,280
It also breaks deployments, which means
893
00:37:07,280 –> 00:37:09,680
teams will either comply or they will escalate
894
00:37:09,680 –> 00:37:10,720
or they will root around.
895
00:37:10,720 –> 00:37:13,280
If you deny too early without a paved road,
896
00:37:13,280 –> 00:37:16,000
you just thought teams that governance is a blocker.
897
00:37:16,000 –> 00:37:17,760
Modify is the pragmatic, compromise.
898
00:37:17,760 –> 00:37:19,840
The platform fixes the baseline for you.
899
00:37:19,840 –> 00:37:21,680
Text get applied, settings get corrected.
900
00:37:21,680 –> 00:37:24,080
It’s a guardrail that doesn’t require a ticket.
901
00:37:24,080 –> 00:37:26,160
Audit is how most enterprises live forever.
902
00:37:26,160 –> 00:37:28,240
It creates dashboards, not outcomes.
903
00:37:28,240 –> 00:37:29,440
Audit tells you you’re wrong.
904
00:37:29,440 –> 00:37:31,120
It doesn’t stop you from staying wrong.
905
00:37:31,120 –> 00:37:32,800
Deploy if not exists is powerful,
906
00:37:32,800 –> 00:37:34,960
but it has operational consequences.
907
00:37:34,960 –> 00:37:37,520
Delays, remediation tasks and eventual consistency
908
00:37:37,520 –> 00:37:40,160
that confuses teams when a resource looks fine
909
00:37:40,160 –> 00:37:42,320
but becomes non-compliant later.
910
00:37:42,320 –> 00:37:43,600
That’s not a reason to avoid it.
911
00:37:43,600 –> 00:37:44,960
That’s a reason to design for it.
912
00:37:44,960 –> 00:37:46,560
Now here’s the foundational mistake.
913
00:37:46,560 –> 00:37:49,920
Treating policy exemptions as a one-time administrative action.
914
00:37:49,920 –> 00:37:51,200
Exemptions are not paperwork.
915
00:37:51,200 –> 00:37:53,040
They are entropy generators.
916
00:37:53,040 –> 00:37:55,520
Every exemption creates a parallel reality
917
00:37:55,520 –> 00:37:58,160
where your baseline is no longer deterministic.
918
00:37:58,160 –> 00:38:01,280
Over time the estate becomes a collection of special cases
919
00:38:01,280 –> 00:38:03,520
and your compliance rate becomes a polite fiction
920
00:38:03,520 –> 00:38:06,880
because the real system is the set of exemptions no one remembers.
921
00:38:06,880 –> 00:38:08,160
So you need an exception process
922
00:38:08,160 –> 00:38:10,480
that treats exemptions like radioactive material,
923
00:38:10,480 –> 00:38:12,480
controlled, labeled and time bound.
924
00:38:12,480 –> 00:38:15,280
Owner, reason, compensating, control,
925
00:38:15,280 –> 00:38:17,280
expiration, review cadence.
926
00:38:17,280 –> 00:38:19,200
If it cannot expire, it is not an exemption.
927
00:38:19,200 –> 00:38:21,280
It is policy drift you are refusing to name.
928
00:38:21,280 –> 00:38:23,760
This is also why the compliance metric matters.
929
00:38:23,760 –> 00:38:26,480
Policy compliance rate isn’t a vanity KPI.
930
00:38:26,480 –> 00:38:28,160
It’s the externalized truth
931
00:38:28,160 –> 00:38:30,800
of whether your operating model still matches reality.
932
00:38:30,800 –> 00:38:32,960
And meantime to remediate non-compliance
933
00:38:32,960 –> 00:38:34,480
is the second half of the story.
934
00:38:34,480 –> 00:38:36,400
You’re not measuring whether problems exist.
935
00:38:36,400 –> 00:38:38,080
You’re measuring whether you can close them
936
00:38:38,080 –> 00:38:40,720
before they become incidents or audit findings.
937
00:38:40,720 –> 00:38:42,160
If you’re a cloud architect,
938
00:38:42,160 –> 00:38:44,160
this is the hard lesson policy design
939
00:38:44,160 –> 00:38:46,640
without remediation design is just moralizing.
940
00:38:46,640 –> 00:38:48,320
Azure will happily tell you what’s wrong.
941
00:38:48,320 –> 00:38:50,240
It won’t fix your org’s willingness to act,
942
00:38:50,240 –> 00:38:52,080
so keep it operational.
943
00:38:52,080 –> 00:38:53,440
Start with a baseline initiative
944
00:38:53,440 –> 00:38:55,680
that maps to your paved road assumptions.
945
00:38:55,680 –> 00:38:58,640
A loud regions, require tags, diagnostics,
946
00:38:58,640 –> 00:39:01,360
network constraints, identity constraints.
947
00:39:01,360 –> 00:39:04,240
Keep the baseline small enough to enforce consistently
948
00:39:04,240 –> 00:39:06,320
then expand it intentionally.
949
00:39:06,320 –> 00:39:08,480
And when you need to raise the enforcement posture,
950
00:39:08,480 –> 00:39:10,720
do it like an engineer, not like a crusade.
951
00:39:10,720 –> 00:39:13,120
Pick one control, provide the paved road,
952
00:39:13,120 –> 00:39:14,960
communicate the exception path,
953
00:39:14,960 –> 00:39:17,760
then flip from audit to modify or deny.
954
00:39:17,760 –> 00:39:20,560
That’s how you keep guardrails from turning into gates.
955
00:39:20,560 –> 00:39:22,640
Next we have to talk about the delivery system
956
00:39:22,640 –> 00:39:25,040
because your pipelines are privileged execution.
957
00:39:25,040 –> 00:39:26,880
If you treat CI/CD like a hobby,
958
00:39:26,880 –> 00:39:28,640
governance will root around it.
959
00:39:28,640 –> 00:39:32,320
Enterprise DevOps that scales beyond CI/CD as a hobby.
960
00:39:32,320 –> 00:39:33,760
Now we talk about the delivery system
961
00:39:33,760 –> 00:39:35,840
because this is where organizations lie to themselves
962
00:39:35,840 –> 00:39:36,640
the hardest.
963
00:39:36,640 –> 00:39:39,120
They call it DevOps, but what they mean is we have pipelines.
964
00:39:39,120 –> 00:39:40,400
A pipeline is not DevOps,
965
00:39:40,400 –> 00:39:42,240
a pipeline is a delivery mechanism.
966
00:39:42,240 –> 00:39:43,520
And in Enterprise Azure,
967
00:39:43,520 –> 00:39:45,680
delivery is a privileged execution surface
968
00:39:45,680 –> 00:39:49,120
that can change production faster than any human approval chain.
969
00:39:49,120 –> 00:39:51,520
That means your delivery system is part of your control plane,
970
00:39:51,520 –> 00:39:53,280
whether you treated that way or not.
971
00:39:53,280 –> 00:39:55,040
If you’re a CIO, this is the implication.
972
00:39:55,040 –> 00:39:57,680
The delivery system is your change control system.
973
00:39:57,680 –> 00:39:59,440
It is how you prove to auditors
974
00:39:59,440 –> 00:40:02,000
that changes are reviewed, repeatable and attributable.
975
00:40:02,000 –> 00:40:04,080
If you don’t design it explicitly,
976
00:40:04,080 –> 00:40:06,480
you will reintroduce manual governance to compensate
977
00:40:06,480 –> 00:40:08,560
and you will destroy lead time to feel safe.
978
00:40:08,560 –> 00:40:10,000
If you run a platform team,
979
00:40:10,000 –> 00:40:11,360
this is where you usually fail
980
00:40:11,360 –> 00:40:13,120
by underestimating what you’re shipping.
981
00:40:13,120 –> 00:40:15,680
You think you’re shipping CI/CD templates.
982
00:40:15,680 –> 00:40:17,760
In reality, you’re shipping a standardized way
983
00:40:17,760 –> 00:40:20,240
to execute privileged actions against Azure
984
00:40:20,240 –> 00:40:22,320
at scale across hundreds of teams.
985
00:40:22,320 –> 00:40:23,840
That distinction matters.
986
00:40:23,840 –> 00:40:26,240
Most enterprises start with local DevOps.
987
00:40:26,240 –> 00:40:28,080
Every team builds its own pipelines,
988
00:40:28,080 –> 00:40:30,720
its own terraform workflow, its own secrets approach,
989
00:40:30,720 –> 00:40:33,680
its own environment naming, its own release choreography.
990
00:40:33,680 –> 00:40:36,960
It works until the first audit, the first breach investigation,
991
00:40:36,960 –> 00:40:38,240
or the first incident review
992
00:40:38,240 –> 00:40:40,080
when no one can answer a simple question
993
00:40:40,080 –> 00:40:43,440
what changed, who approved it, and what did it touch.
994
00:40:43,440 –> 00:40:46,240
That’s when the organization pivots into the wrong fix.
995
00:40:46,240 –> 00:40:49,680
Gates, CI app meetings, manual approvals for every deployment,
996
00:40:49,680 –> 00:40:52,080
security sign off as a required checkbox,
997
00:40:52,080 –> 00:40:54,000
ticket-based service connection creation.
998
00:40:54,000 –> 00:40:55,120
It feels like maturity.
999
00:40:55,120 –> 00:40:55,840
It is not.
1000
00:40:55,840 –> 00:40:58,000
It’s a latency injection mechanism.
1001
00:40:58,000 –> 00:40:59,280
The scalable model is different.
1002
00:40:59,280 –> 00:41:01,120
Constrain variation don’t outlaw it.
1003
00:41:01,120 –> 00:41:02,880
You standardize the high-risk parts
1004
00:41:02,880 –> 00:41:05,360
and you allow local flexibility everywhere else.
1005
00:41:05,360 –> 00:41:07,840
That means you ship a small set of pipeline templates
1006
00:41:07,840 –> 00:41:09,040
that teams consume,
1007
00:41:09,040 –> 00:41:11,120
and you make those templates the default interface
1008
00:41:11,120 –> 00:41:13,360
for deploying infrastructure and applications.
1009
00:41:13,360 –> 00:41:15,680
Teams can still choose their branching strategies.
1010
00:41:15,680 –> 00:41:17,520
They can still choose their deployment cadence.
1011
00:41:17,520 –> 00:41:19,440
They can still choose their service design.
1012
00:41:19,440 –> 00:41:21,120
But they do not get to invent a new
1013
00:41:21,120 –> 00:41:23,200
privileged execution model every sprint.
1014
00:41:23,200 –> 00:41:26,320
If you’re a cloud architect, focus on the invariant.
1015
00:41:26,320 –> 00:41:27,840
Pipelines run identities.
1016
00:41:27,840 –> 00:41:29,200
Identities have permissions.
1017
00:41:29,200 –> 00:41:31,200
Permissions shape blast radius.
1018
00:41:31,200 –> 00:41:33,360
So if your pipelines can run arbitrary scripts
1019
00:41:33,360 –> 00:41:34,640
with broad credentials,
1020
00:41:34,640 –> 00:41:36,240
you didn’t build a delivery system.
1021
00:41:36,240 –> 00:41:38,320
You built a distributed admin console.
1022
00:41:38,320 –> 00:41:40,000
The practical control points are boring
1023
00:41:40,000 –> 00:41:41,360
which is why they get skipped.
1024
00:41:41,360 –> 00:41:44,160
First, standard pipeline templates with guardrails.
1025
00:41:44,160 –> 00:41:46,560
The template should encode minimum evidence.
1026
00:41:46,560 –> 00:41:48,800
What artifact was deployed from what commit
1027
00:41:48,800 –> 00:41:51,200
by whom, with what approvals into what environment.
1028
00:41:51,200 –> 00:41:53,360
That is not bureaucracy. That is traceability.
1029
00:41:53,360 –> 00:41:55,680
Second, treat secrets and access
1030
00:41:55,680 –> 00:41:57,280
like production dependencies.
1031
00:41:57,280 –> 00:41:58,720
Use a real secret store
1032
00:41:58,720 –> 00:42:01,840
and stop pretending variables in a pipeline UIR good enough.
1033
00:42:01,840 –> 00:42:04,640
The system will root secrets into logs
1034
00:42:04,640 –> 00:42:06,560
into outputs into human screenshots.
1035
00:42:06,560 –> 00:42:07,520
That’s what systems do.
1036
00:42:07,520 –> 00:42:09,680
Your job is to reduce the probability surface.
1037
00:42:09,680 –> 00:42:11,680
Third, constrain infrastructure changes
1038
00:42:11,680 –> 00:42:13,200
with reproducibility.
1039
00:42:13,200 –> 00:42:14,640
If environments aren’t reproducible,
1040
00:42:14,640 –> 00:42:16,640
you will rebuild them under incident pressure
1041
00:42:16,640 –> 00:42:19,280
and you will introduce drift while trying to reduce it.
1042
00:42:19,280 –> 00:42:22,000
Infrastructure as code isn’t a nice to have at scale.
1043
00:42:22,000 –> 00:42:24,240
It is the only way to make environments less personal.
1044
00:42:24,240 –> 00:42:26,880
Fourth, get-ops patterns where they fit.
1045
00:42:26,880 –> 00:42:30,720
Not as a religion, but as a way to make desired state explicit and reviewable.
1046
00:42:30,720 –> 00:42:32,480
If the running state is the only truth,
1047
00:42:32,480 –> 00:42:33,520
you can’t govern it.
1048
00:42:33,520 –> 00:42:35,680
You can only discover it after it hurts you.
1049
00:42:35,680 –> 00:42:37,920
And then there’s the part people don’t like hearing.
1050
00:42:37,920 –> 00:42:40,640
Startup freedom doesn’t survive enterprise audits.
1051
00:42:40,640 –> 00:42:43,040
In a start-up, you can accept informal process
1052
00:42:43,040 –> 00:42:46,080
because the org can still hold the whole system in its head.
1053
00:42:46,080 –> 00:42:47,360
In an enterprise, you can’t.
1054
00:42:47,360 –> 00:42:50,320
You have too many teams, too many changes, too many dependencies,
1055
00:42:50,320 –> 00:42:51,600
and too much turnover.
1056
00:42:51,600 –> 00:42:53,680
So the delivery system must be standardized enough
1057
00:42:53,680 –> 00:42:55,360
that new teams can ship safely
1058
00:42:55,360 –> 00:42:58,000
without becoming experts in your organizational history.
1059
00:42:58,000 –> 00:43:00,000
That’s the entire point of a paved road.
1060
00:43:00,000 –> 00:43:03,120
Now, what does success look like in your three headline metrics?
1061
00:43:03,120 –> 00:43:05,600
Lead time drops when teams stop reinventing pipelines
1062
00:43:05,600 –> 00:43:07,600
and stop waiting on bespoke approvals.
1063
00:43:07,600 –> 00:43:09,280
Time to first environment drops
1064
00:43:09,280 –> 00:43:11,440
when the delivery system integrates with subscription
1065
00:43:11,440 –> 00:43:13,600
vending and the baseline pipeline can deploy
1066
00:43:13,600 –> 00:43:15,840
into a governed subscription immediately.
1067
00:43:15,840 –> 00:43:17,520
Policy compliance rate improves
1068
00:43:17,520 –> 00:43:20,000
when the delivery system stops being an escape hatch
1069
00:43:20,000 –> 00:43:22,480
and becomes a consistent enforcement surface.
1070
00:43:22,480 –> 00:43:25,360
Templates apply tags, enable diagnostics,
1071
00:43:25,360 –> 00:43:28,320
and deploy modules that already conform to policy baselines.
1072
00:43:28,320 –> 00:43:30,480
Once you nail this, everything else clicks
1073
00:43:30,480 –> 00:43:33,280
because repeatable delivery requires repeatable building blocks.
1074
00:43:33,280 –> 00:43:35,280
And that means modules not forks.
1075
00:43:35,280 –> 00:43:38,960
AVM+ISE repeatability as default, not a side project.
1076
00:43:38,960 –> 00:43:41,760
Once you accept that the delivery system is a control plane,
1077
00:43:41,760 –> 00:43:44,160
the next uncomfortable truth shows up.
1078
00:43:44,160 –> 00:43:45,680
Repeatability is not a preference.
1079
00:43:45,680 –> 00:43:48,720
It is the only way an enterprise survives its own turnover.
1080
00:43:48,720 –> 00:43:52,160
Most organizations treat infrastructure as code like a tool choice.
1081
00:43:52,160 –> 00:43:55,120
Terraform versus bicep, pipelines versus scripts,
1082
00:43:55,120 –> 00:43:57,200
repo structure arguments that never end.
1083
00:43:57,200 –> 00:43:59,040
But the actual problem isn’t syntax.
1084
00:43:59,040 –> 00:44:00,160
The problem is variance.
1085
00:44:00,160 –> 00:44:02,320
Every bespoke module, every copied repo,
1086
00:44:02,320 –> 00:44:05,280
every temporary tweak becomes a snowflake you will own forever,
1087
00:44:05,280 –> 00:44:06,800
whether you intend it or not.
1088
00:44:06,800 –> 00:44:09,600
And at Azure Scale snowflakes don’t melt, they multiply.
1089
00:44:09,600 –> 00:44:13,600
If you’re a CIO, here’s the implication.
1090
00:44:13,600 –> 00:44:16,480
Every forked infrastructure pattern is future operating cost,
1091
00:44:16,480 –> 00:44:18,000
not because it’s morally wrong,
1092
00:44:18,000 –> 00:44:20,560
because it’s a different failure mode your teams must remember
1093
00:44:20,560 –> 00:44:22,160
during incidents and audits.
1094
00:44:22,160 –> 00:44:25,600
The organization pays for that in lead time, rework, and human fatigue.
1095
00:44:25,600 –> 00:44:28,800
If you run a platform team, this is where you usually lose credibility.
1096
00:44:28,800 –> 00:44:30,480
You publish a reference module,
1097
00:44:30,480 –> 00:44:32,320
but it’s incomplete, undocumented,
1098
00:44:32,320 –> 00:44:34,320
and breaks the moment a real workload hits it.
1099
00:44:34,320 –> 00:44:35,440
So teams do what teams do.
1100
00:44:35,440 –> 00:44:37,280
They copy it, they patch it locally,
1101
00:44:37,280 –> 00:44:39,680
and now you have five forks with five security postures.
1102
00:44:39,680 –> 00:44:42,880
Congratulations, you just invented distributed platform engineering.
1103
00:44:42,880 –> 00:44:45,040
The alternative is to treat modules as products.
1104
00:44:45,040 –> 00:44:48,000
This is where AVM, Azure Verified Modules, maps
1105
00:44:48,000 –> 00:44:50,080
clearly to operating model intent,
1106
00:44:50,080 –> 00:44:51,760
not as a badge, as a discipline,
1107
00:44:51,760 –> 00:44:54,320
standardized building blocks that teams consume version
1108
00:44:54,320 –> 00:44:55,760
and upgrade deliberately.
1109
00:44:55,760 –> 00:44:59,360
AVM matters because it pushes you towards a default behavior,
1110
00:44:59,360 –> 00:45:00,880
reuse instead of reinvention.
1111
00:45:00,880 –> 00:45:04,800
That distinction matters because I see without module discipline
1112
00:45:04,800 –> 00:45:06,880
just moves drift from the portal to Git.
1113
00:45:06,880 –> 00:45:10,400
Now, there’s modules as products has a few non-negotiable properties.
1114
00:45:10,400 –> 00:45:12,560
Versioning if a module doesn’t have controlled versions,
1115
00:45:12,560 –> 00:45:14,240
you can’t reason about change impact.
1116
00:45:14,240 –> 00:45:15,760
You can’t coordinate upgrades,
1117
00:45:15,760 –> 00:45:18,000
you can’t audit what’s deployed, you’re just hoping.
1118
00:45:18,000 –> 00:45:21,200
Documentation, not a marketing page.
1119
00:45:21,200 –> 00:45:24,080
Real usage guidance, inputs, outputs, and constraints.
1120
00:45:24,080 –> 00:45:26,720
If the module requires tribal knowledge to use safely,
1121
00:45:26,720 –> 00:45:28,960
it’s not a module, it’s an entropy generator.
1122
00:45:28,960 –> 00:45:29,840
Testing and review.
1123
00:45:29,840 –> 00:45:33,280
Infrastructure is code, therefore it needs the same discipline.
1124
00:45:33,280 –> 00:45:37,120
Review gates that are fast, deterministic, and visible.
1125
00:45:37,120 –> 00:45:38,560
Guardrails, not committee meetings,
1126
00:45:38,560 –> 00:45:41,040
and finally upgrades as a managed process.
1127
00:45:41,040 –> 00:45:43,840
You don’t customize the module to fit your workload,
1128
00:45:43,840 –> 00:45:46,000
because the moment you do that, you didn’t customize.
1129
00:45:46,000 –> 00:45:49,600
You forked and a fork is a permanent liability with a friendly name.
1130
00:45:49,600 –> 00:45:52,080
If you’re an architect, this is one of those system laws.
1131
00:45:52,080 –> 00:45:54,080
The first fork feels like agility.
1132
00:45:54,080 –> 00:45:55,920
The 20th fork becomes an audit event.
1133
00:45:55,920 –> 00:45:59,120
So you need a pattern that keeps teams inside the paved road
1134
00:45:59,120 –> 00:46:00,720
while still letting them ship.
1135
00:46:00,720 –> 00:46:02,000
A simple model is,
1136
00:46:02,000 –> 00:46:05,440
platform team owns the module backlog and the release cadence.
1137
00:46:05,440 –> 00:46:07,920
Product teams consume modules and can request features
1138
00:46:07,920 –> 00:46:09,840
through normal backlog intake.
1139
00:46:09,840 –> 00:46:13,040
If a product team needs something truly unique,
1140
00:46:13,040 –> 00:46:14,800
that becomes an exception pathway decision,
1141
00:46:14,800 –> 00:46:16,640
not an ad hoc commit, and you measure it.
1142
00:46:16,640 –> 00:46:20,720
Paved road adoption isn’t just, did they use the pipeline?
1143
00:46:20,720 –> 00:46:22,880
It’s, did they deploy from sanctioned modules
1144
00:46:22,880 –> 00:46:25,040
or did they fork their own reality?
1145
00:46:25,040 –> 00:46:26,640
Module adoption is measurable.
1146
00:46:26,640 –> 00:46:27,760
Fork count is measurable.
1147
00:46:27,760 –> 00:46:28,960
Upgrade lag is measurable.
1148
00:46:28,960 –> 00:46:31,600
Now bring this back to the three headline metrics.
1149
00:46:31,600 –> 00:46:34,960
Lead time improves when teams stop inventing infrastructure patterns
1150
00:46:34,960 –> 00:46:36,320
in every project.
1151
00:46:36,320 –> 00:46:38,880
They assemble workloads from known building blocks.
1152
00:46:38,880 –> 00:46:41,440
Time to first environment improves when environment scaffolding
1153
00:46:41,440 –> 00:46:44,080
is a reusable composition, not a bespoke engagement.
1154
00:46:44,080 –> 00:46:47,680
You can’t self serve environments if every environment is handcrafted.
1155
00:46:47,680 –> 00:46:50,960
Policy compliance rate improves when modules already embed the controls
1156
00:46:50,960 –> 00:46:52,560
you intend to enforce.
1157
00:46:52,560 –> 00:46:56,080
Tagging, diagnostics configuration, networking patterns,
1158
00:46:56,080 –> 00:47:00,080
security faults, policy then becomes validation, not constant conflict.
1159
00:47:00,080 –> 00:47:01,360
And yes, there’s a cost.
1160
00:47:01,360 –> 00:47:04,560
You are trading some local flexibility for global predictability.
1161
00:47:04,560 –> 00:47:05,760
That’s the trade you want.
1162
00:47:05,760 –> 00:47:09,840
Because Azure at scale is not about how fast you can build the first environment.
1163
00:47:09,840 –> 00:47:12,960
It’s about whether the hundredth environment looks like the first one
1164
00:47:12,960 –> 00:47:16,080
without needing the same humans to remember how it was done.
1165
00:47:16,080 –> 00:47:20,240
Next we talk about the layer that makes every incident either solvable or theatrical.
1166
00:47:20,240 –> 00:47:21,600
Shared observability.
1167
00:47:21,600 –> 00:47:24,320
Observability as a shared service, not a team preference.
1168
00:47:24,320 –> 00:47:27,520
Observability is where the enterprise finds out whether it built a platform
1169
00:47:27,520 –> 00:47:29,440
or just funded a collection of opinions.
1170
00:47:29,440 –> 00:47:32,880
Most organizations treat logging and monitoring as a team preference.
1171
00:47:32,880 –> 00:47:36,320
One team loves application insights, another team ships custom dashboards,
1172
00:47:36,320 –> 00:47:39,040
another team logs to whatever the vendor recommends.
1173
00:47:39,040 –> 00:47:42,960
And the fourth team forgets diagnostics entirely because nobody blocked the deployment.
1174
00:47:42,960 –> 00:47:44,160
That isn’t observability.
1175
00:47:44,160 –> 00:47:46,000
It’s a distributed narrative system.
1176
00:47:46,000 –> 00:47:48,880
And during an incident, narratives don’t restore service.
1177
00:47:48,880 –> 00:47:51,040
If you’re a CIO, here’s the implication.
1178
00:47:51,040 –> 00:47:54,240
Inconsistent telemetry turns every outage into a people problem.
1179
00:47:54,240 –> 00:47:58,000
Not because engineers are bad, but because you force them to reconstruct reality
1180
00:47:58,000 –> 00:48:00,400
from incompatible signals while customers wait.
1181
00:48:00,400 –> 00:48:05,120
That is operational risk created by governance drift, not by technical incompetence.
1182
00:48:05,120 –> 00:48:08,000
If you run a platform team, this is where you usually lose trust.
1183
00:48:08,000 –> 00:48:10,880
You can’t demand SLO ownership from product teams
1184
00:48:10,880 –> 00:48:15,840
while giving them a monitoring foundation that’s optional, fragmented, and priced like a surprise.
1185
00:48:15,840 –> 00:48:17,280
So the reframe is simple.
1186
00:48:17,280 –> 00:48:22,800
Observability is a shared service, like identity, like networking, like policy enforcement.
1187
00:48:22,800 –> 00:48:25,280
Teams can build on it, but they don’t get to reinvent it.
1188
00:48:25,280 –> 00:48:26,720
There are two reasons this works.
1189
00:48:26,720 –> 00:48:28,960
First, it creates a consistent incident language.
1190
00:48:28,960 –> 00:48:31,840
When every workload emits baseline telemetry in a consistent way,
1191
00:48:31,840 –> 00:48:34,320
you can write runbooks that apply across teams.
1192
00:48:34,320 –> 00:48:37,840
You can train on-call engineers without teaching 10 custom logging schemes.
1193
00:48:37,840 –> 00:48:40,960
You can correlate across subscriptions without archaeology.
1194
00:48:40,960 –> 00:48:42,560
Second, it creates evidence.
1195
00:48:42,560 –> 00:48:44,240
Or, it’s don’t care about your intentions.
1196
00:48:44,240 –> 00:48:45,440
They care about records.
1197
00:48:45,440 –> 00:48:46,160
What happened?
1198
00:48:46,160 –> 00:48:47,840
When? Who changed? What?
1199
00:48:47,840 –> 00:48:50,560
And whether you can show control in the real system,
1200
00:48:50,560 –> 00:48:53,440
Azure gives you the raw ingredients for this.
1201
00:48:53,440 –> 00:48:56,640
Azure Monitor, Log Analytics Workspaces,
1202
00:48:56,640 –> 00:49:01,360
Diagnostic Settings, and Activity Logs, but the platform won’t decide your strategy.
1203
00:49:01,360 –> 00:49:02,000
You will.
1204
00:49:02,000 –> 00:49:04,560
The foundational decision is workspace strategy.
1205
00:49:04,560 –> 00:49:06,960
Centralized versus segmented isn’t theology.
1206
00:49:06,960 –> 00:49:09,280
It’s an access and accountability decision.
1207
00:49:09,280 –> 00:49:13,040
A central workspace can simplify cross-team investigation and correlation.
1208
00:49:13,040 –> 00:49:17,200
Segmented workspaces can align to data access boundaries and compliance requirements,
1209
00:49:17,200 –> 00:49:18,000
either can work.
1210
00:49:18,000 –> 00:49:21,280
What doesn’t work is accidental sprawl.
1211
00:49:21,280 –> 00:49:25,520
Dozens of workspaces created per project because that’s what the portal wizard did.
1212
00:49:25,520 –> 00:49:27,440
And then nobody knows where the logs went.
1213
00:49:27,440 –> 00:49:30,880
So pick a model, publish it, and make it the default through the pay of droid.
1214
00:49:30,880 –> 00:49:32,800
And then enforce the baseline telemetry.
1215
00:49:32,800 –> 00:49:34,400
This is where most people miss the mechanics.
1216
00:49:34,400 –> 00:49:36,320
You don’t get a baseline by asking nicely.
1217
00:49:36,320 –> 00:49:39,680
You get a baseline by making it the default outcome of deployment.
1218
00:49:39,680 –> 00:49:43,920
For Azure Resources, that means diagnostic settings get configured as a standard,
1219
00:49:43,920 –> 00:49:45,600
not negotiated per team.
1220
00:49:45,600 –> 00:49:49,280
Activity logs get routed where your incident responders can actually query them.
1221
00:49:49,280 –> 00:49:51,600
Critical categories get collected consistently,
1222
00:49:51,600 –> 00:49:55,280
so security and operations aren’t guessing which table to search during pressure.
1223
00:49:55,280 –> 00:49:57,440
If you’re an architect, notice the pattern.
1224
00:49:57,440 –> 00:49:59,680
This is identical to policy and networking.
1225
00:49:59,680 –> 00:50:02,720
The default has to be enforceable, otherwise the system drifts.
1226
00:50:02,720 –> 00:50:04,880
Now define your operational metric correctly.
1227
00:50:04,880 –> 00:50:08,560
MTTR is not enough because MTTR collapses multiple failures into one number
1228
00:50:08,560 –> 00:50:09,920
and it hides the real issue.
1229
00:50:09,920 –> 00:50:12,800
You spend half the incident just figuring out what was happening.
1230
00:50:12,800 –> 00:50:16,800
So track mean time to detect and mean time to explain.
1231
00:50:16,800 –> 00:50:19,600
Mean time to detect tells you whether your signals are fast and reliable.
1232
00:50:19,600 –> 00:50:22,640
Mean time to explain tells you whether your telemetry is usable.
1233
00:50:22,640 –> 00:50:24,320
You can fix the system you understand.
1234
00:50:24,320 –> 00:50:26,320
You can’t fix the system you can’t describe.
1235
00:50:26,320 –> 00:50:29,440
And this is why team preference breaks at scale.
1236
00:50:29,440 –> 00:50:32,800
Preferences optimize locally, shared services optimize globally.
1237
00:50:32,800 –> 00:50:33,920
Now the cynical truth.
1238
00:50:33,920 –> 00:50:36,160
Observability becomes the first budget fight.
1239
00:50:36,160 –> 00:50:38,400
Logging costs money, retention costs money,
1240
00:50:38,400 –> 00:50:39,840
centralization costs money,
1241
00:50:39,840 –> 00:50:41,600
and if you don’t design the cost model,
1242
00:50:41,600 –> 00:50:43,360
teams will do what they always do.
1243
00:50:43,360 –> 00:50:45,280
They’ll reduce logging to reduce spend
1244
00:50:45,280 –> 00:50:47,920
and then they’ll act surprised when incidents take longer.
1245
00:50:47,920 –> 00:50:49,760
So link observability to accountability.
1246
00:50:49,760 –> 00:50:52,080
And if you want showback in unit economics to be real,
1247
00:50:52,080 –> 00:50:54,480
you need consistent tagging and cost ownership.
1248
00:50:54,480 –> 00:50:56,560
But you also need consistent telemetry
1249
00:50:56,560 –> 00:50:59,600
so you can tie cost to behavior, noisy logs,
1250
00:50:59,600 –> 00:51:02,400
high cardinality metrics, runaway ingestion,
1251
00:51:02,400 –> 00:51:03,680
unbounded retention.
1252
00:51:03,680 –> 00:51:05,360
Those are architectural outcomes.
1253
00:51:05,360 –> 00:51:06,400
They shouldn’t be invisible.
1254
00:51:06,400 –> 00:51:07,440
If you’re a CIO,
1255
00:51:07,440 –> 00:51:10,000
this is where governance stops being security
1256
00:51:10,000 –> 00:51:11,680
and becomes business control.
1257
00:51:11,680 –> 00:51:14,880
Your funding a capability that makes outages shorter,
1258
00:51:14,880 –> 00:51:18,000
audits easier and cost arguments factual instead of political.
1259
00:51:18,000 –> 00:51:19,440
And if you run a platform team,
1260
00:51:19,440 –> 00:51:22,640
this is how you prove value without becoming a ticket queue.
1261
00:51:22,640 –> 00:51:24,960
Ship the logging baseline, measure coverage,
1262
00:51:24,960 –> 00:51:26,240
measure time to detect,
1263
00:51:26,240 –> 00:51:27,840
and show the exception trend.
1264
00:51:27,840 –> 00:51:30,160
Because the moment teams can opt out, they will.
1265
00:51:30,160 –> 00:51:32,000
Not out of malice, out of pressure.
1266
00:51:32,000 –> 00:51:33,840
Next we talk about the other shared service
1267
00:51:33,840 –> 00:51:35,120
that defines blast radius,
1268
00:51:35,120 –> 00:51:36,720
whether you admitted or not.
1269
00:51:36,720 –> 00:51:38,320
The network baseline.
1270
00:51:38,320 –> 00:51:41,120
Network baselines happen spoke thinking beyond wiring.
1271
00:51:41,120 –> 00:51:43,120
Networking is where the enterprise discovers
1272
00:51:43,120 –> 00:51:44,560
whether it believes in blast radius.
1273
00:51:44,560 –> 00:51:46,320
Because identity is who can do things.
1274
00:51:46,320 –> 00:51:47,600
Policy is what is allowed.
1275
00:51:47,600 –> 00:51:49,360
Observability is what you can prove.
1276
00:51:49,360 –> 00:51:51,280
But the network is where failures travel.
1277
00:51:51,280 –> 00:51:53,440
And most organizations treat it like wiring.
1278
00:51:53,440 –> 00:51:55,840
As if it’s just connect the thing to the thing
1279
00:51:55,840 –> 00:51:56,720
then move on.
1280
00:51:56,720 –> 00:51:58,080
That is not what it is.
1281
00:51:58,080 –> 00:51:59,680
In an enterprise as your estate,
1282
00:51:59,680 –> 00:52:01,680
the network baseline is a security boundary
1283
00:52:01,680 –> 00:52:03,840
and operability boundary and a cost boundary.
1284
00:52:03,840 –> 00:52:06,240
It defines what can talk to what,
1285
00:52:06,240 –> 00:52:07,680
where traffic can exit,
1286
00:52:07,680 –> 00:52:09,600
how private services are consumed,
1287
00:52:09,600 –> 00:52:12,480
and how lateral movement happens when something goes wrong.
1288
00:52:12,480 –> 00:52:16,160
That distinction matters because breaches and outages
1289
00:52:16,160 –> 00:52:17,440
don’t spread through org charts.
1290
00:52:17,440 –> 00:52:18,880
They spread through routes.
1291
00:52:18,880 –> 00:52:20,720
If you’re a CIO, here’s the implication.
1292
00:52:20,720 –> 00:52:23,040
Networking is not a product selection debate.
1293
00:52:23,040 –> 00:52:24,720
It is an operating model boundary.
1294
00:52:24,720 –> 00:52:27,200
It decides which responsibilities live with the platform team
1295
00:52:27,200 –> 00:52:29,680
and which responsibilities are delegated to product teams.
1296
00:52:29,680 –> 00:52:31,040
If you get that boundary wrong,
1297
00:52:31,040 –> 00:52:32,560
you don’t just get bad architecture.
1298
00:52:32,560 –> 00:52:35,600
You get permanent exception pathways that become untouchable.
1299
00:52:35,600 –> 00:52:37,920
If you run a platform team, here’s the uncomfortable truth.
1300
00:52:37,920 –> 00:52:40,800
Every just this one’s network exception
1301
00:52:40,800 –> 00:52:41,920
becomes a future incident,
1302
00:52:41,920 –> 00:52:43,360
you can’t debug at 2 a.m.
1303
00:52:43,360 –> 00:52:45,120
Because nobody remembers why it exists.
1304
00:52:45,120 –> 00:52:47,760
Point to point peering, ad hoc firewall rules,
1305
00:52:47,760 –> 00:52:48,960
one off DNS hacks,
1306
00:52:48,960 –> 00:52:50,240
these aren’t misconfigurations,
1307
00:52:50,240 –> 00:52:52,320
they’re design omissions that became permanent.
1308
00:52:52,320 –> 00:52:53,840
So what does a baseline actually mean?
1309
00:52:53,840 –> 00:52:55,680
It means you pick a shared services pattern,
1310
00:52:55,680 –> 00:52:57,040
hub and spoke, or VWR,
1311
00:52:57,040 –> 00:52:58,960
or whatever your chosen reality is.
1312
00:52:58,960 –> 00:53:01,120
And then you treat it like a platform product.
1313
00:53:01,120 –> 00:53:02,960
A hub is where you centralize capabilities
1314
00:53:02,960 –> 00:53:05,040
that should not be reinvented per workload,
1315
00:53:05,040 –> 00:53:07,120
firewalling, egress control,
1316
00:53:07,120 –> 00:53:09,680
DNS strategy, private endpoint patterns,
1317
00:53:09,680 –> 00:53:11,360
shared ingress, jump access,
1318
00:53:11,360 –> 00:53:12,560
and network observability.
1319
00:53:12,560 –> 00:53:15,040
Spokes are where workloads live,
1320
00:53:15,040 –> 00:53:17,520
inside constraints with predictable routing.
1321
00:53:17,520 –> 00:53:19,120
And the point is not the diagram.
1322
00:53:19,120 –> 00:53:21,120
The point is that the hub is the place
1323
00:53:21,120 –> 00:53:23,280
where the platform team can enforce assumptions.
1324
00:53:23,280 –> 00:53:25,120
And the spokes are the place where product teams
1325
00:53:25,120 –> 00:53:27,920
can move fast without inventing their own perimeter.
1326
00:53:27,920 –> 00:53:29,760
If you want autonomy with alignment,
1327
00:53:29,760 –> 00:53:32,160
this is one of the most honest mechanisms you have.
1328
00:53:32,160 –> 00:53:33,760
Now, here’s where most people mess up.
1329
00:53:33,760 –> 00:53:35,840
They confuse centralization with control.
1330
00:53:35,840 –> 00:53:37,280
They centralize everything,
1331
00:53:37,280 –> 00:53:39,120
then they make every change a ticket.
1332
00:53:39,120 –> 00:53:40,880
Please add this firewall rule.
1333
00:53:40,880 –> 00:53:42,400
Please peer this vnet.
1334
00:53:42,400 –> 00:53:44,880
Please create this private DNS zone.
1335
00:53:44,880 –> 00:53:46,560
Please whitelist this IP.
1336
00:53:46,560 –> 00:53:48,880
And then they act surprised when teams bypass
1337
00:53:48,880 –> 00:53:51,440
the network baseline by deploying public endpoints
1338
00:53:51,440 –> 00:53:53,440
or by creating alternative routing
1339
00:53:53,440 –> 00:53:55,920
or by spinning up temporary connectivity
1340
00:53:55,920 –> 00:53:57,280
that becomes production.
1341
00:53:57,280 –> 00:53:59,280
The network baseline cannot be a help desk.
1342
00:53:59,280 –> 00:54:00,800
It has to be an interface.
1343
00:54:00,800 –> 00:54:02,720
In practice, that means the platform team
1344
00:54:02,720 –> 00:54:04,560
owns the connectivity substrate
1345
00:54:04,560 –> 00:54:05,840
and product teams attached to it
1346
00:54:05,840 –> 00:54:07,520
through a deterministic pattern.
1347
00:54:07,520 –> 00:54:09,920
Not through a meeting, not through a slack thread.
1348
00:54:09,920 –> 00:54:11,040
If you remember nothing else,
1349
00:54:11,040 –> 00:54:13,360
the network baseline is how you control blast radius
1350
00:54:13,360 –> 00:54:15,120
without controlling every deployment.
1351
00:54:15,120 –> 00:54:17,120
Now connect this back to ALZ and vending
1352
00:54:17,120 –> 00:54:19,600
because this is where the system actually becomes enforceable.
1353
00:54:19,600 –> 00:54:21,120
At subscription creation time,
1354
00:54:21,120 –> 00:54:23,440
you can attach a subscription to the network baseline,
1355
00:54:23,440 –> 00:54:25,040
place it in the right management group,
1356
00:54:25,040 –> 00:54:26,400
apply the policy initiative
1357
00:54:26,400 –> 00:54:28,080
that enforces network standards
1358
00:54:28,080 –> 00:54:29,600
and ensure the default route
1359
00:54:29,600 –> 00:54:32,160
and DNS patterns match the platform posture.
1360
00:54:32,160 –> 00:54:34,080
This is what prevents the first workload
1361
00:54:34,080 –> 00:54:35,920
from inventing its own perimeter
1362
00:54:35,920 –> 00:54:37,520
and it also prevents the platform team
1363
00:54:37,520 –> 00:54:40,320
from being dragged into every spoke as a human router.
1364
00:54:40,320 –> 00:54:43,120
From their product teams can still own their own spoke vnet,
1365
00:54:43,120 –> 00:54:44,960
their subnet, their NSGs,
1366
00:54:44,960 –> 00:54:47,120
and their application level connectivity decisions
1367
00:54:47,120 –> 00:54:48,400
within the guardrails.
1368
00:54:48,400 –> 00:54:49,200
They can still ship,
1369
00:54:49,200 –> 00:54:52,160
but they don’t get to define enterprise egress policy.
1370
00:54:52,160 –> 00:54:53,920
They don’t get to define the organization’s
1371
00:54:53,920 –> 00:54:55,120
private endpoint strategy.
1372
00:54:55,120 –> 00:54:57,440
They don’t get to decide that DNS is optional.
1373
00:54:57,440 –> 00:54:58,640
Those are platform decisions
1374
00:54:58,640 –> 00:55:00,720
because they affect every other team’s ability
1375
00:55:00,720 –> 00:55:02,000
to operate safely.
1376
00:55:02,000 –> 00:55:04,640
And the failure mode is predictable when you don’t do this.
1377
00:55:04,640 –> 00:55:06,480
The hub becomes mostly standard
1378
00:55:06,480 –> 00:55:08,240
and then it accretes exceptions.
1379
00:55:08,240 –> 00:55:11,120
Direct peering because someone needed lower latency,
1380
00:55:11,120 –> 00:55:14,080
special routes because a vendor required it,
1381
00:55:14,080 –> 00:55:17,760
temporary public access because private endpoints were too hard,
1382
00:55:17,760 –> 00:55:20,160
and DNS changes because nobody wanted to align
1383
00:55:20,160 –> 00:55:22,800
workspace boundaries with network boundaries.
1384
00:55:22,800 –> 00:55:24,880
Over time, the baseline stops being a baseline
1385
00:55:24,880 –> 00:55:26,720
that becomes an archaeological site.
1386
00:55:26,720 –> 00:55:29,040
So treat network exceptions like any other exception,
1387
00:55:29,040 –> 00:55:32,320
owner, reason, compensating control, expiration.
1388
00:55:32,320 –> 00:55:34,720
If you can’t expire it, make it the new baseline
1389
00:55:34,720 –> 00:55:36,480
and update the platform product
1390
00:55:36,480 –> 00:55:38,400
because unmanaged network exceptions
1391
00:55:38,400 –> 00:55:39,920
don’t just create drift.
1392
00:55:39,920 –> 00:55:41,680
They create invisible pathways
1393
00:55:41,680 –> 00:55:43,920
and invisible pathways are how both attackers
1394
00:55:43,920 –> 00:55:45,440
and outages move laterally.
1395
00:55:45,440 –> 00:55:46,960
Next scale turns into money
1396
00:55:46,960 –> 00:55:50,160
and money is the one control system nobody can ignore.
1397
00:55:50,160 –> 00:55:53,440
Financial and operational accountability
1398
00:55:53,440 –> 00:55:54,960
Finops as a control system.
1399
00:55:54,960 –> 00:55:56,240
Now scale turns into money
1400
00:55:56,240 –> 00:55:59,120
and money is the one control system nobody can ignore.
1401
00:55:59,120 –> 00:56:02,240
Most enterprises treat cost as an after the fact report.
1402
00:56:02,240 –> 00:56:05,200
You spend first, then finance shows up later with a chart
1403
00:56:05,200 –> 00:56:07,200
and everyone argues about why it happened.
1404
00:56:07,200 –> 00:56:09,440
That’s not Finops, that’s archaeology.
1405
00:56:09,440 –> 00:56:10,880
Finops is a control system.
1406
00:56:10,880 –> 00:56:15,040
It’s how you keep variable consumption tied to an accountable owner
1407
00:56:15,040 –> 00:56:17,200
in near real time with a feedback loop
1408
00:56:17,200 –> 00:56:19,920
that forces trade-offs into daylight.
1409
00:56:19,920 –> 00:56:22,560
Without that loop, cloud cost doesn’t get managed.
1410
00:56:22,560 –> 00:56:24,560
It just gets redistributed into politics.
1411
00:56:24,560 –> 00:56:26,320
If you’re a CIO, this is the implication
1412
00:56:26,320 –> 00:56:28,000
the cloud is a variable cost engine.
1413
00:56:28,000 –> 00:56:30,240
If you don’t build a variable cost operating model,
1414
00:56:30,240 –> 00:56:32,560
you will default back to capital style governance,
1415
00:56:32,560 –> 00:56:34,400
committees, quotas and blunt denial.
1416
00:56:34,400 –> 00:56:38,000
That protects the budget while it destroys lead time and innovation.
1417
00:56:38,000 –> 00:56:40,720
If you run a platform team, this is where you usually get blamed
1418
00:56:40,720 –> 00:56:42,080
for bills you didn’t approve.
1419
00:56:42,080 –> 00:56:44,960
And if you run product teams, this is where you discover the difference
1420
00:56:44,960 –> 00:56:46,640
between shipping and owning.
1421
00:56:46,640 –> 00:56:50,080
Because in Azure, every deployment is also a financial decision.
1422
00:56:50,080 –> 00:56:51,520
Start with the truth nobody wants.
1423
00:56:51,520 –> 00:56:53,280
Tags are not a naming convention.
1424
00:56:53,280 –> 00:56:54,960
Tags are the cost ownership map.
1425
00:56:54,960 –> 00:56:56,960
If a subscription or workload cannot be mapped
1426
00:56:56,960 –> 00:56:59,680
to a cost owner and an environment, you cannot do showback.
1427
00:56:59,680 –> 00:57:00,880
You can only do blame.
1428
00:57:00,880 –> 00:57:02,960
So the first Finops control is boring,
1429
00:57:02,960 –> 00:57:04,640
enforced tagging at creation.
1430
00:57:04,640 –> 00:57:07,120
Not later, not with a quarterly cleanup sprint.
1431
00:57:07,120 –> 00:57:10,480
At creation, through your vending path and policy baseline.
1432
00:57:10,480 –> 00:57:12,960
If you can’t do that, you don’t have cost governance.
1433
00:57:12,960 –> 00:57:14,640
You have a spreadsheet habit.
1434
00:57:14,640 –> 00:57:16,720
Then you graduate in stages because chargeback
1435
00:57:16,720 –> 00:57:18,080
too early creates rebellion.
1436
00:57:18,080 –> 00:57:20,400
Stage one is showback, transparent reporting
1437
00:57:20,400 –> 00:57:23,280
that makes costs visible by owner, team and environment.
1438
00:57:23,280 –> 00:57:26,080
It changes behavior because it makes consumption legible.
1439
00:57:26,080 –> 00:57:28,240
It also exposes the shared services problem.
1440
00:57:28,240 –> 00:57:30,320
The hub, the firewall, the logging workspace,
1441
00:57:30,320 –> 00:57:31,600
the platform subscriptions.
1442
00:57:31,600 –> 00:57:33,440
Those costs are real and they need a model
1443
00:57:33,440 –> 00:57:36,160
or they will be treated as someone else’s overhead forever.
1444
00:57:36,160 –> 00:57:38,880
Stage two is accountability, budgets, alerts
1445
00:57:38,880 –> 00:57:40,880
and anomaly detection per owner.
1446
00:57:40,880 –> 00:57:43,920
Not to punish teams but to force timely decisions.
1447
00:57:43,920 –> 00:57:45,680
This is where cost becomes operational.
1448
00:57:45,680 –> 00:57:47,200
Why did ingestion spike?
1449
00:57:47,200 –> 00:57:48,640
Why did egress jump?
1450
00:57:48,640 –> 00:57:50,400
Why did this environment never shut down?
1451
00:57:50,400 –> 00:57:52,320
Why is this SKU used here?
1452
00:57:52,320 –> 00:57:53,680
These aren’t finance questions.
1453
00:57:53,680 –> 00:57:55,520
There are architecture questions with a price tag.
1454
00:57:55,520 –> 00:58:00,000
Stage three, when culture can handle it, is chargeback.
1455
00:58:00,000 –> 00:58:01,920
Teams pay for what they consume
1456
00:58:01,920 –> 00:58:04,400
and shared services have an explicit pricing model.
1457
00:58:04,400 –> 00:58:06,400
This is where the organization stops pretending
1458
00:58:06,400 –> 00:58:08,240
cloud spend is centrally controllable
1459
00:58:08,240 –> 00:58:10,160
while remaining decentralized in delivery.
1460
00:58:10,160 –> 00:58:12,560
It isn’t if teams deploy teams must own.
1461
00:58:12,560 –> 00:58:14,400
Now connect this to the operating model mechanics
1462
00:58:14,400 –> 00:58:15,600
we’ve already built.
1463
00:58:15,600 –> 00:58:17,200
Subscription vending gives you the place
1464
00:58:17,200 –> 00:58:19,280
to attach cost ownership at the start.
1465
00:58:19,280 –> 00:58:22,640
Tax, cost center, product identifiers, environment.
1466
00:58:22,640 –> 00:58:24,880
As your policy initiatives give you enforcement,
1467
00:58:24,880 –> 00:58:28,480
require tags, modify missing tags, audit the rest.
1468
00:58:28,480 –> 00:58:30,400
The paved road gives you the default patterns
1469
00:58:30,400 –> 00:58:32,720
that avoid expensive improvisation.
1470
00:58:32,720 –> 00:58:35,280
And the delivery system gives you traceability
1471
00:58:35,280 –> 00:58:37,920
which pipeline deployed what into which environment
1472
00:58:37,920 –> 00:58:38,800
with whose approval.
1473
00:58:38,800 –> 00:58:41,360
If you’re an architect, this is the uncomfortable truth.
1474
00:58:41,360 –> 00:58:43,360
Cost is a reliability signal.
1475
00:58:43,360 –> 00:58:44,960
Unbounded logging is cost.
1476
00:58:44,960 –> 00:58:46,880
Over provisioned networking is cost.
1477
00:58:46,880 –> 00:58:48,480
Idol environments are cost.
1478
00:58:48,480 –> 00:58:50,000
These are also operational failures
1479
00:58:50,000 –> 00:58:52,560
because they indicate you don’t control life cycle.
1480
00:58:52,560 –> 00:58:55,200
So use unit economics, not just monthly totals,
1481
00:58:55,200 –> 00:58:58,160
pick one unit metric that makes sense in your world.
1482
00:58:58,160 –> 00:59:00,720
Cost per environment, cost per product team
1483
00:59:00,720 –> 00:59:03,120
or cost per deploy, then track it over time.
1484
00:59:03,120 –> 00:59:06,240
If unit cost rises while delivery slows, you’re not scaling.
1485
00:59:06,240 –> 00:59:08,720
You’re accumulating entropy with a larger invoice.
1486
00:59:08,720 –> 00:59:10,640
And tie it back to the three headline metrics
1487
00:59:10,640 –> 00:59:12,560
because this is where leaders can’t hide.
1488
00:59:12,560 –> 00:59:14,560
Lead time improves when teams aren’t blocked
1489
00:59:14,560 –> 00:59:17,920
by ad hoc budget panics and late stage procurement debates.
1490
00:59:17,920 –> 00:59:19,440
Time to first environment improves
1491
00:59:19,440 –> 00:59:21,440
when environments are created through vending
1492
00:59:21,440 –> 00:59:24,080
with predictable cost tags and baseline controls
1493
00:59:24,080 –> 00:59:26,080
not negotiated through finance.
1494
00:59:26,080 –> 00:59:28,160
Policy compliance rate improves
1495
00:59:28,160 –> 00:59:31,360
when governance includes cost controls that are enforceable,
1496
00:59:31,360 –> 00:59:35,920
not aspirational, required tags, allowed skews where it matters,
1497
00:59:35,920 –> 00:59:38,160
and diagnostics defaults that prevent
1498
00:59:38,160 –> 00:59:41,600
turn it off to save money from becoming a silent outage tags.
1499
00:59:41,600 –> 00:59:44,240
Finops isn’t cost-cutting, it’s truth maintenance.
1500
00:59:44,240 –> 00:59:45,600
And when truth becomes continuous,
1501
00:59:45,600 –> 00:59:47,600
the operating model stops relying on trust
1502
00:59:47,600 –> 00:59:49,280
and starts relying on signals.
1503
00:59:49,280 –> 00:59:52,160
Long term success, operating model as a living system.
1504
00:59:52,160 –> 00:59:53,600
Here’s the part leaders avoid.
1505
00:59:53,600 –> 00:59:55,440
The operating model is never implemented.
1506
00:59:55,440 –> 00:59:56,320
It’s maintained.
1507
00:59:56,320 –> 00:59:57,280
Drift is the default,
1508
00:59:57,280 –> 01:00:00,400
so enforcement is the job and enforcement requires a cadence.
1509
01:00:00,400 –> 01:00:02,160
Quarantly review three signals.
1510
01:00:02,160 –> 01:00:05,200
Lead time, time to first environment and policy compliance.
1511
01:00:05,200 –> 01:00:07,520
Then look at the entropy indicators behind them.
1512
01:00:07,520 –> 01:00:10,160
Paved road adoption, exception volume,
1513
01:00:10,160 –> 01:00:12,400
and mean time to remediate non-compliance.
1514
01:00:12,400 –> 01:00:14,160
If exceptions rise, the road is failing.
1515
01:00:14,160 –> 01:00:16,800
If remediation lags, governance is theater.
1516
01:00:16,800 –> 01:00:19,440
If lead time rises, you rebuild gates.
1517
01:00:19,440 –> 01:00:21,360
Treat the platform like a product.
1518
01:00:21,360 –> 01:00:25,440
Version changes, deprecations, and clear interfaces.
1519
01:00:25,440 –> 01:00:28,000
And right decision rights down because turnover is guaranteed
1520
01:00:28,000 –> 01:00:29,680
and memory is not.
1521
01:00:29,680 –> 01:00:31,920
Closing reflection plus seven-day action.
1522
01:00:31,920 –> 01:00:35,280
Azure at scale is leadership design, not technical assembly.
1523
01:00:35,280 –> 01:00:37,280
In the next seven days, run a 90-minute workshop
1524
01:00:37,280 –> 01:00:39,440
with platform security, networking,
1525
01:00:39,440 –> 01:00:41,200
and two to three product teams.
1526
01:00:41,200 –> 01:00:44,000
Output three artifacts, a decision rights matrix,
1527
01:00:44,000 –> 01:00:47,440
a paved road MVP backlog, three to five golden paths,
1528
01:00:47,440 –> 01:00:49,040
and an exception pathway with owner,
1529
01:00:49,040 –> 01:00:51,040
compensating control and expiration.
1530
01:00:51,040 –> 01:00:52,640
And if you can’t print those three things,
1531
01:00:52,640 –> 01:00:53,920
you don’t have an operating model.
1532
01:00:53,920 –> 01:00:58,880
You have intent, subscribe and watch the next episode on cost governance and platform maturity.
