The Azure Operating Compass

Moving beyond "ClickOps" to a true Platform Engineering model. This roadmap transforms your Azure environment from a collection of resources into a self-service product.

Phase 1: The Foundation

The Subscription Vending Machine

Stop creating subscriptions manually. The Vending Machine is an automated pipeline that dispenses fully-governed subscriptions (Landing Zones) to application teams upon request.

Realist Warning:

Avoid the "ClickOps" trap. If you are creating subscriptions in the Azure Portal manually, you have already lost control of your governance posture. The "Vending Machine" isn't optional for scale.

graph LR
  A[User Request] -->|ServiceNow/IDP| B(Orchestrator)
  B -->|GitHub Actions| C{Vending Logic}
  C -->|Terraform| D[New Sub]
  C -->|Bicep| E[VNet Peering]
  D --> F[Ready State]
  E --> F
  style A fill:#1e293b,stroke:#3b82f6,stroke-width:2px
  style F fill:#064e3b,stroke:#10b981,stroke-width:2px,color:#fff

Fig 1: Logical Flow of Subscription Vending
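
The "Vending Logic" box in Fig 1 is where governance is enforced before any Terraform or Bicep runs. The following is an added illustration of that gate, not code from this page or from Microsoft's landing-zone tooling: it validates an incoming request and derives the landing-zone inputs (subscription name, management-group placement, tags, hub peering) so that the requester cannot choose them. All rule values, the management-group ids and the naming pattern are constructed assumptions.

```python
"""Subscription vending request gate (added illustration, constructed rules)."""
import re
from dataclasses import dataclass

ALLOWED_REGIONS = {"eastus", "westus2"}   # same set as the policy sample on the page
ALLOWED_ENVS = {"dev", "test", "prod"}
# Constructed management-group layout: placement is derived, never requested.
MG_FOR_ENV = {"dev": "mg-corp-nonprod", "test": "mg-corp-nonprod", "prod": "mg-corp-prod"}
SLUG_RE = re.compile(r"[a-z0-9]{2,12}")   # constructed naming convention
COST_CENTER_RE = re.compile(r"CC-\d{4}")  # constructed cost-centre format


@dataclass(frozen=True)
class VendRequest:
    team: str
    app: str
    env: str
    region: str
    cost_center: str
    owner_email: str


@dataclass
class LandingZoneSpec:
    subscription_name: str
    management_group: str
    region: str
    tags: dict
    hub_peering: bool


def validate(req: VendRequest) -> list:
    """Return every violation found; an empty list means the request may proceed."""
    errors = []
    if not SLUG_RE.fullmatch(req.team):
        errors.append("team must be 2-12 lowercase alphanumerics")
    if not SLUG_RE.fullmatch(req.app):
        errors.append("app must be 2-12 lowercase alphanumerics")
    if req.env not in ALLOWED_ENVS:
        errors.append(f"env '{req.env}' not in {sorted(ALLOWED_ENVS)}")
    if req.region not in ALLOWED_REGIONS:
        errors.append(f"region '{req.region}' not in {sorted(ALLOWED_REGIONS)}")
    if not COST_CENTER_RE.fullmatch(req.cost_center):
        errors.append("cost_center must look like CC-1234")
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", req.owner_email):
        errors.append("owner_email is not an e-mail address")
    return errors


def build_spec(req: VendRequest) -> LandingZoneSpec:
    """Turn an approved request into the inputs the IaC stage consumes.

    Name, management group and peering are derived from the request, so the
    governance posture cannot be bypassed by filling the form differently.
    """
    errors = validate(req)
    if errors:
        raise ValueError("; ".join(errors))
    return LandingZoneSpec(
        subscription_name=f"sub-{req.team}-{req.app}-{req.env}",
        management_group=MG_FOR_ENV[req.env],
        region=req.region,
        tags={"team": req.team, "app": req.app, "env": req.env,
              "costCenter": req.cost_center, "owner": req.owner_email},
        hub_peering=(req.env == "prod"),   # constructed rule: only prod peers to the hub
    )


if __name__ == "__main__":
    ok = VendRequest("payments", "ledger", "prod", "eastus", "CC-0042", "owner@example.com")
    print(build_spec(ok))
    bad = VendRequest("Payments", "ledger", "qa", "northeurope", "42", "nobody")
    print(validate(bad))
```

The orchestrator (GitHub Actions in Fig 1) would call `build_spec` and pass the resulting `LandingZoneSpec` as variables to the Terraform or Bicep stage; a non-empty `validate` result fails the run before any cloud call is made.
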

Phase 2: The Guardrails

Policy-as-Code Strategy

Governance shouldn't be a PDF document. Embed your security and compliance requirements directly into the platform using Azure Policy, managed as code.

// Sample: Enforce Regional Compliance
// Policy assignments are subscription-scoped, so the Bicep file targets that scope.
targetScope = 'subscription'

resource policy 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-non-us-regions'
  properties: {
    policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/...'
    parameters: {
      listOfAllowedLocations: {
        value: [ 'eastus', 'westus2' ]
      }
    }
  }
}

  • Custom Policy Definitions
  • Compliance Dashboards
  • Deny/Audit Effects
  • Automated Exemption Process

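
Policy-as-code only pays off when the same rules that Azure Policy enforces at deployment time are also checked in the pipeline, so a deny is caught before anything reaches the control plane. The following is an added illustration, not code from this page or from Azure Policy itself: a small evaluator for a subset of the policy rule language (field, equals, in, exists, not, allOf, anyOf, with parameter substitution) run over the resources a plan would create. The two assignments and three resources are constructed; the rule for "deny-non-us-regions" is inlined and simplified rather than fetched from a policyDefinitionId, and the parameter shape mirrors the Bicep sample above.

```python
"""Pre-flight Azure Policy evaluator (added illustration, constructed rules)."""
import re

PARAM_RE = re.compile(r"\[parameters\('([^']+)'\)\]")
TAG_RE = re.compile(r"tags\['([^']+)'\]")


def _resolve(value, params):
    """Expand a [parameters('name')] reference to the assignment's parameter value."""
    if isinstance(value, str):
        m = PARAM_RE.fullmatch(value)
        if m:
            return params[m.group(1)]["value"]
    return value


def _field(resource, name):
    """Resolve a policy field alias: a top-level property or tags['key']."""
    m = TAG_RE.fullmatch(name)
    if m:
        return (resource.get("tags") or {}).get(m.group(1))
    return resource.get(name)


def _match(cond, resource, params):
    """Evaluate one condition of the policy rule language against a resource."""
    if "not" in cond:
        return not _match(cond["not"], resource, params)
    if "allOf" in cond:
        return all(_match(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(_match(c, resource, params) for c in cond["anyOf"])
    value = _field(resource, cond["field"])
    if "equals" in cond:
        return value == _resolve(cond["equals"], params)
    if "in" in cond:
        return value in _resolve(cond["in"], params)
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(assignments, resources):
    """Return findings keyed by effect: {'deny': [(assignment, resource)], 'audit': [...]}."""
    findings = {"deny": [], "audit": []}
    for a in assignments:
        rule = a["policyRule"]
        effect = rule["then"]["effect"].lower()
        for r in resources:
            if _match(rule["if"], r, a["parameters"]):
                findings[effect].append((a["name"], r["name"]))
    return findings


def gate(assignments, resources):
    """True if the plan may deploy: audit findings are reported, deny findings block."""
    return not evaluate(assignments, resources)["deny"]


# Constructed assignments. A real assignment references a policyDefinitionId; the rule
# is inlined here (simplified from the built-in "Allowed locations" shape) to run offline.
ASSIGNMENTS = [
    {
        "name": "deny-non-us-regions",
        "parameters": {"listOfAllowedLocations": {"value": ["eastus", "westus2"]}},
        "policyRule": {
            "if": {"not": {"field": "location", "in": "[parameters('listOfAllowedLocations')]"}},
            "then": {"effect": "deny"},
        },
    },
    {
        "name": "audit-missing-costcenter-tag",
        "parameters": {},
        "policyRule": {
            "if": {"field": "tags['costCenter']", "exists": "false"},
            "then": {"effect": "audit"},
        },
    },
]

# Constructed planned resources, as a pipeline would extract them from a plan.
PLANNED = [
    {"name": "stapp01", "type": "Microsoft.Storage/storageAccounts", "location": "eastus",
     "tags": {"costCenter": "CC-0042"}},
    {"name": "vm-app-01", "type": "Microsoft.Compute/virtualMachines", "location": "northeurope"},
    {"name": "kv-app-01", "type": "Microsoft.KeyVault/vaults", "location": "westus2", "tags": {}},
]

if __name__ == "__main__":
    print(evaluate(ASSIGNMENTS, PLANNED))
    print("deploy allowed:", gate(ASSIGNMENTS, PLANNED))
```

Wiring `gate` into the pipeline gives the deny effect its pre-deployment twin, while audit findings feed the compliance dashboard instead of failing the run; the exemption process in the list above would then be a reviewed change to `ASSIGNMENTS`, not a manual portal click.
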
Phase 3: The Operation

Platform as a Product (PaaP)

The end state. Your platform team stops being a "ticket-taking" support desk and starts building internal products (templates, modules, agents) that empower developers.

  • Internal Developer Platform (IDP)
  • Service Catalog
  • "Paved Road" Templates
  • FinOps Integration

Reference Architectures

  • Official Microsoft ALZ Repo

Phase 4: The AI Frontier

AI-Ready Landing Zones

The Ultimate Test: your platform is only mature if it can securely vend an "AI Sandbox" in minutes. Adopting the "Shared Capabilities" model prevents quota starvation and enforces responsible AI.

graph LR
  User -->|https| AppGW(App Gateway WAF)
  AppGW -->|VNet Peering| Hub
  subgraph "AI Hub Subscription"
    Hub[Connectivity Hub]
    APIM[APIM Gateway]
  end
  subgraph "AI Spoke Subscription"
    OpenAI[Azure OpenAI]
    Search[AI Search]
    Private[Private Endpoint]
  end
  Hub -->|Private Link| Private
  APIM -->|Managed Identity| OpenAI
  Private -.-> OpenAI
  style OpenAI fill:#4c1d95,stroke:#8b5cf6,stroke-width:2px,color:#fff
  style APIM fill:#0f172a,stroke:#3b82f6,stroke-width:2px

Fig 2: The "Smart Router" Pattern for Enterprise AI
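
The part of Fig 2 that actually prevents quota starvation is the gateway tier (APIM) sitting between the spokes and the shared model deployment: every consumer is identified and admitted against its own budget rather than competing for the raw deployment quota. The following is an added illustration of that admission logic, not code from this page, from APIM or from Azure OpenAI: each team holds a guaranteed tokens-per-minute reservation, the unreserved remainder is a shared burst pool, and a chatty team can drain the burst pool but never another team's reservation. The quota figures, team names and the fixed one-minute window are constructed assumptions.

```python
"""Fair-share token budgets in front of a shared AI capability (added illustration)."""
from dataclasses import dataclass


@dataclass
class Reservation:
    tpm: int         # tokens per minute guaranteed to this consumer
    used: int = 0    # tokens consumed from the reservation in the current window


class SharedCapability:
    """Admission control for one model deployment shared by several spoke teams."""

    def __init__(self, deployment_tpm: int, reservations: dict):
        reserved_total = sum(reservations.values())
        if reserved_total > deployment_tpm:
            raise ValueError("reservations exceed the deployment's quota")
        self.reservations = {team: Reservation(tpm) for team, tpm in reservations.items()}
        self.burst_pool = deployment_tpm - reserved_total   # capacity nobody has reserved
        self.burst_used = 0

    def admit(self, team: str, tokens: int) -> str:
        """Decide one request: reserved capacity first, then the shared burst pool."""
        res = self.reservations.get(team)
        if res is None:
            return "reject:unknown-consumer"   # no identity means no quota at all
        reserved_left = res.tpm - res.used
        if tokens <= reserved_left:
            res.used += tokens
            return "admit:reserved"
        overflow = tokens - reserved_left      # the part the reservation cannot cover
        if overflow <= self.burst_pool - self.burst_used:
            res.used += reserved_left
            self.burst_used += overflow
            return "admit:burst"
        return "reject:429"                    # over budget; the client should back off

    def new_minute(self) -> None:
        """Reset the fixed window; a production gateway would use a sliding window."""
        for res in self.reservations.values():
            res.used = 0
        self.burst_used = 0


def scenario() -> list:
    """Constructed walk-through: a chatty team cannot starve a quiet one."""
    cap = SharedCapability(100_000, {"team-a": 30_000, "team-b": 20_000})  # 50_000 burst
    return [
        cap.admit("team-a", 70_000),   # 30k from reservation + 40k from burst pool
        cap.admit("team-a", 20_000),   # reservation spent, only 10k burst left: rejected
        cap.admit("team-b", 15_000),   # team-b's reservation is untouched by team-a
        cap.admit("team-c", 1_000),    # unregistered consumer
    ]


if __name__ == "__main__":
    for decision in scenario():
        print(decision)
```

The identity the decision keys on is whatever the gateway authenticated (the managed identity path in Fig 2), which is why unregistered callers are rejected outright rather than served from the burst pool; a 429 decision is the signal the spoke's client library should treat as back-off, not as an outage of the shared capability.
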

Essential Resources

  • Official AI Reference Bicep/Terraform Modules
  • OpenAI Networking Private Endpoints & DNS
  • Enterprise AI Adoption Strategic Governance
