Cloud Governance for Azure with Enterprise Scale

For a public cloud to be used sustainably and in a controlled manner in an enterprise environment, efficient and customised cloud governance is required.

Author: Michael Wachter

Many companies realise that existing IT governance procedures cannot be adapted to the more dynamic situation of a public cloud and are therefore asking themselves the question: «How do we address the governance demands for public cloud within our company?»

If you are also asking yourself this question, this blog offers you an introduction to cloud governance for Azure.

What is Cloud Governance?

Governance is a form of control and generally refers to the control and regulation system in the sense of structures (structural and procedural organisation) of a political-social unit such as the state, administration, municipality, private or public organisation. [Source: Wikipedia]

Cloud governance focuses on steering the use of a (public) cloud.

Why Cloud Governance?

In a data centre or a private cloud, essentially two services can be obtained: compute and storage. Other services such as network, backup and IAM are provided by the data centre or private cloud itself.

In a public cloud, on the other hand, many other services can be obtained in addition to compute and storage, including services that a private cloud specifies centrally. Therefore the entire use of the public cloud must be regulated: what may be used, when, how and where?

Cloud governance can basically be divided into the following topic blocks:

  • Cost management

    looks at issues such as budget overruns, underutilisation, oversized resources and influences of architecture decisions on cost development.

  • Basic security

    covers topics including data encryption, network isolation, securing external and internal access, DDoS protection, network monitoring and security auditing.

  • Identity handling

    addresses issues around unauthorised access, use of the same identity across multiple clouds/datacenters, optimal authentication methods and identity verification.

  • Resource consistency

    concerns the handling of labels, subscriptions, operating systems, monitoring and emergency situations.

  • Deployment acceleration

    provides visibility for remediation and verifies the security of configurations.

Cloud governance thus creates the basis for an iterative process to define guard rails for the use of a public cloud.

Enterprise Scale helps with Cloud Governance for Azure

Enterprise Scale is a framework from Microsoft for setting up cloud governance to manage the state of an Azure environment. It can be compared very well with the planning of a large city:

Table 1: Comparison of urban planning and Enterprise Scale

The framework is based on best practices and Microsoft's experience with (Azure) customers. It is modular, offers a very good introduction to cloud governance and scales with needs.

A landing zone is a subscription that is provided for the implementation of a workload. For smaller Azure environments, a landing zone can also be a resource group (see below). A workload can be defined in different ways:

  • One environment (e.g. Prod) per application
  • One environment (e.g. Prod) for the entire company
  • The Azure footprint of a department, e.g. HR
  • A mix of the above and other criteria.

The framework itself is based on the principles:

  1. Democratisation of subscriptions

  2. Policy-based governance

  3. A single level of control and management

  4. Application-centred and archetype-neutral

  5. Alignment with native Azure designs and roadmaps

These principles are considered in the discussion across different topics, such as IAM and network. As part of this discussion, an initial set of rules is created that can be iteratively expanded. For example, cloud usage could initially be limited to two regions. As the company grows abroad, additional regions could be added (if needed).

Furthermore, during the discussion, a better picture emerges of how one intends to group the workloads. For this grouping, the framework focuses primarily on the tenant, the hierarchy of management groups and subscriptions. If necessary, resource groups can also be included.

Figure 1: Azure hierarchy levels

The framework can therefore be used for large Azure environments with many subscriptions, as well as for small Azure environments with few, or in extreme cases, even only one subscription.

Cloud governance is established and enforced by means of this grouping. For example, a Kubernetes or OpenShift cluster could be set up in one landing zone as a central service while, at the same time, the setup of a Kubernetes or OpenShift cluster in another landing zone is blocked. In this way:

  • autonomy for innovation and transformation is created,
  • security and compliance by default are implemented, and
  • governance at scale is achieved through sustainable cloud engineering.
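The two mechanisms described above, an initial rule set that is later expanded (limiting usage to two regions) and policies assigned at one level of the hierarchy that allow a service in one landing zone and block it in another, can be made concrete with a small model. The following is an added example, not code from the original post or from Microsoft's framework: the management group names, subscriptions, resource group, policy definitions and resources are constructed for illustration, and the evaluator is a simplified stand-in for Azure Policy, not the real engine. Only the shape of the policy rules (`if`/`field`/`notIn`/`equals`, `then`/`effect`) follows the Azure Policy definition format.

```python
"""Toy model of policy-based governance over an Azure-style hierarchy.

Constructed illustration: the management groups, subscriptions, resource group,
policy definitions and resources below are made up, and the evaluator is a
simplified stand-in for Azure Policy, not the real engine. Only the shape of
the policy rules (if / field / in / notIn / equals, then / effect) follows the
Azure Policy definition format.
"""

# Hierarchy as child -> parent. "tenant-root" is the root management group.
# Landing zones are subscriptions; rg-hr-app shows a resource group acting as
# a (small-environment) landing zone that still inherits its parents' policies.
HIERARCHY = {
    "mg-landingzones": "tenant-root",
    "mg-platform": "tenant-root",
    "mg-lz-corp": "mg-landingzones",
    "mg-lz-online": "mg-landingzones",
    "sub-hr-prod": "mg-lz-corp",
    "sub-shop-prod": "mg-lz-online",
    "sub-management": "mg-platform",
    "rg-hr-app": "sub-hr-prod",
}

# Initial rule set: cloud usage limited to two regions (constructed choice).
ALLOWED_LOCATIONS = {
    "name": "allowed-locations",
    "policyRule": {
        "if": {"field": "location", "notIn": ["switzerlandnorth", "westeurope"]},
        "then": {"effect": "deny"},
    },
}

# Managed Kubernetes is a central service under mg-lz-online; block it in the
# corp landing zones by assigning a deny policy at mg-lz-corp.
DENY_AKS = {
    "name": "deny-managed-kubernetes",
    "policyRule": {
        "if": {"field": "type", "equals": "Microsoft.ContainerService/managedClusters"},
        "then": {"effect": "deny"},
    },
}

# Assignments: scope -> policies. An assignment applies to the scope and to
# everything beneath it in the hierarchy.
ASSIGNMENTS = {
    "tenant-root": [ALLOWED_LOCATIONS],
    "mg-lz-corp": [DENY_AKS],
}


def scope_chain(scope):
    """Return the scope followed by its ancestors, ending at the root."""
    chain = [scope]
    while chain[-1] in HIERARCHY:
        chain.append(HIERARCHY[chain[-1]])
    return chain


def effective_policies(scope):
    """Policies in force at a scope, collected from the root downwards."""
    policies = []
    for s in reversed(scope_chain(scope)):
        policies.extend(ASSIGNMENTS.get(s, []))
    return policies


def condition_matches(cond, resource):
    """Evaluate one policy condition against a resource's properties."""
    value = resource.get(cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "in" in cond:
        return value in cond["in"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(scope, resource):
    """Names of the deny policies that would block deploying resource at scope."""
    blocked_by = []
    for pol in effective_policies(scope):
        rule = pol["policyRule"]
        if rule["then"]["effect"] == "deny" and condition_matches(rule["if"], resource):
            blocked_by.append(pol["name"])
    return blocked_by


def add_allowed_location(region):
    """Iterative expansion of the guard rails: permit one more region."""
    allowed = ALLOWED_LOCATIONS["policyRule"]["if"]["notIn"]
    if region not in allowed:
        allowed.append(region)
    return list(allowed)


if __name__ == "__main__":
    aks = {"type": "Microsoft.ContainerService/managedClusters", "location": "westeurope"}
    storage = {"type": "Microsoft.Storage/storageAccounts", "location": "eastus"}
    print(evaluate("sub-shop-prod", aks))       # allowed in the online landing zone
    print(evaluate("rg-hr-app", aks))           # blocked via inheritance from mg-lz-corp
    print(evaluate("sub-management", storage))  # blocked by the region guard rail
```

The point the model makes visible is that the same deny rule applies to a subscription and to a resource group inside it without any per-landing-zone configuration, because assignments flow down the hierarchy; a central service is therefore enabled simply by placing its landing zone under a management group where no deny is assigned. Widening the guard rails later (the added region) is a change at one scope, not a change in every landing zone.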


Enterprise Scale offers a very good introduction to cloud governance for Azure. On the one hand, the individual topics are intensively explored with considerations and recommendations; on the other hand, it is modular and can be tailored to your needs. Enterprise Scale thus provides an excellent basis for discussion within your company.

We have had very good experiences with the framework and its implementation. However, there are still open questions (e.g. handling multiple Azure AD tenants, MCA instead of EA) to which the framework does not provide a clear answer. The framework can still help as a comparison in these cases. It is important to involve in the discussion the people who will later take on the tasks in operations, network and security.
