Cloud Adoption Framework, Scaffolding and Azure Virtual Datacenter

<Updated 11th July 2019>

Since we started helping customers of all sizes deploy cloud technologies, we have developed many frameworks which evolved in parallel over time. You may have heard about: Cloud Adoption Framework, Cloud Operations Model, Enterprise Cloud Strategy, Enterprise Scaffolding and maybe a couple more.

The CAF is dead, long live the CAF!

A couple of weeks ago, we published a new version of CAF, the Cloud Adoption Framework for Azure, which consolidates all of our engineering and field best practices, as well as patterns that we have seen from big enterprises going to the cloud.

CAF now has five main sections which guide you through the whole cycle:


  1. Plan
  2. Ready
  3. Migrate
  4. Manage
  5. Govern

This model is realistic and field-inspired, and includes discussion of adoption with one or more cloud providers.


One of the most intimidating aspects of cloud adoption is governance: how to manage the new risks that come with cloud deployments, how to back that with enterprise processes and policies, and how to keep those current.

It is of course an iterative process that evolves as you add new services into your environment: from dev/test to production, and from a legacy three-tier application to a brand-new cloud-native application.

We distinguish 5 disciplines in governance:

  1. Cost management
  2. Security baseline
  3. Resource consistency
  4. Identity baseline
  5. Deployment Acceleration

But the difficulty is the first step: how do I get a minimal viable product (MVP) for my first cloud deployment?


Actions: to spare you the blank-page syndrome, we have prepared some actions:

  1. Determine your immediate objectives with cloud, and the readiness of your organization. Cloud Assessment Tool: 
  2. Establish your governance MVP:
    1. Small to Medium Enterprises
    2. Large Enterprises

For each of those journeys we document a minimum viable product across the five disciplines, explain the design decisions we took for you, and list the discussion points and alternative design considerations.

When we define governance, we also think about compliance with those rules and about automatic remediation: in Azure this is Azure Policy, which evaluates resources against rule definitions assigned at a scope (management group, subscription or resource group) and can audit, deny or remediate what does not comply.

Along the way, if you are going for ongoing compliance, why not go to continuous integration and continuous deployment for your infrastructure as well?


If you want to see all of that in action, check out:

Azure Scaffolding

We used to talk a lot about “scaffolding”, as it is an excellent checklist, or set of mandatory technical implementation details, for a good cloud deployment. It is being replaced by the “landing zone” construct (see next section).

Here is a refresher picture about what scaffolding includes:


Important readings on Azure Scaffolding:

Azure Landing Zones

Landing Zone is our new construct to describe a good deployment; it replaces the scaffolding idea but keeps all of its good ideas.


It is built on primitives, which cover all the mandatory decisions:

  • Management Groups
  • Resource Groups
  • Naming Standards
  • Number of subscriptions

On the technical implementation of governance it includes all of:

  • Policies
  • Cost
  • Monitoring
  • Identity

Moreover, it comes with a set of decision trees to help you when it comes to implementation with your customers/partners:


Azure Virtual Datacenter

Azure VDC is a set of concepts, implementation guidance and automation scripts that let you build a highly available and highly secure datacenter based on Microsoft Azure services.


You can find all the materials here: 

Check out the automation scripts and all the archetypes that let you deploy a VDC environment fast, based on Docker and Python:

As a last reference, as usual, our Azure Architecture Center:

That’s it, now you will have a very well architected Azure deployment!


Azure Governance in the real world

In this session, we review the fundamentals behind a well managed Azure environment: Azure Management Groups, Azure Policy and Blueprints.
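The governance point made earlier on this page (Azure Policy evaluating resources against rules assigned at a scope, then auditing or denying what does not comply) and this session's Management Groups plus Azure Policy fundamentals, as an added example that is not code from the page or from Microsoft: a simplified evaluator for `policyRule` if/then documents that also models how an assignment at a management group is inherited by every subscription beneath it. The management-group tree, the three policy definitions, the assignment scopes and the two storage accounts are constructed for the example, and alias resolution is reduced to a property-name lookup.

```python
"""Simplified Azure Policy evaluation: a management-group tree, policy
assignments inherited down that tree, and policyRule if/then conditions.
Added example, not Azure's engine (no parameters, no deployIfNotExists or
modify effects, no nested alias resolution)."""

# Constructed management-group tree: scope -> parent (None = tenant root);
# subscriptions hang off management groups.
MG_PARENT = {
    "mg-root": None,
    "mg-landingzones": "mg-root",
    "mg-sandbox": "mg-root",
    "sub-prod-001": "mg-landingzones",
    "sub-sandbox-001": "mg-sandbox",
}

def ancestors(scope):
    """The scope itself plus every ancestor up to the root, nearest first."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = MG_PARENT[scope]
    return chain

def norm(value):
    """Azure Policy compares strings case-insensitively and writes booleans
    as 'true'/'false' in definitions; normalise both sides the same way."""
    if isinstance(value, bool):
        return str(value).lower()
    return value.lower() if isinstance(value, str) else value

def get_field(resource, field):
    """Resolve a 'field': type, location, tags['name'], or an alias (mapped
    here onto its last segment under 'properties', a simplification)."""
    if field.startswith("tags["):
        return resource.get("tags", {}).get(field[6:-2])
    if "/" in field:
        return resource.get("properties", {}).get(field.rsplit("/", 1)[1])
    return resource.get(field)

def condition_holds(cond, resource):
    """One policyRule condition: logical operators recurse, field operators
    compare the resolved value."""
    if "allOf" in cond:
        return all(condition_holds(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_holds(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not condition_holds(cond["not"], resource)
    value = norm(get_field(resource, cond["field"]))
    if "equals" in cond:
        return value == norm(cond["equals"])
    if "notEquals" in cond:
        return value != norm(cond["notEquals"])
    if "in" in cond:
        return value in [norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [norm(v) for v in cond["notIn"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

# Constructed definitions in the policyRule shape Azure Policy uses.
POLICIES = {
    "deny-storage-without-https": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
             "notEquals": "true"}]},
        "then": {"effect": "deny"}},
    "allowed-locations": {
        "if": {"field": "location", "notIn": ["southeastasia", "eastasia"]},
        "then": {"effect": "deny"}},
    "audit-missing-owner-tag": {
        "if": {"field": "tags['owner']", "exists": "false"},
        "then": {"effect": "audit"}},
}

# Assignments bind a definition to a scope; everything beneath inherits it.
ASSIGNMENTS = [
    ("deny-storage-without-https", "mg-root"),
    ("allowed-locations", "mg-landingzones"),
    ("audit-missing-owner-tag", "mg-landingzones"),
]

def evaluate(resource):
    """Effects the resource triggers: a deny blocks the deployment, an audit
    only records non-compliance."""
    hits = {"deny": [], "audit": []}
    reachable = set(ancestors(resource["subscription"]))
    for policy_name, scope in ASSIGNMENTS:
        if scope not in reachable:
            continue  # assigned on a branch that does not contain this resource
        rule = POLICIES[policy_name]
        if condition_holds(rule["if"], resource):
            hits[rule["then"]["effect"]].append(policy_name)
    return hits

# Constructed resources, not real deployments.
PROD_STORAGE = {
    "type": "Microsoft.Storage/storageAccounts", "location": "westus",
    "subscription": "sub-prod-001", "tags": {},
    "properties": {"supportsHttpsTrafficOnly": False},
}
SANDBOX_STORAGE = dict(PROD_STORAGE, subscription="sub-sandbox-001")

if __name__ == "__main__":
    print("prod:   ", evaluate(PROD_STORAGE))
    print("sandbox:", evaluate(SANDBOX_STORAGE))
```

Running it shows the sandbox subscription picking up only the root-level deny, while the production landing zone also inherits the allowed-locations deny and the tag audit. That inheritance is the reason a single assignment at the landing-zone management group governs every subscription later created under it, and why the placement of a subscription in the tree is itself a security decision.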



Download the slides here

Demo 1: Architecture Center, Service Trust Portal


Demo 2: Azure Management Groups & Azure Policy


Demo 3: Create custom policies with Terraform


Demo 4: Azure Blueprints



Follow the new sessions coming up on the Azure APAC webinar series: 

As usual, feel free to reach out if you have any question!


Improve your application security and compliance with Azure

Please find below materials from our online session for 29th August 2018 10am Singapore time!

Microsoft Azure enables you to meet the compliance requirements for data confidentiality, while ensuring data integrity and availability at all times. Tune in to this webinar to find out more about the available security technologies for your application and learn more about the security tools to help you meet the data compliance and protection requirements for your organization.

On-demand content


Video of the session



Azure Privacy and Compliance

Azure Firewall

Azure Security Center


As usual, feel free to reach out if you have any question!



Azure Infrastructure Fundamentals Webinars – part 2

In this article we continue to review our online sessions covering Azure Infrastructure fundamentals, which went live a couple of weeks ago. Please find below the links to the sessions, the slides, demos and step-by-step guides to reproduce the demos!


Session 3: Azure Backup and Disaster Recovery

Azure Site Recovery and Azure Backup are two services that let you easily build Disaster Recovery and Backup plans. In this session we review the different options available to build a DRP that you can rely on.

Session on demand:


1. Backup

2. Disaster recovery

Demos references:


Session 4: Azure Compliance and security

The security and compliance session reviews the fundamentals of Azure security in both technical and non-technical terms. After a review of the certifications against best-in-class policies and procedures, we spend some time on the technologies that customers can leverage to deploy solutions.

Session on demand:


1. Azure Security Center

2. Azure Key Vault

Demo references:

That’s it for today; in the next post, more details on the other episodes of the series!


My Azure RFP Toolbox

<Updated on 24th July 2018>

Over my last years as an architect for Azure services, a set of questions and areas has always come up; you will find here the reference materials I use to answer RFPs or customer enquiries. This post assumes you already have some Azure expertise in the subjects covered, but are in search of good reference materials for documentation purposes.


Networking and connectivity

When you design a solution running in Azure, it will most of the time run on Virtual Networks, which you can connect to:

  • Your datacenter via IPsec VPN: the internet transports IPsec-encrypted packets. Since it is the internet, there is no SLA on the link itself, but the VPN gateway is backed by a 99.95% SLA (Standard SKU and above) and the speed can go up to 1 Gbps.
  • Your datacenter via ExpressRoute: a private connection that does not traverse the internet. Microsoft backs the circuit with a 99.95% SLA, and your connectivity provider commits separately to its part of the path. The speed can go up to 10 Gbps if necessary.
  • The internet via a Public IP: that public endpoint is highly available, load balanced if needed, and protected by the platform DDoS protection service. Those operations are done by Azure, but you can deploy Network Virtual Appliances from the marketplace to add features such as layer-7 inspection. If you want WAF-as-a-service, you can also use Azure Application Gateway.

ExpressRoute Locations –

Microsoft cloud services and network security –

Azure Network Security Best Practices –

Reference architecture – Hybrid Networking – 


High availability, Disaster Recovery and SLA

When you build solutions on Azure, you choose the physical location of your data. With Locally Redundant Storage (LRS) it is kept as three copies within that region; with Geo Redundant Storage (GRS) it is additionally replicated to a paired region hundreds of miles away (three more copies) for extra redundancy.

High availability for virtual machines is achieved:

  • In-Region:
    • If you deploy a single Azure VM with Premium storage for all of its disks, it automatically gets a 99.9% uptime SLA.
    • You reach 99.95% uptime by placing multiple machines serving users inside an availability set with a load balancer in front.
    • You reach 99.99% uptime by spreading those machines across two or more availability zones in the same region, with a Standard Load Balancer in front.
  • Across regions: duplicate the first deployment in another region, replicate the data using application-level replication or Azure Site Recovery, then distribute traffic across the regions with Traffic Manager.
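How the per-service figures above combine into an end-to-end number, as an added example that is not part of the original post: components that all have to be up are in series (availabilities multiply), redundant copies are in parallel (only the simultaneous failure of all copies counts). The gateway, VM and storage figures are the SLA numbers quoted on this page; the 99.99% for Traffic Manager is an assumption, as is the independence of failures, which shared dependencies (identity, DNS, a single ExpressRoute location) can break.

```python
"""Composite-SLA estimation for a multi-component Azure design. Added example:
the component figures are the SLA numbers quoted on this page; Traffic
Manager's 99.99% is an assumption, and components are treated as failing
independently, which real shared dependencies may violate."""
from functools import reduce
from operator import mul

MINUTES_PER_MONTH = 30 * 24 * 60

def series(*availabilities):
    """Every component must be up: availabilities multiply."""
    return reduce(mul, availabilities, 1.0)

def parallel(*availabilities):
    """Any one redundant copy suffices: 1 - P(all copies down at once)."""
    return 1.0 - reduce(mul, (1.0 - a for a in availabilities), 1.0)

def downtime_minutes_per_month(availability):
    """Turn an availability fraction into the monthly outage it implies."""
    return (1.0 - availability) * MINUTES_PER_MONTH

# SLA inputs as fractions; a constructed design, not a measured system.
GATEWAY = 0.9995          # VPN or ExpressRoute gateway, Standard SKU and above
VM_AVSET = 0.9995         # two or more VMs in an availability set behind a load balancer
STORAGE = 0.999           # LRS/ZRS/GRS read requests
TRAFFIC_MANAGER = 0.9999  # assumed figure for the DNS-based global load balancer

def single_region():
    """Gateway -> VM tier -> storage: all in series, so the weakest SLA dominates."""
    return series(GATEWAY, VM_AVSET, STORAGE)

def two_regions_active_active():
    """The same stack in a second region: regions in parallel, Traffic Manager
    in series with them (it is a single point of failure for routing)."""
    region = single_region()
    return series(TRAFFIC_MANAGER, parallel(region, region))

def report():
    """Availability in percent and implied monthly downtime in minutes."""
    designs = {
        "single region": single_region(),
        "two regions via Traffic Manager": two_regions_active_active(),
    }
    return {name: (round(a * 100, 4), round(downtime_minutes_per_month(a), 1))
            for name, a in designs.items()}

if __name__ == "__main__":
    for name, (pct, minutes) in report().items():
        print(f"{name:32s} {pct:8.4f}%  about {minutes} min/month of downtime")
```

The single-region chain lands at about 99.80%, below every individual SLA in it, which is the point to make in an RFP answer: a 99.95% VM tier behind a 99.9% storage account does not give a 99.95% solution. Duplicating the region lifts the estimate to about 99.99%, capped by whatever sits in series in front of both regions.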

SLA for the main Azure elements:

  • Virtual Machines: for all Virtual Machines that have two or more instances deployed in the same Availability Set, we guarantee you will have Virtual Machine Connectivity to at least one instance at least 99.95% of the time. For any Single Instance Virtual Machine using premium storage for all Operating System Disks and Data Disks, we guarantee you will have Virtual Machine Connectivity of at least 99.9%.
  • Storage: we guarantee that at least 99.9% (99% for Cool Access Tier) of the time, we will successfully process requests to read data from Locally Redundant Storage (LRS), Zone Redundant Storage (ZRS), and Geo Redundant Storage (GRS) Accounts.
  • ExpressRoute: we guarantee a minimum of 99.95% ExpressRoute Dedicated Circuit availability.
  • VPN and ExpressRoute gateways: we guarantee 99.9% availability for each Basic Gateway for VPN or Basic Gateway for ExpressRoute; 99.95% availability for each Standard, High Performance, VpnGw1, VpnGw2 or VpnGw3 Gateway for VPN; and 99.95% availability for each Standard, High Performance or Ultra Performance Gateway for ExpressRoute.
  • Application Gateway: we guarantee that each Application Gateway Cloud Service having two or more medium or larger instances will be available at least 99.95% of the time.
  • Azure Site Recovery: for each Protected Instance configured for On-Premises-to-On-Premises Failover, we guarantee at least 99.9% availability of the Site Recovery service. For each Protected Instance configured for On-Premises-to-Azure planned and unplanned Failover, we guarantee a two-hour Recovery Time Objective.

Datacenter and Service Recovery: how Microsoft services recover from a DC loss –

Availability checklist –

Data security, isolation and confidentiality

In a context of datacenter migration, usual questions are: how is my data secured, how is it isolated from other tenants and how can I protect my data in-transit, at-rest, and even in-processing.

You can get started with our RFI standard responses templates:

A good reference is the getting started with Azure security paper:

Encryption at rest:

Isolation in the Azure Public Cloud –

Azure Data Encryption-at-Rest –

Encryption in transit:

Azure encryption technologies: Protect personal data in transit with encryption –

Encryption in processing:

Azure confidential computing :

Data security is also about backup, so you can use:


Datacenter operations & compliance

Azure will very likely exceed any best practice and compliance level that you see in a customer-run datacenter. Azure does not usually let customers audit the platform directly against those practices; instead, Microsoft certifies Azure against the most relevant global, regional and local certifications as well as the strictest industry standards, and makes the audit reports available.

All certifications information can be found in the Azure Trust Center –

If you need to download the certification audit reports or the certificate Service Trust Portal – 

Overview of Microsoft Azure compliance –

How Microsoft Azure can help organizations become compliant with the EU GDPR –

Azure Solutions Blueprint for PCI DSS-compliant environments –

Microsoft Azure HIPAA/HITECH Act Implementation Guidance –


Threat protection, detection and incident response

How does Microsoft protect instances, and how do Microsoft and I do incident response? Is there a DoS protection service included, and an IDS/IPS? Can I or a partner conduct penetration testing against a solution in Azure?

Azure Advanced Threat Detection –

Azure Logging and auditing –

Security Incident Response in Azure –

Penetration testing of your solution – 

Integration of SIEM with Azure – 

Azure Security Center is a great complement to all the security mechanisms present in Azure, and the good news is, there’s a free tier, so use it everywhere.

Azure Security Center Detection Capabilities –

Using Azure Security Center for an incident response –


Operations Excellence

How do I operate and manage an environment in Azure, how do I manage separation of roles and duties, and how is RBAC done?

Customers can integrate their on-premises Active Directory with Azure Active Directory and then manage and delegate access using RBAC. When customers use Azure Active Directory, they can use all the features of Azure Active Directory Premium and also enable Just-in-Time admin, which will elevat
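The RBAC and separation-of-duties questions above, as an added example that is not code from the page or from Microsoft: a small model of how Azure RBAC decides a request. Role definitions list Actions and NotActions (NotActions only subtract from that role, they never deny), role assignments bind a principal and a role to a scope that everything beneath inherits, and deny assignments (the mechanism a Blueprint resource lock uses) are checked first and win. The principals, scopes, the Virtual Machine Operator custom role and the deny assignment are constructed; the Contributor NotActions are abridged to the entries that stop it from granting access.

```python
"""A small model of Azure RBAC authorization: role definitions with
Actions/NotActions, role assignments at a scope inherited by everything
beneath it, and deny assignments (what a Blueprint resource lock creates).
Added example with constructed scopes, principals and a custom role; the
Contributor NotActions list is abridged. Not Microsoft code."""
from fnmatch import fnmatchcase

MG = "/providers/Microsoft.Management/managementGroups/"

# Constructed: subscription -> its management-group chain, nearest first.
MG_OF_SUBSCRIPTION = {"sub-prod-001": [MG + "mg-landingzones", MG + "mg-root"]}

# Role definitions. Contributor keeps the NotActions that matter for
# separation of duties: it can change resources but not who has access.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/elevateAccess/Action"]},
    # Constructed custom role: operate VMs, never change or delete them.
    "Virtual Machine Operator": {
        "Actions": ["Microsoft.Compute/virtualMachines/read",
                    "Microsoft.Compute/virtualMachines/start/action",
                    "Microsoft.Compute/virtualMachines/restart/action",
                    "Microsoft.Compute/virtualMachines/deallocate/action"],
        "NotActions": []},
}

ASSIGNMENTS = [  # (principal, role, scope)
    ("alice", "Owner", MG + "mg-landingzones"),
    ("bob", "Virtual Machine Operator", "/subscriptions/sub-prod-001/resourceGroups/rg-app"),
    ("carol", "Contributor", "/subscriptions/sub-prod-001"),
]
DENY_ASSIGNMENTS = [  # (scope, denied patterns), e.g. a Blueprint "do not delete" lock
    ("/subscriptions/sub-prod-001/resourceGroups/rg-app", ["*/delete"]),
]

VM_APP = "/subscriptions/sub-prod-001/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm1"
VM_OTHER = "/subscriptions/sub-prod-001/resourceGroups/rg-other/providers/Microsoft.Compute/virtualMachines/vm2"

def matches(pattern, action):
    """RBAC action patterns are case-insensitive and '*' spans '/' segments."""
    return fnmatchcase(action.lower(), pattern.lower())

def applies(scope, resource_id):
    """True if the scope is the resource, an ancestor path of it, or a
    management group that contains its subscription."""
    rid, s = resource_id.lower(), scope.lower()
    if rid == s or rid.startswith(s.rstrip("/") + "/"):
        return True
    sub = rid.split("/")[2] if rid.startswith("/subscriptions/") else None
    return scope in MG_OF_SUBSCRIPTION.get(sub, [])

def role_grants(role, action):
    """Actions minus NotActions. NotActions only subtract from this role;
    another assignment can still grant the same action."""
    role_def = ROLES[role]
    return (any(matches(p, action) for p in role_def["Actions"])
            and not any(matches(p, action) for p in role_def["NotActions"]))

def is_authorized(principal, action, resource_id):
    """Deny assignments are checked first and always win; otherwise RBAC is
    additive: one applicable assignment granting the action is enough."""
    for scope, denied in DENY_ASSIGNMENTS:
        if applies(scope, resource_id) and any(matches(p, action) for p in denied):
            return False
    return any(applies(scope, resource_id) and role_grants(role, action)
               for who, role, scope in ASSIGNMENTS if who == principal)

if __name__ == "__main__":
    for who, action, rid in [
        ("bob", "Microsoft.Compute/virtualMachines/start/action", VM_APP),
        ("bob", "Microsoft.Compute/virtualMachines/write", VM_APP),
        ("carol", "Microsoft.Authorization/roleAssignments/write", VM_APP),
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM_APP),
        ("alice", "Microsoft.Compute/virtualMachines/delete", VM_OTHER),
    ]:
        print(f"{who:6s} {action:48s} {rid.rsplit('/', 1)[1]}: {is_authorized(who, action, rid)}")
```

Three outcomes are worth checking when you design the role model: the operator can start a VM in its resource group but cannot write or delete it, the Contributor can change any resource in the subscription but cannot create role assignments (so it cannot grant itself more), and the Owner inherited from the management group still cannot delete inside the locked resource group because the deny assignment is evaluated before any grant.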

Introduction to operational security in Azure –

Azure Security Management and Monitoring Overview –

Governance in Azure –

Identity management –


Let’s conclude with the Azure Security best practices and patterns collection:

Our VM sizes reference:

You might also need the Visio template in order to produce the architecture diagrams: 


Have fun answering RFP, don’t hesitate to suggest your additional items in the comments section!

Stay updated on Twitter: