Azure
When the audit selects Azure, we build the infrastructure layer from these native services — all codified with Terraform/OpenTofu modules. The architecture mirrors the AWS build one-for-one; only the primitives differ.
Subscription & isolation
- Management groups and subscriptions to isolate environments and blast radius (e.g. production vs. non-production).
- Azure Policy guardrails and baseline assignments applied across the hierarchy.
Networking
- Virtual Network (VNet) with public/private subnets across Availability Zones.
- Route tables, NAT gateway, and network security groups.
- Private endpoints for data stores so they’re never directly exposed.
Identity & access
- Microsoft Entra ID for identity, least-privilege RBAC by default.
- Workload identity so Kubernetes workloads obtain scoped Azure permissions without long-lived secrets.
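As an added illustration (not code from this page or the platform's own modules) of how the workload-identity item above is typically expressed with the Terraform azurerm provider: a user-assigned identity is federated to exactly one AKS service account and granted a single data-plane role on one Key Vault, so the pod never holds a client secret. The resource group, AKS cluster and Key Vault references, the kubernetes provider, the `billing` namespace and the `billing-api` names are assumptions.

```hcl
# Assumed to exist elsewhere in the module: azurerm_resource_group.main,
# azurerm_kubernetes_cluster.main (created with oidc_issuer_enabled and
# workload_identity_enabled set to true) and azurerm_key_vault.main
# (created with enable_rbac_authorization = true).

# One user-assigned identity per workload: this is the Azure principal the
# pod will act as. No client secret or certificate is ever generated for it.
resource "azurerm_user_assigned_identity" "billing_api" {
  name                = "id-billing-api"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
}

# Federated credential: Entra ID trusts tokens minted by the AKS OIDC issuer
# for exactly one Kubernetes service account (namespace + name). A pod using a
# different service account presents a different "sub" claim and is refused.
resource "azurerm_federated_identity_credential" "billing_api" {
  name                = "fic-billing-api"
  resource_group_name = azurerm_resource_group.main.name
  parent_id           = azurerm_user_assigned_identity.billing_api.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = azurerm_kubernetes_cluster.main.oidc_issuer_url
  subject             = "system:serviceaccount:billing:billing-api"
}

# Least privilege: grant only the built-in data-plane role the workload needs,
# scoped to one Key Vault rather than the subscription or resource group.
resource "azurerm_role_assignment" "billing_api_kv_secrets" {
  scope                = azurerm_key_vault.main.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = azurerm_user_assigned_identity.billing_api.principal_id
}

# Kubernetes side: the service account carries the identity's client ID. Pods
# that use it and set the label azure.workload.identity/use: "true" receive a
# projected service-account token, which the Azure SDK exchanges for an access
# token limited to the role assignment above.
resource "kubernetes_service_account" "billing_api" {
  metadata {
    name      = "billing-api"
    namespace = "billing"
    annotations = {
      "azure.workload.identity/client-id" = azurerm_user_assigned_identity.billing_api.client_id
    }
  }
}
```

Because the trust is keyed on the issuer URL and the service-account subject, rotating or deleting the identity revokes access without touching any secret stored in the cluster.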
Compute & Kubernetes
- Azure Kubernetes Service (AKS) as the managed control plane for the containerization layer.
- Node pools with cluster autoscaling.
- Azure Database for PostgreSQL / Azure SQL for relational databases — zone-redundant, automated backups, point-in-time restore.
- Blob Storage for object storage, artifacts, and backups, with lifecycle management.
Ingress, DNS & TLS
- Application Gateway / Load Balancer fronting the cluster ingress.
- Azure DNS for name resolution, with managed TLS certificates.
Security & encryption
- Key Vault for keys, secrets, and certificates; encryption at rest across data stores and disks.
- Platform and application secrets surfaced into the cluster via the secrets workflow.
Baseline telemetry
- Azure Monitor for cloud-level metrics and logs at the subscription boundary — complemented by the full Grafana observability stack running in-cluster.