How We Fully Automated Environment Cloning for a Finance Transformation Program

The breakthrough was not in the code. It was in cloning Active Directory, IP spaces, and identities into isolated environments, making cutover trivial by design.

Tags: Architecture, Azure, VMware, Active Directory, Hybrid Cloud, Environment Design

Context

A global enterprise is executing a multi-year finance transformation program spanning several regions. The program involves migrating legacy finance systems (some operational for over a decade) to modern platforms. While non-production environments did exist, they had drifted significantly from production over time. Without GitOps, CI/CD, or any form of managed lifecycle, these environments had become unreliable: configurations diverged, patches were inconsistent, and teams could not trust test results.

The program required multiple non-production environments (development, testing, staging, training, UAT), each refreshed regularly from production data. The infrastructure spans hybrid cloud (Azure + VMware) across multiple regions, governed by strict regulatory compliance requirements. Every environment refresh involves cloning virtual machines, reconfiguring network boundaries, updating DNS, adjusting database connections, and validating services across two distinct platforms.

The requirement from day one was clear: deliver environment refreshes as rapidly as possible with zero manual intervention. However, speed alone was not the primary challenge. The architecture had to enable the transformation program itself.

The design: clone everything, change nothing

The conventional approach to non-production environments involves building each one independently, with separate IP ranges, separate service accounts, separate Active Directory configuration, and maintaining them within the production network. Organisations then spend days adapting application configurations, connection strings, and security rules per environment. Every production cutover becomes a translation exercise, introducing risk at the most critical moment. We have since observed this pattern in other regions of the same programme where teams chose this traditional route, and the operational overhead confirmed our initial assessment.

We designed a fundamentally different approach: clone the entire environment as-is. Active Directory, IP address spaces, service principals, managed accounts, DNS, all replicated intact. Each cloned environment operates within complete network isolation, yet internally it is an exact replica of production.

The core principle: when non-production environments use identical IP addresses, identical service accounts, and identical Active Directory configuration as production, cutover becomes significantly simpler. Some minimal adjustments remain (firewall rules as pre-work, occasional discoveries at cutover), but the vast majority of application rules, configurations, and integration settings require no translation.

What gets cloned, what stays static

Not everything in the environment is cloned. The architecture distinguishes between components that must be replicated to preserve identity and components that remain shared or static across environments. Access into each isolated environment is restricted to VDI sessions or through a bypassed VMware management layer; there is no direct network path from the corporate network into the cloned environment.

Isolated Environment Boundary

Environment isolation architecture

Cloned per environment
  • Application servers
  • Databases
  • Domain controllers (AD)
  • DNS servers
  • File shares
Static / shared infrastructure
  • SD-WAN connectivity
  • Integration system VMs
Access layer
  • VDI sessions only
  • VMware management bypass
  • No direct corporate network access

Each isolated environment maintains identical IP spaces, service principals, and AD accounts as production. External connectivity is controlled via SD-WAN and integration VMs that bridge the isolation boundary.

This separation was critical. The cloned components carry the identity fabric that makes cutover seamless, while the static infrastructure provides the connectivity and integration points that each environment needs to function. The isolation boundary ensures that cloned AD controllers, identical IP spaces, and replicated service accounts do not conflict with production or with each other.

Impact on the transformation program

The finance transformation involved migrating complex rule engines, systems in which business logic is encoded as thousands of rules referencing specific accounts, IP addresses, and service identities. Under a traditional environment design, migrating these rules between environments requires rewriting references for each environment's unique configuration, a process that is both time-consuming and error-prone.

With the cloned environment approach, the program team could develop and validate rules in an isolated environment that was an exact replica of production. When ready for cutover, the rules were moved to production with minimal adjustment; the identities, IP addresses, and accounts were identical by design. Some items, such as firewall pre-work or configurations missed during initial cloning, surfaced at cutover time, but these were exceptions rather than the rule. The program team built their operational runbooks around this capability, and the integration proceeded predictably as a result.

Before: Traditional approach Build each environment independently Different IPs, accounts, service principals Adapt configurations per environment Cutover requires translation of every rule Days of environment preparation

After: Cloning approach Replicate production into isolation Identical IPs, accounts, service principals Minimal configuration changes required Cutover with near-zero translation 3–12 hours, fully automated

The automated refresh pipeline

The architecture would not deliver its intended value without reliable, repeatable automation. When triggered, the pipeline transitions an environment from stale to fully refreshed and validated, end to end, without manual intervention.

  1. Pre-validate source
  2. Delete old environment
  3. Clone via DR / VMware
  4. Configure network isolation
  5. Post-validate services & AD
  6. Apply environment deltas
  7. Run acceptance tests

Each stage includes a validation gate. If any step fails, the pipeline halts and reports the specific failure. The most critical gate is post-validation: confirming that Active Directory replication is healthy, service principals resolve correctly, and DNS functions within the isolated network boundary, all before any application-level changes are applied.

Implementation: the right tool for each layer

The implementation leverages multiple Infrastructure-as-Code tools, each selected for its strengths. Terraform manages cloud infrastructure and policy-as-code governance. Bicep handles Azure-native resources including pre-Terraform dependencies such as state storage and runner infrastructure. Packer produces immutable golden VM images, ensuring new desktops are provisioned pre-configured in minutes. GitHub Actions orchestrates the full pipeline with OIDC-based authentication, eliminating stored secrets entirely.

However, the tooling is secondary to the design. Any experienced engineer (or increasingly, AI) can produce well-structured Terraform. The differentiation lies in the architecture itself: the decision to clone identity fabrics, the design of network isolation that preserves internal IP spaces, and the construction of a validation pipeline that surfaces issues before they reach production.

AI can generate infrastructure code. What it cannot do is assess a client's legacy landscape, recognise that drifted environments are the core blocker to a multi-year transformation, and design a cloning architecture that resolves it. That level of contextual problem-solving is where experienced engineers deliver value.

Operational outcomes

Beyond the initial architecture, day-to-day operations are fully automated. Azure Functions handle AVD session host auto-scaling with retry logic for DSC extension failures. Serverless VM maintenance manages working-hours scheduling and cost optimisation. Pester-based infrastructure tests validate environment state after every change.

The operations team transitioned from reactive incident management to proactive architecture improvement. Every infrastructure change flows through Git with PR-based approvals, providing the compliance team with a complete audit trail, a requirement in a regulated industry operating across multiple jurisdictions.

Outcome

Before: Before Drifted, unmanaged non-production environments No CI/CD or GitOps lifecycle Environment setup measured in days Cutover required rewriting every configuration Manual operations, no audit trail

After: After Exact production replicas on demand Isolated environments with identical identities Refresh completed in 3–12 hours, fully automated Cutover with minimal translation Full Git history, PR-based approvals

The program team gained the ability to develop, test, and validate with confidence in environments that behaved exactly like production. The cutover process became predictable and repeatable. The client nominated and presented this approach at IDC's inaugural Future Enterprise Awards in the Best in Future of Digital Infrastructure category, where it was recognised as a top-3 finalist. Our team, including engineers who designed and delivered the automation, contributed directly to the work that earned that recognition.

This was a custom engagement tailored to the client's specific infrastructure and transformation needs. If your challenges feel similar (drifted environments, manual operations, complex hybrid cloud), our Advisory is a good starting point to explore what's right for your situation.

Need this for your project?

We cover this exact scenario. Strategy, delivery, or both. See the use case or get in touch.