How We Built a Cloud Platform from Scratch When Corporate IT Said No

When the corporate tenant would not grant DevOps-level permissions, the team provisioned a dedicated Azure tenant and built governance, networking, and identity entirely as code.

Tags: Azure, Governance, Infrastructure as Code, Identity, Networking, Swiss Enterprise

Context

A Swiss client needed a data & analytics cloud platform built from scratch. Corporate IT would not grant the DevOps-level permissions the team required; the principle of "you build it, you run it" was denied on the corporate tenant. The decision was made to provision a dedicated Azure tenant entirely owned by the project team.

This was a deliberate trade-off. A second tenant meant duplicating identity configuration, networking, and governance structures, adding unnecessary cost. But it unlocked something more valuable: full autonomy. From that point forward, every delay in the programme came from traditional IT processes that lacked automation and lean principles, never from the project team. The team could move at engineering speed and later scaled rapidly into data engineering and machine learning initiatives because of it.

Everything as code, every change audited

From the first commit, there was a non-negotiable rule: nothing gets created manually. Infrastructure, governance, identity, networking, firewall rules, compute policies, budgets, all defined in Terraform and version-controlled in Git. Every change flows through a pull request, is reviewed by a peer, and is merged only after automated security scanning passes.

When every infrastructure change is a Git commit, you get audit trails for free. No separate compliance process needed; the engineering workflow is the compliance workflow.

CI/CD pipelines enforce this discipline automatically. Trivy scans every Terraform plan for security misconfigurations; critical findings block the merge. OIDC-based authentication means zero secrets stored in pipelines. Microsoft Sentinel ingests Entra ID sign-in logs, audit logs, and risky service principal alerts continuously.

Five layers, built from zero

The platform follows a strict layered architecture. Each layer has its own Terraform state, its own pipeline, and clear dependency boundaries. Changes to one layer cannot accidentally affect another.

Cloud Platform Layers

Platform architecture

Audit & compliance
  • Microsoft Sentinel SIEM
  • Entra ID log integration
  • Centralised Log Analytics workspace
  • 90-day retention with archival
Foundation & governance
  • Management group hierarchy
  • Azure Policy-as-Code initiatives
  • Tag inheritance from subscription level
  • Custom policies: deny unsafe subnets, deny open NSGs
Connectivity & workloads
  • Hub-spoke networking with Azure Firewall Premium
  • ExpressRoute to on-premises
  • DNS Private Resolver for hybrid name resolution
  • Spoke VNets for workloads and shared services

Each layer is independently deployable with its own Terraform state. Layers expose outputs so dependent layers can reference them via remote state; for example, connectivity reads the hub VNet ID from the foundation layer. Foundation changes do not require redeploying connectivity. New workload spokes are added without touching shared services.

Firewall rules as YAML, not portal clicks

Azure Firewall Premium sits at the centre of the hub-spoke topology, controlling all egress traffic. What makes this operationally sustainable is how rules are managed: as YAML files in Git. Network rules and application rules are defined declaratively, loaded dynamically by Terraform, and applied through the standard pull request workflow. Changing a firewall rule is the same process as changing any other piece of infrastructure: commit, review, merge, deploy. No portal access required.

  1. YAML rule authored
  2. PR opened
  3. Trivy scan passes
  4. Peer review approved
  5. Terraform apply
  6. Firewall updated

Identity governance as code

Access to the platform is managed through Entra ID access packages, not manual group assignments. Each data product team has a dedicated Entra ID group. When someone needs access, they request it through an access package that enforces a two-tier approval workflow: first the requestor's manager, then the platform product owners as backup. Every access grant requires justification. Every grant is reviewed semi-annually. All of this is defined in Terraform and versioned in Git.

Onboarding a new team means adding a Terraform module; the access package, approval policy, review schedule, and group membership are all created in a single apply. No tickets, no portal workflows, no manual steps.

Outcome

Before: Before No cloud platform; everything manual No governance framework IT bottleneck for every change Firewall changes via portal tickets Identity managed manually in Entra ID No audit trail for infrastructure changes

After: After Five-layer platform, fully automated Policy-as-Code enforced across all resources Project team moves at engineering speed Firewall rules as YAML in Git Identity governance as Terraform modules Every change auditable in Git + Sentinel

The platform became the foundation for everything that followed. With governance, networking, and identity solved as code, the team was free to focus on what the client actually needed: a scalable data platform. How tens of isolated data products were built on top of this foundation will be covered in a follow-up article.

This is the type of engagement our Governance & Cloud Platform as Code use case covers. Whether you need strategic guidance first (Advisory) or engineers to deliver the implementation (Builders), we have built platforms like this from scratch, and they are running in production today.

Need this for your project?

We cover this exact scenario. Strategy, delivery, or both. See the use case or get in touch.