Azure & Cloud Platform
The cloud is powerful but insecure by default. It will run a public database in the wrong region with an over-privileged admin key, simply because you asked it to. To use Azure well, always choose the managed, secure, well-architected option on purpose. Data residency and identity are not small details. They are obligations.
Azure gives us managed services that remove a lot of repetitive work. But every resource comes with defaults, regions, networking, and access models. You must set them correctly for a regulated financial workload. The platform makes scale and resilience easy. Our job is to make sure what we deploy is private, identity-secured, in the right region, and aligned with the Well-Architected pillars (reliability, security, cost, operational excellence, performance).
Two Finperiti findings show why this matters. Production ran in UK-South for an EU fintech. That is a data-residency problem, and better code cannot fix it. Also, secrets sat in plain config instead of Key Vault. Cloud choices like region, identity, and networking are compliance decisions. Treat them as carefully as the code.
Architect deliberately
- Always: Choose the deployment region to meet data-residency obligations first. EU customer or regulated data stays in the correct EU region, by design.
- Do: Prefer managed PaaS services (App Service, Azure SQL, Key Vault, Service Bus) over self-managed VMs, so the platform handles patching, HA, and hardening.
- Do: Use Key Vault for every secret and certificate, accessed through managed identity (see Managed Identity & Least-Privilege).
- Do: Design for the Well-Architected pillars: availability zones and redundancy for reliability, autoscale for performance, and cost-awareness when sizing.
- Consider: Use separate subscriptions or resource groups per environment. Use Azure Policy to enforce region, tagging, and security baselines automatically.
- Never: Deploy regulated or personal EU data to a region that breaches residency obligations.
Secure and operate the platform
- Do: Keep data services off the public internet. Use private endpoints or VNet integration, not public firewall exceptions (see Network & Resource Isolation).
- Do: Provision everything through infrastructure as code (Pulumi), never by hand in the portal, so the environment is reproducible and reviewed.
- Do: Enable platform security and observability from the start: Defender for Cloud, diagnostic logs, metrics, and alerts. Make it part of the baseline.
- Consider: Use cost and resource governance (budgets, alerts, right-sizing) so spend stays deliberate and problems show up early.
- Do not: Make changes directly in the portal on production resources. Out-of-band changes drift from IaC and leave no review trail.
- Never: Expose a database, storage account, or admin surface to the public internet, or store secrets in app configuration instead of Key Vault.
Self-review checklist
- Ask: Is this resource deployed in a region that satisfies our data-residency obligations?
- Ask: Is it reachable from the public internet when it shouldn't be?
- Ask: Are secrets in Key Vault and accessed via managed identity, or sitting in config?
- Ask: Was this provisioned through IaC, or clicked together in the portal?