In a no-obligation conversation, we'll figure out together how we can best support you. Concrete next steps, no sales pitch.
Infrastructure as code with Terraform, GitOps-driven deployments, Azure Policy for compliance and FinOps for cost control. That's what a mature Azure platform looks like.
$ terraform plan -out=tfplan
Plan: 4 to add, 1 to change, 0 to destroy
Azure platforms operated for
If any of these symptoms ring a bell, a structured governance audit is worth your time.
Without infrastructure as code, the subscription grows chaotically. Drift from the desired state is invisible, every change is a risk.
Resources without cost-center tag, without owner, without environment label. The monthly cloud bill arrives, nobody can attribute it.
When the auditor shows up, the spreadsheet battle begins. Azure Policy, Defender for Cloud and activity logs sit unused instead of proving compliance continuously.
100 % infrastructure as code · Every resource in Terraform, every change via pull request, drift detection runs in CI.
<5 min time to production · From merge to main to production environment, stage deployments with automated smoke tests.
0 manual policy reports · Azure Policy, Defender for Cloud and activity logs deliver compliance evidence continuously.
Seven phases, one continuous methodology. Every phase with clear results and a documented practice analysis.
Strategy, plan and platform prerequisites, before any workload moves.
Cloud vision, outcomes, financial justification. Nobody starts before the why is set. · Workshops
Workload inventory, skill gaps, governance requirements. Concrete roadmap draft. · 2-4 weeks
Management group hierarchy, networking topology, identity model, policy baseline, production-ready. · 3-6 weeks
Workloads migrate in waves. With test cutover, rollback plan and hyper-care.
Lift-and-shift, re-platforming, cloud-native development. Wave-based with test cutover and hyper-care. · iterative
Governance, security and operations run in parallel from the first workload onwards.
Azure Policy as code, FinOps pipeline, tagging strategy, risk register. Compliance continuously provable. · ongoing
Zero Trust, Defender for Cloud, Sentinel, Confidential Computing. Security as default, not as audit reaction. · ongoing
Ready, Administer, Monitor, Protect. Operating model with clear ownership, automation and SLOs. · handover to your team
Clearly defined stages, drift detection, policy validation. Every change is traceable, every apply reversible.
Change as a pull request with an automatically validated Terraform plan. Nobody merges blind. Your time: 30 min · Our work: pull request review.
Azure Policy checks compliance, FinOps bot forecasts cost impact, security scanner runs on the plan file. Your time: 0 min · Our work: automatic in CI.
Code review with clear approval rules. Critical modules need 2 approvers, standard changes one. Your time: 30 min · Our work: same-day.
Merge on main triggers apply. Stage promotion automatic after smoke test, production apply with manual gate. Your time: 0 min · Our work: <5 min automated.
Nightly drift detection, cost reports per resource group, alerts on policy violations, no surprises. Your time: 0 min · Our work: continuous.
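What the "security scanner runs on the plan file" step can look like for the tagging rule, as an added example written here in the style of the Python CLI described further down (it is not part of the Azure Governance Starter modules): it reads the JSON form of a Terraform plan (`terraform show -json tfplan`) and fails the pull request when a resource being created or updated lacks the cost-center, owner or environment tag. The tag names, resource addresses and the sample plan are constructed.

```python
import json
import sys

# Tags every resource must carry so cost and ownership stay attributable
# (names taken from the page's symptom list; all values are constructed).
REQUIRED_TAGS = ("cost-center", "owner", "environment")

# Constructed sample of `terraform show -json tfplan`: one compliant
# resource, one tagged incompletely, one deletion (not checked).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "azurerm_resource_group.checkout",
     "change": {"actions": ["create"], "after": {
         "name": "rg-checkout-prod",
         "tags": {"cost-center": "4711", "owner": "team-checkout",
                  "environment": "prod"}}}},
    {"address": "azurerm_key_vault.checkout",
     "change": {"actions": ["update"], "after": {
         "name": "kv-checkout-prod", "tags": {"environment": "prod"}}}},
    {"address": "azurerm_storage_account.legacy",
     "change": {"actions": ["delete"], "after": None}},
]})

def missing_tags(plan_json: str) -> dict[str, list[str]]:
    """Map each created or updated resource address to its missing tags.
    Deletions, no-ops and untaggable resource types are skipped."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if not {"create", "update"} & set(change["actions"]):
            continue  # delete / no-op: nothing new enters the subscription
        after = change.get("after") or {}
        if "tags" not in after:
            continue  # provider schema has no tags attribute
        tags = after["tags"] or {}  # null tags means the block was omitted
        missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
        if missing:
            findings[rc["address"]] = missing
    return findings

def main() -> int:
    # In CI: terraform show -json tfplan | python check_tags.py
    plan_json = SAMPLE_PLAN if sys.stdin.isatty() else sys.stdin.read()
    findings = missing_tags(plan_json)
    for address, tags in findings.items():
        print(f"{address}: missing tags {', '.join(tags)}")
    return 1 if findings else 0  # non-zero exit fails the pull request

if __name__ == "__main__":
    sys.exit(main())
```

A replace (`["delete", "create"]`) is treated as a create, so a resource that is rebuilt without its tags is caught as well.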
From management group to single resource, tagging, policies and permissions are enforced at every level, not hoped for.
Management Groups · enforced: Corp (Root), Production (Workload), Sandbox (Innovation)
Subscriptions · enforced: prod-eu-001 (EA · Production), stage-eu-001 (EA · Staging), dev-eu-001 (EA · Development)
Resource Groups · enforced: rg-checkout-prod (Web + DB), rg-platform-prod (Shared Services), rg-data-prod (Data Plane)
Resources · enforced: App Service, PostgreSQL, Key Vault
CAF-compliant naming: {prefix}-{project}-{env}-{region}-{seq} → rg-henden-prod-weu-001-network
Terraform for infrastructure, Azure DevOps or GitHub Actions for pipelines, Azure Policy and Defender for governance. All pieces interlock cleanly.
Infrastructure as Code: Versioned modules per domain (Networking, Identity, Data, App). State in the Azure Storage backend with state locking.
CI/CD Pipelines: Pull-request-driven workflows with plan output in the PR. Production apply with a manual gate, stage apply automatic.
Compliance Enforcement: Policies as code, initiative definitions for compliance frameworks (ISO 27001, SOC 2). Drift is blocked at apply.
Security Posture: Continuous security assessment, recommendations, regulatory compliance reports, exported automatically into your tickets.
FinOps: Tagging strategy enforced via Policy. Budget alerts per resource group, reserved-instance recommendations from Advisor.
Observability: Distributed tracing, live metrics, smart detection. SLOs as code, alert rules versioned with the application.

Mertkan Henden
Cloud specialist · Heilbronn
Over the past five years in enterprise environments across automotive and consulting, I've seen how Azure platforms either become a competitive advantage or a compliance nightmare. The difference rarely lies in the technology, almost always in the discipline of the first 100 days. That's exactly where I step in with you.
— Mertkan Henden
Sample topology for a customer-facing web application, all in Terraform, all documented, all reproducible.
Front Door / CDN: Global routing
Traffic Manager: DNS routing
Azure DNS: DNS zones
API Management: Gateway
Application Gateway: L7 + WAF
Azure Firewall: L4/L7 firewall
App Service: Web + API
Static Web Apps: JAMstack
AKS: Kubernetes
Container Apps: Workers
Function Apps: Serverless
Spring Apps: Managed Spring
Service Bus: Async messaging
Event Hubs: Event streaming
Event Grid: Pub/Sub
Logic Apps: Orchestration
Azure SQL Database: PaaS · single DB
SQL Managed Instance: Lift-and-shift SQL
PostgreSQL: Flexible Server
MySQL: Flexible Server
Cosmos DB: NoSQL multi-model
Cache for Redis: In-memory
Blob Storage: Object store
Data Lake Gen2: Analytics storage
Entra ID: Identity
Enterprise Apps: SSO / SAML / OIDC
App Registrations: OAuth clients
Managed Identities: Workload identity
Key Vault: Secrets
Defender for Cloud: Posture & threats
Sentinel: SIEM / SOAR
Azure Monitor: Platform observability
Application Insights: APM & traces
Log Analytics: Logs & KQL
Metrics: Time-series
Alerts: Action groups
Workbooks: Dashboards
Managed Grafana: Visualisation
One of the most common mistakes in Azure architectures is the wrong layering of ingress components. Here's our decision framework.
Internet: Anyone, anywhere
Azure Front Door: Global · CDN · WAF · DDoS
Application Gateway: Regional · L7 · Path routing · WAF v2
API Management: Quotas · Subscription keys · Transformation
Backend (App Service · AKS · Functions): Private endpoints · Managed identity
Azure Front Door (Global · Edge · CDN): Global anycast platform with CDN, WAF and DDoS protection. The first line of defence for any publicly reachable workload.
Application Gateway (Regional · Layer 7 · WAF): Regional reverse proxy with path-based routing, SSL termination and WAF v2. Ideal for workloads in a single region with fine-grained routing.
API Management (API gateway · Throttling · Versioning): Real API gateway with quotas, subscription keys, transformations and a developer portal. For external or internal service-to-service APIs.
Six layers that together produce audit-secure infrastructure. Private endpoints, key vault per service and diagnostics are defaults in our modules, not options.
Identity & Access: Entra ID · Managed Identities · App Registrations · Conditional Access
Network Security: NSGs · Private Endpoints · Application Gateway WAF · Azure Firewall
Workload Security: Defender for Cloud · Trivy in the pipeline · Confidential Computing
Data Protection: Key Vault · Encryption at rest, in transit, in use · Customer-managed keys
Audit & SIEM: Activity Log · Microsoft Sentinel · Log Analytics · Diagnostic Settings
Compliance Evidence: Azure Policy · Compliance Center · Initiative Reports · ISO 27001 · SOC 2
Microsoft Sentinel (SIEM · SOAR · Threat Hunting): Cloud-native SIEM with data connectors for every Azure service and third-party sources. Playbooks for automated response, KQL for threat hunting.
Defender for Cloud (CSPM · CWPP): Continuous posture assessment, Secure Score, regulatory compliance reports for ISO 27001, NIST, BSI baseline. Findings land directly in your backlog.
Confidential Computing (Encryption in use): Data encrypted even during processing. Trusted Execution Environments for highly sensitive workloads: financial data, identity processing, regulated industries.
We compose like a tech stack: foundations into building blocks into stacks. Versioned, tested, usable in your repository.
Stacks: Standalone solution stacks for complete workloads. Composable per landing zone.
Building blocks: Composed wrappers with safe defaults. Reusable across stacks.
Foundations: Atomic primitives, used in every block and stack.
Our modules ship with a Python CLI that automates project scaffolding, app onboarding and status reporting. Standalone for your team, locally or in CI.
azure-starter setup · One-time Azure tenant configuration: service principal, subscriptions, backend storage.
azure-starter onboard · Create a new project, pick an architecture pattern, generate complete Terraform scaffolding.
azure-starter add-app · Add a new application to an existing landing zone: App Service, Container App or AKS.
azure-starter status · Project status, deployed resources and drift overview in the console.
$ azure-starter onboard
Want to go deeper? Our blog articles document the decisions behind the sections above.

The practical guide to the Govern phase of the Microsoft Cloud Adoption Framework: team, risks, policies, Azure Policy & automation, FinOps, data and AI governance with best practices and examples.
In this post of the Azure Governance Starter blog series, you will learn how the Secure phase of the Microsoft Cloud Adoption Framework establishes security as a continuous process.
In this post, you will learn how to holistically protect data, applications, and infrastructure in Microsoft Azure with Zero Trust, network segmentation, identity management, encryption (at rest, in transit, in use), and Confidential Computing.
The implementation, configuration, and optimization of the Azure Web Application Firewall can be complex. For this reason, this blog post covers the specific steps and recommendations for configuring a Web Application Firewall correctly.
A technically grounded architectural classification of Azure Front Door, Application Gateway, and API Management with clear decision criteria, network implications, and real integration patterns.
Many Terraform projects start lean and end up as monoliths. This guide explains how to migrate Azure infrastructure to modular states, clear module boundaries, and resilient CI/CD governance without downtime.