Azure
Bicep, ARM, networking, identity — the platform fundamentals.
Air-Gapped Azure OpenAI With Private Endpoints: A Terraform Module That Actually Works
"Air-gapped" is a strong word for something running in a public cloud, but it's the right word for what regulated customers want: an Azure OpenAI deployment whose only network path is through their own VNet, with public access ful…
Azure Policy as Code in Pipelines: Testing, Drift Detection, and Why Audit-Mode Isn't Free
We have 47 Azure Policy assignments across the platform. They were managed by hand for two years, a screen of click-through configuration that only the platform lead understood, mostly audit-mode, with one Deny assignment that nobo…
Build the Azure Policy as Code Pipeline: Definitions, Tests, Drift, Exemptions
Two years ago we had 47 Azure Policy assignments across our subscriptions. They were managed by hand, click-through configuration in the portal, mostly audit-mode, with one Deny assignment that nobody trusted enough to actually en…
Migrate a Resource Group Into a Bicep Deployment Stack: Two-Phase, Zero-Downtime
I have, over the past four years of Azure work, deployed a Bicep template against a resource group three separate times and forgotten about resources the *previous* template had created.
Bicep Deployment Stacks: The Cleanup Story I Should Have Shipped Years Ago
I've been deploying Bicep against resource groups for four years. I have, on three separate occasions, deployed a fresh template and then forgotten about the resources the *previous* template created, because Azure's default deplo…
Multi-Region AKS-Only GitOps With Azure Arc: A Drift-Reconciliation War Story
We run AKS in three regions: West Europe, East US, and Australia East. The promise of GitOps with Azure Arc is "one Git repo, three clusters, drift gets reconciled automatically." The reality is more interesting and considerably m…