Public cloud platforms and services have huge potential for organisations embracing work-from-anywhere practices. But as much as these platforms provide tools and flexibility to build out a truly modern workplace, they also carry serious caveats. Building in the cloud must rise on stable foundations or risks can be involuntarily created and costs can spiral.
Queenstown Lakes District Council’s (QLDC) modest ratepayer base is eclipsed by its international popularity. Visitors who come to New Zealand because of Queenstown spend over a billion dollars per annum nationally. But with just 38,000 ratepayers, the council needs to squeeze every bit from its technology.
Looking to do more in Microsoft Azure, QLDC engaged CCL to establish a policy-hardened landing zone on which to build its work-from-anywhere future.
“Creating a landing zone to best practice standards gives us the tools to deploy quickly and easily.”Simon Jopson, ICT Manager, Knowledge Management, Queenstown Lakes District Council
QLDC viewed Microsoft Azure as the linchpin for extending the reach of its core business technology and data. This was no big play to shift on-premises infrastructure to the cloud – the council’s core rating system was running in the cloud, and Microsoft productivity apps provided all the cloud-based tools for council workers to do their jobs. Rather, QLDC was looking to establish an Azure landing zone with effective policies and governance, to bring order to ongoing development and integration work to support its evolving mobile workplace platform.
Having previously dabbled in Microsoft Azure, QLDC understood the critical importance of secure, policy-defined foundational infrastructure and application deployment practices in the cloud.
“Putting workloads in Azure is fairly simple,” said Simon Jopson, ICT Manager, Knowledge Management, at QLDC. “But we hadn’t followed correct guidelines – things were getting messy. Ultimately, we wanted a mansion, but we were DIY-ers working without a building plan.”
Keen to develop quickly and try new things, such as moving workloads from servers to app functions (serverless compute), the council was reluctant to tackle the work on its own. The more opportunistic nature of its technology development required guardrails to enforce consistent practices, controls to govern cloud access and costs, and codified delivery and processes for applications and foundation infrastructure in Azure.
Microsoft had opened the council’s eyes to how its future might look in Azure. Keen to proceed, Jopson tapped CCL, who conducted a series of workshops to explore the fundamentals of working in Azure and its approach to architecture design. “If you don’t have the connectivity, security, or authentication in Azure, it won’t work well,” says Jopson.
CCL’s landing zone design methodology combines elements of Microsoft’s Cloud Adoption Framework (CAF) with the company’s own extensive IP gathered over many years and previous deployments. This amalgamation is known as Azure Reference Architecture.
Infrastructure as Code (IaC) is a central feature of the framework. Using an IaC tool developers can define software infrastructure as code, effectively standardising and automating workflow in Azure. The approach allows engineers to compose resources, such as compute instances or private networks, and manage these configurations as modules to deploy new software in a rapid and repeatable manner. CCL’s range of production-ready Terraform modules within the Azure Reference Architecture accelerate development and time to market.
Control over who gets access to application infrastructure and what they can do with those resources, is another defining feature of the council’s operating framework. Azure role-based access control through IaC equips the council with tools to ensure that application resources stay within organisational security or governance boundaries through automation, ensuring teams’ access is always specific to their work needs. Azure Reference Architecture is a platform engineering framework, which gives QLDC greater flexibility and speed to deployment with available modules and DevOps pipeline.
With a policy-hardened and DevSecOps integrated Azure landing zone now in play, QLDC can further develop its work-from-anywhere model securely and at pace.
No surprises: Effective modularisation of software infrastructure as code ensures the council can standardise its workflow in Azure, paving the way for rapid, error-free development.
Better control: Role-based access control ensures application resources don’t violate the council’s security or governance boundaries.
Improved visibility: Governance controls and alerting enforce QLDC policies and standards, providing better visibility to cloud usage and costs across the council’s Azure environment.
Moving beyond the network: QLDC now has the platform to move or refactor its network drives beyond the corporate firewall, better supporting remote workers and collaboration with external consultants – without creating privacy risks.
“There’s an element of black magic working in the cloud. We’re a small IT organisation and don’t have the same exposure to best practices as experts like CCL. They really know their stuff and it takes a load off us,” says Jopson.
More Case Studies
Custom iPhone app and computer vision create a new class of machine for meat exporter ANZCO Foods.