Empty subscription. Tight deadline. A team that had never touched Azure before. That was day zero — and the assignment was to build Azure infrastructure from scratch. Not a demo, not a proof of concept. The kind of foundation that survives a security audit, spans regions, and can be rebuilt entirely from code before your coffee goes cold.
I still remember the first terraform apply against that empty subscription. Resources appearing in real time, each one a decision locked into code. Thrilling and terrifying at the same time. But that moment came later than everyone wanted it to.
Three days of whiteboards before a single line of Terraform
Everybody wanted to start writing code on day one. I said no.
We spent three days on network design. Just network design. Hub-spoke topology, zero-trust segmentation, DNS resolution chains — drawn out on whiteboards, argued over, redrawn. Three days and zero lines of Terraform. People thought I was stalling.
Three weeks later, when every module slotted cleanly into the topology we'd sketched, they stopped thinking that. Those three days of design saved roughly three weeks of rework down the line. It was the best trade I made on the whole project.
The requirements were non-negotiable
This wasn't a move-fast-and-break-things shop. The constraints were fixed before I arrived:
- Multi-region HA across availability zones — no single point of failure.
- Zero trust as an actual network design, not a slide in a deck.
- 100% Terraform — no clicking around in the portal, ever.
- Hub-spoke topology, because a flat network in an enterprise is a security incident patiently waiting to happen.
The foundation: modules, landing zones, guardrails
The base layer was Terraform modules for every resource type — reusable, versioned, tested. On top of that, landing zones with subscription vending, so a new team gets a secure, compliant environment in hours instead of weeks.
Azure Policy sat over all of it as guardrails: not documentation asking people to behave, but rules that refuse to let them misbehave. And the infrastructure itself went through a CI/CD pipeline — plan, review, apply. Nobody runs Terraform from a laptop. Ever. The pipeline is the only door in.
Security was not an afterthought
Security was the foundation, not a coat of paint at the end.
- Private endpoints on everything. No public-facing resources in the backend.
- NSG rules version-controlled and audited — every change reviewable, every change reversible.
- Key Vault for every secret. No exceptions, no "just this once."
- RBAC with least privilege, reviewed monthly, because access sprawl is silent right up until it isn't.
The mistakes that bit hardest
I won't pretend it was clean. Three things hurt.
DNS in hub-spoke is its own special nightmare. I underestimated it, and it's always DNS. Private DNS zones, forwarders, conditional resolution across spokes — design this late and you retrofit it in pain.
Azure defaults are not secure. Not even close. Assuming otherwise is how you end up explaining a public storage account to a security team.
Governance you bolt on later is governance you rip out and rebuild. We learned that one the hard way too. Plan it from day one, or plan to redo it.
Infrastructure as code, not infrastructure as hope
The subscription that started empty ended up with multi-region HA across availability zones, private endpoints on every resource, and a full rebuild-from-code path that runs in under an hour.
That last part is the whole point. If your Azure infrastructure can't be rebuilt from code in under an hour, you don't have infrastructure as code. You have infrastructure as hope.
Cloud is not magic. It's engineering with a credit card. The architecture decisions you make in the first three days — before anyone writes a line of Terraform — decide whether you're building a platform or a liability.
So here's the question I'll leave you with: how much time do you actually spend on design before writing the first line of code?