6,000+ team members · 25+ network countries · 200+ private aviation terminals
A leading private aviation enterprise had been building on Azure for nearly a decade, but its cloud infrastructure had been laid down by a revolving door of vendors and developers with no central governance, no enforced standards, and no ownership model. The result was uncontrolled subscriptions spanning hundreds of resource groups, all workloads publicly exposed, authentication running on SAS tokens, and no networking controls of any kind. Rather than attempting to remediate the existing sprawl, Inferenz took a greenfield approach and built a new enterprise-grade Azure platform aligned with the Azure Cloud Adoption Framework, delivering zero-trust networking, managed identity authentication, infrastructure as code, and centralized governance across the entire estate.
The client had been on Azure for roughly a decade, but the environment had grown completely beyond control. Four core problems made the existing platform indefensible and unscalable.
70 Azure subscriptions spanning 700+ resource groups, each created independently by different vendors. No one knew who owned what, what was in use, or what could be safely decommissioned.
No virtual networks, no subnets, no firewall. All workloads were publicly exposed. Cloud-to-on-premises traffic ran over the public internet with only a basic on-premises firewall as protection.
Services authenticated using SAS tokens and plain connection strings. Anyone who obtained a token could access that service from anywhere, with no scope restrictions and no expiry enforcement.
Each team provisioned its own copy of shared services including Log Analytics and private DNS, inflating costs. All infrastructure was created manually through clicks, causing inconsistent configurations across environments.
Rather than remediating the existing sprawl, Inferenz took a greenfield approach, designing a new enterprise-grade Azure platform aligned with the Azure Cloud Adoption Framework. The existing infrastructure was too fragmented to fix within the client's timeline, so starting fresh was the only viable path.
Inferenz built a two-tier hub-and-spoke network with all ingress and egress denied by default. Traffic is routed through Azure Firewall, Application Gateway, and APIM before reaching spoke workloads, and cloud-to-on-premises communication moves exclusively over a private ExpressRoute circuit, completely off the public internet. Within each spoke, three subnet tiers isolate data, application, and frontend workloads, with all resources communicating exclusively through private endpoints.
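The hub-and-spoke layout described above, as an added Terraform example (not Inferenz's or the client's code): a hub VNet and a spoke VNet peered in both directions, one subnet per tier, and an app-tier network security group that allows only HTTPS to the data tier and denies everything else in both directions. Resource names, address spaces, the region and the azurerm provider are assumptions.

```hcl
provider "azurerm" {
  features {}
}

# All names and address spaces below are placeholders (assumptions).
locals {
  location = "eastus"
  tiers = {
    data     = "10.1.1.0/24"
    app      = "10.1.2.0/24"
    frontend = "10.1.3.0/24"
  }
  # App-tier NSG rules: one explicit allow, then deny-all at the lowest
  # custom priority so Azure's permissive built-in defaults
  # (AllowVnetInBound, AllowInternetOutBound) are never reached.
  app_rules = {
    AllowAppToDataHttps = { priority = 100, direction = "Outbound", access = "Allow", protocol = "Tcp", dst_port = "443", src = local.tiers.app, dst = local.tiers.data }
    DenyAllInbound      = { priority = 4096, direction = "Inbound", access = "Deny", protocol = "*", dst_port = "*", src = "*", dst = "*" }
    DenyAllOutbound     = { priority = 4096, direction = "Outbound", access = "Deny", protocol = "*", dst_port = "*", src = "*", dst = "*" }
  }
}

resource "azurerm_resource_group" "net" {
  name     = "rg-network-example"
  location = local.location
}

# Hub: shared ingress/egress services (Azure Firewall, Application Gateway,
# APIM) attach to their own subnets here; those subnets are omitted.
resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub"
  location            = local.location
  resource_group_name = azurerm_resource_group.net.name
  address_space       = ["10.0.0.0/16"]
}

# Spoke: one subnet per tier (data, app, frontend).
resource "azurerm_virtual_network" "spoke" {
  name                = "vnet-spoke"
  location            = local.location
  resource_group_name = azurerm_resource_group.net.name
  address_space       = ["10.1.0.0/16"]
}

resource "azurerm_subnet" "tier" {
  for_each             = local.tiers
  name                 = "snet-${each.key}"
  resource_group_name  = azurerm_resource_group.net.name
  virtual_network_name = azurerm_virtual_network.spoke.name
  address_prefixes     = [each.value]
}

# Peering in both directions; allow_forwarded_traffic lets the hub firewall
# forward packets on the spoke's behalf (the route table sending 0.0.0.0/0
# to the firewall is left out of this snippet).
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                      = "hub-to-spoke"
  resource_group_name       = azurerm_resource_group.net.name
  virtual_network_name      = azurerm_virtual_network.hub.name
  remote_virtual_network_id = azurerm_virtual_network.spoke.id
  allow_forwarded_traffic   = true
}

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "spoke-to-hub"
  resource_group_name       = azurerm_resource_group.net.name
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = azurerm_virtual_network.hub.id
  allow_forwarded_traffic   = true
}

resource "azurerm_network_security_group" "app" {
  name                = "nsg-app"
  location            = local.location
  resource_group_name = azurerm_resource_group.net.name

  dynamic "security_rule" {
    for_each = local.app_rules
    content {
      name                       = security_rule.key
      priority                   = security_rule.value.priority
      direction                  = security_rule.value.direction
      access                     = security_rule.value.access
      protocol                   = security_rule.value.protocol
      source_port_range          = "*"
      destination_port_range     = security_rule.value.dst_port
      source_address_prefix      = security_rule.value.src
      destination_address_prefix = security_rule.value.dst
    }
  }
}

resource "azurerm_subnet_network_security_group_association" "app" {
  subnet_id                 = azurerm_subnet.tier["app"].id
  network_security_group_id = azurerm_network_security_group.app.id
}
```

The two deny rules sit at priority 4096, the lowest a custom rule can take, so they shadow the built-in 65000-series allow rules without touching them; every additional flow an app needs (for example to the hub firewall or to a private endpoint) has to be added as its own allow rule above them, which is what makes the configuration reviewable.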

Firewall, Application Gateway, APIM, Log Analytics, and Private DNS were consolidated into centralized hub resources, eliminating cost duplication and giving the organization one consistent control plane across all subscriptions.

Authentication was rebuilt by replacing SAS tokens and connection strings with Azure Managed Identities backed by Azure Active Directory. With credentials scoped to specific GitHub environments and branches, a compromised credential cannot be used outside its defined context.
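The centralized Private DNS and managed-identity pattern described in the two paragraphs above, as an added Terraform example (not Inferenz's or the client's code): a Private DNS zone held once in the hub and linked to the spoke, a storage account with its public endpoint and shared keys disabled so no SAS token or connection string can work against it, a private endpoint in the data subnet, and a user-assigned managed identity with a role scoped to that one account plus a federated credential per GitHub environment. The variable inputs, resource names, the region and the GitHub repository are assumptions.

```hcl
provider "azurerm" {
  features {}
  storage_use_azuread = true # provider itself uses Entra ID, not account keys
}

# Inputs assumed to come from the network layer; all values are placeholders.
variable "hub_resource_group_name" {
  type = string
}
variable "spoke_vnet_id" {
  type = string
}
variable "data_subnet_id" {
  type = string
}
variable "github_repo" {
  type    = string
  default = "example-org/example-app" # placeholder
}

resource "azurerm_resource_group" "app" {
  name     = "rg-app-example"
  location = "eastus"
}

# Private DNS zone lives once in the hub; every spoke links to it.
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = var.hub_resource_group_name
}

resource "azurerm_private_dns_zone_virtual_network_link" "spoke" {
  name                  = "link-spoke"
  resource_group_name   = var.hub_resource_group_name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = var.spoke_vnet_id
}

# Storage account: no public endpoint, no shared keys (so no SAS tokens can
# be minted or honoured), Entra ID RBAC only. Name must be globally unique.
resource "azurerm_storage_account" "app" {
  name                            = "stappexample001"
  resource_group_name             = azurerm_resource_group.app.name
  location                        = azurerm_resource_group.app.location
  account_tier                    = "Standard"
  account_replication_type        = "LRS"
  public_network_access_enabled   = false
  shared_access_key_enabled       = false
  allow_nested_items_to_be_public = false
  min_tls_version                 = "TLS1_2"
}

resource "azurerm_private_endpoint" "blob" {
  name                = "pe-stappexample001-blob"
  location            = azurerm_resource_group.app.location
  resource_group_name = azurerm_resource_group.app.name
  subnet_id           = var.data_subnet_id

  private_service_connection {
    name                           = "psc-blob"
    private_connection_resource_id = azurerm_storage_account.app.id
    subresource_names              = ["blob"]
    is_manual_connection           = false
  }

  private_dns_zone_group {
    name                 = "default"
    private_dns_zone_ids = [azurerm_private_dns_zone.blob.id]
  }
}

# Workload identity: least-privilege RBAC scoped to this one storage account.
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-app-example"
  location            = azurerm_resource_group.app.location
  resource_group_name = azurerm_resource_group.app.name
}

resource "azurerm_role_assignment" "blob_writer" {
  scope                = azurerm_storage_account.app.id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = azurerm_user_assigned_identity.app.principal_id
}

# GitHub OIDC federation: one credential per environment, so a token issued
# for a job in "dev" is rejected when presented from "prod" or from a branch.
resource "azurerm_federated_identity_credential" "github" {
  for_each            = toset(["dev", "test", "stage", "prod"])
  name                = "gh-${each.key}"
  resource_group_name = azurerm_resource_group.app.name
  parent_id           = azurerm_user_assigned_identity.app.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = "https://token.actions.githubusercontent.com"
  subject             = "repo:${var.github_repo}:environment:${each.key}"
}
```

With shared_access_key_enabled = false, any previously leaked SAS token or connection string stops working at the account level rather than expiring on its own schedule, and the pipeline's token exchange succeeds only when the job runs in the exact environment named in the subject claim; a branch-scoped credential uses the subject form repo:ORG/REPO:ref:refs/heads/BRANCH instead.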

All infrastructure is now provisioned through enterprise-standard Terraform modules with reusable CI/CD pipeline templates per service type, ensuring consistent deployment across Dev, Test, Stage, and Production with zero configuration drift. All four environments for a new application now provision in 15 minutes via a single automated Terraform run, down from two to three days of manual click-ops across disconnected subscriptions.

Environment provisioning: down from 2 to 3 days per application. All four environments provisioned in a single automated Terraform run.
Traffic now private: all workloads moved from public endpoints to private networking. Cloud-to-on-premises traffic secured via ExpressRoute.
Attack surface reduced: zero-trust controls, private endpoints, deny-by-default rules, and managed identities closed the broad public exposure.
Governance and observability: unified Log Analytics, standardized naming, and IaC-driven deployments replace years of ungoverned manual provisioning.