Building a New World in the Cloud

#Azure#SolutionArchitect#Terraform#IAC

Wednesday, March 27, 2024

How I Designed, Automated, and Delivered a Greenfield Azure Platform for a Newly Independent Pharmaceutical Organisation

Some projects are about technology.
Others are about transformation.
This one was about both — and it began with a blank canvas.

When a pharmaceutical organisation separated from its parent company, the split wasn’t just organisational. They needed to rebuild their digital foundation from the ground up — identity, networking, servers, applications, security, monitoring, governance, and connectivity. Everything that once lived inside an inherited IT estate now needed to exist independently.

That challenge landed squarely with me.

As the cloud architect, my mission was to design and deliver a future‑proof Azure platform: automated, scalable, secure, compliant, and ready for the growth of a newly standalone business. And crucially, to build it all through Terraform and a modern landing‑zone approach — so the environment wouldn’t just exist, it would be engineered.

Starting the Journey: From RFP to Architecture

During the initial proposal phase, I mapped out the organisation’s application landscape. Some workloads were headed to SaaS platforms. Others were too critical or specialised and needed to be hosted in Azure. A few lightweight applications could share infrastructure, while the majority needed dedicated resources to maintain performance and reliability.

Connectivity was the backbone of the design. We recommended:

  • A high‑bandwidth private connection to Azure as the primary route
  • A fully redundant IPsec VPN tunnel for failover
  • A design that allowed seamless, resilient communication between on‑premises systems and the new cloud estate

The core principle: no single point of failure.

For the application tier, each major system received its own server, just as they had on‑premises — but now enhanced by Azure’s availability features. Every VM was placed in an availability set to ensure it wouldn’t be affected by underlying rack or host failures.

Specialist systems required additional architectural thought, such as building a load‑balanced, multi‑node structure for laboratory data management software, and creating dedicated storage areas for research datasets.

Terraforming the Cloud: Infrastructure as Code from Day One

A defining feature of this project was that nothing was manually built.

Every piece of the new environment was created through Terraform, including:

  • Subscriptions
  • Resource groups
  • Networks and subnets
  • Gateways and connectivity
  • Virtual machines
  • Security groups
  • Monitoring and diagnostics
  • Backups
  • Policies and access controls

This brought consistency, traceability, and repeatability. The organisation didn’t just receive an environment — they received code that could recreate that environment precisely, any time, in any region, with complete reliability.

This approach transformed infrastructure into a product: version‑controlled, peer‑reviewed, and engineered to evolve.

Landing Zones: A Platform Built for Governance and Scale

Alongside Terraform, I implemented structured Azure landing zones that served as the foundation for long‑term cloud operations. These landing zones included:

  • Segregated environments
  • Clear naming and tagging patterns
  • Role‑based access controls
  • Network and identity guardrails
  • Policy‑driven governance
  • Built‑in security and compliance alignment

They created order from day one — and provided a blueprint the organisation could use to expand safely and predictably.

Identity: Creating the Organisation’s New Digital Core

One of the most important steps in the project was creating a brand‑new Active Directory domain inside Azure.

Two domain controllers were deployed as part of the landing zones, placed into availability sets, and synced with on‑premises identity during the transition. Security baselines were established from the start: password rules, lockout policies, admin accounts, DNS integration, and more.

This identity layer became the beating heart of the new cloud ecosystem.

Applications, SQL, Storage, and Resilience

Once identity and landing zones were in place, the application estate began to take shape.

Application Servers

Each critical application received its own VM with the right sizing, storage, and availability configuration. Lighter systems were combined to optimise costs without impacting performance.

Database Platform

A single SQL Server VM on Premium SSD storage handled the organisation’s multiple databases, offering a balance of performance, cost‑efficiency, and operational familiarity.

Storage

A central file server handled unstructured data, with scalable disk options and migration paths flexible enough to use direct links or physical transfer appliances depending on volume.

High‑Availability Workloads

Some specialist laboratory applications required multi‑node designs — such as load‑balanced datavaults and dedicated controllers.

Everything was hardened, monitored, backed up, and aligned to industry best practice.

Security, Monitoring, and Compliance: A Multi‑Layered Approach

In life sciences, security isn’t optional — it’s foundational.

As part of the build, we implemented:

  • A full backup strategy for VMs and SQL
  • Centralised threat detection and SIEM capabilities
  • Baseline security policies with continuous compliance scanning
  • Restricted administrative access paths using secure jump services
  • Detailed monitoring and performance metric collection
  • Role‑based access control and change governance
  • Design decisions aligned to GxP expectations

This wasn’t just infrastructure built to run — it was infrastructure built to withstand scrutiny and maintain control.
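As an added illustration (not code from the project described here), this is how the Terraform list above, the landing-zone network guardrails, and the "restricted administrative access paths" item translate into a single module fragment: an NSG that admits RDP only from the jump-host subnet and explicitly denies all other inbound traffic, plus the availability set every application VM joins. The variable names, subnet CIDR and resource names are constructed assumptions; the azurerm provider is assumed to be configured already.

```hcl
# Constructed inputs: the spoke subnet and resource group come from the landing-zone layer.
variable "app_subnet_id" { type = string }
variable "rg_name" { type = string }
variable "location" { type = string }

# Admin access to the app tier is reachable only from the jump-host subnet.
resource "azurerm_network_security_group" "app" {
  name                = "nsg-app-prod"
  location            = var.location
  resource_group_name = var.rg_name

  security_rule {
    name                       = "allow-rdp-from-jump"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "10.10.250.0/24" # constructed jump-host subnet
    destination_address_prefix = "*"
  }

  # Overrides the default AllowVnetInBound rule so other subnets (and peered/on-prem ranges) cannot reach the tier.
  security_rule {
    name                       = "deny-all-other-inbound"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "app" {
  subnet_id                 = var.app_subnet_id
  network_security_group_id = azurerm_network_security_group.app.id
}

# Each application VM joins this set so a rack (fault domain) or host-maintenance (update domain) event cannot take the whole tier down.
resource "azurerm_availability_set" "app" {
  name                        = "avail-app-prod"
  location                    = var.location
  resource_group_name         = var.rg_name
  platform_fault_domain_count = 2 # some regions expose only 2 fault domains
}
```

Because the explicit deny sits above the platform default rules, a later change that opens another port has to be made in code and pass review, which is the traceability the Terraform section describes.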

Disaster Recovery: Preparing for the Worst‑Case Scenario

To ensure operational continuity, I architected and deployed a complete disaster recovery environment in a secondary Azure region.

Critical workloads replicated near‑real‑time, with failover procedures designed to recover the environment quickly if the primary region ever became unavailable. Connectivity was built over secure VPN, and runbooks defined how to bring the DR estate online smoothly.

Resilience was engineered in, not added later.

From Code to Reality: Bringing the Platform to Life

Week by week, Terraform deployments filled the once‑empty cloud environment:

  • Gateways
  • Subnets
  • Identity services
  • Servers
  • Backup vaults
  • Monitoring
  • Security policies
  • DR replication

The transition from nothing to a fully operational, production‑ready cloud platform wasn’t just technical — it was deeply satisfying.

Signing off the environment at the end of the project was the moment the organisation truly became digitally independent.

A Cloud Built for Independence and Growth

The end result wasn’t just a new IT environment.
It was a modern cloud platform engineered for the organisation’s future — secure, scalable, automated, and ready for whatever came next.

For me as the cloud architect, the project was more than a deployment. It was the chance to help an organisation stand up its own digital identity, powered by automation, strong design, and cloud architecture principles that will serve them for years.

And it all began with a blank slate — transformed through code into a new digital world.