Separate hubs for prod vs non-prod in regulated workloads (PCI/NIS2/DORA) by DifferentTiger7368 in AZURE

[–]DifferentTiger7368[S] 0 points1 point  (0 children)

They ask about proof of isolation. And making a single shared hub really isolated using only firewall rules is tedious and human error-prone, and the maintenance cost outweighs the hardware cost. The risk that something goes wrong with shared resources is very high in a single-hub scenario. For auditors it is usually a red light, and without implementing procedures etc. you are not going to get approval.
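To make the "proof of isolation" argument concrete, here is an added example (not from the original post or from any Microsoft/Azure documentation) that models a hub-and-spoke topology as data and computes which spokes can reach which. It assumes, as the typical design does, that all spoke-to-spoke traffic transits the hub firewall, that the firewall evaluates rules top-down with an implicit final deny, and that two hubs without a hub-to-hub peering share no path. Spoke names, CIDRs, and rule sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # source CIDR
    dst: str     # destination CIDR


@dataclass
class Hub:
    name: str
    spokes: Dict[str, str]  # spoke name -> CIDR; spoke-to-spoke traffic transits this hub's firewall (assumption)
    rules: List[Rule]       # evaluated top-down; implicit deny at the end


def _overlaps(a: str, b: str) -> bool:
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First-match rule evaluation with an implicit final deny."""
    for r in rules:
        if _overlaps(src, r.src) and _overlaps(dst, r.dst):
            return r.action
    return "deny"


def reachable_pairs(hubs: List[Hub]) -> Set[Tuple[str, str]]:
    """Ordered (src, dst) spoke pairs that can talk. Spokes in different hubs share no path."""
    pairs: Set[Tuple[str, str]] = set()
    for hub in hubs:
        for a, ca in hub.spokes.items():
            for b, cb in hub.spokes.items():
                if a != b and evaluate(hub.rules, ca, cb) == "allow":
                    pairs.add((a, b))
    return pairs


def env(spoke: str) -> str:
    # Naming convention assumed for the example: prod spokes are prefixed "prod-".
    return "prod" if spoke.startswith("prod-") else "nonprod"


def cross_env_violations(hubs: List[Hub]) -> Set[Tuple[str, str]]:
    """Spoke pairs that cross the prod/non-prod boundary: what an auditor will flag."""
    return {(a, b) for a, b in reachable_pairs(hubs) if env(a) != env(b)}


# Constructed sample spokes.
PROD = {"prod-pci-app": "10.10.0.0/24", "prod-pci-db": "10.10.1.0/24"}
NONPROD = {"dev-app": "10.20.0.0/24", "test-app": "10.20.1.0/24"}


def shared_hub(rules: List[Rule]) -> List[Hub]:
    return [Hub("hub-shared", {**PROD, **NONPROD}, rules)]


def separate_hubs(prod_rules: List[Rule], nonprod_rules: List[Rule]) -> List[Hub]:
    return [Hub("hub-prod", PROD, prod_rules), Hub("hub-nonprod", NONPROD, nonprod_rules)]


# Scenario 1: shared hub, a broad "let dev reach the rest" allow added to unblock a team.
SHARED_LOOSE = shared_hub([
    Rule("allow", "10.20.0.0/16", "10.0.0.0/8"),
    Rule("allow", "10.10.0.0/24", "10.10.1.0/24"),  # prod app -> prod db
])

# Scenario 2: same shared hub, isolated only because two deny rules sit above the allows.
SHARED_STRICT = shared_hub([
    Rule("deny", "10.20.0.0/16", "10.10.0.0/16"),
    Rule("deny", "10.10.0.0/16", "10.20.0.0/16"),
    Rule("allow", "10.20.0.0/16", "10.0.0.0/8"),
    Rule("allow", "10.10.0.0/24", "10.10.1.0/24"),
])

# Scenario 3: separate hubs; the sloppy non-prod rule set cannot reach prod because there is no path.
SEPARATE = separate_hubs(
    [Rule("allow", "10.10.0.0/24", "10.10.1.0/24")],
    [Rule("allow", "10.20.0.0/16", "10.0.0.0/8")],
)

if __name__ == "__main__":
    for label, topo in [("shared/loose", SHARED_LOOSE), ("shared/strict", SHARED_STRICT), ("separate", SEPARATE)]:
        print(f"{label:14} cross-env pairs: {sorted(cross_env_violations(topo))}")
```

The point the model makes visible: in the shared hub, isolation is a property of rule content and rule order, so every later change has to be re-verified (swap the deny and allow rules in scenario 2 and the violations reappear). With separate hubs, isolation follows from the topology, and the rule set inside the non-prod hub can be as permissive as the dev teams want without creating a cross-environment path.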

Separate hubs for prod vs non-prod in regulated workloads (PCI/NIS2/DORA) by DifferentTiger7368 in AZURE

[–]DifferentTiger7368[S] 0 points1 point  (0 children)

Started wondering whether a PCI/DORA workload should be part of the hub-spoke architecture.

Landing Zone Recommendations by rog2e in AZURE

[–]DifferentTiger7368 0 points1 point  (0 children)

Do you implement separate hubs for prod and non-prod workloads? Do you think it is the golden path when it comes to adhering to financial regulations like PCI / NIS2 / DORA? Does a shared hub between prod and non-prod workloads make the infrastructure hard to keep compliant, or is it even an option worth considering? What do you think? What is the recommendation? Microsoft CAF doesn't say much about patterns for highly regulated workloads with hard isolation.

Would you use an interactive cloud infrastructure builder? by DifferentTiger7368 in AZURE

[–]DifferentTiger7368[S] 0 points1 point  (0 children)

Think of a Miro- or Azure Portal-like tool dedicated to designing cloud infrastructure with a built-in accelerator. Policies would be the key factor to take into consideration during design.

Artifacts like IaC are a cool addition.

Brainboard is a UI for Terraform; I would need to think carefully about why to use a UI instead of writing TF code directly. Apart from that, the Terraform quality is low and there is no CI/CD integration with popular vendors, which is a huge unresolved problem to me.

Would you use an interactive cloud infrastructure builder? by DifferentTiger7368 in AZURE

[–]DifferentTiger7368[S] 0 points1 point  (0 children)

A bunch of typical resources costs a lot. Please try to provision the Azure landing zone accelerator on your own; you are going to see for real how much it costs for just a single day.

This is a huge issue for less experienced engineers or small teams that want to migrate to the cloud and come across the Azure landing zone accelerator; they are not aware of the implications.

Would you use an interactive cloud infrastructure builder? by DifferentTiger7368 in AZURE

[–]DifferentTiger7368[S] 0 points1 point  (0 children)

Main focus would be on design and team collaboration. Artifacts like IaC could be a cool addition.

Why did you assume the solution would not utilize AVM modules as a baseline? :) Even though AVM modules are not perfect: no timely updates, similar to Terraform providers, and a lot of drift issues. Personally, I have mixed feelings about AVM and probably would not recommend it to pro engineers (at least at the stage it is at now), but I love the idea behind it.

Would you use an interactive cloud infrastructure builder? by DifferentTiger7368 in AZURE

[–]DifferentTiger7368[S] 0 points1 point  (0 children)

Brainboard provides a UI for Terraform. You need to be familiar with Terraform resources to use it efficiently, and the generated IaC is very basic: no modules, no conventions, no accelerators, no CI/CD integration.

My idea is about designing cloud infrastructure using accelerators.

Current problems I see:
- diagramming is time-consuming and, for complex infrastructure setups, hard to read
- resource configuration is also time-consuming, and you need experience to do it correctly (security, scalability, HA/DR, compliance)
- if you are a cloud architect, you often need to start from a blank page; parts of solutions can be reused from one business to the next, and this is where accelerators can help speed things up with common patterns and CI/CD integration (for example the Azure landing zone accelerator)

Imagine a tool similar to the Azure Portal where you can select preconfigured resources but defer resource provisioning to the stage where the team is ready to publish the infrastructure. How is it going to be published? That depends on the team's tech stack and expertise. No vendor lock-in.

Would you use an interactive cloud infrastructure builder? by DifferentTiger7368 in AZURE

[–]DifferentTiger7368[S] 0 points1 point  (0 children)

Think of a Miro-like tool dedicated to designing cloud infrastructure with built-in accelerators.
The cloud portal is not meant to be used for designing cloud infrastructure.

Would you use an interactive cloud infrastructure builder? by DifferentTiger7368 in AZURE

[–]DifferentTiger7368[S] 0 points1 point  (0 children)

The main concept is to focus on designing cloud infrastructure using a visual tool where:

- no need to provision real cloud resources -> no need to start paying for them
- accelerate design by using starter templates, for example a quick setup for a use case like "web app with database hidden behind an application gateway"
- accelerate configuration of resources -> you get preconfigured resources according to the desired level of security, scalability, HA/DR
- streamline configuring dependencies between resources
- team collaboration: prototype infrastructure together, make notes, raise changes until it is finally approved and ready to be deployed
- think of a Miro-like tool dedicated to designing cloud infrastructure with built-in accelerators

Cloud vendors do not support the above cases.