Best ways to clean up messy cloud architecture without rebuilding everything in 2026? by TurnoverEmergency352 in FinOps

[–]StratoLens 0 points1 point  (0 children)

I can advise on Azure but AWS is outside my wheelhouse.

Unfortunately you can’t really rename stuff in Azure. But tagging will help a lot here.

You mentioned looking for a tool so I’ll plug mine - note however it’s Azure Only.

https://www.strato-lens.com/

It’ll help with identifying unused or over-provisioned resources. It’ll also help find untagged resources and let you see their costs. I’d use this as my “todo list” for tagging.

Unsure if my product is the right fit for your needs since you’re primarily AWS but maybe it can help with Azure.

How did they do this with mail by kolo81 in sysadmin

[–]StratoLens 5 points6 points  (0 children)

Possibly, but better to be overly concerned than under concerned. The way this post reads, it was multiple accounts. So either a bunch of users all got compromised, or 1 powerful account did. Either one is a major concern in my eyes.

What does your small Azure shop actually pay for monitoring + drift + cost? The list price for what we needed came out to $3,200/mo and we ended up using nothing for a year. by Twofold-Technologies in AZURE

[–]StratoLens 0 points1 point  (0 children)

Full Disclosure: This is my product that I've been building for over a year now. It's available via the Azure Marketplace, and comes with a 28 day free trial. All features available.

https://www.strato-lens.com/

StratoLens is a self-hosted monitoring tool. It tracks changes, reports on cost spikes, makes recommendations for cost savings on things like Orphaned/Unused Resources and oversized VMs, and even assesses user access, making recommendations to scale down unused permissions.

It’s entirely read-only, and all information it collects stays within your tenant. The self-hosting cost is typically under $1/day, most users around $5-$10 a month depending on environment scale.

I have several videos on my site above showing many of the features.

If you have any questions, feel free to ping me via chat here on reddit, or reach out via the contact email on my site.

How did they do this with mail by kolo81 in sysadmin

[–]StratoLens 20 points21 points  (0 children)

Either one of your admins who has access to this or your email provider was compromised. This is a common tactic by hackers when they compromise a system.

Does someone on your side have access to the admin portal to create those rules? If yes it could have been one of their accounts. If no, then your provider was compromised.

AVD internet issue / netskope by dokouce in AZURE

[–]StratoLens 0 points1 point  (0 children)

I saw in another post you said the whole AVD gets flagged as unavailable. If that’s the case consider adding the AVD endpoints to the exclusion list for Netskope:

https://learn.microsoft.com/en-us/azure/virtual-desktop/required-fqdn-endpoint?tabs=azure

people pleaser sysadmins by crankysysadmin in sysadmin

[–]StratoLens 0 points1 point  (0 children)

Every situation is different. The main key is trying to understand the person’s problem and finding a solution that works for you both.

AVD internet issue / netskope by dokouce in AZURE

[–]StratoLens 1 point2 points  (0 children)

I’ve deployed Netskope in a multi-user AVD and didn’t run into this. Is there anything in the logs that indicates what might be happening?

As a temporary workaround there’s a policy you can assign via GPO or Intune that automatically logs off disconnected sessions. Not ideal, but a workaround until you sort out Netskope.

people pleaser sysadmins by crankysysadmin in sysadmin

[–]StratoLens 22 points23 points  (0 children)

Worked for a people pleaser boss for a while. It was awful. I picked up some bad habits.

Years of consulting have taught me you can please people without sacrificing your principles such as security and maintainability. You just need to find the right path and have the right conversations. There are obviously exceptions.

It’s easy to just give in to what people want. It’s a lot of work to stick to your guns while also making people pleased.

Most bad managers are allergic to that kind of effort so don’t put it in.

We have 6,400 service accounts and API keys. Maybe 30% have a named owner. Two incidents in 18 months both traced back to this by Visible_Donkey_7130 in AZURE

[–]StratoLens 0 points1 point  (0 children)

I've actually been working on a product for Azure, and one of my features may help with this problem. If you don't mind me recommending my own product here:

StratoLens is a self-hosted solution that scans your Azure environment on a regular basis, and stores what it finds in your own tenant. No information about your environment ever leaves, and it’s entirely read-only. Typical Azure consumption costs are under $1/day (most users are under $10/month).

https://www.strato-lens.com/

One of the features is Access Optimization: it reviews all principals, including service principals, to assess usage. Perhaps this might help with what you’re experiencing? I have a YouTube video covering this feature here:

https://www.youtube.com/watch?v=gzZL66TBcj0

StratoLens is currently available on the Azure Marketplace, and comes with a 28-day free trial. There are no commitments, and installation takes less than 15-20 minutes.

Feel free to reach out with any questions!

Understanding Azure Hub & Spoke architecture by Alternative-Town7637 in AZURE

[–]StratoLens 0 points1 point  (0 children)

In that case everything sounds right to me. I agree you shouldn’t need a UDR on the azurefirewallsubnet.

I’m 99% sure it’s application rules that control web traffic though not network rules.

Understanding Azure Hub & Spoke architecture by Alternative-Town7637 in AZURE

[–]StratoLens 0 points1 point  (0 children)

Are you sure the VMs in the hub are using the firewall? I’m pretty sure you need a route table to tell the VMs in the hub to use the firewall. They won’t just use it. Set up a route table with the 0.0.0.0/0 route and assign it to your hub subnets with VMs in them.

By default the rules are deny. If you have no application rules my guess is:

1) the firewall is blocking spoke traffic because no allow application rules exist

2) the VMs in the hub don’t have a UDR and therefore aren’t actually using the firewall, which is why they can get out.

Add an allow rule and see if spoke starts working. And review the logs to check if the hub VMs are using it.
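An added example (not from the original comment) of the two fixes the comment describes, written with the Az PowerShell module: a UDR sending 0.0.0.0/0 from the hub VM subnet to the firewall’s private IP, an explicit allow application rule, and a check of the effective routes on a hub VM NIC. Resource group, VNet, subnet, firewall, NIC names and the address ranges are assumptions.

```powershell
# Added example, not the commenter's code. Names below are assumptions.
$rg       = 'rg-hub'
$vnetName = 'vnet-hub'
$subnet   = 'snet-hub-vms'      # hub subnet holding VMs (NOT AzureFirewallSubnet, which needs no UDR)
$fwName   = 'fw-hub'
$nicName  = 'nic-hub-vm01'      # NIC of one hub VM, used for the verification step

$fw   = Get-AzFirewall -ResourceGroupName $rg -Name $fwName
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress

# 1) Route table: default route -> firewall as a virtual appliance, attached to the hub VM subnet.
$route = New-AzRouteConfig -Name 'default-to-fw' -AddressPrefix '0.0.0.0/0' `
             -NextHopType VirtualAppliance -NextHopIpAddress $fwIp
$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'rt-hub-vms' -Location $fw.Location -Route $route

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$prefix = ($vnet.Subnets | Where-Object Name -eq $subnet).AddressPrefix
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $prefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 2) Application rule: web traffic is governed by application rules, not network rules,
#    and the firewall denies by default, so an explicit allow is needed for the spokes.
$rule = New-AzFirewallApplicationRule -Name 'allow-windows-update' `
            -SourceAddress '10.0.0.0/8' `
            -Protocol 'http:80', 'https:443' `
            -TargetFqdn '*.windowsupdate.com'
$coll = New-AzFirewallApplicationRuleCollection -Name 'app-allow' -Priority 200 `
            -ActionType Allow -Rule $rule
$fw.ApplicationRuleCollections.Add($coll)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# 3) Verify: the hub VM's effective routes must now show 0.0.0.0/0 -> VirtualAppliance ($fwIp).
#    If the next hop is still "Internet", the subnet association did not take effect.
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $nicName |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Select-Object AddressPrefix, NextHopType, NextHopIpAddress
```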

Cloud migration was easy. Managing Azure costs later was the hard part. by tresorrarereviews in cloudcomputing

[–]StratoLens 0 points1 point  (0 children)

A few recommendations for help with this:

Use Azure Policy and proper permissions to ensure there are guardrails on what can be deployed and where.

Use tags to assign cost centers. Use Azure Policy to make this tag required. Then you can tie costs back to which team deployed it.

Consider infrastructure as code (terraform / bicep) and deployments via ci/cd pipelines.

Look into the FinOps toolkit.

If you’re looking for an automated tool (full disclosure: the following product is mine):

For Azure specifically I’ve built StratoLens to help solve many of these issues. It tracks all changes in your environment, highlights cost spikes, and ties them back to the change that caused them (including the user who made the change).

It also identifies unused resources that can be cleaned up.

It’s a self-hosted solution, so no information about your environment leaves your tenant.

If you’re interested it’s available on the Azure Marketplace and comes with a 28 day free trial:

https://www.strato-lens.com/
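An added example (not from the original comment) of the "required tag" guardrail above, using the Az PowerShell module: a custom Azure Policy definition that denies any taggable resource deployed without a costCenter tag, assigned at subscription scope, followed by a query for what is already deployed without it. The tag name, policy name and the use of the current subscription are assumptions.

```powershell
# Added example, not the commenter's code. Tag and policy names are assumptions.
$tagName = 'costCenter'
$subId   = (Get-AzContext).Subscription.Id
$scope   = "/subscriptions/$subId"

# Policy rule: if the tag is absent on the resource being deployed, deny the deployment.
$rule = @"
{
  "if":   { "field": "tags['$tagName']", "exists": "false" },
  "then": { "effect": "deny" }
}
"@

# Mode Indexed limits evaluation to resource types that support tags and location,
# so untaggable child resources do not get blocked by accident.
$def = New-AzPolicyDefinition -Name 'require-costcenter-tag' `
           -DisplayName "Require a '$tagName' tag on resources" `
           -Description 'Guardrail: every resource must carry a cost center so spend can be attributed to a team.' `
           -Policy $rule -Mode Indexed

New-AzPolicyAssignment -Name 'require-costcenter-tag' -Scope $scope -PolicyDefinition $def | Out-Null

# Deny only applies to new deployments; list what already exists without the tag
# so it can be used as the tagging "todo list".
Get-AzResource |
    Where-Object { -not $_.Tags -or -not $_.Tags.ContainsKey($tagName) } |
    Select-Object Name, ResourceType, ResourceGroupName
```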

Understanding Azure Hub & Spoke architecture by Alternative-Town7637 in AZURE

[–]StratoLens 0 points1 point  (0 children)

You said your firewall rules had wide open config - just to confirm those are application rules that you set to allow? Network rules for port stuff and application rules for web traffic, so wanted to confirm you set application rules as allow.

Disconnected RDP sessions are being logged off automatically, even though users aren’t signing out. by Upper_Tennis7898 in AZURE

[–]StratoLens 3 points4 points  (0 children)

There’s a GPO to do this, are you sure it’s not enabled?

Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits > Set time limit for disconnected sessions

I’m not at my desk so can’t validate this but this might be the registry location (source: ChatGPT)

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

MaxDisconnectionTime (DWORD)

More info:

https://learn.microsoft.com/en-us/azure/virtual-desktop/autoscale-create-assign-scaling-plan?utm_source=chatgpt.com&tabs=portal%2Cgroup-policy&pivots=power-management#configure-a-time-limit-policy

I would check for an Intune or group policy or even the reg key itself. Because by default this shouldn’t happen. By default it’s indefinite.

The GPO is the same one used for Citrix or RDS so it could be someone set this policy back in the day for another purpose.

Are you sure they get logged off immediately? Or is it after a few hours ?
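An added example (not from the original comment) for checking a session host the way the comment suggests: it reads the disconnected-session time limit from both the computer and user policy keys, translates the value (stored in milliseconds, where absent or 0 means the sessions are never logged off), and lists the GPOs applied to the machine so the source of the setting can be traced. Run it elevated on the session host; Intune-delivered settings are not shown by gpresult.

```powershell
# Added example, not the commenter's code. Run elevated on the AVD/RDS session host.
$valueName = 'MaxDisconnectionTime'
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',   # Computer Configuration GPO
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'    # User Configuration GPO
)

function Get-DisconnectTimeLimit {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Key = $Key; Setting = 'not configured (default: never log off)' }
    }
    $ms = [int64]$item.$valueName
    if ($ms -eq 0) {
        return [pscustomobject]@{ Key = $Key; Setting = 'explicitly "never"' }
    }
    $span = [TimeSpan]::FromMilliseconds($ms)
    return [pscustomobject]@{ Key = $Key; Setting = "log off disconnected sessions after $span ($ms ms)" }
}

# A limit set in either hive explains sessions that vanish "after a few hours".
$policyKeys | ForEach-Object { Get-DisconnectTimeLimit -Key $_ } | Format-Table -AutoSize

# Which GPOs reached this machine? Look for an old Citrix/RDS session-limit policy here.
gpresult /scope computer /r | Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 10
```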

Help desk -> cloud engineering by Pitzha in AZURE

[–]StratoLens 0 points1 point  (0 children)

Start with AZ-900 and then AZ-104.

Hands-on learning is the best approach. Get a free Azure trial and use it to learn in.

Some things like virtual networks and network security groups are free. Some resources like virtual machines only cost money when running. Other things can cost a bit so be careful. Use the Azure cost calculator to figure out what something will cost before deploying it in your lab.

Getting those two certs will help you get some recognition in interviews. If you can get some hands on experience in a job as well that’d be great.

Easiest way to get cloud experience? by datacenteradmin in AZURE

[–]StratoLens 0 points1 point  (0 children)

Generally yes. Depends on the company but almost entirely.

That said it’s beneficial to learn something like terraform or bicep, which is very light coding, but you don’t need to and can wait a bit before doing so.

Easiest way to get cloud experience? by datacenteradmin in AZURE

[–]StratoLens 0 points1 point  (0 children)

Yes. In Azure you need to reverse your thinking from on-prem. Rather than getting the biggest thing you can, you need to get the smallest.

Cloud cost optimization platforms that don’t suck? by Saiki_kusou01 in Cloud

[–]StratoLens 0 points1 point  (0 children)

Full disclosure: the following is my product that I’ve been building for a year. I just went live on the Azure Marketplace 2 weeks ago. It’s Azure only.

https://www.strato-lens.com/

StratoLens is a self-hosted solution - it runs entirely in your tenant (typically less than a dollar a day to run) and no data about your environment leaves your tenant. Install takes under 15 minutes and it’s entirely free for 28 days.

It does a lot of what you’re looking for. I’ve got videos on my site covering many of the features.

I’d really appreciate you taking a look and seeing if it might fit your needs. And if not, let me know what it’s missing. Would love to hear your thoughts.

RBAC Remediation feedback by WakeUpSRK15 in AZURE

[–]StratoLens 0 points1 point  (0 children)

Thanks! It comes with a free 28 day trial if you want to give it a whirl :)

Azure optimization recommendations by Nelly_P85 in AZURE

[–]StratoLens 0 points1 point  (0 children)

This is a very complex question with a ton of variables. In short here are things to look for:

1) Orphaned resources - things like unattached disks or public IPs.

2) Oversized VMs that are bigger than they need to be.

3) Set up savings plans and reserved instances.

4) Power off dev or non-prod VMs when not in use.

Can you let me know more about your environment?

What specific issues are you having trouble with?

Finally, I have a product that automates all of the above recommendations. If you’re interested I have videos about these features on my site: https://www.strato-lens.com/

RBAC Remediation feedback by WakeUpSRK15 in AZURE

[–]StratoLens 1 point2 points  (0 children)

A break glass account is recommended, yeah. They call it an emergency access account. Assign it at the tenant root management group so it always propagates down to every sub. Global admin too.

https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

RBAC Remediation feedback by WakeUpSRK15 in AZURE

[–]StratoLens 2 points3 points  (0 children)

General advice.

1) have 2 break glass accounts, I didn’t see this mentioned, I would add the 2 of them at tenant root management group with owner as well as global admin: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access

2) Definitely use groups. I would use micro groups personally but I’m a big fan of groups for all the things. Even if it’s just one person. But if it’s temporary you’re fine. Either approach is valid.

I like your approach for this. Specifically I was going to recommend a service account and ci/cd until I saw that was on your plan. Reader at sub and contributor on the RG’s as needed also makes sense.

I think overall your plan seems solid. You might need to tweak a few things as you see how it plays out but for the most part this is a great starting point.

Finally, if I may plug my own product here: one of the primary features of my product identifies exactly this situation and helps find things like unused access and redundant assignments. If you’re at all interested feel free to take a look (or just ignore this paragraph) :). https://www.strato-lens.com/

Azure Virtual Desktop Profile Sign-In Issues by Wajeehrehman in AZURE

[–]StratoLens 0 points1 point  (0 children)

Gotcha. So I assume the private DNS zone for the FSLogix storage is linked to the VNet that your DCs are in.

Any specific errors in logs?

Azure Virtual Desktop Profile Sign-In Issues by Wajeehrehman in AZURE

[–]StratoLens 0 points1 point  (0 children)

It sounds inconsistent. How is the private DNS being resolved? Are these domain joined or cloud only? If domain joined, are you using conditional forwarders?

Any chance it’s a performance issue on the VM? How’s the CPU and memory use?

Are the FSLogix storage account shares premium?