

ABCS26: Subscription Vending at Scale by Guillaume Lacaille, Sylvain Riquen, Julien Duvanel, Guillaume Beaud

Subscription Vending at Scale: Governed Self-Service on Azure
Speakers: Guillaume Lacaille, Sylvain Riquen, Julien Duvanel, Guillaume Beaud


Transcript

  1. 10/06/2026

    Subscription Vending at Scale: Governed Self-Service on Azure
  2. Slide 3: Our cloud journey

    Legacy (2022-2024): Centralized Operating Model
    • Each project needed a resource group with subnet and NSG, coordinated across multiple teams via JIRA tickets
    • Up to 3 weeks of back-and-forth, inconsistent results, no standard baseline
    • Later centralized requests into a single team, which reduced friction but did not scale — the platform team became the bottleneck, still slowing down projects

    2024 — Management decision: shift-left toward App Teams, move from the Central Operating Model to the ALZ Shared Management Operating Model.

    Azure Landing Zones (2024-present): Shared Management Operating Model
    • Aligned with Microsoft’s guidelines
    • Built CCoE and Cloud Platform team
    • Implemented policy-driven governance
    • Automated landing zone vending
    • Reduced environment provisioning time from 3 weeks with manual steps to 30 minutes
    • Now used as reference for other MS clients
    • April 2026: Joint publication with Microsoft

    We now deliver full subscriptions + CI/CD pipelines + Terraform starter kit + a service catalogue in a fast and fully automated manner.
  3. Slide 5: The Scenario

    As an application team, I need to create and deploy a 3-tier web application within an enterprise Azure Landing Zone. Today, we'll walk through the self-service platform that makes this happen — from requesting a subscription and deploying infrastructure with code to exposing this application to our end users.
  4. Slide 6: What is our Subscription Vending?

    A self-service process for application teams to request a fully configured Azure subscription (Application Landing Zone).

    What you get
    • Dedicated Azure subscription
    • Pre-configured governance
    • Network connectivity
    • RBAC & Identity setup
    • Cost alerting

    Why it matters
    • No more waiting weeks for infra
    • Consistent, repeatable setup
    • Guardrails built-in from day one
    • Full autonomy for the app team
  5. Slide 7: From where we started

    The Cloud Adoption Framework Subscription Vending concept. Establishing the business logic and approval process:
    • Automate the process
    • Integrate into the existing IT Service Management tool
    • Connect to deployment pipeline for automation
    • Gather requirements at intake
  6. Slide 8: To where we landed

    [Architecture diagram: a numbered flow (steps 1-8) between the App Team, an automation script, Jira Service Management, IPAM, DigiCert, Azure App Configuration, an Azure DevOps pipeline running Terraform scripts, and the resulting Azure Subscription]
  7. Slide 9: Subscription plumbing
  8. Slide 10: Demo Time

    LIVE DEMO: Submitting a Subscription Vending Request (from the portal to the pipeline)
  9. Slide 13: Our Subscription is ready. Now what?

    We've got our shiny new subscription. Time to build!

    The Challenge
    • How to structure the code?
    • Which modules to use?
    • Where to store state?
    • How to handle environments?

    Our Answer: Accelerators
    • Terragrunt / Terraform scaffold
    • Starter packs for common architectures
    • COPIER for instant bootstrapping
    • Pre-configured CI/CD pipelines
  10. Slide 16: What are Technology Platforms?

    A Technology Platform is a centrally governed, reusable Azure capability: the Platform Team owns the shared backend, while App Teams publish their application-specific intent through code.

    Why this model matters: it replaces bespoke platform implementations and ticket-driven handoffs with a consistent, governed operating model.

    What it unlocks
    • Reusable services, faster onboarding, and greater app-team autonomy within clear platform guardrails.

    Current Technology Platforms: ACR, AKS, Application Gateway and WAF Policies, Public Certificates
    Planned: DNS Zones, Firewall rules
  11. Slide 17: Application Gateway

    [Architecture diagram: a numbered flow (steps 1-10) in which the App Team commits its intent to the platform-services repository, the manifest goes through Validate Schema and Evaluate Yaml, Azure App Configuration and an Azure DevOps pipeline running Azure CLI scripts (under a User Managed ID) read the certificate from the App Team's Key Vault and configure the Primary AppGW and a Secondary AppGW (Power Off), with a Traffic Manager (public) in front and a Public or Private DNS record]

    The App Team's intent manifest shown on the slide:

    ---
    apiVersion: agw.v1alpha2
    kind: ApplicationGateway
    metadata:
      app_name: bootcampdemo
      environment: dev
    frontend:
      fqdn: bootcampdemo.az.vaudoise.ch
      exposure: private
      certificate:
        secret_id: https://kv.../secrets/bootcampdemo
    backend:
      fqdns:
        - ca-content-web……azurecontainerapps.io
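The "Validate Schema" step matters because the pipeline applies the App Team's intent with a platform-owned identity, so everything it reads from the manifest has to be allowlisted before it is acted on. The following is an added example, not the project's own validator: the field names come from the manifest on the slide, while the allowed environments, the platform-owned DNS zone, the Key Vault URL shape and the sample values replacing the truncated ones are assumptions.

```python
import re
from urllib.parse import urlparse

API_VERSION, KIND = "agw.v1alpha2", "ApplicationGateway"
ALLOWED_EXPOSURE = {"public", "private"}
ALLOWED_ENVIRONMENTS = {"dev", "test", "prod"}   # assumption about the platform's environment names
ALLOWED_ZONES = {"az.vaudoise.ch"}               # assumption: DNS zones the platform team owns
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Constructed sample mirroring the slide's manifest (already parsed from YAML); truncated values replaced by placeholders.
SAMPLE_MANIFEST = {
    "apiVersion": API_VERSION,
    "kind": KIND,
    "metadata": {"app_name": "bootcampdemo", "environment": "dev"},
    "frontend": {
        "fqdn": "bootcampdemo.az.vaudoise.ch",
        "exposure": "private",
        "certificate": {"secret_id": "https://kv-example.vault.azure.net/secrets/bootcampdemo"},
    },
    "backend": {"fqdns": ["ca-content-web.example.azurecontainerapps.io"]},
}

def is_hostname(value) -> bool:
    return isinstance(value, str) and bool(HOSTNAME_RE.match(value.lower()))

def validate_manifest(manifest: dict) -> list:
    """Return the list of policy violations; an empty list means the intent may be applied."""
    errors = []
    if manifest.get("apiVersion") != API_VERSION or manifest.get("kind") != KIND:
        errors.append("apiVersion/kind must be agw.v1alpha2 ApplicationGateway")
    meta = manifest.get("metadata") or {}
    if not re.fullmatch(r"[a-z0-9]{3,24}", str(meta.get("app_name", ""))):
        errors.append("metadata.app_name must be 3-24 lowercase alphanumerics")
    if meta.get("environment") not in ALLOWED_ENVIRONMENTS:
        errors.append("metadata.environment must be one of dev/test/prod")
    frontend = manifest.get("frontend") or {}
    fqdn = str(frontend.get("fqdn", "")).lower()
    if not is_hostname(fqdn) or not any(fqdn.endswith("." + z) for z in ALLOWED_ZONES):
        errors.append("frontend.fqdn must be a hostname under a platform-owned zone")
    if frontend.get("exposure") not in ALLOWED_EXPOSURE:
        errors.append("frontend.exposure must be public or private")
    # The pipeline fetches the certificate with its managed identity, so only https Key Vault secret URLs are accepted.
    url = urlparse(str((frontend.get("certificate") or {}).get("secret_id", "")))
    if url.scheme != "https" or not url.netloc.endswith(".vault.azure.net") or not url.path.startswith("/secrets/"):
        errors.append("frontend.certificate.secret_id must be an https Key Vault secret URL")
    fqdns = (manifest.get("backend") or {}).get("fqdns") or []
    if not isinstance(fqdns, list) or not fqdns or not all(is_hostname(f) for f in fqdns):
        errors.append("backend.fqdns must be a non-empty list of hostnames")
    return errors
```

Running the check in the pipeline before any Azure CLI call turns a malformed or out-of-policy manifest into a failed stage rather than a misconfigured gateway.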