About

CloudRunbook is a working log for secure Azure architecture.

It’s the set of runbooks, notes, and weekly change call-outs I wish someone had handed me when I started looking after UK Azure estates. No fluff — just the baselines, trade-offs, and checks that keep platforms steady.

What you’ll find here
  • Azure landing zone foundations: MGs, policy, RBAC, cost guardrails.
  • Identity-first architecture: Entra, PIM, workload identity, secrets.
  • Secure networking: hub/spoke, Private Link + DNS, egress control.
  • Security operations: Defender, Sentinel, detection basics that stick.
  • Weekly Azure changes: what changed and whether you should care.

How posts are written
  • Runbook format: prerequisites → steps → checks → rollback.
  • Opinionated defaults with trade-offs spelled out.
  • Written for automation and repeatability.
  • No fluff — just the engineering decisions you need.

Why I built CloudRunbook

Most Azure guidance sits at the extremes: glossy diagrams with no operational detail, or one-off tutorials that don’t scale past a single subscription. CloudRunbook lives in the middle. It focuses on the decisions that keep platforms resilient and secure when you’ve got multiple teams, legacy kit, and auditors asking awkward questions.

If you’ve ever asked “what’s the smallest baseline that prevents 80% of incidents?” — that’s the lens for every post here.