Pattern D: Enterprise Landing Zone

Board-Ready Backup Governance in One Guided Demo

A compact executive walkthrough that proves recoverability is owned, controlled, cost-visible, and auditable across the enterprise — aligned to the Microsoft Cloud Adoption Framework.

3 tiersResource separation
5 rolesRBAC model
CAFAligned governance
BoardAudit evidence

What Pattern D Shows

Pattern D answers the enterprise sponsor question: across many teams and subscriptions, who owns recoverability, how are controls enforced, what does it cost, and can we prove it to the board or an auditor? It turns backup from a per-team task into a governed business control with three-tier resource separation, zero-trust networking, policy-driven compliance, and FinOps cost visibility.

Executive Governance Click-through

Executive governance room Board-ready decision story

Ownership Model

Leaders see who owns protection, recovery testing, exceptions, and funding.

Risk Guardrails

Recovery controls stay enforced even when teams change or incidents escalate.

Spend Visibility

Cost centers, budgets, and growth signals are visible before spend surprises leaders.

Board Evidence

Readiness, restore tests, exceptions, and audit trail become an exportable pack.

Executive question: who owns recoverability across the enterprise?

Start with accountability. Leaders need one view of protected services, owners, risk exceptions, recovery testing, and funding alignment.

3 ownersBusiness accountability
5 rolesOperating model
1 packBoard evidence

Interactive architecture walkthrough

Step through tiered ownership, Azure Policy guardrails, validated recovery, FinOps spend, and the board evidence pack in a guided click-through.

Launch architecture demo

Proof for the Conversation

Governance Owner

Names who owns protection, recovery testing, exceptions, and funding so recoverability survives reorganizations and incidents.

Compliance Evidence

Exports one board pack: control posture, restore-test results, exceptions, and audit trail — without chasing screenshots.

FinOps Boundary

Shows cost centers, budget drift, and retention choices so finance can optimize without weakening required recovery promises.

Pattern D Artifacts

ArtifactUse It ForLink
Infrastructure GuideDeploy the three resource groups, vaults, RBAC, and policy (40-50 min).INFRASTRUCTURE_DEPLOYMENT_GUIDE.md
SpecReview CAF governance, tagging, runbooks, retention, and cleanup.SPEC.md
KQLShow spend, budget alerts, and the compliance audit trail.cost-by-cost-center / budget-alert / audit-trail
SourceOpen the implementation package in GitHub.GitHub source

Compact Technical Reference

Operational Runbooks
  1. Deployment (Day 1): validate, create RGs, deploy vaults, assign RBAC, configure policy, hand off.
  2. Operational management (weekly/monthly): backup status review, cost analysis, retention optimization, DR documentation.
  3. Incident response (ransomware): detect, respond, investigate, recover, harden, document RCA.
  4. Decommissioning (end-of-life): archive data, move to long-term storage, clean up, certify.
Deploy Command
cd azure-backup-demo-spec az login az account set --subscription "<subscription-name-or-id>" ./scripts/deploy.ps1 ` -Location canadacentral ` -EnvironmentName backup-enterprise ` -Owner <owner-name> ` -GovernanceTier enterprise
Monitoring Query
AzureDiagnostics | where Category has "AzureBackup" | where Resource has "rg-backup-enterprise" | summarize Backups = count(), Failures = countif(ResultType != "Completed") by Resource, bin(TimeGenerated, 1d) | order by TimeGenerated desc