It’s hard to believe, but it’s been a couple of years since I last sat down with Richard Campbell on RunAs Radio. Technology moves fast, but the cloud landscape has matured in ways that were only just beginning during my last visit.
I recently joined Richard for my third appearance on the show (Episode #1025) to talk about a challenge that is becoming the “new normal” for major SaaS providers: Expanding a Cloud-Native stack across multiple clouds.
From Single-Cloud Roots to Multi-Cloud Reality
At Jamf, we’ve built a powerful reputation for managing Apple devices at scale. Historically, our SaaS product was rooted in AWS. However, as our customer base grows, now serving over 70k+ customers worldwide the demand for flexibility grows with it.
In this episode, we discuss the journey of bringing those SaaS workloads to Azure and AKS. It isn’t just about “moving” code; it’s about architecting for consistency without losing the unique benefits of each cloud provider.
Kubernetes: The Common Ground (But Not the Whole Story)
One of the key takeaways from our chat is that while Kubernetes (AKS, EKS, GKE) provides the common operating system for the modern cloud, it isn’t a “magic wand” for multi-cloud.
To achieve true consistency, you have to look past the orchestrator and focus on the surrounding ecosystem. We dove into the complexities of:
IaC & Deployment: Why tools like OpenTofu are becoming essential for maintaining cloud-agnostic deployments.
Observability: Using Prometheus and Grafana to ensure that your SRE teams see the same data regardless of whether the backend is Azure or AWS.
Identity: Navigating the friction between different identity providers to ensure a seamless experience for the end user and how platforms like Okta support this.
The Docker & AI Connection
We couldn’t have a conversation in 2026 without touching on the elephant in the room: AI. As a Microsoft MVP focused on AKS and a Docker Captain, I’ve been watching closely how the Kubernetes and container ecosystem is evolving to support AI/ML workloads. Richard and I spent some time discussing how Docker, Inc. is positioning itself in this space and how developers can leverage these tools to build AI-ready applications without getting locked into a single vendor’s proprietary stack.
Reflections on a Maturing Landscape
Coming back to RunAs Radio for a third time allowed me to reflect on just how much our industry has shifted. We’ve moved past the “is the cloud safe?” phase and into the “how do we optimize for a multi-cloud world?” phase.
Whether you are a platform engineer, a developer, or a technical leader, the lessons I’ve learned at Accenture, Microsoft, helping startups, and now at Jamf while scaling across multple clouds are applicable to almost any modern enterprise.
This is my first blog of the new year (2026)! Since being re-awarded as a Microsoft MVP, Microsoft provided me with a fresh set of Azure credits. One of the first things I wanted to do was rebuild my Azure lab environment. This time, I wanted to do it the right way. I wanted it to mirror how I would design and deploy a real enterprise environment, including running fully on private endpoints and following a proper hub-and-spoke network model.
Just as importantly, I wanted everything defined in Infrastructure as Code (IaC) so I could spin environments up and down whenever I needed. That also aligns perfectly with what my team at Jamf is working on right now. We are making some changes to our underlying Azure architecture, including deeper network isolation, security controls, intergration with Jamf security cloud security products, and a shift from Bicep to OpenTofu. We will also be using AI agents to do a lot of the heavy lifting in that refactor. I will be sharing more about that in future blogs and talks as much as I am able to publicly.
Because OpenTofu is at the center of that work, I decided to build my entire Azure lab using OpenTofu and a full hub-and-spoke architecture. This gives my team a real, working reference base implementation that we can build on for production designs. I also want to share this with the larger tech community.
If you are note familiar with OpenTofu it is an open source infrastructure-as-code engine based on Terraform that lets you define, deploy, and manage cloud infrastructure using declarative configuration files, and you can learn more at https://opentofu.org.
The solution deploys a production-style Azure network and platform foundation that includes:
Hub VNet with Azure Firewall, VPN Gateway, and DNS Private Resolver
Spoke VNet with peering and default routes through the firewall
Key Vault and Azure Container Registry using private endpoints
Optional Jumpbox VM for secure management access
GitHub Actions CI/CD pipeline using OIDC authentication
How the Automation Works
This is a multi-part solution built around a bootstrap Bash script (bootstrap.sh) and a fully generated OpenTofu repository.
The bootstrap script creates everything you need to get started:
It creates an Azure Storage Account to store your OpenTofu remote state.
It generates a complete OpenTofu project, including modules, variables, and environment structure.
It configures the backend so OpenTofu uses Azure Storage for state.
It creates a ready-to-use GitHub Actions pipeline for CI/CD.
Once the repository is generated, you can deploy your Azure environment by running OpenTofu locally or by pushing the repo to GitHub and letting the pipeline handle deployments for you. Within minutes, you can have a fully functional Azure hub-and-spoke environment up and running, and you can customize the generated modules to fit your own requirements.
Deployment Modes
The bootstrap bash script supports two deployment modes depending on how advanced and locked-down you want the environment to be.
FULL Mode (Default) This is the enterprise-grade option.
Hub VNet with Azure Firewall, VPN Gateway, and DNS Private Resolver
Spoke VNet with peering and default route through the firewall
Private endpoints for Key Vault and Azure Container Registry
Optional Jumpbox VM for secure management
GitHub Actions CI/CD pipeline with OIDC authentication
BASIC Mode This is a simpler version for learning or labs.
Hub VNet with Azure Firewall only
Spoke VNet with peering and default route through the firewall
Public access for Key Vault and Azure Container Registry
No Jumpbox, VPN Gateway, or DNS Private Resolver
GitHub Actions CI/CD pipeline with OIDC authentication
What the bootstrap.sh Script Does
When you run the bootstrap script, it will:
Prompt you to select FULL or BASIC deployment mode
Create an Azure Storage Account for OpenTofu remote state in rg-tfstate
Generate the full OpenTofu repository structure based on your choice
Configure the OpenTofu backend to use the storage account
Create GitHub Actions workflow files for CI/CD
Output the storage account details and the GitHub secrets you need to configure
From there, you are ready to deploy and customize the script and OpenTofu based on your Azure hub-and-spoke environment entirely through code.
Here is the Readme from the repo. It goes even more in depth into my “OpenTofu Azure Hub and Spoke” solution. I hope you find it useful!
This repository contains a production-ready, modular OpenTofu configuration that deploys Azure hub-spoke network topology with two deployment modes (private or public) to match your requirements and budget.
Architecture Overview
This solution deploys a hub-and-spoke network architecture (visual shows full-private deployment):
Enterprise-grade Azure network architecture lab environment with Site-to-Site VPN, Azure Firewall, DNS Private Resolver, and core services
This repository contains a production-ready, modular OpenTofu (Terraform) configuration that deploys a complete Azure hub-spoke network topology designed for hybrid cloud scenarios, connecting your on-premises network (e.g., UniFi network) to Azure.
Architecture Overview
This lab deploys a hub-and-spoke network architecture following Azure best practices (visual shows full private deployment):
I was recently a guest on the RunAsRadio podcast. This was the second time being on the show. The last time was 4 years ago. You can catch the old episode here: Terraform vs Bicep/ARM with Steve Buchanan.
This new episode is #924 and is titled: “From SysAdmin to Platform Engineer with Steve Buchanan“. On this new episode we talked about Platform Engineering and a bunch of other stuff.
Here is the description from the episode:
“Aren’t we all platform engineers? Steve Buchanan says yes!
But there’s more to it. Steve talks about the mindset of looking beyond individual products that we might have skills with and owning the entire problem of providing platforms for your organization to get work done.
The conversation dives into the many products that can help our applications function better and the challenge of making them secure and fast. Are containers the solution? Possibly!
It’s your platform; focus on the fundamentals and go further!“
I had a great time chatting with Richard and we didn’t even mention AI until 40 minutes in. haha
Today Pierre Roman (@wiredcanuck) Senior Cloud Advocate of Microsoft & myself (@buchatech) streamed “Introduction to Azure Arc enabled Kubernetes” on Learn Live. Here is what we covered in this session:
In this session, showed you how Azure Arc enabled Kubernetes clusters can help customers like Contoso to optimize and simplify their operations. Here are the Learning objectives we covered:
Describe Kubernetes, Azure Arc, and Azure Arc-enabled Kubernetes.
Connect Kubernetes clusters to Azure Arc.
Manage Azure Arc enabled Kubernetes clusters by using GitOps.
Integrate Azure Arc enabled Kubernetes cluster with Azure services like Azure Monitor and Azure Policy.
If you missed it don’t worry. 🙂 You can watch the playback on the Microsoft Developer YouTube channel here:
You can check out more Learn Live episodes on the:
I am excited to announce my 8th book is complete and is available for pre-order. I am even more excited that long-time friend and fellow Microsoft MVP John Joyner joined me on the journey of writing this book. John is one of the few people I have looked up to when coming into the MVP program. He also was like an OG showing me the ropes of being an MVP. This is John’s latest book since his last 8 years ago! Thanks again John for saying yes to being a part of this!
Microsoft Ignite 2016 with Fellow MVP’s Sam Erskine, and John Joyner.
In this book, we also had the honor of having the forward written by Thomas Maurer a former MVP and now Microsoft Azure Evangelist. This book was reviewed by fellow Microsoft MVP Adnan Hendricks and a chapter contributed by a buddy of mine Fred Limmer.
This book covers an exciting technology from Microsoft exploring Azure Arc-Enabled Kubernetes and Servers. This book is for DevOps professionals, system administrators, security professionals, cloud admins, and IT professionals that are responsible for servers or Kubernetes clusters both on-premises and in the cloud. This book covers:
Introduces the basics of hybrid, multi-cloud, and edge computing and how Azure Arc fits into that IT strategy
Teaches the fundamentals of Azure Resource Manager, setting the reader up with the knowledge needed on the technology that underpins Azure Arc
Offers insights into Azure native management tooling for managing on-premises servers and extending to other clouds
Details an end-to-end hybrid server monitoring scenario leveraging Azure Monitor and/or Azure Sentinel that is seamlessly delivered by Azure Arc
Defines a blueprint to achieve regulatory compliance with industry standards using Azure Arc, delivering Azure Policy from Azure Defender for Servers
Explores how Git and GitHub integrate with Azure Arc; delves into how GitOps is used with Azure Arc
Empowers your DevOps teams to perform tasks that typically fall under IT operations
Dives into how to best use Azure CLI with Azure Arc
You can pre-order the book and watch for its official release here:
Today I will be speaking at the Omaha Azure User Group. I will be speaking on Azure Arc enabled Kubernetes and GitOps.
I am really looking forward to this user group meeting! I will be speaking on & showing real-time the power of using Microsoft Azure Arc enabled Kubernetes and GitOps, deploying a Container app to a Google Kubernetes Engine (GKE) cluster on the Google Cloud Platform (GCP). More info on my session:
Session title: Push Code, Not Containers with Azure Arc enabled Kubernetes and GitOps
Session details: Use Azure Arc enabled Kubernetes to manage Kubernetes clusters across Google Cloud Platform and Azure without running a single Kubectl command! In this session, Steve Buchanan will take you into the world of GitOps. He will show you how to deploy applications and configuration to GKE clusters and AKS clusters from a GitHub repository. Explore how we can use this new operating model for Kubernetes and cloud-native apps to declaratively describe and ensure the state of our applications and Kubernetes environments.
I am happy to announce that my latest Pluralsight course has been published. I am extra proud of this one because it is a first on the Pluralsight platform! The course is “SAP on Azure: The Big Picture“. This is the first SAP on Azure course to land on Pluralsight.
SAP is the #1 business software in the world. SAP is used by so many companies around the world. SAP projects are some of the largest projects in IT. SAP has a huge push for customers to move to its latest version SAP’s ERP solution S/4HANA by 2025. Even though you can buy extended support for current versions there is still a preference for customers to move to the new version. With this push to move most businesses and CIO’s view this as a chance to also move to hosting SAP in the cloud.
There is a shortage of IT professionals that know SAP and know cloud such as Azure. Having SAP skills can be a game changer for anyone’s IT career. Combine SAP and Azure skills and watch your career accelerate even further.
Both Azure and SAP skills can be hard to gain without someone taking a chance placing you on one of these projects. It is not easy to break into the world of SAP and part of that reason is a lack of starter courses.
I have held various roles on several SAP on Azure projects gaining key skills in this area. My goal with this course was to bring forward a starting point for those looking to get some training and break into this area.
This course will teach you a fundamental understanding of SAP, the various cloud hosting options, and core knowledge for hosting SAP on Azure.
This course is packed with 1 hour and 29 minutes of info for those wanting to get started with running SAP on Azure.
If one of these sound familiar:
-You have skills with Azure and want to learn more about SAP
-You have skills with SAP and want to learn more about Azure
In this course, SAP on Azure: The Big Picture, you’ll learn to what it takes to host SAP on Azure. First, you’ll explore the different SAP cloud hosting options.
Next, you’ll discover why Azure is a good fit for SAP and gain an understanding of the Microsoft and SAP partnership.
Finally, you’ll learn how to learn about the different SAP components, get SAP on Azure architectural guidance, and learn the about the differences between SAP on Azure migrations compared to greenfield deployments.
When you’re finished with this course, you’ll have core skills and knowledge of hosting SAP on Azure needed to be an asset on SAP on Azure projects.
I hope you find value in this new SAP on Azure course. This new course brings me to a total of 6 courses now published on the Pluralsight platform. Be sure to follow my profile on Pluralsight so you will be notified as I release new courses! I will be releasing more courses soon!
I recently presented at the Inside Azure management event. This event was packed full of Microsoft MVP’s and community experts from around the world. The focus on the event was around Azure Management based topics with some Kubernetes, AI, and DevOps topics sprinkled in.
My session was “Azure Policy Insights & Multi-Tag demo via Azure Policy” Here is what it covered: “Azure Policy is a great tool when it comes to auditing and ensuring your cloud governance is met. In this session 9 time Microsoft Azure MVP Steve Buchanan is going to take you on a full-speed ride on the ins and outs of Azure Policy and land you with a recipe for handling a multi-tagging strategy with Azure Policy. Some of the key topics you will learn from this session include:
Overview of Azure Policy
Azure Policy Configuration best practices to meet compliance (NIST, PCI, ISO, HIPPA)
Securing Azure services: AKS / Networking / SQL / App Service
Azure Policy vs RBAC
Overview of Azure Policy Guest Configuration
Tagging and more“
The event has passed and if you didn’t make it no worries! All of the sessions have been recorded and uploaded to the Inside Azure management YouTube channel to be watched at your leisure. Here is the link to the YouTube channel where you can watch all the sessions:
The event coordinators have also set up some Youtube playlists to make it easier to find videos on the topics that pertain to you. They broke these out in the following categories: Azure Management, Artificial Intelligence in Azure, Cloud Governance, Cybersecurity, and DevOps.
Towards the end of 2019, I had the opportunity to be the sole Tech Reviewer on an Azure Azure Strategy and Implementation Guide. This is the third edition of this guide so it has really current Azure information. It was authored by former MVP and now Microsoft trainer Peter De Tender (@pdtit) and others.
This guide gives a step by step introduction to using Azure
for your cloud infrastructure. The guide also covers an overview of Azure
benefits and best practices for planning your migration, assistance with cloud
architecture and design choices, and insight on how to manage and optimize your
new cloud environment.
The best part is that this guide is free! Get your copy
here:
