Cloud Operations (Azure-Hybrid) — when cloud should help, but not everything belongs there

Azure has arrived at your company — maybe through a half-finished migration, maybe through a test that “just stayed”, maybe because a service provider promised “everything to the cloud” two years ago. The result usually looks similar: part of the workloads runs in Azure, part on-prem, the monthly bill arrives reliably, and nobody can say off the top of their head why it’s exactly that high. We are building a clean Azure-Hybrid operation for mid-market companies (German Mittelstand) — with the honest principle that not every workload belongs in the cloud.

Does this sound familiar?

• The Azure invoice arrives every month — and nobody can say exactly what the money is spent on. When asked, the answer is “the VMs and the storage”, but which VMs still need to run, nobody is quite sure anymore.
• Two years ago you started “everything to the cloud” — half is over, the other half hangs between local and Azure, and it feels like nothing really runs smoothly. The migration is at 30 percent and hasn’t moved in months.
• Backups run — but nobody has actually tested a restore in the last 12 months. To the question “What would happen if the main server were gone tomorrow morning?”, there is only uncomfortable silence.
• Your engineering team complains about sluggish CAD performance since parts of the project data sit in SharePoint or an Azure Files share. What used to open in two seconds now takes ten.
• The cyber insurer has sent a questionnaire with concrete points on off-site backups, immutability and restore drills — and you aren’t sure how to answer honestly.

Why this happens

Azure and “the cloud” have been sold as the universal answer in recent years. At every conference, in every sales pitch, in every consulting PowerPoint. Mittelstand companies that had to tackle modernization in exactly this phase — because a server got old, because a new site joined, because Covid home office suddenly became reality — often adopted this wholesale. “Lift and shift to the cloud” was the plan, with the assumption that everything would afterwards be cheaper, simpler, safer.

In practice it turns out: not every workload benefits from Azure. An ERP system that has run on a local machine for years, with single-digit-millisecond latency to the database, does not get faster in the cloud — at best slower and more expensive. CAD workstations working with large construction files need local storage at gigabit speed, not an SMB share over VPN. Machine controls and PLC worlds simply have no business in the cloud.

On top of that: Azure is a platform with hundreds of services, and each service is priced differently. A VM running in the wrong size and the wrong reservation model can cost three or four times what it should. A storage account with the wrong redundancy tier burns money for an availability nobody needs. Without consistent cost governance, Azure becomes a subscription you pay without understanding it.

And finally: anyone who breaks off a migration halfway — because the complexity got bigger than expected, because the budget ran out, because the external service provider changed — is left with a hybrid setup nobody designed cleanly. Half-local, half-Azure, identities in two places, backup in three places, and no one has the overall view. That’s exactly where we come in.

What this is concretely about

Azure Landing Zone — clean cloud foundation

Before anything goes productive in Azure, you need a foundation: a subscription structure that fits your company (Prod, Dev, Test, possibly Sandbox), a naming scheme for resources, a tagging concept for cost centres and responsibilities, a clean separation of identities and permissions. We build the Landing Zone as Infrastructure-as-Code (Bicep or Terraform), so that every later step is comprehensible and reproducible. How you notice it’s missing: when resources in the Azure portal are called “vm-test-2”, “vm-test-2-new” and “vm-test-2-final”.

Hybrid connectivity — identities and network

The bridge between your local site and Azure. On the network side, usually a site-to-site VPN over the existing firewall — in most cases that’s completely sufficient. ExpressRoute is the more expensive variant with a dedicated line, which we only recommend when latency, bandwidth or compliance really require it. On the identity side, Entra Connect, so that your employees sign in everywhere with the same account. Optionally Azure Virtual Desktop if you need workplaces that should really be reachable from anywhere — but again only when it fits the use case, not as an end in itself. How you notice it’s missing: when employees have to sign in to a local account and a cloud account separately, with two passwords.

Backup & Disaster Recovery — restore tested, not just “running”

The point where many companies are most vulnerable. We build backups on the principle that they must be off-platform, immutable and tested. Off-platform means: the backup does not sit in the same account and not in the same region as the source data — otherwise a single incident (compromised admin account, ransomware) takes both at once. Immutable means: once the backup is written, even an attacker with admin rights can’t delete or encrypt it. And “tested” means: at least once a year, a realistic restore is played through — not on the production system, but with a real stopwatch protocol. How you notice it’s missing: when the answer to “When did you last test a restore?” takes longer than six seconds.

Monitoring & cost governance — transparency into what Azure does

What did Azure cost yesterday, why, and what changed compared with the previous week? That’s the question that in a clean cloud operation must be answerable at any time. We set up Azure Monitor, Log Analytics and Cost Management so that cost drivers become visible, budgets per subscription or tag trigger an alert when exceeded, and unused resources (VMs that never start, disks that are never attached, public IPs that do nothing) are identified and removed regularly. How you notice it’s missing: when management is similarly surprised by the Azure invoice every month as in the month before.

When local is better — the honest answer

This is the part you don’t hear in most sales pitches. Cloud is not automatically better, not automatically cheaper, and not sensible for every workload. We explicitly advise against the cloud when:

• Your ERP runs stably on-prem. ProAlpha, Microsoft Dynamics NAV/BC on-prem, ams.erp, Sage — if the application has run for years on a local machine, the database is in the next room and the latency is under one millisecond, then a cloud migration is not progress, it’s a risk operation. Leave it local.
• CAD workstations and license servers. Engineering departments work with large files, frequent saves and applications that depend on local performance. License servers for CAD software (FlexLM, Sentinel) belong next to the workstations, not in the cloud.
• PLC, MES, machine control. The production world has its own real-time requirements, its own networks, often its own maintenance cycles. What runs there stays on-site. A cloud connection can make sense for analytics and reporting — the control itself does not belong there.
• File servers for engineering. If your engineering team works with large 3D models, assemblies and drawing management, a local file server with a solid backup strategy is often the better answer than SharePoint or an Azure Files share. More than once we have seen a SharePoint migration slow engineering down.
• Backup recovery must also be possible without internet. If your provider has an hour-long outage — and that happens — restoring a critical server must not depend on it. A local copy on a separate medium is part of an honest backup strategy.

A clear statement: if your ProAlpha has been running stably on the local machine for five years, leave it there. A cloud migration is not an end in itself — and not every workload belongs in Azure. We recommend what fits your business, not what generates the highest consulting revenue.

What you should look out for — even if you don’t go with us

• Ask for a Landing Zone template before the project starts, not after. Whoever doesn’t have a standardized base builds a custom solution at your company that only they themselves understand — and in two years you will be exactly where you no longer want to be today.
• Ask about the restore drill, not about the backup. Every service provider will assure you that “backup is running”. The only relevant question is: “When did you last do a restore, and how long did it take?” Whoever has no concrete answer to that has no proven backup.
• Flat-rate cloud contracts along the lines of “Azure Managed Service for x € per month” usually only cover monitoring and patching. No cost optimization, no architecture adjustment, no advice against the cloud. That isn’t bad — it’s just something different from what most companies actually need.
• If someone recommends ExpressRoute without having measured your workload latency and bandwidth needs — caution. ExpressRoute is expensive and only required for very specific demands. For most mid-market companies a well-configured site-to-site VPN is enough.
• Ask whether the service provider would also advise against a migration. Whoever knows Azure as the only answer sells you Azure. Whoever knows more than one answer can advise.
• Clarify who holds the global admin rights on your Azure tenancy. If they only sit with the service provider, you have a concentration risk. They must sit with you in-house, with MFA, with a separate emergency identity.
• Ask for Infrastructure-as-Code. If someone clicks together your Azure environment in the portal, it is not reproducible. Bicep or Terraform are not engineering vanity — they are the prerequisite for comprehensible operations.

When this is now due

• A cloud migration started months ago and has been stuck — sometime between 2023 and 2024 it began, 30 to 50 percent is across, and the rest is stuck. Nobody dares plan the next step because no one has the overview anymore.
• The cyber insurer asks about off-site backups, immutability, restore tests — and you need solid answers in the next weeks or months.
• NIS-2 preparation is up, either directly affected or as a supplier, and backup as well as recovery processes must be demonstrable.
• The monthly Azure bill rises without a clear cause. Last year it was within the expected range, this year considerably above, and nobody can name the drivers.
• A generational change in the IT team — the person who has held the hybrid setup in their head over the years is retiring or changing employers, and none of it is documented.
• ERP renewal is up, and the question “operate locally further or go to the cloud?” must be answered — preferably with an honest evaluation of both options, not with a reflex.
• The machine park is being expanded, new sites or new plants are added, and the question of connectivity, latency and data flow between production and cloud becomes a topic.
• A security incident or a “near-miss” has shown that the backup strategy doesn’t deliver what it promises.

How we work

Phase 1 — Initial conversation & assessment

We start with a 30-minute initial call, then with a structured look at your current cloud and hybrid landscape. Which subscriptions, which resources, which identities, which network connectivity, which backup status. Delivery: an honest assessment as a compact document that management can also read — what’s good, what’s off, what’s urgent, what can wait, and above all: which workloads in our view are well placed in Azure and which should stay local.

Phase 2 — Target picture & architecture plan

Based on the assessment, we draft the target picture with you. Which workloads go (or stay) where, what the Landing Zone looks like, the network connectivity, the identity sync, the backup concept. Delivery: an architecture plan with comprehensible justification per decision, a clear implementation order and a realistic cost indication (qualitatively — cost figures for Azure resources from the Microsoft pricing calculator, not flat prices from us).

Phase 3 — Implementation in controlled steps

We roll out the changes step by step. First the Landing Zone as Infrastructure-as-Code, then the network connectivity, then per workload individually: test, validate, switch over, keep a rollback path ready. No big-bang migration. Backups are built up in parallel to the existing system and accepted with a real restore drill before we decommission the old backup state. Delivery: step by step a hybrid operation that helps you work instead of keeping you busy.

Phase 4 — Handover & ongoing operations

At the end there is documentation that not only describes what runs, but also why it runs that way. Architecture decisions, naming conventions, restore procedures, cost reports — all in one place, readable for the next person who will own the setup. Optionally, we accompany ongoing operations: monthly cost review, quarterly architecture and backup check, annual restore drill, response to Azure changes, shared roadmap. Delivery: a hybrid environment that runs stably in daily work, is cost-transparent and can still be justified in three years.

What you can expect from us — and what not

What you get:

• Direct contact to the founder as your fixed point of contact — no ticket carousel, no rotating account managers.
• Remote response immediately during service hours, with honest communication when something takes longer.
• On-site appointments planned by distance: in Viersen within 24 hours, in neighbouring cities 1–2 working days, further away 3–5 working days.
• Infrastructure-as-Code as standard, not as a paid extra. Your Azure environment is reproducible and versioned.
• Documentation with which, theoretically, someone else could replace us. That’s a design goal, not an oversight.
• Recommendations that may also work against our own revenue, when it fits for you.

What we deliberately don’t do:

• On-site shuttle support in 30-minute mode for cloud operations itself. Cloud operations is remote work — we plan on-site appointments when they really make sense, for example with network connectivity or the physical backup concept.
• “Lift and shift to the cloud” as a blanket promise. We migrate what belongs there and leave what should stay.
• Promises that a 30-person team would have to deliver — which we are not.

Where we also say no:

• If you want “everything to the cloud” because that’s the trend — then we first sort which workloads really gain and which are better off staying local.
• If you want ExpressRoute because a salesperson recommended it without having measured the bandwidth and latency of your real workloads — then we measure first.
• If the need doesn’t actually fit a Cloud Operations engagement but rather a one-off migration consulting or a pure backup consolidation.

How it starts

• 30 minutes initial conversation, free of charge, non-binding, by video or phone.
• What we clarify: current state of your Azure and on-prem setup, most urgent pain points, what’s coming up in the next 6–12 months.
• Optionally useful in advance, but not required: rough headcount, Azure services in use (a subscription list or cost report is enough), existing ERP and industry software, current backup state.
• Engagement models are possible as a one-time build-up or cleanup project, as ongoing support in a quarterly rhythm, or as a hybrid — what suits you, we clarify in conversation.

Book an initial conversation

Frequently asked questions

Do we have to move everything to the cloud? No. Cloud is an option, not a goal. We explicitly recommend leaving ERP systems, CAD workstations, machine controls and often also engineering file servers on-prem if they run stably there. What belongs in the cloud is typically workloads that benefit from scaling, cross-region resilience, or worldwide access — not everything that could technically be migrated.

What does Azure-Hybrid bring versus pure cloud? A hybrid setup takes the best of both worlds: workloads that really benefit from cloud characteristics — scaling, geographic distribution, integrated services like Entra ID or Defender — move there. Workloads that need local performance, local control or special hardware stay on-site. Identities and backup strategies span both sides, so that for employees everything feels like one coherent system. Pure cloud is the best answer for very few mid-market companies — hybrid is it for most.

How high are typical Azure costs for a company with 80 employees? That depends very much on what you really run in Azure. A company that only has identities and backup replicas there moves in a substantially different range than a company that runs its ERP database, its file service and virtual desktops there. The cost drivers are: VM count and size, storage volume and redundancy tier, outbound network traffic, reservations yes or no, plus premium services used (Azure SQL, Application Gateway, AVD). In the initial conversation we give a qualitative orientation — concrete numbers emerge once we know which workloads are planned.

Can we move away from Azure later? Yes, and that’s an important design goal. We build the environment so that a switch to another hyperscaler, back on-prem or to another service provider remains possible. Concretely that means: Infrastructure-as-Code, so the configuration exists independently of the portal. Backups in open formats, not only in Azure-specific special containers. Documentation that is readable without us. Global admin rights with you in-house, with MFA and emergency identity. Dependency on us or on Azure is a choice, not a trap.

What happens to our machine network and our production? Normally the production world stays untouched. Machine controls, PLCs, MES systems run in their own network segment, often with their own firewall and their own maintenance cycles. What we can do if it fits: controlled data flows from the machine network towards analytics and reporting, with clear rules about what may leave and what may not. What we don’t do: move the control itself to the cloud or dictate its update regime from outside.

Do we need ExpressRoute? Usually no. ExpressRoute is a dedicated line to Microsoft and is priced accordingly. For the vast majority of mid-market companies, a well-configured site-to-site VPN over the existing firewall is enough — the bandwidth is enough, the latency is enough, the encryption fits. ExpressRoute becomes sensible when you continuously move very large data volumes between local and Azure, when you have compliance requirements that exclude the public internet as transport, or when AVD with many simultaneous users really hits limits over VPN. We recommend that honestly based on your measurements — not as a reflex.

Related topics

• Use Case: Building an Azure Landing Zone — clean foundation for hybrid cloud
• Use Case: Backup drill — actually playing through the restore once
• Knowledge (German): Azure hybrid cloud in mechanical engineering on the Lower Rhine
• Knowledge (German): GDPR-compliant cloud migration in 6 steps

Looking more for a clean Microsoft 365 operation? Services overview