top of page


AI Governance Is a Landing Zone Problem, Not a Model Problem
When most organizations start talking about AI governance, the conversation gravitates almost immediately toward the model. Which foundation model are we allowed to use? What prompt filters are in place? How do we stop the thing from hallucinating or leaking training data? These are real questions, and they matter. But they are also the wrong place to start, because they treat governance as something you configure at the point of inference rather than something you architect
peterrivera813
5 days ago6 min read


Where MCP Servers Belong in Your Landing Zone
There is a question that keeps coming up in architecture reviews lately, and it goes something like this: we are building an MCP server, where should we put it? The instinct from most teams is to drop it into the AI Hub subscription, right next to Azure AI Foundry, and move on. That instinct is wrong more often than it is right, and the reasons why are worth unpacking, because the placement decision shapes a lot of what comes after. This post is for the architect who has to m
peterrivera813
Jun 286 min read


Azure API Management as an AI Gateway: What the Unified Model API and A2A Support Actually Mean for Platform Teams
If you have spent the last few years thinking of Azure API Management as the thing that sits in front of your REST APIs, the AI gateway changes that landed at Build 2026 are worth a careful second look. Two of them in particular the Unified Model API and generally available Agent-to-Agent (A2A) support change what a platform team can centralize, and more importantly, they change where the control plane for your AI traffic actually lives. The marketing line is the familiar on
peterrivera813
Jun 257 min read


Sandbox Subscription for AI Workloads Need Different Guardrails
Most Azure Landing Zone sandbox policies are written for a specific kind of user: a developer who wants to spin up a couple of VMs, try a new database service, or test an idea over a long weekend. The guardrails reflect that. Auto-expire after thirty days. Cap the budget. No connection to the corporate network. No production data. Deny anything that looks expensive or risky. Those defaults have served us well for the better part of a decade. Then engineers started spinning up
peterrivera813
Jun 186 min read


Management Group Mistakes You Can't Easily Undo
The management group hierarchy is the load-bearing wall of an Azure landing zone. You design it once, usually in a hurry, with incomplete information and then you live with it for years. Subscriptions move, RBAC re-evaluates, policy assignments rebind, IaC references break, and the audit trail of who had access to what, when, gets muddy fast. Most teams treat the hierarchy as a day-one decision and never revisit it, which is exactly why the early mistakes calcify. This is no
peterrivera813
Jun 146 min read


Understanding Azure SRE Agent and Its Role in Cloud Infrastructure
Cloud infrastructure powers everything from small websites to global enterprise applications, and managing it efficiently and reliably has become a defining challenge for platform teams. Microsoft's Azure SRE Agent is one of the newer tools aimed squarely at that challenge. This post breaks down what the Azure SRE Agent is, how it works, and the role it plays in keeping cloud workloads healthy and performant. What Is the Azure SRE Agent? The Azure SRE Agent is an AI-powered t
peterrivera813
May 318 min read


So what's the deal with Azure VNRA?
OK, what is it really? The simplest way I can put it: VNRA is a managed router that runs on real hardware. Not a VM. Not a software appliance with a friendly UI on top. Actual hardware in Microsoft's datacenter, the same disaggregated SDN appliance platform (formerly called Sirius, built on AMD/Pensando DPUs) that's quietly showing up behind several 2026 networking features. You drop it into a hub VNet, where it sits in its own subnet called VirtualNetworkApplianceSubnet, poi
peterrivera813
May 265 min read


Preparing Your Landing Zone for the New Azure VNet Outbound Access Changes
Azure recently announced a significant change: the default outbound access for Virtual Networks (VNets) is being removed. This update affects how resources within VNets connect to the internet and other Azure services. If you manage Azure environments, especially landing zones, this change requires immediate attention to avoid disruptions. This post explains what the change means, why it matters, and how to prepare your landing zone to handle outbound connectivity without rel
peterrivera813
May 95 min read


Well-Architected for AI Foundry: Applying the Five Pillars Where the Guidance Still Doesn't Exist
Microsoft has published Well-Architected Framework guidance for AI workloads. It's a good start. But if you've actually tried to deploy Azure AI Foundry into a production landing zone with real networking constraints, real cost governance, and real SLA expectations you've probably noticed something: the guidance stops right where the hard questions begin. I've spent the last several months integrating AI Foundry into enterprise Azure Landing Zone architectures, and this post
peterrivera813
Apr 276 min read


Private DNS in Azure Is Deceptively Hard — Here's the Architecture That Actually Holds Up
Every Azure architect I know has a Private DNS war story. The resolution worked fine in dev. It worked in the single-hub staging environment. Then it silently broke the moment the topology got complicated — a second region, an on-prem conditional forwarder, a partner tenant, or a new spoke that someone wired in slightly differently than the others. Private DNS in Azure looks simple on the surface. A zone, a link, a record. But the failure modes are non-obvious, the defaults w
peterrivera813
Apr 199 min read


ExpressRoute at Scale: What Happens When One Circuit Isn't Enough
Most ExpressRoute deployments start with a single circuit. It's sufficient for the initial workload, the bandwidth fits, and the redundancy model — primary and secondary connections built into every circuit — feels like it covers the failure scenarios that matter. Then the environment grows. More workloads move to Azure, bandwidth demands increase, a second region comes online, or a peering location maintenance window causes an outage that the "redundant" circuit didn't prote
peterrivera813
Apr 148 min read


RBAC Sprawl: How It Happens and How to Claw It Back
Every Azure environment starts with good intentions. Least privilege, defined roles, clean assignments. Then six months pass. A team needs access urgently, someone gets Owner at the subscription level "just for now," a service principal gets Contributor because no one had time to scope it properly, and a developer who left the company six months ago still has a role assignment nobody noticed. Multiply that by two years and a dozen teams and you have RBAC sprawl — a quiet accu
peterrivera813
Apr 96 min read


Azure Virtual WAN vs. Hub-Spoke: Making the Right Call at Scale
There's a version of this conversation that goes badly. An architecture review board sees "Virtual WAN" in a vendor slide, assumes it's the modern default, and greenlights a migration without asking the questions that actually matter. Six months later, the team is debugging Secured Virtual Hub routing behavior at 2am and wondering how the "simplified" option got this complicated. This post is for those who want the honest version of the trade-off — not the feature comparison
peterrivera813
Apr 55 min read


Azure AI Hub-and-Spoke Architecture: Building Enterprise-Grade AI at Scale
Enterprise AI workloads require a network design that enforces security, enables tenant isolation, and keeps costs transparent at scale. The hub-and-spoke topology is the proven approach in Azure for meeting these demands — centralizing shared AI services in a governed hub while isolating tenant workloads in dedicated spokes. This post covers how to design, deploy, and operate an Azure AI hub-and-spoke architecture aligned to Azure Landing Zone principles, from management gro
peterrivera813
Apr 16 min read


Global vs Regional Traffic Management in Azure: A Deep Dive into Front Door and Application Gateway
When designing cloud-based applications, choosing the right gateway solution is critical for performance, security, and scalability. Two popular options in Microsoft Azure are Front Door and Application Gateway . Both serve as entry points for web traffic but differ significantly in architecture, use cases, and features. Understanding these differences helps architects and developers select the best fit for their needs. This post breaks down the key architectural differences
peterrivera813
Mar 296 min read


Exploring the Benefits of Azure AI Gateway for Enhanced API Management
Unlocking the potential of large language models (LLMs) within API management can transform how applications interact with AI. Azure AI Gateway offers a streamlined way to integrate these powerful models directly into your API workflows, making it easier to build intelligent, responsive services. This post explores why using Azure AI Gateway is a smart choice for developers and businesses looking to harness LLMs effectively and securely What is Azure AI Gateway? Azure AI Gate
peterrivera813
Mar 223 min read


Key Differences Between Azure Kubernetes Service and Azure Container Apps
When building and deploying containerized applications on Microsoft Azure, two popular options often come up: Azure Kubernetes Service (AKS) and Azure Container Apps (ACA). Both services help run containers in the cloud, but they serve different purposes and target different user needs. Choosing the right one can significantly impact your development workflow, operational overhead, and scalability. This post breaks down the key differences between AKS and ACA, helping you und
peterrivera813
Mar 184 min read


Best Practices for Implementing Azure Private Endpoint in Your Cloud Architecture
Azure Private Endpoint offers a secure and reliable way to connect your Azure services privately within your virtual network. It eliminates exposure to the public internet, reducing security risks and improving network performance. However, implementing Azure Private Endpoint requires careful planning and execution to maximize its benefits and avoid common pitfalls. This post explores the best practices for integrating Azure Private Endpoint into your cloud architecture effec
peterrivera813
Mar 154 min read


Community-Driven Knowledge: Enhancing Cloud Architecture Skills
In today's rapidly evolving tech landscape, cloud architecture has emerged as a critical skill for IT professionals. As organizations increasingly migrate to cloud-based solutions, the demand for skilled cloud architects continues to rise. However, acquiring these skills can be daunting, especially for those new to the field. Fortunately, community-driven knowledge offers a powerful way to enhance your cloud architecture skills. This blog post will explore how engaging with c
peterrivera813
Feb 245 min read


Real-World Solutions for Microsoft Cloud Optimization
In today's digital landscape, organizations are increasingly turning to cloud solutions to enhance their operations and drive efficiency. Microsoft Azure stands out as a powerful platform that offers a range of services to help businesses scale and innovate. However, many organizations struggle with optimizing their cloud usage, leading to unnecessary costs and inefficiencies. This blog post will explore practical, real-world solutions for optimizing Microsoft Cloud, ensuring
peterrivera813
Feb 244 min read
bottom of page