An interactive guide to platform engineering

The paved road from commit to a running, governed service.

Platform engineering turns hard-won Azure, Kubernetes and supply-chain decisions into golden paths, so developers ship without carrying the whole cloud in their head. This is a tour of those ideas, built on a real, opinionated Internal Developer Platform that proves each one.

Internal Developer Platform · Azure · GitOps · secure by default · WCAG AA

Overview diagram (components, left to right):
  • GitHub: reusable workflows · OIDC · cosign · SBOM
  • (edge) OIDC · no secrets
  • Platform subscription: Private AKS (Workload Identity), ACR (signed images), Key Vault (Private Link), Postgres (HA · PITR), Flux (GitOps reconcile), Vended namespaces
  • Azure Monitor · Defender · Cost Management
One request, one paved road: identity over secrets, GitOps delivery, and governance the whole way down.

What is platform engineering?

Platform engineering builds an Internal Developer Platform: a product, made by a dedicated team, that gives every other team a paved road to production. It treats the cloud's complexity as a problem to be abstracted once, well, instead of solved badly many times.

Without a platform
  • Every team relearns Azure networking, AKS, identity and CI from scratch.
  • Snowflake infrastructure: no two environments built or secured the same way.
  • Security and compliance bolted on late, by hand, and easy to skip.
  • Delivery is slow and unsafe; the cloud's full complexity sits on every developer.
With a paved platform
  • Golden paths package the platform's decisions into a supported default route.
  • Self-service vending turns a reviewed request into identity, RBAC, quota and a namespace.
  • Security, signing, policy and cost tags are wired in from the first commit.
  • Developers reach a running, governed service without carrying the whole cloud.

Reduce cognitive load

The platform absorbs the parts of the cloud a product team shouldn't have to master, so they keep their attention on their service.

The platform is a product

An enabling team runs it with golden paths as features, real users, and a roadmap, not a ticket queue.

Guardrails, not gates

You build it, you run it, on rails. The safe, compliant choice is the default choice; stepping off the path is a deliberate, reviewed exception.

Core concepts, applied

Eight ideas at the heart of platform engineering, each paired with how this project realises it and a link to the exact place in the repository that proves it.

Golden paths

paved roads

A golden path is the supported, well-lit way to build and run a service. It packages the platform's hard decisions into a default route so teams don't reinvent CI, security or delivery for every service.

How this platform does it

Three Backstage templates (AKS microservice, ACA service, AKS workload namespace) scaffold a repo with CI, SBOMs, signing, GitOps, SLOs, dashboards, cost tags, TechDocs and ownership wired in from the first commit.

Self-service

reduce cognitive load

Developers should reach a running, governed service without filing tickets or learning the whole cloud. The platform is a product; paved roads are its features.

How this platform does it

Teams consume golden paths through the Backstage portal and reach a running endpoint without touching the Azure portal. Vending turns a reviewed request into identity, RBAC, quota and a namespace automatically.

GitOps

Flux is the source of truth

Desired cluster state lives in Git and a controller continuously reconciles the cluster to match. Changes are reviewed pull requests; drift is corrected automatically.

How this platform does it

Flux owns in-cluster state from a separate platform-cluster-state repository, kept apart from the Terraform code and state that build the platform, so a bad in-cluster change cannot reach the layer that provisions the cluster. Vended teams receive their manifests there; a merge triggers reconciliation.

Policy as code

guardrails, not gates

Governance is expressed as version-controlled, testable policy at three honest layers: the cloud control plane, infrastructure plan-time, and the cluster admission path.

How this platform does it

Azure Policy governs the Azure control plane, OPA/Rego via conftest validates Terraform plans, and Kyverno is the single in-cluster admission and mutation engine. The Gatekeeper add-on is intentionally not used.
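To make the plan-time layer concrete, here is an added example that is not the project's own policy (the platform expresses these rules in Rego and runs them with conftest): a Python check over the JSON that `terraform show -json` emits, enforcing mandatory tags, a private AKS API server with Workload Identity, and no public network access on Key Vault or ACR. The rule set, the tag names and the sample plan are assumptions constructed for illustration.

```python
"""Plan-time policy checks over `terraform show -json tfplan` output.

Added illustration, not the project's own policy: the platform runs OPA/Rego
through conftest against the plan JSON. This reproduces the kind of rules such
a policy holds so they can be exercised offline. The rule set, the mandatory
tag names and the sample plan are assumptions / constructed data.
"""
import sys

MANDATORY_TAGS = ("owner", "product", "costCenter", "env")  # assumed mandatory tag set


def planned_resources(plan: dict):
    """Yield (address, type, after-state) for every resource the plan creates or changes.

    Pure deletes and no-ops carry no desired state worth checking. Values only
    known after apply are absent from `after` (they sit in `after_unknown`), so a
    missing attribute is treated as a violation: the policy fails closed.
    """
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") in (["delete"], ["no-op"]):
            continue
        yield rc["address"], rc["type"], change.get("after") or {}


def check_plan(plan: dict) -> list[str]:
    """Return deny messages; an empty list means the plan passes policy."""
    denies = []
    for address, rtype, after in planned_resources(plan):
        tags = after.get("tags") or {}
        missing = [t for t in MANDATORY_TAGS if not tags.get(t)]
        if missing:
            denies.append(f"{address}: missing mandatory tags {missing}")
        if rtype == "azurerm_kubernetes_cluster":
            if after.get("private_cluster_enabled") is not True:
                denies.append(f"{address}: AKS API server must be private")
            if not (after.get("oidc_issuer_enabled") is True
                    and after.get("workload_identity_enabled") is True):
                denies.append(f"{address}: OIDC issuer and Workload Identity must be enabled")
        if rtype in ("azurerm_key_vault", "azurerm_container_registry"):
            if after.get("public_network_access_enabled") is not False:
                denies.append(f"{address}: public network access must be disabled (Private Link only)")
    return denies


# Constructed sample: the shape of `terraform show -json`, trimmed to what the rules read.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "module.aks.azurerm_kubernetes_cluster.this",
         "type": "azurerm_kubernetes_cluster",
         "change": {"actions": ["create"], "after": {
             "private_cluster_enabled": True,
             "oidc_issuer_enabled": True,
             "workload_identity_enabled": True,
             "tags": {"owner": "platform", "product": "idp",
                      "costCenter": "cc-00001", "env": "nonprod"}}}},
        {"address": "module.kv.azurerm_key_vault.this",
         "type": "azurerm_key_vault",
         "change": {"actions": ["create"], "after": {
             "public_network_access_enabled": True,   # violates the Private Link rule
             "tags": {"owner": "platform", "product": "idp", "env": "nonprod"}}}},  # no costCenter
        {"address": "azurerm_resource_group.legacy",
         "type": "azurerm_resource_group",
         "change": {"actions": ["delete"], "after": None}},  # deletes are not evaluated
    ]
}


if __name__ == "__main__":
    # Mirrors conftest's behaviour: print every deny and exit non-zero so the CI job fails.
    problems = check_plan(SAMPLE_PLAN)
    print("\n".join(problems) or "plan passes policy")
    sys.exit(1 if problems else 0)
```

It sits where conftest sits in the pipeline: after `terraform plan -out tfplan` and `terraform show -json tfplan > plan.json`, load the JSON, call `check_plan`, and fail the job on a non-empty result. Deletes and no-ops are skipped, and an attribute still unknown at plan time counts as a violation, so the check fails closed rather than open.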

Secure by default

private, least-privilege

Security is the baseline every environment inherits, not an add-on. The safe choice is the default choice, and relaxing it is a deliberate, reviewed exception.

How this platform does it

Private AKS API server, Workload Identity, Azure CNI Overlay with Cilium, default-deny egress through the hub firewall, Private Link for Key Vault, ACR and Postgres, and Kyverno-verified signed images. Even the demo profile relaxes only cost SKUs, never the security model.

Supply-chain integrity

signed & scanned

An artifact should be traceable to its source and verified before it runs. Identity replaces stored secrets; signatures and SBOMs make provenance checkable.

How this platform does it

GitHub authenticates to Azure with OIDC federation (no static cloud secrets). Images are signed with cosign keyless, SBOMs and vulnerability scans gate releases, and Kyverno refuses unsigned images at admission.
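The admission rule above is only as strong as the identity it pins to, so here is an added example (not the project's Kyverno policy, and not cosign) that models the decision Kyverno makes over an image and its keyless signing identity: digest-pinned, from the platform registry, signed under the GitHub Actions OIDC issuer by one specific release workflow on the default branch. The registry host, the org/repo/workflow in the subject pattern and the signature-bundle format are assumptions.

```python
"""Admission-time decision for container images: unsigned images are refused,
and 'signed' means signed by the expected keyless identity.

Added illustration, not the project's Kyverno policy and not cosign: Kyverno
verifies the Sigstore certificate chain and the Rekor entry itself. This code
only models the *decision* over signing identities already extracted from a
signature, so the policy logic can be read and tested offline. The registry
host, the repository/workflow in the subject pattern and the bundle format are
assumptions.
"""
import re
from typing import Optional

PLATFORM_REGISTRY = "platformacr.azurecr.io"                     # assumed ACR hostname
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"  # GitHub Actions OIDC issuer
# Pin the signer to one workflow on the default branch. A looser pattern such as
# "^https://github.com/example-org/" would also admit images signed by any PR or
# fork run, which the same issuer will happily mint a token for.
EXPECTED_SUBJECT = re.compile(
    r"^https://github\.com/example-org/checkout/\.github/workflows/release\.yml@refs/heads/main$"
)
DIGEST_REF = re.compile(r"^(?P<host>[^/]+)/(?P<repo>[^@:]+)@(?P<digest>sha256:[0-9a-f]{64})$")


def admit_image(image: str, signatures: dict) -> Optional[str]:
    """Return a deny reason, or None if the image may run."""
    m = DIGEST_REF.match(image)
    if m is None:
        return f"{image}: not pinned by digest; a tag is mutable and cannot bind a signature"
    if m["host"] != PLATFORM_REGISTRY:
        return f"{image}: not from the platform registry"
    sig = signatures.get(m["digest"])
    if sig is None:
        return f"{image}: no signature found for digest"
    if sig.get("issuer") != EXPECTED_ISSUER:
        return f"{image}: signed under unexpected OIDC issuer {sig.get('issuer')!r}"
    if not EXPECTED_SUBJECT.match(sig.get("subject", "")):
        return f"{image}: signer {sig.get('subject')!r} is not the release workflow"
    return None


def admit_pod(pod: dict, signatures: dict) -> list[str]:
    """Evaluate every container (init containers included); empty list means admitted."""
    spec = pod.get("spec", {})
    images = [c["image"] for c in spec.get("initContainers", []) + spec.get("containers", [])]
    return [reason for reason in (admit_image(i, signatures) for i in images) if reason]


# Constructed signature bundle: digest -> identity taken from the Fulcio certificate SAN/issuer.
GOOD = "sha256:" + "a" * 64
FROM_PR = "sha256:" + "b" * 64
SIGNATURES = {
    GOOD: {"issuer": EXPECTED_ISSUER,
           "subject": "https://github.com/example-org/checkout/.github/workflows/release.yml@refs/heads/main"},
    FROM_PR: {"issuer": EXPECTED_ISSUER,
              "subject": "https://github.com/example-org/checkout/.github/workflows/release.yml@refs/pull/42/merge"},
}

# Constructed pod: one admissible image per container kind and three that must be refused.
SAMPLE_POD = {"spec": {
    "initContainers": [{"image": f"{PLATFORM_REGISTRY}/checkout/migrate@{GOOD}"}],
    "containers": [
        {"image": f"{PLATFORM_REGISTRY}/checkout/api@{GOOD}"},
        {"image": f"{PLATFORM_REGISTRY}/checkout/api@{FROM_PR}"},  # signed, but by a PR run
        {"image": f"{PLATFORM_REGISTRY}/checkout/api:latest"},     # tag, not digest
        {"image": f"docker.io/library/nginx@{GOOD}"},             # wrong registry
    ]}}

if __name__ == "__main__":
    for reason in admit_pod(SAMPLE_POD, SIGNATURES):
        print("DENY", reason)
```

In Kyverno the same pin is expressed under `verifyImages` with an attestor whose `keyless` entry names the `subject` and `issuer`; Kyverno can also rewrite a tag to its digest at admission (`mutateDigest`) so the running pod is pinned even when the manifest was not. The point the example makes is that a subject pattern scoped to the whole org, or to any ref, admits images signed by pull-request and fork runs that never passed the release gate.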

Ownership boundaries

one owner per layer

Every layer of desired state has exactly one owner. Clear boundaries keep blast radius small and stop two systems fighting over the same resource.

How this platform does it

The enterprise ALZ owns management groups and tenant policy. Terraform owns subscription and platform infrastructure. Flux owns Kubernetes state. Azure Service Operator owns workload Azure dependencies. Backstage only initiates; it is never a source of truth.

FinOps & showback

cost is a first-class signal

Teams can only manage spend they can see. Cost is allocated to the team and product that incurred it and surfaced where engineers already work.

How this platform does it

Mandatory tags (owner, product, costCenter, env) flow from Cost Management exports through an allocator into a showback pipeline, surfaced per team and product in Backstage Cost Insights.

Architecture explorer

The platform as a real, connected system. Explore the live diagram, or switch to the capability layers. Either way, every component links to what it is, why it's there, who owns it, and the decision record behind it.

Architecture diagram (components):
  • GitHub: reusable workflows
  • Firewall: default-deny egress
  • Flux: GitOps
  • Kyverno: admission
  • Backstage: portal
  • Observability: dashboards · SLOs
  • ACR: signed images
  • Key Vault: Private Link
  • Postgres: HA · PITR
  • Vended namespaces: quota · NetworkPolicy · identity
  • Azure Service Operator: workload Azure deps
  • Azure Monitor · Defender · Cost Management

One codebase, three profiles

The same Terraform targets demo, nonprod and prod. It stays approachable and cheap to evaluate, yet production-capable at full tier. Switch a profile to see how posture shifts across cost, availability and security.

Profile gauges (prod profile selected):
  • Monthly cost: Highest (3 of 3)
  • Resilience: Zone-redundant + DR (3 of 3)
  • Security baseline (constant across profiles): Full (3 of 3)
What it provisions (prod):
  • Egress & network: Azure Firewall Premium · default-deny
  • Availability: Zone-redundant + DR region
  • Postgres: HA + PITR + customer-managed keys
  • Container registry: ACR Premium · geo-replicated
  • Defender for Cloud: Defender standard
  • Backstage ingress: Private · Front Door
  • Relative cost: Highest

The life of a request

Follow one namespace request along a golden path, from a Backstage form to a running, governed namespace. Every hop produces a real, reviewable artifact. Press play, or step through it yourself.

Step 01 / 08 · Developer (you)

Request a paved road

A developer opens the Backstage portal and picks a golden-path template, then describes the service: ownership, product, cost centre, environment and runtime.

Backstage template input
team: payments
product: checkout
environment: nonprod
namespace: checkout
quotaTier: small
costCenter: cc-12345
dataClassification: confidential
onCall: payments-primary
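What the vending step makes of that input, for this request and for the self-service vending described earlier, as an added example rather than the platform's own vending code (which commits manifests to the platform-cluster-state repository for Flux to reconcile): the namespace with cost labels, a tiered ResourceQuota, a default-deny NetworkPolicy, a Workload Identity service account and a namespace-scoped RoleBinding. The quota tier sizes, the label and annotation keys, the `<team>-developers` group convention and the way the managed identity's client id is passed in are assumptions.

```python
"""Vending step: turn a reviewed namespace request into the Kubernetes objects
Flux will reconcile (namespace, quota, default-deny NetworkPolicy, Workload
Identity service account, RBAC).

Added illustration, not the platform's vending code, which commits manifests to
the platform-cluster-state repository. Assumptions: the quota tier sizes, the
label/annotation keys, the `<team>-developers` group convention for RBAC, and
that the managed identity's client id is handed in from the identity step.
"""
import json
import re

QUOTA_TIERS = {  # assumed tier sizes
    "small": {"requests.cpu": "4", "requests.memory": "8Gi", "pods": "50"},
    "medium": {"requests.cpu": "16", "requests.memory": "32Gi", "pods": "200"},
}
REQUIRED = ("team", "product", "environment", "namespace", "quotaTier",
            "costCenter", "dataClassification", "onCall")
DNS_LABEL = re.compile(r"^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$")  # valid namespace name


def render_vended_namespace(req: dict, client_id: str) -> list[dict]:
    """Validate the request, then return the objects in apply order."""
    missing = [k for k in REQUIRED if not req.get(k)]
    if missing:
        raise ValueError(f"request is missing {missing}")
    if req["quotaTier"] not in QUOTA_TIERS:
        raise ValueError(f"unknown quotaTier {req['quotaTier']!r}; choose from {sorted(QUOTA_TIERS)}")
    ns = req["namespace"]
    if not DNS_LABEL.match(ns):
        raise ValueError(f"{ns!r} is not a valid namespace name")

    # The mandatory cost tags become namespace labels, so the showback pipeline
    # can map every pod in the namespace back to a team and product.
    labels = {"owner": req["team"], "product": req["product"],
              "costCenter": req["costCenter"], "env": req["environment"],
              "dataClassification": req["dataClassification"]}
    rbac = "rbac.authorization.k8s.io"
    return [
        {"apiVersion": "v1", "kind": "Namespace",
         "metadata": {"name": ns, "labels": labels,
                      "annotations": {"platform.example.com/on-call": req["onCall"]}}},
        {"apiVersion": "v1", "kind": "ResourceQuota",
         "metadata": {"name": "tier-quota", "namespace": ns},
         "spec": {"hard": dict(QUOTA_TIERS[req["quotaTier"]])}},
        # Empty podSelector selects every pod; listing both policy types with no
        # rules denies all ingress and egress until the team adds explicit allows.
        {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
         "metadata": {"name": "default-deny", "namespace": ns},
         "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
        # Workload Identity: the annotation binds this SA to the managed identity;
        # pods opt in with the label azure.workload.identity/use: "true".
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": "workload", "namespace": ns,
                      "annotations": {"azure.workload.identity/client-id": client_id}}},
        # Team members get the built-in `edit` ClusterRole scoped to this namespace only.
        {"apiVersion": f"{rbac}/v1", "kind": "RoleBinding",
         "metadata": {"name": f"{req['team']}-edit", "namespace": ns},
         "subjects": [{"kind": "Group", "apiGroup": rbac, "name": f"{req['team']}-developers"}],
         "roleRef": {"kind": "ClusterRole", "apiGroup": rbac, "name": "edit"}},
    ]


# The request from the Backstage form above, as a dict (taken from the page's example).
SAMPLE_REQUEST = {
    "team": "payments", "product": "checkout", "environment": "nonprod",
    "namespace": "checkout", "quotaTier": "small", "costCenter": "cc-12345",
    "dataClassification": "confidential", "onCall": "payments-primary",
}

if __name__ == "__main__":
    # Placeholder client id; the real value comes from the identity created for the namespace.
    for obj in render_vended_namespace(SAMPLE_REQUEST, client_id="00000000-0000-0000-0000-000000000000"):
        print(json.dumps(obj, indent=2))
```

The two things worth noticing are the validation up front (the request is refused, not silently defaulted, when a tag is missing or the tier is unknown) and the NetworkPolicy: an empty selector with both policy types and no rules is the Kubernetes spelling of default-deny, and everything a team later allows is a reviewable diff in the cluster-state repository.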

Cost is a first-class signal

Mandatory tags travel with every resource, so spend is allocated to the team and product that incurred it, then surfaced where engineers already work. Group the showback to see where the money goes.

Monthly showback (representative): $28,970
  • payments $9,200
  • data-platform $6,300
  • ml $4,750
  • search $3,800
  • web $2,700
  • identity $2,220

Figures are clearly-labelled representative data, in USD per month. In the platform, mandatory owner, product and costCenter tags drive real showback in Backstage Cost Insights.
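To show what the allocator between the Cost Management export and the showback view has to do, for this section and for the FinOps concept above, here is an added example that is not the platform's allocator: it parses the Tags column, books direct cost to (owner, product), spreads platform-owned shared cost across consumers, and keeps untagged spend visible as a policy gap instead of dropping it. The rows are constructed, the export's tag format (quoted key/value pairs without outer braces) and proportional spreading of shared cost are assumptions.

```python
"""Showback allocation from Cost Management export rows: direct cost by
(owner, product) tags, shared platform cost spread across consumers, and
untagged spend kept visible instead of silently dropped.

Added illustration, not the platform's allocator. The rows are constructed to
mimic the columns of a Cost Management export; the Tags column there is taken
to be a string of quoted key/value pairs without surrounding braces, which
parse_tags assumes. Splitting shared cost in proportion to each product's
direct spend is an assumed allocation rule.
"""
import json
from collections import defaultdict

MANDATORY_TAGS = ("owner", "product", "costCenter", "env")
SHARED_OWNER = "platform"  # assumed: resources owned by the platform team are shared cost


def parse_tags(raw) -> dict:
    """Accept a dict, or the export's `"k": "v","k2": "v2"` string form."""
    if isinstance(raw, dict):
        return raw
    if not raw:
        return {}
    text = raw.strip()
    if not text.startswith("{"):
        text = "{" + text + "}"
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        return {}


def allocate(rows) -> dict:
    """Return per-(owner, product) lines with direct, shared and total cost, plus the unallocated remainder."""
    direct = defaultdict(float)
    shared = 0.0
    unallocated = 0.0
    for row in rows:
        tags = parse_tags(row.get("Tags"))
        cost = float(row["Cost"])
        if any(not tags.get(t) for t in MANDATORY_TAGS):
            unallocated += cost  # tag policy gap: surface it, never hide it in a team's bill
        elif tags["owner"] == SHARED_OWNER:
            shared += cost
        else:
            direct[(tags["owner"], tags["product"])] += cost
    total_direct = sum(direct.values())
    lines = {}
    for key, cost in direct.items():
        share = shared * cost / total_direct if total_direct else 0.0
        lines[key] = {"direct": cost, "shared": round(share, 2), "total": round(cost + share, 2)}
    return {"products": lines, "shared_pool": shared, "unallocated": round(unallocated, 2)}


def by_team(report: dict) -> dict:
    """Roll the product lines up to the team level, the grouping the page's showback uses."""
    totals = defaultdict(float)
    for (owner, _product), line in report["products"].items():
        totals[owner] += line["total"]
    return dict(totals)


# Constructed rows in the shape of a Cost Management export (subscription id and names are made up).
_RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
SAMPLE_ROWS = [
    {"ResourceId": f"{_RG}/rg-checkout/providers/Microsoft.Compute/virtualMachineScaleSets/aks-checkout",
     "Cost": "5000.00", "Tags": '"owner": "payments","product": "checkout","costCenter": "cc-12345","env": "prod"'},
    {"ResourceId": f"{_RG}/rg-refunds/providers/Microsoft.DBforPostgreSQL/flexibleServers/pg-refunds",
     "Cost": "1000.00", "Tags": '"owner": "payments","product": "refunds","costCenter": "cc-12345","env": "prod"'},
    {"ResourceId": f"{_RG}/rg-search/providers/Microsoft.Compute/virtualMachineScaleSets/aks-search",
     "Cost": "2000.00", "Tags": '"owner": "search","product": "index","costCenter": "cc-20000","env": "prod"'},
    {"ResourceId": f"{_RG}/rg-hub/providers/Microsoft.Network/azureFirewalls/fw-hub",
     "Cost": "3000.00", "Tags": '"owner": "platform","product": "shared","costCenter": "cc-00001","env": "prod"'},
    {"ResourceId": f"{_RG}/rg-platform/providers/Microsoft.ContainerRegistry/registries/platformacr",
     "Cost": "1000.00", "Tags": '"owner": "platform","product": "shared","costCenter": "cc-00001","env": "prod"'},
    {"ResourceId": f"{_RG}/rg-misc/providers/Microsoft.Compute/virtualMachines/vm-unknown",
     "Cost": "400.00", "Tags": ""},  # untagged: escaped the tag policy, must stay visible
]

if __name__ == "__main__":
    report = allocate(SAMPLE_ROWS)
    for team, total in sorted(by_team(report).items(), key=lambda kv: -kv[1]):
        print(f"{team:<12} ${total:>10,.2f}")
    print(f"{'unallocated':<12} ${report['unallocated']:>10,.2f}")
```

The conservation property is the check worth keeping in a real pipeline: the team totals plus the unallocated remainder must equal the export's total, so no spend goes missing between the export and the Backstage Cost Insights view.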

Find your path

The same platform serves very different people. Pick the role that fits you to trace a journey through it, and watch the concepts that matter to you light up.


Bring the paved road to your tenant

This whole site is the front door. The platform itself, its Terraform, policies, workflows and Backstage templates, lives in the open. Stand it up on a subscription beneath your existing Azure Landing Zone.