Blog

GLM-5.2, open-weight and about a week old, tied Claude Opus 4.8 on my Azure Terraform benchmark, running entirely inside my own tenant on a 4× A100 spot box at about $3.50/hour, on two-generation-old silicon. Small sample, but a model you can self-host kept pace with the best closed model I rent, and nothing left my network to do it.

It makes sense when you create it. Three years later you have 15 App Service plans running at £120/month each. Consolidation is low effort, low risk, and the saving compounds every month.

Single-session AVD host pools run one VM per user, all day, whether or not anyone's logged in. Multisession consolidation with auto-scale changes the economics significantly. Here's what that looks like in practice.

A routine cost review flagged £15 I didn't recognise. Nineteen days of Azure Front Door Standard charges on resources that weren't even in use. Here's what happened.

Azure shows you a spot VM's eviction rate today, but never its history, and the bands move constantly. So I started recording all 26,344 SKU and region combinations every day. Here is what the data shows, and the buried API that made it necessary.

There's a crossover point where physically transporting your data beats uploading it over the internet. Here's the maths to find exactly where that line sits for your situation.

Qwen3.6-27B FP8 on a single H100 scored 90% on a 50-task Terraform corpus. Llama-3.3-70B BF16 TP=2 on two H100s scored 80%. The smaller model wins on score AND on cost, by 3× on the cost side.

I asked a frontier LLM for the best Qwen Coder model. It confidently recommended Qwen2.5-Coder-72B-Instruct. That model doesn't exist. The HuggingFace API is the only reliable check.

Moved 290 GB across 11,000 km of Azure backbone in 35 seconds of active transfer. 67 Gbit/sec sustained, a 25 GB Blu-ray every 3 seconds. The wall isn't QoS, it's the storage account request throttle. Plus the real bill: £112 of cross-region egress, mostly Asia outbound at £0.080 per GB.

Premium Azure File shares for FSLogix profiles are typically provisioned at 2TB per share. Actual usage is usually under 500GB. IOPS utilisation sits at around 10%. The cost of the gap is £5,000 a year. Right-sizing is a two-minute change, with one limit worth knowing.

Every Azure VM has a maximum uncached disk throughput. Most estates have VMs where the disk SKU's capability significantly exceeds that ceiling. The performance is identical. The cost isn't.

A 17-model Foundry benchmark session cost us $74.62. Four distinct billing gotchas hit us along the way, none of them obvious from the pricing page, all of them ones we now check first.

B-series VMs have a hard IO throughput cap that makes Premium SSD pointless. The disk can deliver 150 MB/s. The VM can't receive more than 35. You're paying the premium price for standard performance.

Using the same email for a personal Microsoft account and a work M365 account creates identity conflicts that silently break device management, app sign-ins, and MFA.

Conventional advice says deploy AOAI in Sweden Central for the latest OpenAI models. As of May 2026, that's wrong for UK clients running text workloads. UK South has the full GPT-5 family. Sweden Central doesn't.

Microsoft is retiring Azure CDN Classic and replacing it with Azure Front Door Standard and Premium. Here's what the products actually are, what the pricing difference looks like, and which tier most organisations need.

Claude Code is not just for application developers. Here's how an Azure infrastructure engineer uses it for Terraform, cost analysis, documentation, and architecture reviews.

$0.095 per million output tokens. That's the cost of running Qwen2.5-Coder-32B FP8 on a single H100 spot VM at peak utilisation, 100× cheaper than GPT-4o. The catch is hitting batch=128 sustained, and most workloads can't.

Microsoft set a September 2027 retirement date for Azure CDN Classic, but the billing change hit in April 2026. If you haven't checked your subscription since then, you may already be paying more.

Power Automate cannot connect to network-restricted Service Bus namespaces, even with trusted Microsoft services enabled. Here is what actually works.

Apple M5 Max MacBook Pro running Qwen 3.5-35B on MLX: 118 tok/s. Azure NC40ads_H100_v5 spot running Qwen3.6-35B FP8 on vLLM: 143 tok/s. The cloud VM costs $1.61/hr. The laptop costs £3,000+ up front.

Excluding one outlier (gpt-5-pro at £41), 16 frontier LLMs cost £19 total to benchmark across 50 Terraform tasks each on Azure AI Foundry. The equivalent single-model run on self-hosted H100 spot would have cost £19 by itself.

Decommissioning a data centre is stressful enough without throwing away thousands in recoverable hardware value. Here's how to do IT asset recovery properly.

Most organisations running APIM Premium are paying for it solely to get VNET integration. Standard v2 now supports VNET integration. The Premium features they're not using cost around £1,700 a month.

Savings Plans offer flexibility, Reserved Instances offer deeper discounts. Here's when to use each, the trade-offs involved, and why most organisations need both.

50TB is where internet uploads start to hurt. We compare your options for moving serious data to Azure, AWS, GCP, or between data centres, including the egress costs nobody warns you about.

Remote hands and smart hands get used interchangeably, but they're different services at different price points. Here's what each tier actually means and when you need which.

Standard cost tools catch the obvious waste. The expensive items they miss almost always need architectural context to spot, which is where the AI-plus-experience combination matters.

Synapse Spark's default write parallelism generates hundreds of concurrent file operations against ADLS Gen2, causing storage contention and inflating costs. A configuration-level fix usually beats a tier upgrade.

Two Azure VMs with identical vCPU and RAM can cost nearly double once Windows licensing is applied. Here's why, and how to avoid paying for licensing you already own.

When something goes down at 2am and your nearest engineer is 200 miles away, you need emergency smart hands you can rely on. Here's exactly what happens when you call.

Configure Managed DevOps Pools with zero standby agents so you pay nothing during idle periods. Most teams can cut agent costs by 75-85%.

Every monitoring setup watches VMs working too hard. Nothing watches VMs doing nothing. Here's what an idle Azure VM looks like, and how pattern recognition across an estate finds the ones nobody needs.

Azure Monitor has a third log tier at roughly £0.12/GB. Analytics Logs cost around £2.20/GB. For compliance data and long-term retention, it changes the monitoring bill entirely.

Azure Spot VMs slash CI/CD agent costs by 60-90%. Managed DevOps Pools support them natively, and build pipelines are the perfect workload for spot compute.

Self-hosted DevOps agents come with real operational overhead. We compare VMSS, ACI, AKS, and Managed DevOps Pools to help you pick the right approach.

Paying Premium tier prices for ADLS Gen2 storage that doesn't need it is common. Azure's own metrics can prove whether the real bottleneck is the network or the disk before you upgrade.

Defender for Storage offers three protection layers: threat detection, on-upload scanning, and on-demand scanning. Most environments only need two of them.

Running Premium Service Bus across every environment for a modest messaging workload is a common overspend. Moving non-production to Standard can save tens of thousands a year.

VNet peering looks cheap at a penny per GB, but in hub-spoke architectures with cross-region traffic, peering costs scale fast and quietly inflate your Azure networking bill.

Azure Monitor and Log Analytics are deeply intertwined but billed separately. Here's how to understand what's actually driving your monitoring costs.

Client secrets create operational headaches with rotation and exposure risk. Certificate-based OAuth shifts the burden to the third party and eliminates shared secret management entirely.

Azure Key Vault looks cheap per operation, but at enterprise scale with automated workloads, the operation count explodes and the bill follows.

Logic Apps and Azure Functions both handle integration workloads, but their pricing models create wildly different costs. Here's the real per-transaction breakdown.

Azure Service Bus and Event Grid solve different messaging problems. Picking the wrong one costs more and delivers less. Here's how to choose.

Azure APIM Premium costs ~£2,500/month per unit. Most organisations don't need it - here's how to tell if you're overpaying and what to use instead.

Extracting user and group assignments from Entra ID enterprise apps should be simple. The Graph API makes it surprisingly difficult, especially with on-premises synced groups.

Power Platform costs are quietly growing inside your Microsoft 365 tenant, invisible in Azure Cost Management. Premium licences, AI Builder credits, and Dataverse storage add up fast when nobody is watching.

Comparing the real costs of Azure Synapse and Microsoft Fabric to help data teams decide when migration actually makes financial sense.

Test tenants that become production environments accumulate security debt fast. Excess Global Admins, legacy MFA, and duplicate accounts need systematic cleanup.

Azure SQL has three pricing models, each with hidden gotchas. Choose wrong and you could be paying thousands more than you need to.

Storage account keys give unrestricted access to everything. When a developer requests them, push back with better alternatives.

ExpressRoute is often the biggest fixed cost in an Azure estate, and the least reviewed. Most organisations are paying for bandwidth they never use.

ASR fees, replica disks, bandwidth, vault storage. Many organisations are paying thousands for disaster recovery they've never validated.

Application Gateway and Front Door both handle web traffic, but at different layers and price points. Here's how to choose the right one.

Defender for Cloud is quietly eating 5-8% of your Azure bill. Most organisations enable every plan by default and never look back - that's exactly what Microsoft wants.

A routine SQL Server 2022 upgrade on Azure IaaS can turn into a week-long performance crisis when tempdb shares a Standard SSD with data files. Here's the diagnosis and the fix.

Engineers delete VMs but forget to remove ASR replicas, leaving expensive replica managed disks billing silently in the target region for months.

Azure Firewall is one of the biggest hidden costs in hub-spoke architectures. The hub subscription alone can quietly run to eight thousand pounds a month before a single workload is deployed.

Egress and bandwidth charges are a hidden tax on nearly every Azure service. Data in is free, data out is not — and that asymmetry catches organisations off guard.

Azure Firewall Premium costs double Standard but most organisations never enable its key features. Find out if the upgrade is justified or if you're overspending.

Backup costs quietly grow to consume a significant chunk of Azure spend. Retention policies are the biggest lever most organisations never touch.

Defender for Servers charges per VM, and Plan 1 vs Plan 2 confusion means many organisations are paying double. Here's how to audit and fix it.

Log Analytics data ingestion costs grow silently as you onboard more resources and enable more diagnostic settings. Here's how to find and control the spend.

VMs running around the clock cost far more than most organisations realise. The compute price is just the start.

Block open-sourced Goose, Stripe forked it into Minions, and the workforce implications are now impossible to ignore. This isn't vibe coding — it's agentic engineering.

Cost concentration in a single Azure subscription signals architectural drift and financial risk. It's a pattern we see in almost every assessment.

A single afternoon FinOps audit uncovered over £4,000/month in Azure waste across storage, DR, backups, and security tooling.

FinOps brings financial accountability to cloud spending. If your CFO isn't involved in cloud cost decisions yet, here's why that needs to change - and fast.

Everyone expects VMs to dominate Azure spend, but storage quietly overtakes everything. Here's why it's probably your single biggest cost category.

Think you can just upload 100TB to Azure over your internet connection? Here's the maths on why physical data transfer still matters.

Getting Azure Spot VM prices seems simple until you need eviction rates. Here's what we learned building an AI-powered spot pricing tool.

Start 2026 right with a thorough Azure cost review. Here's the checklist we use with clients to identify quick wins.

The azurerm provider doesn't always support the latest .NET versions. Here's how to use the azapi provider to deploy .NET 8/9/10 Azure Functions.

Compliance requires logging everything for 7 years. Here's how to implement tenant-wide diagnostic settings without breaking the bank.

When Synapse blocks all egress traffic, how do you connect to your own resources? Managed private endpoints are the answer, but they're confusing.

Stop retrofitting security. Build Terraform modules with sensible security defaults so every resource starts secure without extra effort.

Your WAF is blocking attacks, but are you watching? Here's how to build an Azure Monitor workbook that shows what's being blocked and why.

Windows Hello is enabled, devices are enrolled, but users still have passwords. Here's the missing piece most organisations overlook.

AI coding assistants aren't just for developers. Here's how we use Claude and GitHub Copilot for infrastructure and DevOps work.

Flexera's annual cloud report reveals that 27% of cloud spend is wasted and 84% of organisations struggle with cost management. Here's what it means.

Azure Advisor gives you free cost optimisation recommendations. Here's what it catches, what it misses, and how to use it effectively.

Data centres offer their own remote hands services, but they're not always the best choice. Here's when third-party smart hands makes more sense.

AI tools are changing how we manage infrastructure. Here's how to use LLMs and ML for log analysis, cost prediction, and automated optimisation.

Enterprise FinOps strategies don't always apply to smaller organisations. Here are practical cost optimisation approaches that work for SMEs.

Need Synapse Spark pools to reach on-premises resources while DEP is enabled? It's complicated, but here are your options.

Getting Spark pool logs to Log Analytics when your workspace has data exfiltration protection enabled requires careful DNS configuration.

Without proper tagging, you can't allocate costs, identify owners, or enforce governance. Here's how to build a tagging strategy that actually works.

Moving beyond VM-based monitoring to container-native solutions. Here's how to implement scalable monitoring in AKS and Container Apps.

Azure Connection Monitor has a hard limit of 100 endpoints. When you need to monitor more, here are your options.

Users don't need to set a password if you set up onboarding correctly. Here's how to use Temporary Access Pass for truly passwordless day-one access.

Going passwordless with AVD isn't as straightforward as regular M365. Here's what works and what limitations you'll encounter.

Locking down Service Bus with network rules breaks Power Automate. Here's how to maintain security while keeping your flows working.

Connecting Microsoft Fabric to private Azure resources requires careful planning. Here's how to integrate Fabric with your existing network infrastructure.

Most Azure storage is in the Hot tier by default, but up to 80% of it is rarely accessed. Here's how to use storage tiers to cut costs.

Connecting Microsoft Fabric to a Key Vault with public access disabled requires specific configuration. Here's what works.

AMPLS can break all your Log Analytics workspaces if configured incorrectly. Here's how to set it up with selective DNS zone linking.

Enabling data exfiltration protection in Synapse blocks all outbound traffic. Here's how to work with this restriction while maintaining functionality.

Dev and test environments running 24/7 waste up to 70% of their cost. Here's how to automate shutdowns and save thousands.

Microsoft is deprecating legacy per-user MFA. Here's how to migrate to modern Conditional Access and Authentication Methods policies.

Need to find which Entra users have access to your PostgreSQL database? Here's how to query the system catalogs to find Azure AD principals.

Running multiple databases in Azure SQL? Here's how to choose between individual databases, elastic pools, and serverless to minimise costs.

Orphaned disks, NICs, and public IPs silently drain your Azure budget. Here's how to find them and clean them up.

Default pipeline failure notifications lack detail. Here's how to include actual error messages and useful context in your notification emails.

Need to send notifications beyond the built-in DevOps emails? Here's how to send custom emails from your pipelines using SendGrid or Microsoft Graph.

Need to run tasks against a changing list of VMs? Here's how to dynamically discover and iterate over VMs in your pipelines.

Azure Container Apps provides serverless containers without the Kubernetes complexity. Here's how to deploy a Python application with persistent storage.

Azure Policy lets you enforce standards automatically. Here's how to create custom policies for common compliance requirements.

Running a security review on an Azure environment? Here's a practical checklist of common issues and how to fix them.

If you have Windows Server licenses with Software Assurance, you could be saving up to 40% on Azure VMs. Here's how to check and apply.

Storage accounts are a common weak point in Azure deployments. Here's a security checklist and Terraform configuration to get it right.

The managed rule sets catch most attacks, but custom rules let you block specific threats hitting your application.

Route different URL paths to different backends with Application Gateway. Useful for API versioning, microservices, and gradual migrations.

Explaining the value of Application Gateway and Web Application Firewall to executives and finance teams. Here's how to frame the conversation.

Need a folder where users can upload files but can't see what others have uploaded? Here's how to configure a secure drop box in Azure Files.

With 43 data centres and 365MW of capacity, the Slough Trading Estate is Europe's densest data centre cluster. Here's why.

Getting NTFS permissions working on Azure Files requires both RBAC and share-level permissions. Here's the complete setup guide.

CREATE USER FROM EXTERNAL PROVIDER sounds simple, but running it from a pipeline with service principal authentication has some gotchas.

Need to copy an Azure SQL database to a different subscription? The built-in copy feature doesn't work across subscriptions. Here are your options.

Reserved Instances can save you up to 72% on Azure compute, but they're not always the right choice. Here's how to decide.

Getting the best RDP performance for demanding applications requires specific registry settings and network configuration. Here's what actually works.

AVD health checks failing for TURN relay access? Here's how to diagnose and fix the network connectivity issues.

Azure Files with AD authentication requires the storage account to be domain joined. Here's how to automate this in your CI/CD pipeline.

Private endpoints are powerful but DNS resolution can be tricky. Here's how to configure DNS correctly for hybrid environments with on-premises AD.

Assigning Azure AD groups to AVD application groups via Terraform requires specific provider versions and resource types. Here's the working configuration.

How to configure Terraform to store state in Azure Blob Storage with proper locking and security.

Getting FSLogix profiles working with Azure Files requires the right storage account type, tier, and permissions. Here's what actually works.

Need weekly copies of production data for testing? Here's how to automate Azure SQL database copies without the manual work.

One SonarCloud scan per repo is tedious to set up. Here's how to automate scanning across all repositories in your Azure DevOps project.

Most Azure VMs are oversized. Here's how to identify candidates for right-sizing and the potential savings you're missing.

Self-hosted DevOps agents in containers offer faster scaling and better resource utilisation. Here's how to set them up with Docker-in-Docker.

Azure WAF now recommends Microsoft's Default Rule Set over OWASP CRS. Here's how to migrate and what to watch out for.

Need to create a VM from existing disk snapshots? Here's the Terraform configuration for creating managed disks from snapshots and attaching them to new VMs.

App Service VNET integration lets your web apps access private resources. Here's how subnet delegation works and common pitfalls to avoid.

Getting the application stack and startup commands right for Azure Linux Web Apps in Terraform isn't always obvious. Here's the configuration that works.

A step-by-step guide to exporting your Azure cost and usage data for offline analysis and FinOps reporting.