Description
Key Focus Areas:
Hybrid Cloud Infrastructure
Identity & Access Integration
Infrastructure Automation & Governance
Disaster Recovery & Operational Resilience
Azure Arc Governance
OpenVPN Layer 2 Connectivity
Executive Summary
Architected a modern hybrid infrastructure platform integrating on-premises Hyper-V virtualisation environments with Microsoft Azure services — establishing unified identity management, secure remote connectivity, centralised governance, Infrastructure as Code automation, and layered backup and disaster recovery capabilities across cloud and on-premises environments.
The architecture combines Hyper-V-hosted core enterprise services, Azure AD Connect hybrid identity synchronisation, OpenVPN Layer 2 remote access, Azure Arc unified governance, Terraform-driven cloud provisioning, DFS with Azure File Sync, multi-layer backup through Veeam and Azure Backup, Azure Site Recovery failover orchestration, and Microsoft Sentinel SIEM integration into a cohesive operational platform.
The design demonstrates how mid-sized enterprises can modernise fragmented legacy infrastructure through a hybrid-first strategy — preserving existing on-premises investments while establishing a scalable foundation for progressive cloud adoption.
Business Drivers
Mid-sized enterprises modernising their infrastructure frequently face operational challenges caused by fragmented systems, inconsistent governance, manual provisioning processes, and limited resilience capabilities — without the budget or operational capacity for disruptive full cloud migration.
This architecture was designed to address the hybrid infrastructure requirements of organisations where existing environments result in:
Fragmented on-premises infrastructure lacking centralised governance, monitoring, and operational consistency
Manual provisioning processes creating configuration inconsistency, operational overhead, and deployment risk
Limited resilience capabilities — backup strategies that cover on-premises workloads but provide no cloud-integrated failover capability
Inconsistent identity management across on-premises and cloud resources creating authentication gaps and governance complexity
Remote access solutions lacking full network integration — preventing legacy application access for remote operational teams
No scalable pathway toward cloud adoption without replacing existing infrastructure investments
Operational Constraints
The architecture was designed to operate within the following constraints typical of mid-sized enterprise hybrid environments:
Existing on-premises Hyper-V systems and Active Directory infrastructure must be preserved and integrated — full replacement is not operationally viable
Legacy applications require full Layer 2 network-level remote connectivity — application-layer VPN solutions are insufficient for LAN-dependent services
Hybrid identity services must provide seamless authentication across both on-premises and cloud resources without dual-credential management
Operational monitoring must provide centralised visibility across both on-premises Hyper-V infrastructure and Azure cloud workloads
Backup and recovery strategies must provide coverage across both on-premises and cloud workloads with defined RTO and RPO targets
Infrastructure provisioning must be repeatable, auditable, and consistent — manual Azure deployments create configuration drift
Security controls must be consistent across heterogeneous on-premises and cloud infrastructure layers
Objectives
Establish unified hybrid identity architecture extending on-premises Active Directory into Azure through AD Connect synchronisation
Enable secure full-network remote access to enterprise resources for operational teams — including legacy LAN-dependent applications
Centralise infrastructure monitoring, governance, and security visibility across both on-premises and Azure environments
Implement layered hybrid backup and disaster recovery with defined RTO and RPO targets
Automate cloud infrastructure deployment through Terraform-based Infrastructure as Code
Extend Azure-native governance capabilities to on-premises Hyper-V infrastructure through Azure Arc
Implement hybrid file services through DFS namespaces with Azure File Sync cloud tiering
Establish a scalable and modular hybrid platform supporting progressive cloud transformation
Recovery Objectives
| Workload Tier | Target RTO | Target RPO | Recovery Mechanism |
|---|---|---|---|
| Mission-Critical (AD, DNS) | 2 hours | 15 minutes | Veeam replication + ASR |
| Business-Important (File Services) | 4 hours | 1 hour | Azure Backup + DFS |
| Standard Workloads | 8 hours | 4 hours | Azure Backup |
| Cloud Workloads | 2 hours | 1 hour | Azure Site Recovery |
These recovery objectives represent design targets. Production RTO/RPO commitments require validation through DR testing under realistic infrastructure conditions.
Architecture Principles
Hybrid-first modernisation — extend cloud capabilities into existing infrastructure rather than replacing it
Identity-centric operational governance — unified authentication across on-premises and cloud through a single identity plane
Centralised observability — operational and security visibility unified across heterogeneous environments
Infrastructure automation and repeatability — all cloud provisioning defined as code, not manual configuration
Segmentation and operational isolation — internal, DMZ, and NAT network separation enforced at the virtualisation layer
Layered resilience — backup and DR capabilities covering both on-premises and cloud workloads through independent mechanisms
Secure-by-design remote access — full network integration without unnecessary public exposure
Unified management across heterogeneous environments through Azure Arc as the governance control plane
Architecture Overview
The solution is structured as a three-layer hybrid enterprise platform integrating on-premises virtualisation, Azure cloud services, and hybrid connectivity.
1. On-Premises Infrastructure Layer — Hyper-V
The on-premises layer leverages Hyper-V on Windows Server as the virtualisation platform hosting core enterprise services, providing the foundational infrastructure layer that Azure cloud services extend and govern.
Core Hosted Workloads:
| VM | Role | Purpose |
|---|---|---|
| DC01 | Active Directory Domain Services + DNS | Primary identity and name resolution services |
| FS01 | File Services + DFS | Centralised file access with namespace management |
| BACKUP01 | Veeam Backup & Replication | On-premises backup orchestration |
| JUMP01 | Management Jumpbox | Secure administrative access point |
| VPN01 | OpenVPN Server | Layer 2 remote access gateway |
Network Segmentation:
Internal network — domain-joined workloads, management traffic, and inter-VM communication
NAT network — controlled outbound internet access for update and cloud connectivity
DMZ segment — externally-accessible services isolated from internal workloads
DFS + Azure File Sync — Hybrid File Services:
Distributed File System (DFS) namespaces provide location-transparent file access for on-premises users. Azure File Sync extends this by tiering infrequently accessed files to Azure Files — reducing on-premises storage consumption while maintaining seamless file access through the DFS namespace. This hybrid file architecture directly supports cloud transformation by establishing Azure Files as the long-term file storage platform without disrupting existing UNC path access patterns.
Veeam Backup & Replication:
VM-level backup for all Hyper-V-hosted workloads with application-aware processing for AD DS and file services
Backup copy jobs to Azure Blob Storage for offsite immutable retention
Replication jobs for mission-critical VMs supporting short RTO recovery objectives
2. Azure Cloud Layer
The Azure layer extends cloud-native governance, compute, identity, backup, monitoring, and automation capabilities into the hybrid environment.
Hybrid Identity — Azure AD Connect
Azure AD Connect synchronises on-premises Active Directory identities into Microsoft Entra ID, establishing a unified identity plane across both environments.
Password Hash Synchronisation for cloud authentication resilience independent of on-premises availability
UPN and group synchronisation preserving on-premises identity attributes in the cloud directory
Seamless Single Sign-On (SSO) enabling transparent authentication for domain-joined devices accessing cloud resources
Hybrid Azure AD join support enabling Conditional Access device compliance enforcement across domain-joined devices
Azure Arc — Unified Hybrid Governance
Azure Arc onboards on-premises Hyper-V-hosted VMs into Azure management services — extending cloud-native governance to on-premises infrastructure without migration.
Centralised inventory and operational visibility for both on-premises and Azure-hosted VMs in a single Azure portal view
Azure Monitor Agent deployment through Arc enabling consistent log collection from on-premises VMs
Azure Policy assignment to Arc-managed on-premises resources enforcing governance baselines consistently
Defender for Cloud coverage extension to Arc-managed on-premises workloads
Cloud Compute — Azure Virtual Machines
Azure VMs provisioned through Terraform host application workloads extending beyond on-premises Hyper-V capacity, deployed in alignment with hybrid identity and governance services.
Terraform — Infrastructure as Code
All Azure infrastructure is provisioned through Terraform, covering:
| Resource Category | IaC Scope |
|---|---|
| Azure Virtual Machines | VM size, OS image, availability zones |
| Virtual Networks & Subnets | VNet CIDR, subnet design, NSG associations |
| Network Security Groups | Inbound and outbound rule definitions |
| Azure Backup Policies | Backup schedules, retention, vault configuration |
| Azure Key Vault | Access policies, secret definitions |
| Azure Monitor | Diagnostic settings, alert rules |
Terraform state is stored in Azure Blob Storage with state locking through Azure Storage lease — enabling collaborative IaC management across teams without state conflict risk.
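The remote-state and NSG-scope items above, shown as an added Terraform example (not the project's own code). Resource group, storage account, container, VNet and address ranges are assumed names and constructed values; the on-premises management range 192.168.10.0/24 is likewise assumed. The azurerm backend takes a blob lease on the state file while it writes, which is the state-locking behaviour the text describes.

```hcl
# Added example, not the project's code. All names and address ranges are assumed.
terraform {
  required_version = ">= 1.5.0"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"
    }
  }

  # Remote state in Azure Blob Storage. The backend acquires a lease on the
  # state blob for the duration of a write, so two operators running
  # `terraform apply` concurrently cannot corrupt the state.
  backend "azurerm" {
    resource_group_name  = "rg-tfstate-prod"   # assumed
    storage_account_name = "sttfstateprod01"   # assumed
    container_name       = "tfstate"
    key                  = "hybrid-platform.tfstate"
    use_azuread_auth     = true  # Entra ID RBAC rather than a storage account key
  }
}

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "workloads" {
  name     = "rg-hybrid-workloads"  # assumed
  location = "westeurope"
}

resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hybrid-hub"
  location            = azurerm_resource_group.workloads.location
  resource_group_name = azurerm_resource_group.workloads.name
  address_space       = ["10.20.0.0/16"]  # constructed address plan
}

resource "azurerm_subnet" "app" {
  name                 = "snet-app"
  resource_group_name  = azurerm_resource_group.workloads.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.20.10.0/24"]
}

# NSG: management access only from the on-premises management range where the
# jumpbox sits; inbound from the internet is denied by an explicit rule rather
# than relying on the default rule set.
resource "azurerm_network_security_group" "app" {
  name                = "nsg-app"
  location            = azurerm_resource_group.workloads.location
  resource_group_name = azurerm_resource_group.workloads.name

  security_rule {
    name                       = "allow-rdp-from-onprem-mgmt"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "3389"
    source_address_prefix      = "192.168.10.0/24"  # assumed management range
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "deny-internet-inbound"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "Internet"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "app" {
  subnet_id                 = azurerm_subnet.app.id
  network_security_group_id = azurerm_network_security_group.app.id
}
```

With `use_azuread_auth = true` the operator's Entra ID identity needs the Storage Blob Data Contributor role on the state container; `terraform init` then reads and locks the state without any storage account key being distributed to operators.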
Azure Backup & Azure Site Recovery
Azure Backup for cloud VM workload protection with defined retention policies aligned to RPO targets
Azure Site Recovery replication for mission-critical cloud workloads enabling failover to secondary Azure regions
Backup copy integration receiving Veeam-generated copies of on-premises workloads for cloud-based offsite retention
Cross-environment recovery orchestration enabling coordinated failover across both on-premises and Azure workloads
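The Azure Backup policy item from the IaC scope, as an added Terraform example (not the project's code). The vault name, resource group and the VM id passed in as a variable are assumptions. It shows the daily baseline policy with tiered retention; the 4-hour RPO the recovery objectives table sets for the Standard tier needs a more frequent (hourly, Enhanced-policy) schedule, which is not shown here.

```hcl
# Added example, not the project's code. Names are assumed.
variable "standard_tier_vm_id" {
  description = "Resource id of an Azure VM in the Standard workload tier (assumed input)"
  type        = string
}

resource "azurerm_recovery_services_vault" "dr" {
  name                = "rsv-hybrid-prod"     # assumed
  location            = "westeurope"
  resource_group_name = "rg-hybrid-workloads"  # assumed
  sku                 = "Standard"
  soft_delete_enabled = true  # deleted recovery points stay recoverable for a grace period
}

# Daily policy: 30 daily points plus 12 weekly points, retained in the vault.
resource "azurerm_backup_policy_vm" "standard" {
  name                = "bkp-standard-tier"
  resource_group_name = azurerm_recovery_services_vault.dr.resource_group_name
  recovery_vault_name = azurerm_recovery_services_vault.dr.name
  timezone            = "UTC"

  backup {
    frequency = "Daily"
    time      = "23:00"
  }

  retention_daily {
    count = 30
  }

  retention_weekly {
    count    = 12
    weekdays = ["Sunday"]
  }
}

# Bind the VM to the policy; this is what makes the schedule and retention
# actually apply to a workload.
resource "azurerm_backup_protected_vm" "standard_vm" {
  resource_group_name = azurerm_recovery_services_vault.dr.resource_group_name
  recovery_vault_name = azurerm_recovery_services_vault.dr.name
  source_vm_id        = var.standard_tier_vm_id
  backup_policy_id    = azurerm_backup_policy_vm.standard.id
}
```

Keeping the policy in code means a retention change is a reviewed commit rather than a portal edit, which is the audit property the IaC section is after.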
Monitoring & Security Stack
Azure Monitor and Log Analytics — centralised telemetry ingestion from Arc-managed on-premises VMs and Azure cloud workloads
Microsoft Sentinel — unified SIEM platform correlating on-premises and cloud security events
Defender for Cloud — security posture management across both Arc-managed on-premises and Azure-native workloads
Azure Key Vault — centralised secrets management for Terraform-provisioned infrastructure and application credentials
3. Connectivity Layer — Hybrid Network Integration
Secure hybrid connectivity enables operational access across on-premises infrastructure, Azure cloud workloads, and remote administrative users.
OpenVPN — Layer 2 Bridged Remote Access
OpenVPN in bridged TAP mode provides Layer 2 network connectivity for remote users — placing remote devices directly on the enterprise LAN segment through a virtual bridge interface.
Why OpenVPN TAP over Azure VPN Gateway: Azure VPN Gateway provides Layer 3 routed connectivity — sufficient for most remote access scenarios but unable to support LAN-dependent protocols and legacy applications requiring Layer 2 broadcast domain membership. In hybrid environments with legacy applications that rely on NetBIOS name resolution, Windows network discovery, or broadcast-dependent protocols, Layer 2 bridged connectivity is the only technically viable remote access model. OpenVPN TAP mode was selected specifically to address this legacy application compatibility constraint — not as a general preference over Azure-native connectivity.
For environments without legacy Layer 2 dependencies, Azure VPN Gateway or Azure Bastion would be the architecturally preferred options.
Hybrid Connectivity:
On-premises to Azure connectivity through Azure-native hybrid networking — enabling Arc management, Azure Monitor log forwarding, and Azure Backup data transfer
Identity synchronisation connectivity for Azure AD Connect — secure outbound HTTPS communication from on-premises DC to Entra ID
Architecture Diagram

Technologies Used
| Category | Technologies |
|---|---|
| Virtualisation Platform | Hyper-V (Windows Server) |
| Identity & Access Management | Active Directory Domain Services, Microsoft Entra ID, Azure AD Connect |
| Hybrid Governance | Azure Arc |
| Networking & Remote Access | OpenVPN (TAP Bridged Mode), Azure Virtual Networks, NSGs |
| Hybrid File Services | DFS Namespaces, Azure File Sync, Azure Files |
| Backup & Disaster Recovery | Veeam Backup & Replication, Azure Backup, Azure Site Recovery |
| Infrastructure Automation | Terraform, PowerShell, Azure CLI |
| Monitoring & SIEM | Azure Monitor, Log Analytics, Microsoft Sentinel |
| Workload Protection | Microsoft Defender for Cloud |
| Secrets Management | Azure Key Vault |
Key Challenges Addressed
Synchronising identities across cloud and on-premises environments — addressed through Azure AD Connect Password Hash Synchronisation establishing a unified identity plane with seamless SSO, enabling consistent authentication governance across both domains without dual-credential management.
Providing secure full-network remote access for legacy systems — addressed through OpenVPN TAP bridged mode, providing Layer 2 network connectivity that places remote users transparently on the enterprise LAN — the only technically viable model for legacy applications with broadcast-domain dependencies.
Managing heterogeneous infrastructure platforms consistently — addressed through Azure Arc extending Azure-native governance, monitoring, and policy enforcement to on-premises Hyper-V VMs — providing a single operational control plane across both environments.
Implementing scalable monitoring and security visibility across hybrid environments — addressed through Azure Monitor Agent deployment via Arc on on-premises VMs, centralising on-premises and cloud telemetry in a single Log Analytics workspace feeding Microsoft Sentinel.
Designing resilient backup and disaster recovery across hybrid workloads — addressed through a three-mechanism strategy — Veeam for on-premises VM protection, Azure Backup for cloud workload protection, and Azure Site Recovery for failover orchestration — with backup copy jobs providing cross-environment offsite retention.
Automating provisioning across hybrid environments — addressed through Terraform IaC covering all Azure resource provisioning with remote state storage, ensuring consistent, auditable, and repeatable cloud infrastructure deployment.
Design Decisions & Rationale
Hybrid Modernisation over Full Cloud Migration: Full cloud migration of a mid-enterprise on-premises environment is operationally disruptive and cost-intensive when existing Hyper-V infrastructure remains within its operational lifecycle. A hybrid-first strategy extends cloud capabilities — identity, governance, monitoring, backup, DR — into the existing environment progressively, preserving operational continuity while establishing the cloud foundation for future workload migration.
Azure AD Connect with Password Hash Synchronisation: Password Hash Synchronisation provides cloud authentication resilience independent of on-premises AD availability — critical for hybrid environments where on-premises infrastructure disruption (power failure, hardware failure, ransomware) should not prevent cloud resource access. Pass-Through Authentication's on-premises dependency was considered inappropriate for an environment where cloud resilience during on-premises incidents is a recovery objective.
OpenVPN TAP Mode for Layer 2 Remote Connectivity: Layer 3 VPN solutions including Azure VPN Gateway cannot support LAN-dependent legacy applications requiring broadcast domain membership, NetBIOS resolution, or Windows network discovery. OpenVPN TAP bridged mode was selected specifically for this legacy compatibility requirement. This is not an architecturally preferred choice over Azure-native connectivity — it is a practical accommodation for an existing legacy application constraint that would be eliminated as applications are modernised.
Azure Arc as the Unified Governance Control Plane: Without Arc, on-premises Hyper-V VMs require separate management tooling creating operational silos between on-premises and cloud governance. Arc eliminates this by extending Azure Policy, Azure Monitor, and Defender for Cloud coverage to on-premises resources — providing consistent governance enforcement and operational visibility through a single Azure portal interface.
DFS + Azure File Sync for Hybrid File Services: DFS namespaces preserve existing UNC path access patterns for on-premises users — no client-side changes required. Azure File Sync extends this by tiering cold data to Azure Files, reducing on-premises storage consumption while maintaining transparent access. This hybrid file architecture establishes Azure Files as the long-term file storage platform without a disruptive migration cutover.
Multi-Layer Backup and DR Strategy: Single-platform backup approaches create recovery risk when the backup platform itself is compromised or unavailable. Combining Veeam (on-premises VM protection), Azure Backup (cloud workload protection), and Azure Site Recovery (failover orchestration) provides independent recovery mechanisms at each infrastructure layer — significantly improving recovery resilience compared to any single-platform approach.
Terraform for Cloud Infrastructure Provisioning: Manual Azure resource provisioning creates configuration inconsistency, audit gaps, and deployment risk that scales poorly as the environment grows. Terraform with remote state storage provides repeatable, version-controlled, auditable infrastructure deployment — ensuring cloud resources are consistently provisioned and changes are tracked through source control history.
Trade-offs & Design Constraints
OpenVPN Operational Overhead and Scalability: OpenVPN is an open-source solution requiring ongoing server management, certificate lifecycle management, and client configuration distribution. At small-to-medium remote user scale this is manageable, but OpenVPN lacks the enterprise management capabilities of Azure VPN Gateway or commercial SD-WAN solutions. As legacy applications are modernised and Layer 2 dependencies eliminated, migration to Azure-native connectivity should be planned to reduce this operational overhead.
Azure Arc Agent Management at Scale: Azure Arc agent deployment and maintenance across on-premises VMs introduces ongoing agent lifecycle management — updates, connectivity monitoring, and troubleshooting. In environments with frequent VM provisioning and decommissioning, Arc agent lifecycle management requires automation to remain consistent. Hyper-V environments without automated VM provisioning workflows may accumulate Arc management debt over time.
Terraform State Management Security: Terraform state files contain sensitive infrastructure details including resource IDs, configuration parameters, and potentially secrets if not properly managed. Azure Blob Storage with appropriate access controls and encryption provides adequate state security, but state access must be restricted to authorised IaC operators only. State file compromise can expose infrastructure configuration details that assist attackers in planning targeted attacks.
Veeam and Azure Backup Overlap: Running both Veeam and Azure Backup for overlapping workload categories creates cost redundancy and operational complexity around backup policy management. The architecture justifies this overlap through the independent trust boundary benefit — Veeam and Azure Backup operate through separate control planes, meaning compromise of one backup system does not affect the other. In environments where this independence is not required, consolidating to Azure Backup alone would reduce operational overhead.
DFS + Azure File Sync Synchronisation Latency: Azure File Sync synchronises file changes between on-premises DFS and Azure Files on a scheduled basis — changes made on-premises are not immediately available in Azure and vice versa. For workloads requiring real-time multi-site file consistency, this synchronisation latency may be unacceptable. Azure File Sync is appropriate for tiering and backup scenarios but should not be relied upon for real-time collaborative file access across hybrid boundaries.
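The state-storage controls the trade-off above calls for, as an added Terraform example (not the project's code) that provisions the state storage account itself. Resource group, storage account and container names are assumed, and the operator group object id is an assumed input. Account keys are disabled so that state access is granted only through Entra ID RBAC on the container, blob versioning keeps every prior state revision, and a delete lock protects the account.

```hcl
# Added example, not the project's code. Names are assumed.
variable "iac_operators_group_object_id" {
  description = "Object id of the Entra ID group holding authorised IaC operators (assumed input)"
  type        = string
}

provider "azurerm" {
  features {}
  storage_use_azuread = true  # the provider itself must use Entra ID once account keys are off
}

resource "azurerm_resource_group" "tfstate" {
  name     = "rg-tfstate-prod"  # assumed
  location = "westeurope"
}

resource "azurerm_storage_account" "tfstate" {
  name                     = "sttfstateprod01"  # assumed; must be globally unique
  resource_group_name      = azurerm_resource_group.tfstate.name
  location                 = azurerm_resource_group.tfstate.location
  account_tier             = "Standard"
  account_replication_type = "GRS"  # state survives a regional outage

  min_tls_version                 = "TLS1_2"
  allow_nested_items_to_be_public = false  # no anonymous blob or container access
  shared_access_key_enabled       = false  # no account keys: every reader must be an RBAC principal

  blob_properties {
    versioning_enabled = true  # each state write keeps the previous version
    delete_retention_policy {
      days = 30
    }
    container_delete_retention_policy {
      days = 30
    }
  }
}

resource "azurerm_storage_container" "tfstate" {
  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.tfstate.name
  container_access_type = "private"
}

# Scope the grant to the container, not the account, and to a group rather
# than individual users so membership is the single place access is reviewed.
resource "azurerm_role_assignment" "state_operators" {
  scope                = azurerm_storage_container.tfstate.resource_manager_id
  role_definition_name = "Storage Blob Data Contributor"
  principal_id         = var.iac_operators_group_object_id
}

# Guard against accidental deletion of the account holding all state history.
resource "azurerm_management_lock" "tfstate" {
  name       = "lock-tfstate-nodelete"
  scope      = azurerm_storage_account.tfstate.id
  lock_level = "CanNotDelete"
  notes      = "Terraform state store; removal requires lifting the lock first"
}
```

Because the account that stores the state cannot be managed from the same state without a chicken-and-egg problem, this bootstrap configuration is normally applied once with local state and its own state kept separately from the platform workspace.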
Projected Outcomes
The architecture is designed to deliver the following operational and infrastructure outcomes in a production mid-enterprise environment:
Unified hybrid infrastructure platform integrating on-premises Hyper-V and Azure services through consistent governance, identity, and monitoring
Seamless hybrid identity management through AD Connect with transparent SSO across cloud and on-premises resources
Secure full-network remote access enabling legacy application connectivity for remote operational teams
Centralised infrastructure governance across heterogeneous environments through Azure Arc unified management
Layered backup and disaster recovery coverage meeting defined RTO and RPO targets across all workload tiers
Automated cloud infrastructure provisioning through Terraform IaC eliminating manual deployment inconsistency
Unified security monitoring across on-premises and cloud domains through Sentinel SIEM integration
Scalable hybrid platform foundation supporting progressive workload migration toward full cloud adoption
Future Evolution
Zero Trust network segmentation expansion — replacing OpenVPN Layer 2 access with Azure Bastion and identity-driven Conditional Access as legacy applications are modernised
SD-WAN integration for enterprise-grade hybrid site-to-site connectivity replacing OpenVPN as the primary hybrid network model
Kubernetes and container platform integration extending the hybrid platform to support cloud-native application delivery
Advanced IaC governance through Terraform Cloud or Azure DevOps pipelines for collaborative, pipeline-driven infrastructure deployment
Automated compliance validation through Azure Policy continuous assessment and Defender for Cloud regulatory compliance views
Cross-region Azure Site Recovery orchestration for geographic DR resilience beyond single-region failover
FinOps integration providing cost visibility and optimisation across hybrid infrastructure spend
Progressive workload migration from Hyper-V to Azure — leveraging Azure Migrate for lift-and-shift or modernisation of on-premises VMs
Key Takeaways
Hybrid-first modernisation enables mid-enterprises to adopt cloud capabilities progressively without disruptive full migration — preserving existing infrastructure investments while establishing cloud-native governance
Azure Arc is the most impactful single addition to hybrid infrastructure governance — extending Azure Policy, monitoring, and security coverage to on-premises resources eliminates the operational silo between cloud and on-premises management
Layer 2 remote access through OpenVPN TAP is a legitimate architectural choice for legacy application compatibility — but should be treated as a transitional solution to be replaced as applications are modernised toward Layer 3-compatible connectivity
Multi-layer backup and DR strategies provide recovery resilience through independent trust boundaries — a single backup platform creates a single point of failure for the recovery capability itself
Terraform IaC for cloud provisioning is essential for operational consistency at any scale — manual provisioning creates configuration drift that compounds into governance and security risk over time
DFS + Azure File Sync provides a practical hybrid file services model that preserves existing access patterns while establishing Azure Files as the long-term storage platform without a disruptive cutover migration
