PFA gets ready for the future with Azure hybrid cloud infrastructure

Getting ready to move from an on-premise data center setup to public cloud in Azure is one of the cornerstones in PFA’s 2020 IT strategy.

PFA is aiming to move workloads to Microsoft Azure and have the ability to build new cloud-based solutions quickly and as securely as their existing on-premise installations. All this with a relentless focus on governance, risk and compliance matching their existing on-premise setup.


The goal for PFA was to establish an Azure hybrid cloud architecture that was reliable, cost-effective, and enabled faster time-to-market for new solutions with full scalability and flexibility. In addition, a Cloud Center of Excellence (CCoE) function would be created to support the on-going cloud journey and new cloud solution development and migrations.

All relevant parts of the organization required involvement, including IT security, architecture, operations, development, legal, finance, etc. The CCoE is a central cloud governance function which will make cloud services available to the entire PFA organization in a controlled and secure way.

The platform will support many development teams across all the different business areas. Finding the right balance between control and flexibility for the developer teams was a priority, given the detailed focus on governance, risk and compliance.

"Finding a Cloud partner with competencies ranging from infrastructure to DevOps development is not easy! Especially as Cloud Technology is a moving target".

Morten Bruun Steiner, Director, Data & IT, PFA

Iterative development of an Enterprise Scale Cloud Platform:
  • Standards and Governance Model

  • Security and Automation

  • Operations

  • Pilot projects

Cloud capabilities:
  • Cloud CoE (Cloud Center of Excellence)

  • IaaS / PaaS infrastructure and components

  • Security and Risk mitigation

  • 100% scripted/automated provisioning of build/deploy pipelines

  • Operations setup and monitoring

  • Operating and Service Model


cVation has operated an internal Cloud CoE for many years. Among other things, the CoE is responsible for managing cVation’s acceleration platform CADD, a platform used by many customers both local and internationally. This experience and know-how was a key factor when PFA awarded cVation their Azure cloud project, including the creation of a PFA Cloud CoE. The project was a joint effort between PFA’s architecture team and cVation experts.

The implementation was based on Microsoft's Cloud Adoption Framework (CAF) and the new extension “Enterprise Scale Landing Zones”. An architecture framework with design principles, guidelines, recommended policies, etc.

Deliverables included the entire cloud adoption cycle: Plan, Ready, Adopt, Govern and Manage. The close relationship between Microsoft, PFA and cVation further enabled pre-release access to the latest expansions of CAF, ensuring PFA was on the forefront with the technology and applied international best practices.

An important part of the delivery included tools and a framework which, with the help of governance, risk management and compliance, ensures that PFA complies with the relevant legal legislation governing the pension- and insurance industry. This includes security-by-design, detailed cost management and define use principles for all SaaS, FaaS, PaaS and IaaS components making up Cloud solutions at PFA.

As a validation of the new platform, cVation provides support for "Lighthouse" projects to be developed and operated using the new cloud platform.

"cVation is ahead of the pack with a solid toolbox and dedicated skilled employees. They exceeded expectations and with their help our Cloud platform was established in record time."

Morten Bruun Steiner, Director, Data & IT, PFA


In just 6 months and on time, the platform was delivered and ready to onboard the first large scale strategic cloud project - ‘The Modern Data Platform’. We succeeded in building a very flexible platform, which provides freedom for the individual development teams rather than limiting them. All teams can write and implement the Infrastructure-as-Code needed to run specific workloads in Azure. Individual development teams no longer need to order servers and databases. Now they can provision what they need within minutes, just by clicking in Azure or with Infrastructure-as-Code from a DevOps pipeline.

Furthermore PFA development teams are now also able to create innovative solutions with Databricks, Azure Machine Learning and computing with GPUs. They have access to fully managed services, such as Azure Functions, which automatically and quickly scale down to 0 machines when not in use and potentially grows up to more than 100 machines during peak hours. Since the service is now managed, there is no longer a need for operations to handle security updates, upgrades or patching machines. All now starts with a fully automated process when ordering a so-called ‘Landing Zone’ that will support the relevant workloads.

Landing zones consists of an Azure Subscription, some Blueprints, a virtual network that is connected to a virtual WAN in Azure, which then again is connected on-premise via ExpressRoutes. To ensure compliance with all guidelines, several Azure policies are automatically implemented for each Landing Zone.

A large number of components have been developed for the solution, including:
  • Cloud Center of Excellence (CCoE) organization

  • Guidelines and standards

  • Development of "Landing Zones"

  • Establishment of hybrid connection to existing Datacenter via Microsoft's Express Route

  • IaaS and PaaS platform

  • Service white-listing

  • Azure Compute Options (VMs, Containers, App Service, Serverless)

  • Infrastructure provisioning (VMs, containers, storage, networks, …)

  • Integration with on-prem data sources and external systems

  • Templates and DevOps

  • Environments (i.e.Dev/Test/Prod)

  • Service and Operating Model

  • Cost Management and resource/cost consumption reporting

  • Principles for minimizing supplier lock-in/exit strategy

  • Tenancy administration, resource / network administration and user-roles administration

  • Provisioning and ad-provisioning resources ad-hoc

  • Scaling of Azure resources

  • Monitoring and operational monitoring

  • Full Scripting / Infrastructure Code of components used

  • Scripting of build / deploy

  • Security, identity, risks and measures and application of the already established AD

The project also involved knowledge transfer and Azure training for the PFAs team.

Can we help you with your cloud journey?

We are ready to learn about your unique requirements

Contact us