Embedded Cloud DevOps engineering for a Queensland Government department implementing a PROTECTED-grade Azure environment.

The situation

A large Queensland Government agency was standing up a new, more secure Azure environment designed to handle PROTECTED information. The challenge wasn’t ambition or budget. It was capability. The agency had six concurrent projects all needing to use the new platform, and they didn’t have the internal cloud engineering expertise to architect and deliver it to government security standards.

Each project needed Azure infrastructure built to ISM controls, Essential Eight requirements, and the ASD Secure Cloud blueprint. The agency wanted that infrastructure delivered, but they also wanted their internal team to come out of the engagement able to manage and extend it independently.

Our approach

InnovateX embedded a Principal Cloud DevOps Engineer into the agency’s operational team and worked alongside their staff on real infrastructure across multiple concurrent projects.

Discovery and prioritisation

We assessed the current state across the organisation and worked with project teams to understand what was actually needed and where the capability gaps were most critical. That assessment shaped the priority order for the reusable infrastructure modules we built.

Requirements-driven foundation

A separate InnovateX engagement had already established Functional and Non-Functional Requirements for the agency’s security posture and compliance obligations. Those requirements became the foundation for every module, component, and configuration we built, aligned to ISM, Essential Eight, and ASD Secure Cloud expectations from day one.

Enterprise Bicep registry

We established a private Bicep registry for the agency: a centralised library of more than 20 infrastructure-as-code modules covering Azure PaaS services. Each module was compliant by default, reusable across projects, version-controlled, and documented for long-term maintainability. Project teams could deploy secure infrastructure using proven patterns rather than rebuilding from scratch.

Production infrastructure deployment

While building reusable modules, we were simultaneously deploying production infrastructure across the agency’s projects. That included private networking with private endpoints, Microsoft Defender for Cloud, site-to-site VPN connectivity, premium Azure Firewall, multi-region reliability architecture, and tested data and infrastructure recovery practices. All deployments went through infrastructure-as-code, achieving 100% IaC coverage across the organisation.

Embedded knowledge transfer

The embedded model meant knowledge transfer happened through daily collaboration on real work, rather than through formal training disconnected from delivery. Internal staff weren’t being briefed on cloud infrastructure. They were building it alongside an experienced engineer, with both InnovateX and the client controlling for quality.

Technologies used

Azure platform: Virtual Networks with private endpoints, premium Azure Firewall, site-to-site VPN Gateway, Microsoft Defender for Cloud, Azure PaaS services across compute, storage, data, and integration, multi-region architecture for disaster recovery.

Infrastructure-as-code and DevOps: Bicep for all infrastructure, private Azure DevOps Artifacts registry, Azure DevOps Pipelines for automated deployment, Git for version control, 20+ enterprise Bicep modules covering Azure PaaS service types.

Security and compliance: ISM controls for PROTECTED information, Essential Eight implementation, ASD Secure Cloud blueprint alignment, Azure Policy for governance, custom security baselines tailored to the agency.

Reliability and optimisation: Multi-region reliability, cross-region recoverability, infrastructure tuned for availability, resiliency, and cost efficiency.

Outcomes

• Six concurrent projects supported across the organisation through embedded cloud engineering capability the agency didn’t have internally.
• 100% infrastructure-as-code coverage through the enterprise Bicep registry. 20+ reusable modules now available to any project team, ensuring consistent security baselines and faster delivery of new infrastructure.
• Compliance built in by default. Networking, compute, and data services aligned with ISM, Essential Eight, and ASD Secure Cloud. Security automated and enforced through IaC and Azure Policy rather than added manually.
• Multi-region reliability for business continuity, with documented data and infrastructure recovery practices.
• Internal capability development. The agency’s team is building cloud engineering expertise by working alongside senior capability on production infrastructure, not via training that disconnects from real work.
• Engagement is ongoing through at least EOFY 2025/26, demonstrating sustained value to the department.