Multi-Cloud Governance & Strategy
Govern multi-cloud environments effectively. Covers governance frameworks, identity federation, policy-as-code, cost management across providers, networking, and compliance orchestration.
Multi-cloud is a reality for most enterprises — not because they planned it, but because different teams chose different providers, acquisitions brought new cloud accounts, and specific services are only available on specific platforms. The challenge isn’t whether to go multi-cloud; it’s how to govern the multi-cloud sprawl you already have without drowning in operational complexity.
This guide covers practical multi-cloud governance: how to maintain security, compliance, and cost visibility across AWS, Azure, GCP, and beyond without building a team of 50 cloud engineers.
Governance Framework
```text
┌──────────────────────────────────────────┐
│          Cloud Governance Board          │
│  (Security, Finance, Architecture, Ops)  │
└──────────────────────────────────────────┘
                     ↓
┌────────────┬──────────────┬──────────────┐
│  Identity  │    Policy    │     Cost     │
│ Federation │   as Code    │  Management  │
├────────────┼──────────────┼──────────────┤
│ SSO/SAML   │ OPA/Rego     │ Unified      │
│ across     │ Sentinel     │ billing      │
│ providers  │ guardrails   │ dashboard    │
└────────────┴──────────────┴──────────────┘
                     ↓
┌────────┬──────────┬──────────┬───────────┐
│  AWS   │  Azure   │   GCP    │  Others   │
│  Org   │   Mgmt   │   Org    │   (OCI,   │
│ Units  │  Groups  │ Folders  │   etc.)   │
└────────┴──────────┴──────────┴───────────┘
```
Identity Federation
The #1 rule of multi-cloud: one identity, everywhere.
| Provider | Identity Service | Federation Protocol |
|---|---|---|
| AWS | IAM Identity Center | SAML 2.0, SCIM |
| Azure | Entra ID (Azure AD) | SAML 2.0, OIDC, SCIM |
| GCP | Cloud Identity / Workspace | SAML 2.0, OIDC |
Architecture
```text
┌──────────────────┐
│ Identity Provider│  (Okta, Entra ID, or Google Workspace)
│  (Single Source) │
└──────────────────┘
         ↓ SAML/OIDC
┌────┬──────┬──────┐
│ AWS│ Azure│ GCP  │  Each provider trusts the central IdP
│ IAM│ Entra│ Cloud│
│ IC │ ID   │ IAM  │
└────┴──────┴──────┘
```
Key principles:
- No local accounts on any cloud provider (except break-glass)
- MFA enforced at the IdP level (applies everywhere)
- SCIM provisioning for automatic user lifecycle management
- Role mapping: IdP groups → cloud roles
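The principles above are easy to state and hard to keep true as accounts accumulate. The following is an added example (not code from the original guide) of a small audit that walks a cross-cloud identity inventory and flags local accounts outside the break-glass allowlist, break-glass accounts without MFA, long-lived credentials, and federated identities that reach a provider without any sanctioned IdP-group-to-role mapping. The inventory record format and the sample principals are assumptions constructed here; your own export of AWS IAM, Entra ID and GCP IAM would feed the same function.

```python
"""Audit a cross-cloud identity inventory against the federation principles.

Added example, not from the original guide. The Principal record format is an
assumption: one record per principal as your own IAM export would produce it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    provider: str             # "aws", "azure" or "gcp"
    name: str
    kind: str                 # "local_user" or "federated"
    mfa_enabled: bool = False
    long_lived_keys: int = 0  # access keys, client secrets, user-managed keys
    groups: tuple = ()        # IdP groups carried in the SAML/OIDC assertion


@dataclass(frozen=True)
class Finding:
    severity: str
    provider: str
    principal: str
    message: str


def audit_identities(principals, break_glass, role_map):
    """Return a Finding for every violation found in `principals`.

    break_glass: set of (provider, name) pairs that are permitted local accounts.
    role_map:    {idp_group: {provider: cloud_role}}, the sanctioned mapping
                 from IdP groups to per-provider roles / permission sets.
    """
    findings = []
    for p in principals:
        if p.kind == "local_user":
            if (p.provider, p.name) not in break_glass:
                findings.append(Finding("high", p.provider, p.name,
                                        "local account outside the break-glass allowlist"))
            elif not p.mfa_enabled:
                findings.append(Finding("critical", p.provider, p.name,
                                        "break-glass account without MFA"))
        elif p.kind == "federated":
            # A federated identity must reach this provider through at least
            # one sanctioned group mapping; otherwise its access is unexplained.
            if not any(p.provider in role_map.get(g, {}) for g in p.groups):
                findings.append(Finding("medium", p.provider, p.name,
                                        "no IdP group maps to a role on this provider"))
        if p.long_lived_keys:
            # Static keys bypass the MFA that is enforced at the IdP.
            findings.append(Finding("medium", p.provider, p.name,
                                    f"{p.long_lived_keys} long-lived credential(s) present"))
    return findings


# Constructed sample inventory (not real accounts or tenants).
SAMPLE_PRINCIPALS = (
    Principal("aws", "alice@corp.example", "federated", True, 0, ("cloud-admins",)),
    Principal("aws", "legacy-deploy", "local_user", False, 2),
    Principal("azure", "breakglass-admin", "local_user", False),
    Principal("gcp", "bob@corp.example", "federated", True, 0, ("data-analysts",)),
)
BREAK_GLASS = {("azure", "breakglass-admin"), ("aws", "root-breakglass")}
ROLE_MAP = {
    "cloud-admins": {"aws": "AdministratorAccess", "azure": "Owner", "gcp": "roles/owner"},
    "data-analysts": {"aws": "ReadOnlyAccess"},  # no GCP role sanctioned for this group
}


def run_sample():
    """Run the audit over the constructed inventory."""
    return audit_identities(SAMPLE_PRINCIPALS, BREAK_GLASS, ROLE_MAP)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity:8}] {f.provider}/{f.principal}: {f.message}")
```

On the sample inventory the audit reports four findings: the unlisted local deploy user (plus its two static keys), the break-glass account that lacks MFA, and the GCP user whose only group has no GCP role mapped. Run it on a scheduled job and page on any `critical`/`high` result; the `medium` orphan-mapping finding is the one that usually surfaces drift between the IdP and the role map.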
Policy as Code
Terraform Sentinel Example
```sentinel
# Sentinel policy: enforce encryption on all storage
import "tfplan/v2" as tfplan

# Only managed resources being created or updated carry a populated
# `change.after`; deletions and data sources are filtered out so the
# attribute lookups below never dereference a null object.
active = filter tfplan.resource_changes as _, rc {
  rc.mode is "managed" and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

main = rule {
  all active as _, rc {
    # With AWS provider v4+ the inline block is deprecated and encryption lives
    # on aws_s3_bucket_server_side_encryption_configuration; on v4+ pair this
    # rule with a check on that resource type.
    rc.type is "aws_s3_bucket" implies
      rc.change.after.server_side_encryption_configuration is not null
  } and
  all active as _, rc {
    rc.type is "azurerm_storage_account" implies
      rc.change.after.min_tls_version is "TLS1_2"
  } and
  all active as _, rc {
    rc.type is "google_storage_bucket" implies
      rc.change.after.uniform_bucket_level_access is true
  }
}
```
OPA/Rego for Cross-Cloud Policy
```rego
# Rego policy: no public-facing resources without WAF
package cloud.network

import rego.v1

deny contains msg if {
    input.resource_type == "aws_lb"
    input.internal == false
    not has_waf_association(input.resource_id)
    msg := sprintf("Public ALB %s must have WAF association", [input.resource_id])
}

deny contains msg if {
    input.resource_type == "azurerm_application_gateway"
    input.sku.tier != "WAF_v2"
    msg := sprintf("Azure App Gateway %s must use WAF_v2 SKU", [input.resource_name])
}

deny contains msg if {
    input.resource_type == "google_compute_url_map"
    not has_cloud_armor_policy(input.resource_id)
    msg := sprintf("GCP URL Map %s must have Cloud Armor policy", [input.resource_id])
}

# Helper rules. The input is assumed to carry the inventory of WAF and Cloud
# Armor attachments (as exported by whatever scanner feeds OPA) as lists of
# protected resource IDs; without these definitions the policy does not compile.
has_waf_association(resource_id) if {
    some id in input.waf_associations
    id == resource_id
}

has_cloud_armor_policy(resource_id) if {
    some id in input.cloud_armor_backends
    id == resource_id
}
```
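Both policies above need their enforcement platform (Terraform Cloud/Enterprise for Sentinel, an OPA deployment for Rego). The following is an added example, not code from the guide, HashiCorp or OPA, of the same storage-encryption rules and the Azure WAF_v2 SKU rule as a plain Python gate over `terraform show -json` output, so they can run in any CI runner. It reads the real Terraform JSON plan layout (`resource_changes[].change.actions` / `.after`, and `configuration.root_module.resources[].expressions`), skips deletions and no-ops whose `after` is null, and handles the AWS provider v4+ case where S3 encryption is a separate resource. Only rules decidable from the plan alone are included; the AWS ALB and GCP URL map checks need a live inventory of WAF / Cloud Armor attachments and are left out. The embedded plan is constructed for illustration.

```python
"""Plan-time policy gate over Terraform JSON plan output.

Added example, not from the guide, HashiCorp or OPA. The sample plan below is
constructed; real input comes from `terraform show -json plan.tfplan`.
"""
import json
import sys


def _first_block(after, name):
    """Terraform renders nested blocks (e.g. `sku`) as lists of objects."""
    blocks = after.get(name) or []
    return blocks[0] if blocks else {}


def _is_active(rc):
    """Only managed resources being created/updated/replaced carry a populated
    `change.after`; deletions, no-ops and data sources are skipped."""
    actions = set(rc["change"]["actions"])
    return rc.get("mode") == "managed" and actions not in ({"delete"}, {"no-op"}, {"read"})


def _buckets_with_encryption_resource(plan):
    """AWS provider v4+ moves S3 encryption to a separate resource whose `bucket`
    attribute is usually unknown at plan time (it references the bucket). The
    configuration section still records which bucket address it points at."""
    covered = set()
    root = plan.get("configuration", {}).get("root_module", {})
    for res in root.get("resources", []):
        if res.get("type") == "aws_s3_bucket_server_side_encryption_configuration":
            refs = res.get("expressions", {}).get("bucket", {}).get("references", [])
            covered.update(refs)
    return covered


def s3_encrypted(rc, ctx):
    after = rc["change"]["after"] or {}
    return bool(after.get("server_side_encryption_configuration")) \
        or rc["address"] in ctx["covered_buckets"]


# Rule registry: resource type -> (predicate that is True when compliant, message).
RULES = {
    "aws_s3_bucket": (s3_encrypted, "S3 bucket must have server-side encryption configured"),
    "azurerm_storage_account": (
        lambda rc, ctx: (rc["change"]["after"] or {}).get("min_tls_version") == "TLS1_2",
        "storage account must set min_tls_version = TLS1_2"),
    "google_storage_bucket": (
        lambda rc, ctx: (rc["change"]["after"] or {}).get("uniform_bucket_level_access") is True,
        "GCS bucket must enable uniform bucket-level access"),
    "azurerm_application_gateway": (
        lambda rc, ctx: _first_block(rc["change"]["after"] or {}, "sku").get("tier") == "WAF_v2",
        "application gateway must use the WAF_v2 SKU"),
}


def evaluate_plan(plan):
    """Return 'address: message' violations; an empty list means the plan passes."""
    ctx = {"covered_buckets": _buckets_with_encryption_resource(plan)}
    violations = []
    for rc in plan.get("resource_changes", []):
        if not _is_active(rc):
            continue
        rule = RULES.get(rc["type"])
        if rule and not rule[0](rc, ctx):
            violations.append(f"{rc['address']}: {rule[1]}")
    return violations


# Constructed plan fragment in the shape `terraform show -json` emits.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "corp-logs",
                    "server_side_encryption_configuration": []}}},
        {"address": "aws_s3_bucket.scratch", "mode": "managed", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "corp-scratch",
                    "server_side_encryption_configuration": []}}},
        {"address": "azurerm_storage_account.data", "mode": "managed",
         "type": "azurerm_storage_account",
         "change": {"actions": ["update"], "after": {"min_tls_version": "TLS1_0"}}},
        {"address": "google_storage_bucket.old", "mode": "managed",
         "type": "google_storage_bucket",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "google_storage_bucket.new", "mode": "managed",
         "type": "google_storage_bucket",
         "change": {"actions": ["create"], "after": {"uniform_bucket_level_access": True}}},
        {"address": "azurerm_application_gateway.edge", "mode": "managed",
         "type": "azurerm_application_gateway",
         "change": {"actions": ["create"],
                    "after": {"sku": [{"name": "Standard_v2", "tier": "Standard_v2"}]}}},
    ],
    "configuration": {"root_module": {"resources": [
        {"address": "aws_s3_bucket_server_side_encryption_configuration.logs",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "expressions": {"bucket": {"references": ["aws_s3_bucket.logs.id", "aws_s3_bucket.logs"]}}},
    ]}},
}


def run_sample():
    return evaluate_plan(SAMPLE_PLAN)


if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = evaluate_plan(plan)
    print("\n".join(problems) or "plan passes all policies")
    sys.exit(1 if problems else 0)
```

Against the sample plan the gate reports three violations (the unencrypted scratch bucket, the TLS 1.0 storage account, and the Standard_v2 gateway) and passes the logs bucket because its encryption is declared on the companion resource. The deleted GCS bucket is skipped rather than crashing on a null `after`, which is the same edge case the Sentinel `filter` guards against.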
Cross-Cloud Cost Management
Unified Cost Dashboard
| Metric | AWS | Azure | GCP | Total |
|---|---|---|---|---|
| Monthly spend | $85,000 | $42,000 | $18,000 | $145,000 |
| Commitment coverage | 72% | 65% | 45% | 65% |
| Waste identified | $8,500 | $3,200 | $1,400 | $13,100 |
| YoY growth | +15% | +22% | +8% | +16% |
Normalized Cost Comparison
```python
def _total(costs, *services):
    """Sum the named service line items, treating a service that is absent
    from a provider's bill as $0 instead of raising KeyError."""
    return sum(costs.get(service, 0.0) for service in services)


def normalize_costs(aws_costs, azure_costs, gcp_costs):
    """Normalize costs for apples-to-apples comparison.

    Each argument maps the provider's own service names (as they appear on
    the bill) to a monthly amount; the result regroups them into the four
    cross-cloud categories shown on the unified dashboard.
    """
    return {
        "compute": {
            "aws": _total(aws_costs, "ec2", "ecs", "lambda"),
            "azure": _total(azure_costs, "virtual_machines", "aks", "functions"),
            "gcp": _total(gcp_costs, "compute_engine", "gke", "cloud_functions"),
        },
        "storage": {
            "aws": _total(aws_costs, "s3", "ebs"),
            "azure": _total(azure_costs, "storage_accounts", "managed_disks"),
            "gcp": _total(gcp_costs, "cloud_storage", "persistent_disk"),
        },
        "database": {
            "aws": _total(aws_costs, "rds", "dynamodb"),
            "azure": _total(azure_costs, "sql_database", "cosmos_db"),
            "gcp": _total(gcp_costs, "cloud_sql", "firestore"),
        },
        "networking": {
            "aws": _total(aws_costs, "vpc", "cloudfront", "data_transfer"),
            "azure": _total(azure_costs, "vnet", "cdn", "bandwidth"),
            "gcp": _total(gcp_costs, "vpc", "cdn", "egress"),
        },
    }
```
Networking
Cross-Cloud Connectivity
| Pattern | When To Use | Latency | Cost |
|---|---|---|---|
| VPN (IPsec) | Dev/staging, < 1Gbps | 10-50ms | Low |
| Dedicated interconnect | Production, > 1Gbps | 1-5ms | High (port + cross-connect) |
| Megaport/Equinix fabric | Multi-cloud interconnect | 1-3ms | Medium |
| SD-WAN overlay | Branch offices + multi-cloud | Variable | Medium |
DNS Strategy
```text
company.internal                  ← Internal root domain
├── aws.company.internal          ← AWS Route 53 Private Hosted Zone
├── azure.company.internal        ← Azure Private DNS Zone
├── gcp.company.internal          ← GCP Cloud DNS Private Zone
└── shared.company.internal       ← Cross-cloud service discovery
```
Compliance Orchestration
| Framework | AWS Tool | Azure Tool | GCP Tool | Cross-Cloud |
|---|---|---|---|---|
| CIS Benchmarks | AWS Config | Defender for Cloud | SCC | Prowler multi-cloud |
| SOC 2 | Audit Manager | Compliance Manager | Assured Workloads | Vanta, Drata |
| GDPR | Macie + Config | Purview + Compliance | DLP + SCC | OneTrust |
| ISO 27001 | Audit Manager | Compliance Manager | Assured Workloads | Vanta, Drata |
Anti-Patterns
| Anti-Pattern | Problem | Fix |
|---|---|---|
| "Best of breed" for everything | Operational complexity exceeds value | Pick primary cloud, use others only when truly needed |
| No centralized identity | Separate credentials per provider | Federate identity through single IdP |
| Manual policy enforcement | Inconsistent, error-prone | Policy-as-code enforced in CI/CD |
| Provider-specific tooling only | No cross-cloud visibility | Use cloud-agnostic governance tools |
| Treating all clouds equally | Spreads team thin | Designate primary/secondary/tertiary with different investment levels |
| No networking plan | Ad-hoc VPNs, inconsistent DNS | Design cross-cloud network architecture upfront |
Checklist
- Identity federated: single IdP → all cloud providers
- MFA enforced at IdP level for all users
- Policy-as-code: OPA/Sentinel enforced in CI/CD
- Tagging strategy consistent across all providers
- Cost dashboard: unified view across AWS, Azure, GCP
- Networking: cross-cloud connectivity with consistent DNS
- Compliance: continuous scanning across all providers
- Incident response: playbooks that span cloud boundaries
- Governance board: quarterly review of multi-cloud strategy
- Primary/secondary designation: clear investment hierarchy
:::note[Source]
This guide is derived from operational intelligence at Garnet Grid Consulting. For multi-cloud consulting, visit garnetgrid.com.
:::