# Multi-Cloud Governance
A cross-cutting reference for architecture and governance patterns that apply when an enterprise runs workloads across two or more public cloud providers -- typically AWS, GCP, Alibaba Cloud, and/or Tencent Cloud, with Azure also common in Western markets.
This topic covers nine governance domains that together form a vendor-neutral operating model for multi-cloud environments.
## Governance Domains
### 1. Multi-Cloud Networking
Three canonical topologies -- hub-spoke, full-mesh, and transit -- each with distinct trade-offs in latency, blast radius, and operational complexity. Key interconnect services include AWS Transit Gateway + Direct Connect, GCP Cloud Interconnect, Alibaba Cloud Express Connect, and Tencent Cloud Direct Connect. Third-party fabric providers (Equinix Fabric, Megaport, PacketFabric) offer software-defined cross-cloud circuits. See infrastructure/multi-cloud-governance/architecture#networking-patterns.
### 2. Identity Federation (IAM)
A single IdP (Okta, Entra ID, Keycloak) federates to every cloud via SAML 2.0 for human SSO and OIDC for workload identity. Each cloud maps federated assertions to local roles: AWS IAM Identity Center, GCP Workforce/Workload Identity Federation, Alibaba RAM, Tencent CAM. SPIFFE/SPIRE provides a workload-identity overlay independent of any cloud. See infrastructure/multi-cloud-governance/security#identity-federation.
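The AWS side of the "one IdP maps to local roles" pattern can be guarded with Policy-as-Code. The Rego below is an added example, not code from this page or from any of the tools it lists; it assumes an input of `{"roles": [{"name": ..., "trust_policy": <AssumeRolePolicyDocument>}]}` (for instance exported from an account inventory) and a placeholder SAML provider ARN, and flags roles whose trust policy does not point exclusively at the enterprise IdP with the SAML audience pinned. GCP, Alibaba RAM and Tencent CAM need their own equivalents.

```rego
# Guardrail for the single-IdP pattern on the AWS side: a role that trusts a
# SAML provider must trust only the enterprise IdP, allow only
# sts:AssumeRoleWithSAML, and pin the SAML audience. Assumed input shape:
# {"roles": [{"name": ..., "trust_policy": <AssumeRolePolicyDocument>}]}
package multicloud.identity

import rego.v1

# Constructed placeholder: the SAML provider ARN registered in each account.
enterprise_idp := "arn:aws:iam::111122223333:saml-provider/EnterpriseIdP"

saml_audience := "https://signin.aws.amazon.com/saml"

# Every Allow statement with a federated principal, paired with its role name.
federated contains {"role": role.name, "stmt": stmt} if {
	some role in input.roles
	some stmt in role.trust_policy.Statement
	stmt.Effect == "Allow"
	stmt.Principal.Federated
}

deny contains msg if {
	some f in federated
	f.stmt.Principal.Federated != enterprise_idp
	msg := sprintf("%s: trusts %s, expected %s", [f.role, f.stmt.Principal.Federated, enterprise_idp])
}

deny contains msg if {
	some f in federated
	some action in as_list(f.stmt.Action)
	action != "sts:AssumeRoleWithSAML"
	msg := sprintf("%s: federated statement allows %s", [f.role, action])
}

deny contains msg if {
	some f in federated
	not f.stmt.Condition.StringEquals["SAML:aud"] == saml_audience
	msg := sprintf("%s: no SAML:aud == %s condition", [f.role, saml_audience])
}

# IAM Action may be a string or an array; normalise to an array.
as_list(x) := x if is_array(x)
as_list(x) := [x] if is_string(x)

# Constructed role for `opa test`: right IdP and action, no audience condition -> one finding.
test_missing_audience_condition if {
	count(deny) == 1 with input as {"roles": [{"name": "Developers", "trust_policy": {
		"Version": "2012-10-17",
		"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
			"Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/EnterpriseIdP"}}]
	}}]}
}
```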
### 3. DNS and Traffic Management
Global DNS services -- AWS Route 53, GCP Cloud DNS, Alibaba Cloud DNS (Alidns), Tencent DNSPod -- serve as the first hop for multi-region, multi-cloud traffic steering. Each supports latency-based routing, geolocation, weighted round-robin, and health-check failover. GSLB (Global Server Load Balancing) layers like NS1, Cloudflare, or the providers' own traffic-management features unify policy across clouds. See infrastructure/multi-cloud-governance/architecture#dns-and-traffic-management.
### 4. Observability
OpenTelemetry is the lingua franca: deploy OTel Collectors per cloud and centralize into a vendor-neutral backend (Grafana LGTM stack, Datadog, Dynatrace). The three signals -- traces, metrics, logs -- plus the emerging fourth signal (continuous profiling) are all carried over OTLP. Cloud-native services (CloudWatch, Cloud Monitoring, SLS, Tencent CLS) feed into the same collector pipeline via their respective OTel exporters. See infrastructure/multi-cloud-governance/operations#observability.
### 5. Cost Management (FinOps)
FinOps Foundation's Crawl-Walk-Run maturity model governs spend visibility, allocation, and optimization across clouds. Centralized cost aggregation via Apptio Cloudability, Flexera One, or CloudHealth; Kubernetes-granular allocation via Kubecost/OpenCost; AI-driven rightsizing via CAST AI or ProsperOps. Commitment-based savings (Reserved Instances/RIs, Savings Plans) are layered per provider. See infrastructure/multi-cloud-governance/operations#finops-and-cost-management.
### 6. Security Baseline
CIS Benchmarks exist for every major cloud (AWS Foundations, Azure Foundations, GCP Foundations). Automated scanning via Prowler (AWS), Azure Security Center, GCP Security Command Center, or cross-cloud tools like Prisma Cloud, Wiz, and Checkov. Policy-as-Code enforcement via OPA/Gatekeeper, HashiCorp Sentinel, or cloud-native org policies (AWS SCPs, Azure Policy, GCP Organization Policy). See infrastructure/multi-cloud-governance/security#security-baseline-and-compliance.
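One concrete Policy-as-Code baseline that spans providers: the OPA/Rego policy below is an added example (not code from this page, CIS, or any tool listed) that evaluates a Terraform plan exported with `terraform show -json` and denies publicly readable object storage on AWS, GCP and Alibaba Cloud. It assumes the standard plan JSON layout (`planned_values.root_module.resources`) and that bucket names are literal in the configuration; the test rule at the end carries a constructed plan fragment so it runs stand-alone under `opa test`.

```rego
# Cross-cloud storage baseline as an OPA policy over a Terraform plan
# (`terraform show -json plan.out`): no publicly readable object storage on
# AWS, GCP or Alibaba Cloud. Run with `opa eval`, `opa test` or Conftest.
package multicloud.storage

import rego.v1

resources := input.planned_values.root_module.resources

# AWS: every S3 bucket needs a public access block with all four settings on.
# Assumes literal bucket names; values known only at apply time are absent
# from planned_values and would need matching through the configuration block.
deny contains msg if {
	some b in resources
	b.type == "aws_s3_bucket"
	not public_access_blocked(b.values.bucket)
	msg := sprintf("%s: no aws_s3_bucket_public_access_block blocks public access", [b.address])
}
public_access_blocked(name) if {
	some p in resources
	p.type == "aws_s3_bucket_public_access_block"
	p.values.bucket == name
	p.values.block_public_acls
	p.values.block_public_policy
	p.values.ignore_public_acls
	p.values.restrict_public_buckets
}

# GCP: no bucket IAM grant to allUsers or allAuthenticatedUsers.
deny contains msg if {
	some m in resources
	some member in bucket_members(m)
	member in {"allUsers", "allAuthenticatedUsers"}
	msg := sprintf("%s: grants %s to %s", [m.address, m.values.role, member])
}
bucket_members(m) := [m.values.member] if m.type == "google_storage_bucket_iam_member"
bucket_members(m) := m.values.members if m.type == "google_storage_bucket_iam_binding"

# Alibaba Cloud: OSS bucket ACL must stay private.
deny contains msg if {
	some b in resources
	b.type == "alicloud_oss_bucket"
	b.values.acl in {"public-read", "public-read-write"}
	msg := sprintf("%s: OSS acl %s is public", [b.address, b.values.acl])
}

# Constructed plan fragment: an S3 bucket with no public access block and a
# public-read OSS bucket, so `opa test` expects exactly two findings.
test_public_storage_denied if {
	count(deny) == 2 with input as {"planned_values": {"root_module": {"resources": [
		{"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "values": {"bucket": "corp-logs"}},
		{"address": "alicloud_oss_bucket.cn", "type": "alicloud_oss_bucket", "values": {"bucket": "corp-cn", "acl": "public-read"}}
	]}}}
}
```

The same rule set can be wired into Conftest or a Gatekeeper admission policy, which is how the page's Policy-as-Code enforcement is typically placed in the pipeline.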
### 7. Infrastructure-as-Code
| Tool | Paradigm | Multi-Cloud | State | License |
|---|---|---|---|---|
| Terraform / OpenTofu | Declarative HCL | Broadest provider coverage | Remote backend (S3, GCS, OSS, COS) | BSL / MPL 2.0 |
| Pulumi | Imperative code (TS, Python, Go, C#, Java) | Same-day new-service support | Pulumi Cloud or self-managed | Apache 2.0 |
| Crossplane | K8s-native CRDs | Growing (AWS, GCP, Azure, Alibaba) | Kubernetes etcd | Apache 2.0 |
For detailed configuration examples, see infrastructure/multi-cloud-governance/architecture#infrastructure-as-code.
### 8. CI/CD and GitOps
GitOps (ArgoCD, Flux) provides a pull-based reconciliation loop for Kubernetes workloads across clusters in any cloud. CI pipelines (GitHub Actions, GitLab CI, Jenkins) produce artifacts; GitOps controllers promote them through environments. Multi-cluster patterns use ApplicationSets (ArgoCD) or Kustomize overlays (Flux) with per-cloud value files. Secret management via Sealed Secrets, SOPS, or External Secrets Operator. See infrastructure/multi-cloud-governance/architecture#cicd-and-gitops.
### 9. Vendor-Neutral Reference Architecture
Analyst frameworks (Gartner CIPS Magic Quadrant, Forrester Wave for Multi-Cloud Management) recommend composable, cloud-native stacks: Kubernetes + Istio/Cilium + OpenTelemetry + OTel Collector + Terraform/Crossplane + GitOps + OPA. The reference architecture is a layered diagram in infrastructure/multi-cloud-governance/architecture#reference-architecture.
## Sources
- FinOps Foundation -- Framework
- CIS Benchmarks -- Downloads
- OpenTelemetry Documentation
- CNCF Cloud Native Landscape
- AWS Multi-Region and Multi-VPC Connectivity Patterns
- GCP Hybrid and Multi-Cloud Architecture Patterns
- Alibaba Cloud Express Connect Product Page
- Tencent Cloud Direct Connect
- HashiCorp Terraform Documentation
- Pulumi Documentation
- Crossplane Documentation
- ArgoCD Documentation
- Flux Documentation
- SPIFFE/SPIRE Project
- OPA / Gatekeeper
- Equinix Fabric
- Megaport
## Questions
- What is the realistic blast-radius trade-off between hub-spoke and full-mesh topologies for an APAC-centric enterprise running AWS + Alibaba Cloud?
- How do Alibaba RAM role-session-name constraints compare with AWS IAM role trust-policy patterns when federating from a single IdP?
- Can Crossplane compositions for Alibaba Cloud match the maturity of AWS/GCP compositions for production use, or is Terraform the safer choice for China-cloud resources?
- What is the current state of OpenTelemetry log signal stability across Alibaba Cloud SLS and Tencent CLS OTLP ingestion?
- How should an enterprise normalize FinOps unit economics (cost-per-transaction) when the same transaction spans two clouds?