Hybrid Cloud Architecture: 4 Patterns That Actually Work in Enterprise
Four proven hybrid cloud architecture patterns for enterprises using Azure Arc, ExpressRoute, and hybrid identity.
Not every workload belongs in the public cloud. Regulatory constraints, latency requirements, data residency obligations, and legacy system dependencies mean that most enterprises will operate in a hybrid model for years — possibly permanently. The question is not whether to go hybrid, but which hybrid pattern fits your reality.
After years of designing hybrid architectures for enterprise clients across Europe, we have identified four patterns that consistently deliver results. We have also learned when each pattern applies and when it does not.
When Hybrid Makes Sense (and When It Does Not)
Hybrid cloud is not a compromise — it is a deliberate architectural choice. It makes sense when:
- Regulatory requirements mandate that certain data stays on-premises or in a specific jurisdiction
- Latency-sensitive workloads (e.g., manufacturing control systems, high-frequency trading) cannot tolerate public cloud network latency
- Legacy applications that cannot be refactored run on hardware that is not yet end-of-life
- Data gravity makes it impractical to move petabytes of data to the cloud for processing
Hybrid does not make sense as a permanent state for workloads that are simply "not ready yet" — that is a migration backlog, not an architecture pattern. If the only reason a workload is on-premises is that nobody has planned its migration, it does not need a hybrid architecture — it needs a migration wave.
Pattern 1: Hub-and-Spoke with ExpressRoute
This is the foundational hybrid pattern and the one most enterprises should implement first.
Architecture:
- On-premises data centre connected to Azure via ExpressRoute (or site-to-site VPN as a fallback)
- Azure hub VNet with Azure Firewall centralising all traffic inspection and routing
- Spoke VNets peered to the hub, each hosting a workload or environment
- On-premises DNS forwarding to Azure Private DNS Zones for PaaS private endpoint resolution
When to use: Any enterprise that needs reliable, low-latency connectivity between on-premises and Azure.
Key design decisions:
- ExpressRoute circuit sizing: Start with 1 Gbps for most enterprises; monitor utilisation and scale up. Always deploy two circuits in different peering locations for resilience
- Routing: Use BGP to advertise on-premises routes to Azure. Avoid static routes — they do not scale and create maintenance burden
- Firewall placement: All traffic between on-premises and Azure must traverse the Azure Firewall (or NVA). No exceptions. This ensures centralised logging and policy enforcement
- Private endpoint strategy: Every PaaS service accessed from on-premises must use a private endpoint. Public access should be disabled
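The four design decisions above fit in one template. The following Bicep is an added example, not code from the original article or from the consultancy; the resource names, address ranges, the storage private DNS zone and the firewall's private IP (the first usable address of a /26 AzureFirewallSubnet, hard-coded to avoid a circular dependency between the VNet, the firewall and the route tables) are assumptions. It deploys the hub with Azure Firewall, a spoke that uses the hub's ExpressRoute gateway, and the two route tables that force on-premises-to-spoke and spoke-to-anywhere traffic through the firewall; the ExpressRoute gateway and circuit are assumed to exist in the hub's GatewaySubnet before the spoke peering is created.

```bicep
// Added example: hub-and-spoke skeleton with forced firewall inspection.
// Names, prefixes and the firewall IP are assumptions, not values from the article.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param hubPrefix string = '10.0.0.0/16'
param spokePrefix string = '10.1.0.0/16'
// Azure Firewall takes the first usable address in AzureFirewallSubnet (.4 in a /26).
param firewallPrivateIp string = '10.0.0.4'

// GatewaySubnet route table: traffic arriving from on-premises for the spoke
// is handed to the firewall instead of crossing the peering directly.
resource gatewayRoutes 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-gateway-subnet'
  location: location
  properties: {
    routes: [
      {
        name: 'spoke-via-firewall'
        properties: { addressPrefix: spokePrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
      }
    ]
  }
}

// Spoke route table: default route to the firewall and no propagation of the BGP routes
// learned via the hub gateway, so the spoke cannot reach on-premises around the firewall.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-spoke-app1'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
      }
    ]
  }
}

// Hub VNet with the two subnets Azure Firewall and the ExpressRoute gateway require.
resource hub 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ hubPrefix ] }
    subnets: [
      { name: 'AzureFirewallSubnet', properties: { addressPrefix: '10.0.0.0/26' } }
      { name: 'GatewaySubnet', properties: { addressPrefix: '10.0.1.0/27', routeTable: { id: gatewayRoutes.id } } }
    ]
  }
}

resource fwPip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: 'pip-afw-hub'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Central inspection and logging point for all on-premises <-> Azure traffic.
resource firewall 'Microsoft.Network/azureFirewalls@2023-04-01' = {
  name: 'afw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    ipConfigurations: [
      {
        name: 'ipconfig'
        properties: {
          subnet: { id: resourceId('Microsoft.Network/virtualNetworks/subnets', hub.name, 'AzureFirewallSubnet') }
          publicIPAddress: { id: fwPip.id }
        }
      }
    ]
  }
}

resource spoke 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-spoke-app1'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ spokePrefix ] }
    subnets: [ { name: 'snet-app', properties: { addressPrefix: '10.1.0.0/24', routeTable: { id: spokeRoutes.id } } } ]
  }
}

// Peerings: the hub shares its ExpressRoute gateway, the spoke consumes it.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: hub
  name: 'peer-to-spoke-app1'
  properties: { remoteVirtualNetwork: { id: spoke.id }, allowForwardedTraffic: true, allowGatewayTransit: true }
}

resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: spoke
  name: 'peer-to-hub'
  dependsOn: [ hubToSpoke ]
  properties: { remoteVirtualNetwork: { id: hub.id }, allowForwardedTraffic: true, useRemoteGateways: true }
}

// Private DNS zone for Storage private endpoints, linked to the hub so on-premises DNS
// can forward privatelink queries to a resolver in Azure and get the private IP back.
resource blobZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
  name: 'privatelink.blob.${environment().suffixes.storage}'
  location: 'global'
}

resource blobZoneLink 'Microsoft.Network/privateDnsZones/virtualNetworkLinks@2020-06-01' = {
  parent: blobZone
  name: 'link-hub'
  location: 'global'
  properties: { registrationEnabled: false, virtualNetwork: { id: hub.id } }
}
```

The two route tables are the part most often left out: without the GatewaySubnet route, traffic from on-premises reaches the spoke directly over the peering and never sees the firewall, which silently breaks the "no exceptions" rule above. The firewall itself still needs network rules before anything flows, and its diagnostic settings should be sent to a Log Analytics workspace to get the centralised logging the pattern promises.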
Practical tip: Deploy ExpressRoute Global Reach if you have multiple on-premises sites that need to communicate through Azure. Without it, inter-site traffic hairpins through your WAN instead of using the Microsoft backbone.
Common mistake: Under-investing in ExpressRoute monitoring. We deploy Azure Monitor alerts for circuit utilisation, BGP peer status, and packet drops. An ExpressRoute outage that goes undetected for 30 minutes can cascade into widespread application failures.
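For the three signals named above, the following Bicep is an added example and not the consultancy's own monitoring template; the circuit name, the recipient address, the 80 percent threshold (800 Mbps on a 1 Gbps circuit) and the alert windows are assumptions. It creates an action group and one static-threshold metric alert per signal against an existing ExpressRoute circuit.

```bicep
// Added example: metric alerts for an existing ExpressRoute circuit.
// Circuit name, e-mail address and thresholds are assumptions.
targetScope = 'resourceGroup'

param circuitName string = 'er-dc1-primary'
param alertEmail string = 'netops@example.com'
// 80 % of a 1 Gbps circuit, in bits per second; adjust to the circuit bandwidth.
param utilisationThresholdBps int = 800000000

resource circuit 'Microsoft.Network/expressRouteCircuits@2023-04-01' existing = {
  name: circuitName
}

resource netOps 'Microsoft.Insights/actionGroups@2023-01-01' = {
  name: 'ag-netops'
  location: 'global'
  properties: {
    groupShortName: 'netops'
    enabled: true
    emailReceivers: [ { name: 'netops', emailAddress: alertEmail, useCommonAlertSchema: true } ]
  }
}

// One alert per signal. BgpAvailability is a percentage, so an average below 100 over the
// window means the BGP session was down for part of it; QoS drop counters should stay at 0.
var alerts = [
  { name: 'bgp-availability', metric: 'BgpAvailability', operator: 'LessThan', threshold: 100, severity: 1 }
  { name: 'ingress-utilisation', metric: 'BitsInPerSecond', operator: 'GreaterThan', threshold: utilisationThresholdBps, severity: 2 }
  { name: 'egress-utilisation', metric: 'BitsOutPerSecond', operator: 'GreaterThan', threshold: utilisationThresholdBps, severity: 2 }
  { name: 'qos-drops-in', metric: 'QosDropBitsInPerSecond', operator: 'GreaterThan', threshold: 0, severity: 2 }
]

resource circuitAlerts 'Microsoft.Insights/metricAlerts@2018-03-01' = [for a in alerts: {
  name: 'alert-${circuitName}-${a.name}'
  location: 'global'
  properties: {
    description: 'ExpressRoute ${circuitName}: ${a.metric} ${a.operator} ${string(a.threshold)}'
    severity: a.severity
    enabled: true
    scopes: [ circuit.id ]
    evaluationFrequency: 'PT1M'
    windowSize: 'PT5M'
    targetResourceType: 'Microsoft.Network/expressRouteCircuits'
    criteria: {
      'odata.type': 'Microsoft.Azure.Monitor.SingleResourceMultipleMetricCriteria'
      allOf: [
        {
          criterionType: 'StaticThresholdCriterion'
          name: a.name
          metricNamespace: 'Microsoft.Network/expressRouteCircuits'
          metricName: a.metric
          operator: a.operator
          threshold: a.threshold
          timeAggregation: 'Average'
        }
      ]
    }
    actions: [ { actionGroupId: netOps.id } ]
  }
}]
```

Deploy it once per circuit (the article recommends two, in different peering locations), so that a failure of either circuit is visible on its own rather than hidden behind the surviving one. A one-minute evaluation over a five-minute window keeps detection well inside the 30-minute blind spot described above.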
Pattern 2: Azure Arc for Unified Management
Azure Arc extends the Azure control plane to on-premises and multi-cloud resources. It does not move workloads — it brings Azure management, governance, and security to where workloads already are.
Architecture:
- Arc-enabled servers: On-premises Windows and Linux servers registered in Azure, managed through Azure Policy, monitored through Azure Monitor, and protected by Microsoft Defender for Cloud
- Arc-enabled Kubernetes: On-premises Kubernetes clusters managed through Azure, with GitOps (Flux) for configuration and Azure Policy for compliance
- Arc-enabled data services: Azure SQL Managed Instance and PostgreSQL running on-premises, managed through Azure
When to use: Enterprises that need a single management plane across hybrid and multi-cloud environments, especially when full migration is years away.
Key design decisions:
- Connectivity mode: Use directly connected mode when servers have outbound internet access to Azure. Use indirectly connected mode for air-gapped environments (limited functionality)
- Policy scope: Apply Azure Policies to Arc-enabled resources at the same management group level as cloud resources — this ensures consistent governance
- Update management: Use Azure Update Manager for Arc-enabled servers to consolidate patch management across cloud and on-premises
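The GitOps side of Arc-enabled Kubernetes mentioned in the architecture list (Flux for configuration) looks like this in Bicep. This is an added example, not the consultancy's or Microsoft's template; the cluster name, the repository URL, the branch and the two kustomization paths are assumptions, and the repository is assumed to be readable without credentials.

```bicep
// Added example: Flux (GitOps) configuration on an existing Arc-enabled Kubernetes cluster.
// Cluster name, repository and paths are assumptions.
targetScope = 'resourceGroup'

param clusterName string = 'arc-k8s-dc1'
param repoUrl string = 'https://github.com/example-org/cluster-config'
param branch string = 'main'

resource cluster 'Microsoft.Kubernetes/connectedClusters@2024-01-01' existing = {
  name: clusterName
}

// The Flux cluster extension has to be present before a flux configuration can be created.
resource flux 'Microsoft.KubernetesConfiguration/extensions@2023-05-01' = {
  name: 'flux'
  scope: cluster
  properties: {
    extensionType: 'microsoft.flux'
    autoUpgradeMinorVersion: true
  }
}

// Pull-based: the cluster fetches the repository on its own outbound connection, so the
// on-premises cluster exposes no inbound management endpoint, and the Git history records
// every configuration change that reached it.
resource config 'Microsoft.KubernetesConfiguration/fluxConfigurations@2023-05-01' = {
  name: 'cluster-config'
  scope: cluster
  dependsOn: [ flux ]
  properties: {
    scope: 'cluster'
    namespace: 'flux-system'
    sourceKind: 'GitRepository'
    suspend: false
    gitRepository: {
      url: repoUrl
      repositoryRef: { branch: branch }
      syncIntervalInSeconds: 300
      timeoutInSeconds: 300
    }
    kustomizations: {
      // Platform components (namespaces, network policies, RBAC) first; workloads after.
      infra: { path: './infra', prune: true, syncIntervalInSeconds: 300 }
      apps: { path: './apps', prune: true, syncIntervalInSeconds: 300, dependsOn: [ 'infra' ] }
    }
  }
}
```

With `prune: true`, anything removed from the repository is removed from the cluster, so drift introduced by hand on the cluster is reverted at the next sync interval; that is the behaviour that makes the repository, not the cluster, the place where compliance is reviewed. For a private repository the credentials belong in the resource's protected settings rather than in the URL.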
The value proposition in numbers: One of our clients reduced their tooling footprint from five separate management tools (SCCM, Nagios, custom scripts, a CMDB, and a ticketing system) to Azure Arc + Azure Monitor + Azure Policy. Operational overhead dropped by 35 percent.
Pattern 3: Hybrid Identity with Entra ID
Identity is the control plane of hybrid cloud. Getting it wrong creates security gaps and user friction. Getting it right makes hybrid feel seamless.
Architecture:
- On-premises Active Directory Domain Services (AD DS) synchronised to Microsoft Entra ID (formerly Azure AD) via Entra Connect (or Entra Cloud Sync)
- Conditional Access policies applied consistently across cloud and on-premises applications
- Azure AD Application Proxy exposing on-premises web applications to remote users without VPN
- Password Hash Sync + Seamless SSO for authentication resilience (even if on-premises AD is unreachable, cloud auth continues)
When to use: Every hybrid enterprise. There is no viable hybrid architecture without hybrid identity.
Key design decisions:
- Authentication method: We strongly recommend Password Hash Sync (PHS) as the primary method, with Pass-Through Authentication (PTA) or AD FS federation only when regulatory requirements mandate that password hashes must not leave the on-premises boundary
- Staging mode: Always deploy a second Entra Connect server in staging mode for disaster recovery
- Group-based licensing: Use Entra ID groups to manage licence assignment — manual licence management does not scale
- Conditional Access baseline: Block legacy authentication, require MFA for all users, require compliant devices for access to sensitive applications
Critical note for German enterprises: If your data protection officer (DPO) has concerns about Password Hash Sync, note that PHS transmits a derived hash, not the actual password. Microsoft's documentation provides detailed security analysis that typically satisfies GDPR and BaFin requirements. We help clients navigate this conversation.
Common mistake: Running Entra Connect on a domain controller. Entra Connect should run on a dedicated, domain-joined server. Co-locating it on a DC creates upgrade and troubleshooting complexity.
Pattern 4: Data Residency-Aware Hybrid
For enterprises subject to strict data residency requirements — common in financial services, healthcare, and public sector — the hybrid architecture must be designed around where data is allowed to reside and flow.
Architecture:
- Data classification applied to every dataset: public, internal, confidential, restricted
- Restricted data remains on-premises or in a specific Azure region with sovereign controls
- Non-restricted workloads run in Azure, accessing on-premises data via private endpoints and ExpressRoute
- Data processing layer runs where the data resides — if data cannot leave on-premises, compute comes to the data (via Azure Stack HCI or Arc-enabled data services)
When to use: Enterprises in regulated industries or those subject to cross-border data transfer restrictions (e.g., Schrems II implications for EU-US data transfers).
Key design decisions:
- Azure region selection: Use Germany West Central and Germany North for German data residency. For EU-only, any EU region works, but document the rationale
- Azure Confidential Computing: For highly sensitive workloads, deploy on DCsv3-series VMs with Intel SGX enclaves — data is encrypted even during processing
- Egress controls: Use Azure Policy to deny resource creation outside approved regions and Azure Firewall to block data exfiltration
- Audit trail: Every cross-boundary data flow must be logged, classified, and auditable
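The region restriction from the egress-controls decision above, expressed as Azure Policy. This is an added example, not the consultancy's own policy set: the definition reproduces the logic of the built-in "Allowed locations" policy as a custom definition so that the rule is visible, and the policy is assigned at management-group scope, which (as Pattern 2 recommends) means it governs cloud resources and Arc-enabled servers and clusters alike, since those are ARM resources with a location. The management group it is deployed to and the assignment name are assumptions; the two regions are the ones the article names.

```bicep
// Added example: deny resource creation outside approved data-residency regions.
// Deploy at management-group scope; the region list below is a parameter.
targetScope = 'managementGroup'

param allowedLocations array = [ 'germanywestcentral', 'germanynorth' ]

// Custom definition with the same logic as the built-in "Allowed locations" policy.
// 'global' is exempt because region-less resources (e.g. private DNS zones) carry it.
resource allowedLocationsDef 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'deny-locations-outside-residency'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Deny resources outside approved data-residency regions'
    parameters: {
      listOfAllowedLocations: {
        type: 'Array'
        metadata: { displayName: 'Allowed locations', strongType: 'location' }
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'location', notIn: '[parameters(\'listOfAllowedLocations\')]' }
          { field: 'location', notEquals: 'global' }
        ]
      }
      then: { effect: 'deny' }
    }
  }
}

// Assigned at the management group, so every subscription beneath it inherits the rule:
// VMs, PaaS resources and Microsoft.HybridCompute/machines (Arc-enabled servers) included.
resource residencyAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
  name: 'residency-de'
  properties: {
    displayName: 'Data residency: approved German regions only'
    policyDefinitionId: allowedLocationsDef.id
    enforcementMode: 'Default'
    parameters: {
      listOfAllowedLocations: { value: allowedLocations }
    }
  }
}
```

A deny effect only stops new deployments; resources that already exist outside the approved regions show up as non-compliant in the policy compliance view and still have to be moved or rebuilt. Start a new assignment in `DoNotEnforce` mode to see what it would block before switching to `Default`.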
Common mistake: Treating data residency as a binary (on-prem vs. cloud) rather than a spectrum. Many datasets have components with different classifications. A customer record might have publicly available business address data and restricted personal financial data — these can be split across boundaries.
Choosing the Right Pattern
Most enterprises combine multiple patterns:
| Pattern | Primary Driver | Typical Workloads |
|---|---|---|
| Hub-and-Spoke + ExpressRoute | Connectivity and security | All hybrid workloads |
| Azure Arc | Unified management | Legacy servers, on-prem Kubernetes |
| Hybrid Identity | User experience and security | All applications |
| Data Residency-Aware | Regulatory compliance | Financial, healthcare, public sector |
Pattern 1 (networking) and Pattern 3 (identity) are prerequisites — implement them first. Patterns 2 and 4 are layered on top based on your specific requirements.
How We Can Help
CC Conceptualise designs and implements hybrid cloud architectures tailored to European enterprise requirements. We understand the regulatory landscape (GDPR, NIS2, BaFin, DORA) and translate compliance requirements into technical architecture decisions. Let us design your hybrid architecture.