You Can’t Govern What You Can’t Explain on a Napkin
Source: Dev.to
The Problem
Every platform team eventually gets asked the same question:
“Why does cloud cost this much?”
If your answer starts with “let me pull a dashboard”, you’ve already lost.
The CFO walks into your office with a printout:
“Why did Azure cost $2.3M this quarter?”
You have Azure Policy enforcing compliance, a landing zone with perfect architecture, tags on every resource, workbooks showing metrics, and dashboards with pretty graphs… but you can’t answer the question in 30 seconds, on a whiteboard, or on a napkin. This is the governance failure no one talks about.
Typical Azure Governance Stack
| Layer | Components |
|---|---|
| 1 – Azure Policy | SKU restrictions, required tags, security baselines, audit findings |
| 2 – Landing Zones | Management groups, subscription design, network topology, identity hierarchy |
| 3 – Tagging Standards | CostCenter, Owner, Environment, Application |
| 4 – Reporting Tools | Azure Monitor workbooks, Power BI dashboards, Cost Management exports, custom queries |
What This Stack Gives You
- ✅ Compliance
- ✅ Security controls
- ✅ Resource inventory
- ✅ Cost visibility
What It Doesn’t Give You
- ❌ Defensibility
Compliance vs. Defensibility
Compliance means: “Our resources follow the rules we wrote.”
Defensibility means: “I can explain why this costs what it costs — and justify it to someone who doesn’t trust me.”
Example
Compliant Azure bill
All resources are tagged correctly. Policy enforced. Landing zone followed. Here’s the report.
Defensible Azure bill
Application X costs $180K/month because it serves 2,400 users across 12 regions with a 99.95% SLA. Storage is $40K due to 7‑year retention for SOX compliance. Network is $25K for dual ExpressRoute. Compute scales between $95K–$140K based on usage.
Most Azure environments can only produce the first answer.
Can You Explain Your Azure Costs on a Napkin?
Not “here’s a dashboard.”
Not “let me pull a report.”
Right now. On a napkin. In 60 seconds.
A Simple Exercise
- Draw three boxes: Production, Staging, Development.
- Write the monthly cost in each box.
- Break Production into: Apps, Data, Network, Security.
- For the largest app: What does it do? How many users? What’s the SLA?
If you can’t do this without looking anything up, your governance isn’t working. It doesn’t matter how good your policies are, how clean your landing zone is, or how consistent your tags are. If the person responsible can’t explain it simply, it’s not governed — it’s just compliant.
Why Tags, Landing Zones, and Policies Aren’t Enough
- Tags tell you what a resource is (CostCenter, Environment, Owner, Application) but not why it costs $340K/month, whether that amount is reasonable, or what would break if you cut 30%.
- Landing Zones give beautiful structure but don’t explain why one subscription costs three times another, which decisions drove a cost increase, or what the ROI actually is.
- Azure Policy shows what’s non‑compliant but not whether the resource should exist, what business problem it solves, or whether the rule still makes sense.
Structure without narrative is just organized chaos.
What Defensible Cloud Costs Look Like
- Business context per dollar – linking cost to users, regions, SLAs, and compliance requirements.
- Decision history – records of why resources were provisioned and how they have changed.
- Trade‑off awareness – understanding the impact of cost reductions on capabilities.
- Clear owner accountability – who can justify each spend.
It’s not more dashboards, more tags, or more policies. It’s clear narratives that survive CFO scrutiny.
Conclusion
You can’t govern what you can’t explain. If you can’t explain your Azure costs on a napkin—in 60 seconds, in business terms, to someone who doesn’t trust you—you don’t understand them well enough to govern them. Until you can, governance is just expensive infrastructure with extra steps.