Solution Atlas

Plant floor workloads need cloud connectivity that does not blink

A manufacturer is moving MES analytics to Azure but production lines cannot tolerate the variability of public-internet VPN. The team wants predictable latency, redundant paths, and a unified hub for sites without a per-site fabric build.

Trigger
OT/IT convergence project; production uptime SLA cannot drop.
Good outcome
ExpressRoute primary with VPN backup, Virtual WAN hub, Azure Arc for plant-floor governance.
Diagnostic discovery

Signals this story fits

Observable cues that confirm the conversation belongs here.

  • OT/IT convergence programme; MES analytics moving to cloud
  • Existing VPN unreliable for production traffic
  • Multi-plant footprint with no unified network hub
  • Plant servers on legacy Windows with no central governance
  • Production uptime SLA non-negotiable

Questions to ask

Open-ended, SPIN-style — each one has a reason it matters.

  1. How do plant-floor systems connect to cloud today?

    Why: Sets the baseline. VPN over public internet is the most common entry point.

    Listen for: “site-to-site VPN” · “no cloud connectivity” · “consumer ISP”

  2. What latency / bandwidth SLA does production tolerate?

    Why: Drives ExpressRoute SKU choice.

  3. How are plant-floor servers governed today — patching, compliance, EDR?

    Why: Surfaces the Arc opportunity.

  4. Who is the carrier for your existing WAN?

    Why: ExpressRoute requires a circuit relationship; the existing carrier is often the path of least resistance.

  5. What workloads moved to cloud last year and what stayed on-prem — why did each decision land that way?

    Why: Pattern-matches the hybrid principle: cloud where it makes sense, on-prem where it must stay.

  6. What does a plant-line outage cost per hour?

    Why: Anchors the resilience investment case.

Baseline → target architecture

TOGAF-style gap framing — what we typically see today, and what the proposed end state looks like. The gap between them is the engagement.

Baseline architecture

Site-to-site VPN over public internet between plants and Azure. Plant servers on legacy Windows with no central governance plane. MES analytics partially cloud-resident. Defender for Cloud Azure-only; not extended to on-prem. No unified hub.

Typical concerns

  • VPN latency jitter affecting OT analytics
  • Plant-floor servers outside the central security perimeter
  • No single inventory across cloud + on-prem + edge
  • Patching of plant Windows servers ad hoc
  • Resilience story relies on a single circuit path

Capability gaps

  • Predictable site-to-cloud connectivity
  • Unified governance across cloud + on-prem
  • Multi-site hub-and-spoke
  • Hybrid security posture
  • OT-segmented network architecture

Target architecture

Azure ExpressRoute as primary site-to-cloud with VPN as warm backup. Azure Virtual WAN as the multi-site managed hub. Azure Arc onboarding all plant-floor servers for governance, patching, and policy. Defender for Cloud extended via Arc to the hybrid estate.

Key capabilities

  • Predictable site-to-cloud latency
  • Multi-site managed hub
  • Cross-fleet governance via Arc
  • Hybrid security posture
  • Resilience with redundant network paths

Enabling SKUs

Resolved in the ‘Recommended cards’ section below.

Architecture decisions

Each decision is offered as explicit options with trade-offs — Hohpe's “selling options” principle. A safe default is noted where one exists.

  1. Decision 1: ExpressRoute Premium add-on for Microsoft 365 connectivity — yes or no

    Premium add-on

    When it fits: Heavy M365 usage from connected plants; latency SLA on Teams or SharePoint matters.

    Trade-offs: Significant additional cost.

    Standard (default)

    When it fits: M365 routed via public-internet break-out; latency tolerated.

    Trade-offs: No accelerated path for M365.

    Default recommendation: Standard. Premium is the exception, not the default.

  2. Decision 2: Arc scope — all plant servers vs critical workloads only

    All plant servers

    When it fits: Centralised governance is the goal; operational team prepared.

    Trade-offs: Initial onboarding workload; agent management at scale.

    Critical workloads only

    When it fits: Pilot phase or limited platform-team capacity.

    Trade-offs: Two governance planes during transition.

    Default recommendation: Start with critical workloads in pilot; expand to all plant servers within 6 months.

  3. Decision 3: Carrier circuit — existing telco or new procurement

    Existing telco

    When it fits: Existing WAN contract has good terms; existing relationship.

    Trade-offs: Tied to existing terms; less competitive pricing.

    New procurement

    When it fits: WAN contract due for renewal; better terms achievable.

    Trade-offs: Procurement timeline often dominates the project schedule.

    Default recommendation: Existing telco if the relationship is functional; new procurement only at a natural renewal point.

Low-risk trial — proof of value

8-week single-plant hybrid pilot

Duration: 8 weeks

Provision ExpressRoute for one production plant with VPN failover. Onboard 50 plant servers to Azure Arc with policy + Defender. Deploy Virtual WAN hub. Measure latency, resilience, and governance signal vs baseline.

Success criteria

  • ExpressRoute latency P95 within SLA target
  • Arc onboarding 50/50 plant servers
  • Defender CSPM secure-score generated for the hybrid scope
  • Failover test from ExpressRoute to VPN executed without production impact

Investment: ExpressRoute port + carrier circuit (~€3–4.5k/month depending on SKU) + Arc consumption. Other plants unchanged during trial.

Proof metrics

  • P95 site-to-cloud latency within OT SLA
  • Plant-server compliance score above 80% after onboarding
  • Failover test passed without production impact
  • Hybrid secure-score baseline established

Recommended cards

The SKUs and capabilities most likely to be part of the solution, with the editorial rationale for each in the context of this story. Add the ones that fit your situation.

Why for this story

Predictable, private site-to-cloud connectivity — the production-grade alternative to public-internet VPN. Three commercial lines (port, carrier, data plan) procured separately.
