
The cloud is becoming congested: how complexity is gradually stifling your IT
Last week, I was involved in a discussion about how to connect dozens (!) of Virtual Private Clouds (VPCs) to each other. Dozens of VPCs within one and the same organization.
Complexity in the cloud is getting completely out of hand. What was once intended to bring flexibility and scalability is slowly turning into a complexity nightmare that slows down your IT and drives up your costs.
Fortunately, that discussion did not get out of hand, quite the contrary. After some initial hesitation, my conversation partner suddenly saw what was really going on: costs that led to nothing but more complexity. And he wanted to see that changed as soon as possible.
We continued talking. Because he wanted to know, “How does something like this happen?” And whether he was an exception. No, not an exception.
Of course, we both understood the technical puzzle. But the question is: why do you have so many VPCs in the first place? It's like setting up a completely new city council for every house in a neighborhood—with a mayor, civil servants, and infrastructure. No one would do that rationally. Yet it happens every day in the cloud.
You see the same pattern with spokes and landing zones. In Azure, almost every server is placed in a separate spoke. The argument: isolation. The result: a few hundred spokes is no longer an exception. And as soon as you increase the number of spokes tenfold, the number of possible paths between them explodes. Every data packet that has to pass through a firewall counts. What was once conceived to create order actually creates chaos, slowness, and a sky-high bill.
There's more: there are no open standards to manage this spaghetti of cloud architectures. Each supplier chooses its own approach, with its own tools and its own rules. The more of these constructions you put in place, the stronger the chain that ties you to that supplier. Vendor lock-in was never just a theoretical risk, and the daily reality is now worse than ever.
In short: the cloud is not becoming complex because it has to be, but because it can be. And because we often accept, without realizing it, that suppliers are pulling us deeper and deeper into their maze. Is there a solution? Yes. It's simpler than you might think, and it saves money into the bargain. I'll come back to that.
Why Windows keeps taking on water
When Windows NT was introduced in the early 1990s, server hardware was extremely expensive. You had one or two machines that did everything: authentication, file sharing, DNS, DHCP, network routing. Everything neatly brought together on a few physical servers.
Fast forward to 2025. Servers are virtual and scalable. Each function runs on a separate machine. But the architecture of Windows? It's still largely the same as it was in 1993. Seriously, almost nothing has changed in over 30 years. Every Windows server offers file services. Even if you haven't set up any shares for users, the so-called C$ administrative share remains open by default. This means that the operating system itself is directly accessible from the network. Can you imagine a bigger leak? Neither can I.
And it doesn't stop there. System configurations, log files, and the authentication database are also accessible to anyone who manages to get in. In theory, you need a valid account with rights to do so. In practice, we all know how “secure” that is in a Windows environment. If you break into one server, the rest are usually within reach. It's the well-known domino effect: if one falls, the rest will follow.
And yet we continue to invest in Windows. As if nothing is wrong. Instead of scrapping the sinking ship, organizations continue to pump money into increasingly sophisticated bailers: firewalls, monitoring, detection tools. Anything to scoop out the water that keeps pouring in.
But bailers don't even make your boat pleasant to sail, let alone seaworthy. You stay afloat until you don't. Meanwhile, costs mount and you lose speed. Exactly the wrong direction at a time when your IT needs to be light, fast, and scalable. Not only can it be, but it must be. Because data security is a growing requirement. And rightly so.
Windows is no longer a solution. Windows is a big and growing problem.
The illusion of isolation: how you pay more for less security
The reflex in many organizations is clear: if we see a risk, we build a fence around it. Windows servers get their own spoke, their own landing zone, their own piece of virtual land. The idea is that if one server goes down, at least the rest will still be up and running. Sounds logical. And it is a solution. But it is an expensive one. And in fact, it is not a real solution. Because in practice, this leads to an explosion of complexity, sky-high costs, and an IT landscape that is becoming increasingly sluggish.
The result? You pay more and more for less and less security. Performance declines and manageability disappears. This entangles you even further in the nets of your cloud provider. That's not a security strategy; at best, it's treating the symptoms.
The only sustainable solution is to tackle the causes. Don't build a higher fence; fill in the holes in the wall. As promised, here are the most important steps:
- Give Windows the boot
What? Say goodbye to Windows? Yes, you can. That is also what the brief discussion I opened with came down to. Saying goodbye to the familiar feels a little risky, but ... most of the services you need don't require Windows at all. File sharing? Works fine on Linux. SQL databases? You can run them just as well on Linux. The big difference: you can really shut down Linux. Services that aren't there don't pose a threat. So you don't have to use all kinds of tricks like spokes or landing zones to compensate for leaks that are built into Windows. Less complexity, lower costs, greater security.
- Disable unused services
A Windows server comes standard with a battery of services that you will probably never use. File services, print services, you name it. Every service that is turned on is a potential hole. And a current expense. Is it just there to gather dust? Turn it off. The fewer doors that are open, the less chance someone will get in.
- Use local firewalls wisely
Complex network segmentation is often seen as the holy grail of isolation. But why make things difficult when they can be simple? With a well-designed local firewall, you can limit communication to what is strictly necessary. Think of an SQL server and its replica: they only need to communicate with each other via the SQL protocol. You can simply block all other protocols. This is just as secure and much cheaper and faster than parking each server in a separate spoke.
- Apply network isolation at the source
Isolation does not have to be an expensive service. Take WiFi client isolation, for example: a simple setting that prevents users from seeing each other on the same network. You can also apply this principle to wired networks via Layer 3 or Layer 4 switching. This allows you to keep servers separate without unnecessary overhead. Yes, that is also a form of isolation. But here, the following applies: minimal complexity, consistent speed and costs, and isolation exactly where it belongs: at the source.
- Restrict privileges with local accounts
One of the biggest risks in Windows environments lies in administrative rights. A domain administrator often has access to dozens or hundreds of servers. A central identity is convenient for users, but extremely dangerous for administrators. If someone breaks into one server, the privileges automatically roll over to the rest. By setting up management accounts locally per server, you cut off that propagation. Less convenient for the administrator, but also less attractive to the hacker.
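The "Disable unused services" step above, together with the C$ remark in the Windows section, boils down to a concrete check: what does this server start automatically, what does it share, and which of those can go? The PowerShell script below is an added example (not code from the original post or from Sciante) that does exactly that audit on a Windows server and, only when run with -Apply, switches off the Print Spooler and the automatically created administrative shares. The choice of Spooler as the "unused" service and the file name audit.ps1 are assumptions; adjust the list to the role of the machine. The AutoShareServer value under the LanmanServer key is the documented switch for the C$/ADMIN$ shares on server editions.

```powershell
# Added example (not from the original post): inventory what a Windows server
# exposes and switch off what is not in use. Run as a local Administrator.
# Dry run by default; pass -Apply to make the changes.
param([switch]$Apply)

# 1. Services that start automatically and are running right now.
Get-Service |
    Where-Object { $_.Status -eq 'Running' -and $_.StartType -eq 'Automatic' } |
    Select-Object Name, DisplayName |
    Sort-Object Name |
    Format-Table -AutoSize

# 2. SMB shares currently offered, including the administrative ones (C$, ADMIN$).
Get-SmbShare | Select-Object Name, Path, Description | Format-Table -AutoSize

# 3. Services this example assumes are unused on a database or application server.
#    Adjust to the role of the machine; a print server obviously keeps Spooler.
$unusedServices = @('Spooler')   # Print Spooler

foreach ($svc in $unusedServices) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { continue }
    if ($Apply) {
        Stop-Service -Name $svc -Force
        Set-Service -Name $svc -StartupType Disabled
        Write-Host "Disabled $svc"
    } else {
        Write-Host "Would disable $svc (current status: $($s.Status))"
    }
}

# 4. Administrative shares (C$, D$, ADMIN$) are recreated every time the Server
#    service starts unless AutoShareServer is 0. IPC$ stays. On a machine that
#    shares nothing at all, disabling the LanmanServer service removes SMB serving.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if ($Apply) {
    Set-ItemProperty -Path $lanman -Name AutoShareServer -Type DWord -Value 0
    Restart-Service -Name LanmanServer -Force
    Write-Host 'Administrative shares disabled; verify with Get-SmbShare'
} else {
    $cur = (Get-ItemProperty -Path $lanman -Name AutoShareServer -ErrorAction SilentlyContinue).AutoShareServer
    $state = if ($null -eq $cur) { 'not set (administrative shares enabled)' } else { $cur }
    Write-Host "AutoShareServer currently: $state"
}
```

Run `.\audit.ps1` first to see the inventory and what would change, then `.\audit.ps1 -Apply` once you have confirmed the machine really does not need those services. Every service that disappears from the first table is one less listener to firewall, monitor and patch.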
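The "Use local firewalls wisely" step gives the SQL server and its replica as the example: they only need the SQL protocol between them, and everything else can be blocked on the host itself instead of in a separate spoke. The following Windows Firewall policy is an added example (not the post's own code) of that rule set. It assumes the SQL Server default port 1433, the default Always On endpoint port 5022, constructed lab addresses 10.10.1.11 for the peer, 10.10.2.0/24 for the application servers and 10.10.9.0/24 for administrators, and that administration happens over RDP and WinRM.

```powershell
# Added example (not from the original post): host firewall for one node of a
# SQL Server pair. Addresses below are constructed for the example.
param(
    [string]$PeerAddress = '10.10.1.11',   # the other node of the pair
    [string]$AppSubnet   = '10.10.2.0/24', # application servers that query SQL
    [string]$AdminSubnet = '10.10.9.0/24'  # where administrators connect from
)

# Default posture on every profile: block inbound, allow outbound, and log what
# is dropped so that unexpected callers show up in pfirewall.log.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# Remove earlier versions of our rules so the script can be re-run safely.
Get-NetFirewallRule -DisplayName 'SQL-Pair-*' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# SQL traffic (TCP 1433) and the availability-group endpoint (TCP 5022)
# are accepted from the peer node only.
New-NetFirewallRule -DisplayName 'SQL-Pair-TDS-Peer' -Direction Inbound -Protocol TCP `
    -LocalPort 1433 -RemoteAddress $PeerAddress -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'SQL-Pair-Endpoint' -Direction Inbound -Protocol TCP `
    -LocalPort 5022 -RemoteAddress $PeerAddress -Action Allow -Profile Any | Out-Null

# The application tier may talk SQL, nothing else.
New-NetFirewallRule -DisplayName 'SQL-Pair-TDS-App' -Direction Inbound -Protocol TCP `
    -LocalPort 1433 -RemoteAddress $AppSubnet -Action Allow -Profile Any | Out-Null

# Administration (RDP 3389, WinRM 5985) only from the admin subnet.
New-NetFirewallRule -DisplayName 'SQL-Pair-Admin' -Direction Inbound -Protocol TCP `
    -LocalPort 3389, 5985 -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null

# Everything else inbound, SMB on 445 included, falls through to the default block.
Get-NetFirewallRule -DisplayName 'SQL-Pair-*' |
    Format-Table DisplayName, Enabled, Direction, Action -AutoSize

# Built-in allow rules still take precedence over the default block, so review
# which of them are enabled and disable the ones this role does not need.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile | Sort-Object DisplayName | Format-Table -AutoSize
```

The last table is the part people skip: a default inbound block means nothing if "File and Printer Sharing" style rules are still enabled, because an explicit allow rule wins. Apply the same script with the peer address swapped on the other node, and the pair only speaks SQL to each other regardless of which spoke or subnet they happen to sit in.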
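The "Restrict privileges with local accounts" step only works if every server gets its own password; a local administrator with the same password everywhere propagates just like a domain account. The script below is an added example (not the post's own code) that creates, or rotates, a per-server administrator with a password drawn from the operating system's cryptographic random generator and returns it once for the password vault. The account name srvadmin and the 24-character length are assumptions. Windows LAPS automates this same rotation and stores the result in Active Directory or Entra ID, which is the practical route for more than a handful of machines.

```powershell
# Added example (not from the original post): one local administrator per server
# with a password unique to that host. Run as Administrator on the server itself.
function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous glyphs (I, O, l, 0, 1) left out so the password can be read back.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $chars = New-Object System.Collections.Generic.List[char]
    # Rejection sampling: discard bytes above the largest multiple of the alphabet
    # size so every character is equally likely (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

function New-LocalServerAdmin {
    param(
        [string]$Name = 'srvadmin',   # assumed account name
        [string]$Description = 'Per-server administrator; password unique to this host'
    )
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        # Account already exists: rotate its password instead of failing.
        Set-LocalUser -Name $Name -Password $secure
    } else {
        New-LocalUser -Name $Name -Password $secure -Description $Description `
            -AccountNeverExpires -PasswordNeverExpires:$false | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $Name
    }

    # The host name belongs in the vault entry: the point is one credential per machine.
    [pscustomobject]@{ Host = $env:COMPUTERNAME; User = $Name; Password = $plain }
}

New-LocalServerAdmin
```

Record the returned password in your vault immediately and re-run the script on a schedule to rotate it; the plaintext exists only in the returned object, never on disk. Once each server has its own administrator, the domain administrator can be kept off the servers altogether, and a foothold on one machine no longer comes with a key to the next.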
The core: less complexity, more impact, lower costs
Every additional spoke, landing zone, or VPC is merely treating the symptoms. It may appear to be more secure, but in reality, you are primarily acquiring complexity. Your environment becomes slower, more expensive, and you become more dependent on your supplier.
By tackling the causes—disabling unnecessary services, using local firewalls, applying network isolation, and limiting privileges—you not only make your IT more secure, but also faster and cheaper. And more importantly, you regain control.
The cloud doesn't have to be a maze. But to achieve this, you need to stop building extra fences and start closing the real gaps.
Do you want to bail or sail?
Do you want to continue investing in treating the symptoms? In spokes, landing zones, and expensive isolation that only make your cloud slower and more expensive? Or would you rather choose an environment that is truly secure, fast, and lean, without being stuck in your supplier's maze?
At Sciante, we have been helping organizations tackle causes rather than symptoms for years. We make your IT simpler, faster, and cheaper. And more importantly, you regain control of your cloud.
Fancy a chat, or even a discussion? ;) Schedule a no-obligation appointment. Then we'll show you where the gaps are in your environment and how to fix them without creating additional complexity.