Ajax Municipality sought to address rising costs and security concerns stemming from rapidly growing data volumes by implementing the modern data protection standard: the 3-2-1 Backup Rule.Deop collaborated with the Municipality to design a cutting-edge solution that seamlessly integrated their existing Veeam infrastructure with Microsoft Azure. But this project extended far beyond backup—it involved the full deployment of an enterprise-grade Azure Landing Zone across multiple subscriptions, with automation, security, and compliance built-in from the ground up.The project leveraged the Azure Landing Zone Accelerator, Azure Verified Modules, Terraform Infrastructure as Code, and Azure DevOps Pipelines. To align with government standards, we also implemented the Canada Federal PBMM (Protected B, Medium Integrity, Medium Availability) policy initiative and ensured the environment achieved strong alignment with federal cloud compliance expectations.
Ajax Municipality was already leveraging Veeam Backup & Replication. However, to meet full disaster recovery and data protection objectives under modern standards, the following challenges had to be addressed:
3-2-1 Compliance: Off-site, air-gapped copy of data required in the cloud.
Security & Data Integrity: Backup data needed to be encrypted in transit and at rest, and isolated from public endpoints.
Cost Control: With rapidly growing volumes, intelligent tiering and lifecycle management were necessary.
Cloud Governance: Needed a structured, scalable Azure architecture with clear separation of duties.
Public Sector Compliance: The Azure environment had to comply with Canada Federal PBMM standards, applicable to public sector workloads.
Deop implemented a secure, cost-optimized, and future-ready backup solution that also delivered a complete Azure Landing Zone, fully aligned with Canadian public sector compliance standards.
Full Multi-Subscription Landing ZoneFollowing Microsoft’s enterprise-scale architecture, we provisioned:
Management Subscription – Logging, monitoring, baseline controls
Connectivity Subscription – Networking, DNS, VPN
Identity Subscription – IAM, role separation
Veeam Backup Subscription – Dedicated for backup-related infrastructure
Each was governed by a central management group structure with enforced policies and naming conventions.
Terraform + Azure DevOps PipelinesAll infrastructure was deployed via Terraform and fully automated through Azure DevOps CI/CD pipelines. This enabled:
End-to-end automation
Staged environments (dev → prod)
Secure key and state management
Approvals and change tracking
Veeam SOBR + Blob TieringVeeam’s Scale-Out Backup Repository (SOBR) was configured with:
Performance Tier for short-term retention
Azure Blob as Capacity Tier
Cool and Archive policies to reduce storage cost automatically
Canada Federal PBMM Compliance AlignmentWe implemented and evaluated Microsoft’s Canada Federal PBMM (Protected B, Medium Integrity, Medium Availability) policy initiative. The environment:
Inherits all PBMM built-in policy definitions
Restricts non-compliant services and configurations
Is configured to be mostly compliant out of the box, with governance alerts in place for future drift
Governance: Management groups and policy inheritance across 4 subscriptions
IaC: Terraform + Azure DevOps for version-controlled, auditable deployments
Connectivity: VPN tunnel connecting on-prem and Azure backup tiers
Cost Management: SOBR + blob tiering policies
Compliance: Canada PBMM initiative integrated into the landing zone; compliance posture monitored via Azure Policy and Defender for Cloud
Data is securely backed up in a cloud environment that is geographically off-site and logically isolated.
Private network, encryption, and built-in policies ensure the platform is secure from day one.
Intelligent storage tiering ensures long-term scalability while controlling monthly cloud costs.
With Canada PBMM alignment, Ajax’s environment is well-positioned to meet federal audit and compliance standards—reducing overhead and risk in future assessments.
"The challenge of scaling our backups while maintaining 3-2-1 compliance was significant. Deop didn't just meet the requirement for an off-site copy; they delivered a future-proof platform. Their use of Terraform and Azure Verified Modules modernized our entire infrastructure, making it auditable and highly resilient. Crucially, their team provided seamless, supportive guidance, ensuring we achieved sustainable cost optimization with Veeam's integration into Azure Blob storage. Our data is secure, and our operational risk is minimized."
CTO ,Ajax Municipality
