We recently completed a modernization project for a financial services firm moving from a legacy on-prem environment to a full Azure stack. Since the mid-market space often lacks the massive DevOps teams of "Big Finance," we had to stay lean.
I wanted to share a few "gotchas" and architecture decisions that made the audit process significantly easier:
- Azure Policy is your best friend: We didn't just use it for monitoring; we used "Deny" policies for non-compliant regions and unencrypted disks. It turns "policing" into "automation."
- The Hub-Spoke pivot: We initially looked at a flat VNet structure, but moving to a Hub-Spoke with Azure Firewall was the only way to satisfy the client’s requirement for centralized traffic inspection without a massive management overhead.
- Key Vault + Managed Identities: We spent a week stripping hardcoded credentials out of legacy code. If you’re modernizing fintech, do this first. It’s the lowest-hanging fruit for security.
- The Power Platform Gap: We found that a lot of fintech modernization actually happens at the UI layer using Power Apps. Integrating these securely with Azure SQL via Private Links was tricky but essential for keeping the data off the public internet.
Question for the group: For those working in highly regulated industries, are you leaning more toward Azure Front Door or Application Gateway for WAF capabilities? We found FD easier for global scale, but App GW felt more granular for localized compliance.
Lessons Learned: Moving a Mid-Market Fintech to Azure while maintaining SOC2/PCI compliance
Posted by u/practicalsolutionsIT in r/CryptoMarkets
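The first bullet of the post describes using Azure Policy in "Deny" mode for non-compliant regions and disk encryption rather than only auditing. The two custom policy definitions below are an added illustration of that pattern and are not the poster's own definitions. The allowed-location rule follows the shape of the built-in "Allowed locations" policy; the disk rule assumes the poster's "unencrypted disks" requirement means disks that are not encrypted with a customer-managed key (the alias `Microsoft.Compute/disks/encryption.type` and the listed encryption values are the ones exposed by the Compute resource provider). Display names, parameter names and the example default locations are placeholders.

```json
[
  {
    "properties": {
      "displayName": "Deny resources outside approved regions (example)",
      "policyType": "Custom",
      "mode": "Indexed",
      "description": "Deny effect: the deployment is rejected at request time instead of being flagged later by an Audit policy.",
      "parameters": {
        "allowedLocations": {
          "type": "Array",
          "metadata": {
            "displayName": "Allowed locations",
            "strongType": "location"
          },
          "defaultValue": [ "uksouth", "ukwest" ]
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "location", "notIn": "[parameters('allowedLocations')]" },
            { "field": "location", "notEquals": "global" },
            { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
          ]
        },
        "then": { "effect": "deny" }
      }
    }
  },
  {
    "properties": {
      "displayName": "Deny managed disks not encrypted with a customer-managed key (example)",
      "policyType": "Custom",
      "mode": "Indexed",
      "description": "Assumption: the compliance requirement is CMK (or double) encryption at rest; platform-key-only disks are rejected.",
      "parameters": {
        "allowedEncryptionTypes": {
          "type": "Array",
          "metadata": { "displayName": "Allowed disk encryption types" },
          "defaultValue": [
            "EncryptionAtRestWithCustomerKey",
            "EncryptionAtRestWithPlatformAndCustomerKeys"
          ]
        }
      },
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Compute/disks" },
            {
              "anyOf": [
                { "field": "Microsoft.Compute/disks/encryption.type", "exists": "false" },
                { "field": "Microsoft.Compute/disks/encryption.type", "notIn": "[parameters('allowedEncryptionTypes')]" }
              ]
            }
          ]
        },
        "then": { "effect": "deny" }
      }
    }
  }
]
```

Each element is a separate policy definition; create them individually (for example with `az policy definition create`, passing the `policyRule` and `parameters` sections) and assign them at the management-group or subscription scope. The `exists: false` branch in the disk rule is what closes the gap for requests that omit the encryption block entirely; without it a request that simply leaves the field out would pass the `notIn` test. Before switching the effect from `audit` to `deny`, run the same rule as `audit` for a few days so that existing non-compliant resources and any deployment pipelines that would start failing are visible first.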