internship focused on building a secure Azure landing zone “as code,” wiring centralized monitoring & SIEM, and implementing governed analytics in Microsoft Fabric. Ideal for a Master’s student in Networks/Security who wants real DevSecOps experience.
What you’ll do (key responsibilities)
- Design and deploy a secure Azure landing zone using Terraform (modular, reusable, documented).
- Implement hub-and-spoke networking, Private DNS, Azure Firewall, Bastion, and Private Link endpoints.
- Enforce governance with Azure Policy (allowed locations/SKUs, tagging, diagnostic settings, resource locks).
- Configure centralized logging/telemetry with Azure Monitor & Log Analytics; standardize diagnostic profiles.
- Stand up Microsoft Sentinel: connect data sources (Azure Activity, Entra ID, M365), write KQL analytic rules, and create basic SOAR playbooks with Logic Apps.
- Enable Defender for Cloud plans, prioritize & remediate security recommendations, and measure posture.
- Build CI/CD pipelines (GitHub Actions or Azure DevOps) for plan/apply, including tflint, terraform validate, Checkov, and Terratest.
- Implement least-privilege Entra ID/RBAC, service principals, and Key Vault secrets/rotation.
- Track cost, reliability, and compliance (budgets/alerts, backup policies, availability SLAs).
- Contribute high-quality docs: architecture diagram, runbooks, and “how we operate” READMEs.
- (Data track) Create a governed Fabric workspace (OneLake + Lakehouse), medallion layers, RLS, and Purview lineage/labels; publish a Power BI report with RLS.
Tools you’ll use
Azure Portal/CLI, Terraform (azurerm), GitHub or Azure DevOps, Log Analytics/KQL, Defender for Cloud, Sentinel, Policy, Key Vault, Monitor, Microsoft Fabric (OneLake, Lakehouse, Data Factory, Power BI), Purview, Visual Studio Code, draw.io, and basic testing/security scanners (tflint, Checkov, Terratest).