Azure Landing Zones¶
Azure Landing Zones are guidelines, tools, and resources for establishing a well-architected and secure environment in Azure. They are part of the Azure Cloud Adoption Framework (CAF) and provide a foundation for deploying workloads, managing resources, and implementing governance and security controls.
- GRINNTEC: Azure Subscriptions
- Microsoft Azure Landing Zones
- Microsoft Azure Environment Design areas
- Deploy Azure Landing Zones
- Policy-driven guardrails
Key Design Principles¶
Subscriptions¶
Subscriptions define boundaries for resource organization, governance, and cost control. In Azure Landing Zone design, they should be:
- Aligned to business units or workloads for ownership clarity
- Isolated by environment (e.g., dev, test, prod) to enforce SDLC separation
- Provisioned via IaC for repeatability and governance integration
- Nested under management groups to inherit policies and enable cost visibility
- Tagged and budgeted from day one to support compliance and optimization
Policy-Driven Governance¶
Governance in Azure Landing Zones is embedded through scalable, automated guardrails—not manual oversight. Key principles include:
- Guardrails, not gatekeeping: Guide teams toward compliant deployments without blocking agility
- Centralized control plane: Use management groups and policy initiatives for consistent enforcement
- Shift-left governance: Apply policies early—during subscription vending and IaC deployment
- Modular and scalable: Adapt governance to new workloads, teams, and compliance needs
- Transparent compliance: Surface posture via dashboards and automated reporting
Use Azure Policy and role assignments via Terraform or Bicep to enforce standards like tagging, naming, security baselines, and cost controls. Delegate responsibly—central IT sets the rules, app teams operate within them.
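The subscription and governance principles above (subscriptions nested under management groups, tagged from day one, guardrails applied at the management-group level), as an added Terraform example that is not from the page or from Microsoft's own Azure Landing Zone modules: a root and a landing-zones management group, a subscription placed under it, and two guardrails assigned at management-group scope so every child subscription inherits them. The management group names, the subscription ID and the approved regions are constructed placeholders.

```hcl
resource "azurerm_management_group" "root" {
  display_name = "contoso-root" # constructed name
}

resource "azurerm_management_group" "landing_zones" {
  display_name               = "landing-zones"
  parent_management_group_id = azurerm_management_group.root.id
  subscription_ids           = ["00000000-0000-0000-0000-000000000000"] # placeholder prod subscription
}

# Custom policy: deny creation of any resource that lacks the platform's mandatory tags.
resource "azurerm_policy_definition" "require_tags" {
  name                = "require-environment-and-owner-tags"
  policy_type         = "Custom"
  mode                = "Indexed" # evaluate only resource types that support tags and location
  display_name        = "Require environment and owner tags"
  management_group_id = azurerm_management_group.root.id

  policy_rule = jsonencode({
    "if" = {
      anyOf = [
        { field = "tags['environment']", exists = "false" },
        { field = "tags['owner']", exists = "false" }
      ]
    }
    "then" = { effect = "deny" }
  })
}

# Assign at the landing-zones management group: every subscription placed under it inherits the guardrail.
resource "azurerm_management_group_policy_assignment" "require_tags" {
  name                 = "require-tags"
  management_group_id  = azurerm_management_group.landing_zones.id
  policy_definition_id = azurerm_policy_definition.require_tags.id
  enforce              = true # set to false for a DoNotEnforce dry run before turning deny on
  non_compliance_message {
    content = "Resources must carry 'environment' and 'owner' tags (platform guardrail)."
  }
}

# Built-in "Allowed locations" policy, parameterised with the approved regions (data-residency guardrail).
resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations"
  management_group_id  = azurerm_management_group.landing_zones.id
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/e56962a6-4747-49cd-b67b-bf8b01975c4c"
  parameters = jsonencode({
    listOfAllowedLocations = { value = ["westeurope", "northeurope"] }
  })
}
```

Because both assignments sit on the management group, a subscription vended into it later is covered with no per-subscription work, which is the shift-left property the section describes.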
Application-Centric Service Model¶
Azure Landing Zones prioritize applications—not infrastructure—as the core unit of cloud design. This approach enables secure, scalable modernization across diverse workloads.
- Application First: Design around app lifecycle needs, not just infrastructure migration
- Service Model Agnostic: Apply consistent standards across IaaS, PaaS, and legacy workloads
- Unified Guardrails: Every application zone inherits baseline governance, security, and compliance
- Accelerated Modernization: Focused app enablement drives faster innovation and platform adoption
- Consistent Ops: Operational standards apply uniformly, regardless of architecture or hosting model
Environment Design¶
These areas define the technical foundation of an Azure setup.
Azure Billing and Active Directory Tenant¶
In CAF-aligned landing zones, these two components form the financial and identity backbone of your Azure environment:
Enterprise Agreement + Billing Profile
- Governs licensing, cost management, and consolidated billing across all subscriptions
- Exists at the tenant level—outside any individual subscription
- Enables budget alerts, cost analysis, and centralized financial governance
Microsoft Entra ID (Tenant)
- Acts as the identity control plane for authentication, RBAC, Conditional Access, and policy enforcement
- All subscriptions and resources inherit identity governance from this root
- Supports hybrid identity via Entra Connect, syncing on-prem AD credentials to the cloud
Together, they ensure centralized control, secure access, and financial visibility across all landing zones—supporting scalable, compliant cloud operations.
Resource Organization¶
Effective resource organization is the backbone of scalable, secure Azure environments. In Landing Zone design, it enables clarity, governance, and lifecycle management.
- Management Groups: Structure subscriptions by platform, application, and environment tiers to enforce policy inheritance
- Subscriptions: Segment workloads by business unit, environment (dev/test/prod), or cost center for isolation and accountability
- Resource Groups: Group related resources by lifecycle and ownership—supporting modular deployments and clean teardown
- Naming & Tagging Standards: Apply consistent conventions to support automation, cost tracking, and compliance
- RBAC & Policy Boundaries: Align resource scopes with role assignments and policy enforcement for least privilege and guardrail adherence
This layered model supports modularity, visibility, and governance at scale—enabling teams to operate autonomously within secure boundaries.
Identity & Access Management (IAM)¶
IAM is the foundation of secure, scalable operations in Azure Landing Zones—anchored in Microsoft Entra ID and enforced through role-based access and policy.
Microsoft Entra ID (Tenant)
- Central identity authority for all subscriptions and resources
- Supports hybrid identity via Entra Connect for seamless on-prem integration
- Enables Conditional Access, MFA, and identity governance at scale
Role-Based Access Control (RBAC)
- Assigns least-privilege roles at tenant, management group, subscription, and resource group levels
- Aligns access scopes with operational boundaries and team responsibilities
- Delegates app zone control while preserving platform governance
Policy-Integrated Access
- Azure Policy enforces tagging, naming, and security standards alongside RBAC
- Shift-left access controls embedded in IaC and subscription vending flows
IAM in landing zones ensures a secure-by-default posture, operational autonomy, and centralized oversight—supporting both agility and compliance.
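The delegation model above (app teams operate within scoped autonomy while the platform keeps governance), as an added Terraform example that is not from the page or from Microsoft's own modules: a custom role for application teams that behaves like Contributor inside their subscription but cannot change role assignments, policy, hub peering or the forced-tunnel route table, assigned at subscription scope only; the platform team gets the built-in Resource Policy Contributor role at the landing-zones management group. The group object IDs, the subscription ID and the management-group path are constructed placeholders.

```hcl
locals {
  landing_zones_mg_id = "/providers/Microsoft.Management/managementGroups/landing-zones" # placeholder
  app_subscription_id = "/subscriptions/00000000-0000-0000-0000-000000000000"            # placeholder
  app_team_group_id   = "11111111-1111-1111-1111-111111111111" # Entra ID group object ID, placeholder
  platform_group_id   = "22222222-2222-2222-2222-222222222222" # Entra ID group object ID, placeholder
}

# Custom role for application teams: Contributor-like inside their own subscription,
# minus the objects the platform team owns (RBAC, policy, peering, forced-tunnel routes).
resource "azurerm_role_definition" "app_zone_operator" {
  name        = "Landing Zone Application Operator"
  scope       = local.landing_zones_mg_id
  description = "Operate an application landing zone without touching platform guardrails"

  permissions {
    actions = ["*"]
    not_actions = [
      "Microsoft.Authorization/*/Write",                                 # no role or policy assignments
      "Microsoft.Authorization/*/Delete",
      "Microsoft.Authorization/elevateAccess/Action",
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write",  # hub peering is platform-owned
      "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete",
      "Microsoft.Network/routeTables/write",                             # default route to the hub firewall
      "Microsoft.Network/routeTables/delete",
      "Microsoft.Network/routeTables/routes/write"
    ]
  }
  assignable_scopes = [local.landing_zones_mg_id]
}

# App team: the custom role, scoped to their subscription and nothing above it.
resource "azurerm_role_assignment" "app_team" {
  scope              = local.app_subscription_id
  role_definition_id = azurerm_role_definition.app_zone_operator.role_definition_resource_id
  principal_id       = local.app_team_group_id
}

# Platform team: manages policy across every landing zone without being Owner on app subscriptions.
resource "azurerm_role_assignment" "platform_policy" {
  scope                = local.landing_zones_mg_id
  role_definition_name = "Resource Policy Contributor"
  principal_id         = local.platform_group_id
}

# Caveat: RBAC alone does not pin the spoke route table. A principal holding
# Microsoft.Network/virtualNetworks/subnets/write can still detach it from a subnet,
# so back this role with an Azure Policy that audits or denies subnets lacking the platform route table.
```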
Network Topology & Connectivity¶
Landing Zones establish a secure, scalable network foundation that supports hybrid integration, shared services, and workload isolation.
Hub-Spoke Architecture
- Centralized platform hub provides shared services (DNS, identity, monitoring)
- Spoke networks host application workloads, segmented by environment or business unit
- Enables policy inheritance and traffic control via Network Security Groups (NSGs) and route tables
Hybrid Connectivity
- Integrates on-premises networks via VPN or ExpressRoute
- Supports identity federation, data access, and legacy system interoperability
Centralized Control
- Connectivity managed by the platform team; app teams consume services via delegated access
- Firewall, DDoS protection, and diagnostics centralized for consistency and compliance
Modular & Repeatable
- Defined via Infrastructure as Code (IaC) for consistent deployment and lifecycle management
- Scales with business needs while maintaining governance boundaries
This topology supports secure-by-default operations, simplifies cross-zone communication, and enables autonomous app deployment within governed boundaries.
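The hub-spoke connectivity above, as an added Terraform example that is not from the page or from Microsoft's modules: a production spoke peered to the platform hub, with its default route forced through the hub firewall so the spoke has no direct Internet egress. The hub VNet ID, the firewall's private IP and the address ranges are constructed placeholders, and it assumes the platform team has already deployed the hub with a gateway and creates the matching hub-to-spoke peering.

```hcl
locals {
  hub_vnet_id     = "/subscriptions/<hub-sub-id>/resourceGroups/rg-hub/providers/Microsoft.Network/virtualNetworks/vnet-hub" # placeholder
  hub_firewall_ip = "10.0.1.4" # private IP of the hub Azure Firewall, placeholder
}
resource "azurerm_resource_group" "spoke" {
  name     = "rg-app1-prod-network"
  location = "westeurope"
}
resource "azurerm_virtual_network" "spoke" {
  name                = "vnet-app1-prod"
  location            = azurerm_resource_group.spoke.location
  resource_group_name = azurerm_resource_group.spoke.name
  address_space       = ["10.10.0.0/16"] # must not overlap the hub or any other spoke
}

resource "azurerm_subnet" "workload" {
  name                 = "snet-workload"
  resource_group_name  = azurerm_resource_group.spoke.name
  virtual_network_name = azurerm_virtual_network.spoke.name
  address_prefixes     = ["10.10.1.0/24"]
}

# Spoke -> hub peering; the platform team creates the matching hub -> spoke side.
resource "azurerm_virtual_network_peering" "to_hub" {
  name                      = "peer-app1-prod-to-hub"
  resource_group_name       = azurerm_resource_group.spoke.name
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = local.hub_vnet_id
  allow_forwarded_traffic   = true # accept traffic forwarded by the hub firewall
  use_remote_gateways       = true # reach on-prem via the hub's VPN/ExpressRoute gateway
}

# Default route to the hub firewall: no direct Internet egress, all outbound traffic inspected centrally.
resource "azurerm_route_table" "spoke" {
  name                = "rt-app1-prod"
  location            = azurerm_resource_group.spoke.location
  resource_group_name = azurerm_resource_group.spoke.name
  route {
    name                   = "default-via-hub-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = local.hub_firewall_ip
  }
}

resource "azurerm_subnet_route_table_association" "workload" {
  subnet_id      = azurerm_subnet.workload.id
  route_table_id = azurerm_route_table.spoke.id
}
```

Spoke-to-spoke traffic also transits the hub firewall under this route, which is how cross-zone communication stays inspectable without peering every spoke to every other.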
Compliance Design¶
These areas focus on ensuring the environment is managed, secure and governable.
Security¶
The goal is to create a secure-by-default foundation that scales with your organization while enforcing consistent protection.
Key Principles
- Defense-in-Depth: Layered security across identity, network, data, and workloads
- Policy-Driven Guardrails: Use Azure Policy to enforce security baselines (e.g., encryption, MFA, secure SKUs)
- Least Privilege Access: RBAC scoped to management groups, subscriptions, and resource groups
- Secure Connectivity: Centralized firewalling, NSGs, and route control in hub-spoke topology
- Threat Protection: Enable Microsoft Defender for Cloud, DDoS protection, and logging from day one
- Shift-Left Security: Embed security controls in IaC and CI/CD pipelines—automate posture from the start
Management¶
Management is about operational control, visibility, and lifecycle governance across your cloud environment. It ensures that resources are not just deployed—but monitored, maintained, and recoverable.
Microsoft Entra ID (Tenant)
- Central identity authority for authentication, RBAC, and Conditional Access
- Anchors all subscriptions and resources under a unified control plane
Billing & Cost Management
- Enterprise Agreement and billing profiles govern licensing and consolidated cost visibility
- Budget alerts and cost analysis tools support financial accountability across subscriptions
Resource Organization
- Management groups structure subscriptions by platform, application, and environment tiers
- Resource groups segment workloads by lifecycle and ownership
- Naming and tagging standards support automation and cost tracking
Monitoring & Operations
- Azure Monitor, Log Analytics, and Defender for Cloud provide observability and threat detection
- Backup, recovery, and diagnostics are centralized for consistency
Delegated Operations
- Central IT defines guardrails; app teams operate within scoped boundaries
- Role assignments and policy initiatives enforce operational standards
Governance¶
Governance ensures that your cloud environment operates within defined boundaries, using automated guardrails to enforce compliance, security, and operational standards—without slowing down innovation.
Policy-Driven Guardrails
- Use Azure Policy to enforce standards like naming, tagging, encryption, and approved SKUs
- Apply policies at the management group level for consistent inheritance across subscriptions
Shift-Left Governance
- Embed governance early in the lifecycle—during subscription vending and IaC deployment
- Automate policy assignment and role configuration via Terraform or Bicep
Modular & Scalable
- Design governance frameworks that adapt to new teams, workloads, and compliance needs
- Use policy initiatives and blueprints to bundle controls for specific environments or business units
Transparent Compliance
- Surface posture via dashboards, compliance reports, and automated alerts
- Enable auditability and remediation without manual intervention
Delegated Responsibility
- Central IT defines the rules; app teams operate within scoped autonomy
- Governance ensures consistency while enabling flexibility
Platform Automation & DevOps¶
Landing Zones embrace automation as a first-class citizen—ensuring consistency, scalability, and governance across environments.
Infrastructure as Code (IaC)
- Use Terraform or Bicep modules to provision subscriptions, policies, networking, and shared services
- Enables repeatable, version-controlled deployments with embedded guardrails
DevOps Integration
- CI/CD pipelines automate resource provisioning, policy assignment, and app onboarding
- GitHub Actions, Azure DevOps, or other tools enforce standards and accelerate delivery
Shift-Left Operations
- Governance, security, and compliance embedded early in the deployment lifecycle
- Subscription vending, RBAC, and policy enforcement are automated from day one
Modular & Scalable
- Platform automation supports onboarding of new teams, workloads, and environments with minimal friction
- Central IT defines reusable modules; app teams consume them autonomously
This approach ensures secure-by-default deployments, operational agility, and alignment with enterprise governance—all through code.