When I first started working with Microsoft Azure’s landing zones, I was interested in what they could offer. Some of the questions I was looking to answer included -
What do we actually get when we deploy a landing zone?
What does a typical landing zone look like?
How does this impact any existing Azure subscriptions and resources?
I’ll attempt to cover these as part of this article by diving into a hands-on scenario.
There are plenty of great posts elsewhere that explain landing zones in more depth (links at the bottom of this page). So I’ll keep this overview relatively brief to provide just enough of a primer.
One of the challenges with adopting Azure is knowing where to start. This is where landing zones come in.
Landing zones are tightly coupled to Microsoft’s Cloud Adoption Framework, which helps organisations make the proper governance, strategy and security decisions when migrating to Azure.
Essentially, the landing zone itself is a (mostly) empty Azure subscription into which we subsequently deploy our application workloads. But, as we’ll see, it's not just about an application subscription. A landing zone deployment can also include foundational Azure services such as management groups and subscriptions, hybrid network connectivity, logging, and security policies.
When deploying landing zones, there are two adoption paths -
Start small and expand
Enterprise-scale
The first path provides a flexible approach and provides minimal controls. The second, enterprise-scale, puts in place the governance and security controls from the beginning. Regardless of which one is chosen, the adoption plan is iterative, expanding and refining as a customer deploys more workloads to Azure.
Okay, onto the scenario!
Scenario
In our scenario, we have an imaginary organisation, Widgets Inc., looking to leverage Azure for the first time. Initially, they have two applications that they wish to migrate to Azure -
an Internet-facing eCommerce website
a Corporate-facing, custom-built invoicing solution
Widgets Inc. has to adhere to strict regulatory and compliance requirements such as PCI-DSS. Therefore, the enterprise-scale architecture will be chosen as the starting point as it provides many of the required security controls from the start.
Based on our expected target architecture, Microsoft’s Enterprise-Scale hub and spoke reference architecture align closely with our requirements. We’ll use this as the basis for our landing zones deployment and customize it as we go.
Once deployed, we can expect to have the following topology -
Each of the four Azure subscriptions above has a specific purpose -
Connectivity subscription — provides “hub” network capabilities and connectivity to Widget’s on-premise corporate network
Management subscription — centralised monitoring and logging services
Corporate landing zone subscription — on-premise facing application
Internet landing zone subscription — Internet-facing application
Prerequisites
There are a couple of prerequisites we need to address before we can deploy our landing zone topology.
Permissions
First, we need to ensure that the user account deploying the Landing Zone ARM template has Owner privileges on the root tenant management group, i.e. -
Subscriptions
The reference ARM template doesn’t actually create the subscriptions. Instead, it takes existing subscriptions and moves them into the appropriate management groups.
For this walkthrough, I’ve pre-created the required subscriptions and placed them under the default root management group -
There’s documentation here that describes how to create subscriptions programmatically. Depending on your desired approach, it’s possible to customize the reference ARM template and create the subscriptions as part of the landing zone deployment.
Deployment
Okay, now we have the prerequisites in place, let’s start the deployment. This is as simple as clicking Deploy to Azure from the Github page -
This automatically launches the Azure Portal and custom template wizard. Walking through each of the steps in turn.
1. Select the region, i.e. East US 2 -
2. Enter the Management Group prefix, i.e. widgets -
3. In this next step, we assign the management subscription. Conveniently, ours is also called “management”! I’ve also accepted all of the default options to enable all of the various Log Analytics, Monitor and Security Center solutions -
4. In the next step, we can opt to implement a CI/CD pipeline. For simplicity, I won’t deploy this as part of this walkthrough -
5. Within the Connectivity step we -
select our Connectivity subscription
Choose the address space for the virtual hub VNET
Select whether we wish to deploy VPN/ER gateways and Azure Firewall
6. On the Identity step, I’ve disabled the identity subscription. But typically, you would enable this if you needed to deploy Active Directory domain controllers or Azure AD Domain Services -
7. We now configure our actual landing zone subscriptions. I’ve allocated the Corp LZ subscription as a corp landing zone type. I’ve also allocated the Internet LZ subscription as an online landing zone type.
We’re just adding two landing zone subscriptions, but the wizard is flexible enough to add additional subscriptions if we need to.
It’s also at this stage where we can enable several different security policies. I’ve set them all to Yes -
8. On the Review and Create step, we make sure the deployment validates and then hit create! —
The configuration options you’ve selected will determine how long the deployment takes. In our example, it took a reasonably swift 20 minutes to fully deploy — much of that time was spent deploying the VPN gateway.
What Services have been deployed?
Now that the deployment has finished, let’s go and dig around to confirm what’s been deployed.
Management groups
The new management group structure has been created, and our pre-existing subscriptions have been reassigned -
RBAC role permissions have also been assigned to the various management groups.
Resource Groups
In the Management subscription, there is a new widgets-mgmt resource group that contains the centralized logging and monitoring resources -
In the Connectivity subscription, there is a new widgets-connectivity resource group that contains the hub network resources -
In the CorpLZ landing zone subscription, there is a new corp-rg-vnet resource group that contains a single VNET.
This VNET is peered back to the hub VNET and provides connectivity through the deployed Azure Firewall and VPN Gateway to the on-premise corporate network -
The Internet LZ subscription is currently empty as it doesn’t require connectivity to an on-premise network.
Policies
Custom policies and initiatives have been deployed against management groups and individual subscriptions -
The reference architecture has a complete list of services and configuration changes that you can expect to see.
What’s Next?
So, that’s it; the landing zone subscriptions are ready to accept our application workloads!
We now have the basic scaffolding in place, which includes -
Connectivity subscription with a hub network, Azure Firewall and VPN Gateway
Management subscription with logging and monitoring resources
Azure Policies and RBAC configured
Azure Sentinel and Security Center enabled
Corporate landing zone subscription
Internet landing zone subscription
In this walkthrough, we’ve deployed manually via an ARM template. Realistically for enterprise deployments, you will want to do this via a CI/CD pipeline such as GitHub actions or Azure Pipelines (see the AzOps Accelerator). Terraform is also a viable option for deploying landing zones.
We also pre-created the subscriptions. You may wish to automate this as part of the Landing Zone configuration. This could be completed by customizing the example ARM templates to include the subscription creation.
It’s at this point I’d recommend circling back on the Cloud Adoption Framework and reviewing its guidance. Have we got all of the initial components we require? Are the right policies configured etc.? Once we’re confident that we’re in a good place, we can then plan for deploying our applications.
I hope you found this walkthrough helpful! What’s been your experience with deploying landing zones?
Useful Links
Microsoft Cloud Adoption Framework home page
Reference Enterprise-Scale architectures
Permissions required for ARM landing zone deployments
Landing Zone overviews -
John Savill’s Youtube video
Jake Walsh’s Why you need an Azure Landing Zone post
Intercept’s What is an Azure Landing Zone post