
Cloud Landing Zones in Azure: Building a Solid Foundation for Cloud Adoption

Uncover how Azure Landing Zones establish a secure, scalable foundation for deploying workloads in Microsoft Azure, enhancing your enterprise's cloud adoption journey with standardisation, efficiency, and confidence

Category: Cloud Landing Zones
Published: March 5, 2024

ABOUT THIS POST: In this blog post series, we're delving into the essential components of Cloud Landing Zones in both Azure and AWS.

As organisations increasingly embrace the cloud, establishing a robust and standardised environment becomes crucial. Azure Landing Zones provide a structured approach to creating a foundation for deploying workloads in Microsoft Azure.

In this blog, we’ll explore what Azure Landing Zones are, their significance, and how they empower enterprises to achieve their cloud adoption goals with confidence.

KEY TAKEAWAYS
  • Azure Landing Zones offer a structured approach for deploying workloads in Microsoft Azure, ensuring scalability and security.
  • They adhere to essential principles across eight key design areas, including billing, identity management, resource organisation, network design, security, management, governance, and automation.
  • Benefits of adopting Azure Landing Zones include standardisation, confidence in cloud adoption, operational efficiency, and enhanced security and compliance.
  • Microsoft provides comprehensive documentation and guidance on each design area, aiding organisations in implementing and evolving Azure Landing Zones.
  • Implementing Azure Landing Zones can be done through three main approaches: do it yourself, pre-built solutions, or bringing in an expert like Appvia for tailored solutions aligned with the Cloud Adoption Framework.

What Are Azure Landing Zones?

To recap what we covered in our previous blog <link to blog>, a landing zone is a well-architected environment that is highly scalable and secure. A landing zone allows you to accelerate moving workloads to the cloud whilst maintaining control and ensuring appropriate guardrails are in place. It is your cloud foundation, designed according to a set of best practices and guidelines, with a focus on key elements such as account and resource organisation, access management, network architecture, security and compliance, and logging/monitoring/auditing.

Azure Landing Zones adhere to these essential principles, including scalability, modularity, and security. These principles span eight key areas:

  • Azure Billing and Microsoft Entra Tenant: Managing costs and subscriptions.
  • Identity and Access Management: Ensuring secure access.
  • Resource Organisation: Structuring subscriptions for efficiency.
  • Network Topology and Connectivity: Designing robust networking.
  • Security: Enforcing controls and compliance.
  • Management: Streamlining operations.
  • Governance: Defining policies.
  • Platform Automation and DevOps: Accelerating deployment.

Each key design area provides you with a set of guidelines and questions to consider when designing your own Landing Zone.

Why Azure Landing Zones Matter

Whilst Azure makes it very easy to get started in the cloud, things can quickly get out of hand: costs spiral, resources are deployed insecurely, and adoption becomes difficult to scale and support.

Adopting Azure Landing Zones brings the following benefits to your organisation:

  • Standardisation: Azure Landing Zones establish a standardised approach. By following best practices, organisations reduce operational complexities and ensure consistency. 
  • Confidence in Cloud Adoption: With a well-defined landing zone, organisations gain confidence. They can migrate, modernise, and innovate while adhering to industry standards. 
  • Operational Efficiency: Consolidating shared services in platform landing zones improves efficiency. Centralised management streamlines tasks like identity management and governance. 
  • Security and Compliance: Azure Landing Zones enforce security controls. Organisations apply consistent measures across their environment. 

What does it look like in practice?

The following diagram from Microsoft shows an opinionated target architecture for an Azure landing zone, which can be used as a starting point to tailor to your organisation’s needs:

There’s a lot going on in this diagram, so let’s break it down into the individual areas:

  1. Enterprise enrolment represents the commercial relationship between your organisation and Microsoft, and how your organisation uses Azure. It provides the billing foundation for your subscriptions and determines how your digital estate is administered.
  2. Identity and access management relates to the controls and processes used to ensure access is secure and compliant.
  3. Management group and subscription organisation shows the suggested hierarchy of management groups and subscriptions. More on this later…
  4. Management subscription contains shared services for management, for example dashboards, Automation Accounts and Log Analytics workspaces.
  5. Connectivity subscription contains shared services for connectivity, e.g. on-premises connectivity, network virtual appliances, inter-region routing, and hybrid DNS.
  6. Landing zone A2 subscription is an example of an application landing zone and shows the representative resources and policies applied to it.
  7. Azure Compute Galleries offer a way to organise and distribute your images and apps across your landing zones. Standardising your VM images and apps gives you a secure baseline that is tested and consistent. It also opens the door to immutable infrastructure.

Tell me more about the Design Areas

Microsoft has developed a very comprehensive library of documentation to explain each of the design areas in detail. Rather than repeat what’s already been written, I’ll give a summary of each of the areas.

Azure billing and Microsoft Entra tenants: This design area focuses on setting up proper enrolment and billing for your organisation’s Azure environment. It’s important to create a Microsoft Entra tenant (previously Azure Active Directory) to manage access to your organisation’s resources. Whilst it’s possible to create multiple tenants, the advice is to use a single tenant across your organisation to avoid unnecessary friction and confusion for your users. This relates to item A in the conceptual diagram.

Identity and access management: This design area is concerned with managing identities and access to resources in the cloud. It’s important to establish a secure identity foundation to ensure that only authorised users have access to your organisation’s resources. Identity and access management lets the right individuals access the right resources at the right time for the right reasons. Azure offers a comprehensive set of services, tools, and reference architectures to help organisations make highly secure, operationally efficient environments. This relates to item B in the conceptual diagram above.

Resource organisation: This design area is focused on organising your subscriptions and management groups to ensure that your cloud environment is scalable and manageable. It’s important to establish a clear hierarchy of management groups and subscriptions to ensure that your governance and compliance policies are enforced. This allows you to put the appropriate Policy-driven guardrails in place at the right levels to ensure that your subscriptions are manageable. This relates to item C in the conceptual diagram above.

Microsoft recommends keeping the hierarchy reasonably flat, ideally with no more than three to four levels. The top level of the hierarchy separates subscriptions into:

  • Platform: Supports common platform policies and Azure role assignments across Identity, Management and Connectivity subscriptions.
  • Landing Zones: Holds subscriptions for application workloads.
  • Decommission: A holding place for subscriptions that are being retired.
  • Sandbox: An area for short-lived subscriptions to experiment with.

Network topology and connectivity: This area is concerned with designing the network topology and connectivity for your cloud environment. The goal of network design is to align your cloud network design with overall cloud adoption plans, whether these include hybrid or multicloud dependencies or other connectivity. This relates to item E in the conceptual diagram.

Security: This design area creates a foundation for security across your Azure, hybrid, and multicloud environments. Security is a core consideration for all customers, in every environment. When designing and implementing an Azure landing zone, security should be a consideration throughout the process. This relates to item F in the conceptual diagram.

Management: This design area is focused on establishing a management baseline to provide visibility, operations compliance, and protection and recovery capabilities across Azure, hybrid, or multicloud environments. It’s important to establish a monitoring and management framework to ensure that your cloud environment is stable and secure. This relates to items D, G and H in the conceptual diagram.

Governance: This design area is focused on establishing a secure and compliant cloud environment. It’s important to establish a security and governance framework to ensure that your organisation’s resources are secure and compliant with industry standards and regulations. This relates to items C and D in the conceptual diagram.

Platform automation and DevOps: This design area is concerned with automating the deployment and management of your cloud environment. It’s important to establish a DevOps culture to ensure that your organisation can quickly and efficiently deploy new resources and applications. This relates to item I in the conceptual diagram.

Challenges with Landing Zones

Here are some common challenges that organisations face when implementing Azure Landing Zones:

  1. Lack of consistency in resource naming, scaling, and role-based access control: This can lead to confusion and errors when managing resources.
  2. Spending more time on deploying and managing resources: This can be due to the complexity of the deployment process and the need to manage multiple environments.
  3. Non-compliance: Regulatory compliance is a critical concern for many organisations. Ensuring that Azure Landing Zones are compliant with regulatory requirements can be a challenge.
  4. Keeping Azure Landing Zones up-to-date: Maintaining Azure Landing Zones can be complex, depending on how they are deployed.
  5. Choosing the right solution: In our experience, solutions that are a great way to quickly see a proof of concept, e.g. the Azure portal-based Azure landing zone accelerator, tend to end up causing trouble due to things like configuration drift. 

We would always recommend using the Microsoft Infrastructure as Code (IaC) accelerators, e.g. Terraform, to give your organisation the best chance of success. Additionally, Microsoft provides lots of guidance on how to tailor the Azure landing zone architecture to meet specific requirements.
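To make the Resource organisation and Governance sections above concrete, here is an added Terraform example (not code from Microsoft’s accelerator or from Appvia) that builds the recommended flat hierarchy and places one policy guardrail at the level where it is inherited by everything beneath. It assumes the `azurerm` provider, an intermediate root management group named from a placeholder `root_id` variable, a placeholder management subscription ID, and constructed example regions for the built-in "Allowed locations" policy; the identity running Terraform needs rights to create management groups and assign policy at the tenant root.

```hcl
provider "azurerm" {
  features {}
}

# Assumed inputs, not taken from the original post: a short organisation
# prefix for the intermediate root group and one subscription to attach.
variable "root_id" {
  type    = string
  default = "contoso" # placeholder organisation prefix
}

variable "management_subscription_id" {
  type    = string
  default = "00000000-0000-0000-0000-000000000000" # placeholder, replace with a real subscription ID
}

data "azurerm_client_config" "current" {}

# The tenant root group is named after the tenant ID. An intermediate root
# beneath it keeps organisation-specific policy and RBAC off the tenant root.
resource "azurerm_management_group" "root" {
  name                       = var.root_id
  display_name               = var.root_id
  parent_management_group_id = "/providers/Microsoft.Management/managementGroups/${data.azurerm_client_config.current.tenant_id}"
}

# Second level: the four groups listed under Resource organisation.
resource "azurerm_management_group" "platform" {
  name                       = "${var.root_id}-platform"
  display_name               = "Platform"
  parent_management_group_id = azurerm_management_group.root.id
}

resource "azurerm_management_group" "landing_zones" {
  name                       = "${var.root_id}-landingzones"
  display_name               = "Landing Zones"
  parent_management_group_id = azurerm_management_group.root.id
}

resource "azurerm_management_group" "decommissioned" {
  name                       = "${var.root_id}-decommissioned"
  display_name               = "Decommissioned"
  parent_management_group_id = azurerm_management_group.root.id
}

resource "azurerm_management_group" "sandbox" {
  name                       = "${var.root_id}-sandbox"
  display_name               = "Sandbox"
  parent_management_group_id = azurerm_management_group.root.id
}

# Third level: Platform splits into Identity, Management and Connectivity.
# A subscription is attached to the group whose policies it should inherit.
resource "azurerm_management_group" "identity" {
  name                       = "${var.root_id}-identity"
  display_name               = "Identity"
  parent_management_group_id = azurerm_management_group.platform.id
}

resource "azurerm_management_group" "management" {
  name                       = "${var.root_id}-management"
  display_name               = "Management"
  parent_management_group_id = azurerm_management_group.platform.id
  subscription_ids           = [var.management_subscription_id]
}

resource "azurerm_management_group" "connectivity" {
  name                       = "${var.root_id}-connectivity"
  display_name               = "Connectivity"
  parent_management_group_id = azurerm_management_group.platform.id
}

# Guardrail at the right level: look up the built-in "Allowed locations"
# definition and assign it once at the intermediate root, so every management
# group and subscription beneath inherits it without per-subscription work.
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations" # assignment names at this scope are limited to 24 characters
  display_name         = "Restrict deployments to approved regions"
  management_group_id  = azurerm_management_group.root.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  parameters = jsonencode({
    listOfAllowedLocations = { value = ["uksouth", "ukwest"] } # constructed example regions
  })
}
```

The tree is three levels deep below the tenant root (intermediate root, Platform, Identity/Management/Connectivity), inside the three-to-four-level recommendation. Because the policy assignment sits on the intermediate root, a subscription later moved into Sandbox or Landing Zones picks up the region restriction automatically, and a `terraform plan` run in CI will surface any hierarchy or policy change made by hand in the portal as drift to be reviewed.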

Implementing your Landing Zone

When it comes to setting up Azure Landing Zones, there are three main approaches:

Do It Yourself: Tailor the architecture to your specific needs. Design your landing zones from scratch, considering your organisation’s unique requirements. 

Pre-Built Solutions: Microsoft offers various Azure Landing Zone Accelerators. It’s like having an expert architect guide you. The accelerators provide opinionated target architectures, templates, and scripts. You can start with these and then customise as needed.

Bring in an expert: At Appvia we’ve helped many organisations implement Cloud Landing Zones. Our solutions are built on Microsoft’s Cloud Adoption Framework, the Azure Landing Zone Accelerator and our experience helping organisations like yours. We work with your organisation to understand your requirements and implement the right solution to accelerate your journey to the Cloud.

Next Steps

  • Explore the Azure Landing Zone Accelerator: Kickstart your journey with pre-built guidance.
  • Evolve with Your Business: Remember, landing zones aren’t static. They evolve as your cloud strategy matures.
  • Speak to Appvia about our Cloud Landing Zones: We can help you build a Cloud Landing Zone that is right for your organisation.
