BLOGCloud Landing Zones

What is a Cloud Landing Zone?

A Cloud Landing Zone is a well-architected, scalable and secure cloud adaptation

Cloud Landing Zones
Time to read
March 5, 2024

Key Takeaways

ABOUT THIS  POST: In this blog post series we're delving into the essential components of Cloud Landing Zones in both Azure and AWS.

Cloud landing zones are essential for organisations navigating their cloud journey. This pivotal framework, advocated by leading cloud providers such as AWS, Microsoft Azure, and Google Cloud Platform, serves as a cornerstone for achieving optimal cloud adoption.

This blog covers:

  1. What is a Cloud Landing Zone?
  2. What problems does a Landing Zone address?
  3. Who needs a Cloud Landing Zone?
  4. What are the key components?
  5. How to Implement a Cloud Landing Zone?

  • A foundational architecture ensuring secure and compliant cloud adoption, enabling scalability and efficient resource management.
  • Tackles various pillars including reliability, security, performance efficiency, cost optimisation, and operational excellence, ensuring robustness across all fronts.
  • Suited for large enterprises, regulated industries, startups scaling rapidly, and multi-cloud adopters, providing tailored solutions for complex cloud needs.
  • Components like account and resource organisation, identity and access management, network architecture, and logging and monitoring are crucial for designing an effective cloud setup.
  • Organisations can choose between pre-built solutions offered by cloud providers or custom implementations using tools like CloudFormation, Bicep, or Terraform, depending on their specific needs and preferences.
  • Appvia offers expert custom-tailored solutions aligned with the Cloud Adoption Framework in Azure and AWS.

What is a cloud landing zone?

A Cloud Landing Zone is a well-architected, scalable and secure cloud adaptation. It serves as a set of principles and guidelines, leading through a cloud journey, and ensuring optimal and efficient cloud adoption.  It provides a foundational architecture to set up resources, manage identities, enforce security controls, and ensure compliance requirements. In simple terms, it’s like setting up a secure and compliant foundation that will enable you to build on top of and scale appropriately as your organisation grows.

Without a strong foundation in place, companies often find themselves spending precious time and resources redesigning and rearchitecting their initial setups later down the line, due to changing requirements. 

Major Cloud Providers like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) have introduced their own versions of landing zones to help their customers set up well-architected and standardised cloud environments.

  • AWS has its "AWS Landing Zone" solution.
  • Microsoft offers the "Azure Landing Zone."
  • Google Cloud has its "Google Landing Zone."

What problems does a Cloud Landing Zone address?

Landing zones provide a comprehensive set of standards across several pillars:

  • Reliability
  • Security
  • Performance efficiency
  • Cost optimisation 
  • Operational excellence


This is the system's ability to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.

This covers things such as:

  • Multi-region and Multi-AZ deployments
  • Disaster recovery and backups
  • Resource scaling and load balancing
  • Monitoring and Alerts
  • Failover strategies
  • Good documentation


This encompasses a broad range of best practices, configurations, and tools to ensure that cloud resources and data remain protected. It provides the mechanisms to restrict access, encrypt assets, enforce policies to industry standards such as CIS/NIST as well as provide insights into security vulnerabilities. From a high level it covers:

  • Identity and access management
  • Data protection
  • Network security
  • Threat detection and monitoring 
  • Vulnerability monitoring and alerting
  • Workload isolation and policy enforcement

Performance Efficiency

Focuses on ensuring that cloud resources and workloads are optimised to deliver the best performance for the given requirements, without incurring unnecessary costs. It's all about ensuring the right resources are available for the workload at the right time and in the right configuration. While specifics can vary based on the cloud provider and individual organisational needs, some common elements within the Performance Efficiency pillar of a cloud landing zone include:

  • Right-sizing and Elasticity 
  • Storage optimisation 
  • Database and caching optimisation
  • Compute optimisation such as serverless and container-based services
  • Network optimisation such as content delivery networks 
  • Monitoring and metrics to track utilisation

Cost Optimisation

Ensures that an organisation is gaining maximum value from its cloud investments while minimising unnecessary expenses. The aim is to strike a balance between performance and cost, ensuring that you're not overspending for the resources and services you're using. This often includes:

  • Right-sizing resources
  • Elasticity and scalability
  • Budgets and alerts
  • Reserved and committed use to receive high discounts on compute
  • Monitoring for underutilised resources
  • Cost allocation tags to get more detailed information inline with your business taxonomy
  • Cost reporting and dashboards
  • Optimised data transfers and storage costs

Operational Excellence

Is focused on procedures, best practices, ways of working and tools to ensure seamless and efficient operations. The operational excellence pillar is about how your teams work in regard to the cloud and often contains:

  • Infrastructure as code (IaC)
  • Change management
  • Monitoring and Logging 
  • Automation of all Cloud infrastructure
  • Continuous integration and deployment
  • Incident management 
  • Performance dashboards

Who Needs a Cloud Landing Zone?

A Cloud Landing Zone is not industry-specific but suited more to those with more complex needs. The types of organisations that would benefit from one would be:

Large Enterprises: These entities often have complex IT requirements, multiple departments, and a plethora of applications. A landing zone helps in setting a standard for every department to follow, ensuring consistency.

Regulated Industries: Financial, healthcare, or government organisations, for instance, require stringent compliance standards. Landing zones tailored for these industries ensure that these requirements are met from day one.

Startups Scaling Rapidly: For startups experiencing rapid growth, a structured cloud environment is essential. Landing zones provide the flexibility to scale while ensuring security and compliance.

Multi-Cloud Adopters: Companies using more than one cloud service provider can benefit from landing zones to maintain a consistent operational model across multiple clouds.

What are the Key components?

There are several key components which should be considered when designing the perfect cloud setup. Some of these are:

Account and resource organisation

For instance, AWS suggests creating a multi-account setup with several accounts for workloads and separate accounts for shared workloads- such as security or network accounts. Azure suggests separate subscriptions for platform components and different products and environments to also allow for data and application isolation. 

Identity and Access Management

Identity and Access Management (IAM) is a core aspect of cloud security and governance that ensures only authenticated and authorised users can access resources within the cloud environment that they should be able to. 

There are several parts of identity and access management: the identity of users themselves, which should be backed into your identity provider be it Active Directory, Gmail or other identity provider solutions and the management of the roles of those users and the policies that those roles are associated with to provide the right level of permissions to perform specific actions against specific cloud resources. 

It is often broken down into:

  • Authentication
  • Authorisation
  • User management
  • Group management
  • Roles and policies
  • Access control
  • Federated access

Network architecture

There are quite a few things to consider, such as global network segmentation, CIDR allocation and how the organisation would like their network to be shared. 

Initial security and compliance baseline. It is essential to consider the nature of policies that the organisation might require, including but not limited to: encryption, network security, access security and other rules which would apply on an organisational level. 

Logging, account monitoring and auditing 

With the best guidelines, organisations are able to analyse the best logging strategy, allowing for the essential analysis of logs and activities. 

These are just some of the main components of Cloud Landing Zones, however, there are more, depending on organisational needs, all designed to help you consider crucial design elements to get the most out of your cloud setup.


How to Implement a Cloud Landing Zone?

Once satisfied with the approaches to setting up a Cloud Landing Zone, the next step is to consider organisationally appropriate implementation.

There are two ways of implementing Cloud Landing Zones either by using pre-packaged solutions, offered by cloud providers, or, opting for a more flexible, custom implementation. 

Pre-built solutions

Ready-to-use solutions provided by cloud providers, such as Azure Landing Zone CAFAWS Landing Zone Accelerator or AWS Control Tower

Custom solutions

Custom implementation of landing zones, depending on your needs can be done via additional tools such as CloudFormation, Bicep or Terraform. What an organisation decides to adopt in terms of cloud management tools can differ from company to company. However, the most widely used tools will provide the most reusable assets for you to consume and learn from via the community that underpins them.


A Cloud Landing Zone is fundamental in the efficient and secure adoption of cloud. It provides a structured framework that guides organisations through their cloud journey, emphasising the importance of strong initial setups to avoid future redesigns due to changing requirements and industry standards. Key elements to consider in a Cloud Landing Zone include account and resource organisation, access management, network architecture, security and compliance baselines, and logging and monitoring. While there are standard components, the specific needs can vary based on the organisation.

Related Posts

Related Resources