What is an Azure Landing Zone?
An Azure Landing Zone is a pre-configured, secure, and scalable environment that follows Microsoft's Cloud Adoption Framework best practices. Think of it as the foundation of a house: get it right, and everything built on top is solid.
The 5 Pillars of Azure Landing Zones
1. Management Group Hierarchy
- Design management group structure
- Avoid going deeper than 4 levels
- Plan for future growth
- Document naming conventions
2. Identity & Access
- Configure Azure AD tenant
- Set up Privileged Identity Management (PIM)
- Define RBAC roles (Owner, Contributor, Reader)
- Implement break-glass emergency accounts
- Enable MFA for all users
3. Network Topology
- Choose Hub-Spoke or Virtual WAN
- Design IP address scheme (non-overlapping)
- Plan for hybrid connectivity (ExpressRoute/VPN)
- Configure Azure Firewall or NVA
- Set up Private DNS zones
4. Security & Governance
- Enable Microsoft Defender for Cloud
- Configure Azure Policy for guardrails
- Set up Azure Monitor and Log Analytics
- Implement Key Vault for secrets
5. Cost Management
- Set up Cost Management + Billing
- Define tagging strategy
- Create budgets and alerts
30-Day Implementation Roadmap
| Week | Focus | Tasks |
|---|---|---|
| Week 1 | Foundation | Management groups, naming, identity setup |
| Week 2 | Network | IP planning, hub VNet, connectivity |
| Week 3 | Security | Policies, Defender, monitoring |
| Week 4 | Operationalize | First workload, documentation, training |
Hub-Spoke Network Design
Essential Azure Policies (Day 1)
- Require tags on resources (CostCenter, Environment, Owner)
- Allowed locations (EU regions only for GDPR)
- Allowed VM SKUs (prevent expensive instances)
- Require HTTPS for storage accounts
- Deny public IP on VMs
- Require network security groups
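As an added example (not code from the original page), here is the first Day 1 guardrail above expressed as Bicep policy-as-code at management-group scope: a custom definition that denies any indexed resource missing the CostCenter, Environment or Owner tag, together with its assignment. The policy and assignment names are assumptions.

```bicep
// Deployed at management-group scope so the guardrail inherits down to every subscription.
targetScope = 'managementGroup'

// Tag names taken from the "Essential Azure Policies" list on this page.
param requiredTags array = ['CostCenter', 'Environment', 'Owner']

// One "tag is absent" condition per required tag; anyOf below means a single missing tag triggers the effect.
var missingTagConditions = [for tag in requiredTags: {
  field: 'tags[\'${tag}\']'
  exists: 'false'
}]

resource requireTagsDef 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-mandatory-tags' // assumed name
  properties: {
    displayName: 'Require CostCenter, Environment and Owner tags on resources'
    policyType: 'Custom'
    // 'Indexed' evaluates only resource types that support tags and location,
    // so the rule does not fire on resources that cannot carry tags.
    mode: 'Indexed'
    policyRule: {
      if: {
        anyOf: missingTagConditions
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

resource requireTagsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-mandatory-tags' // assumed name
  properties: {
    displayName: 'Require mandatory tags (deny)'
    policyDefinitionId: requireTagsDef.id
    // Start with 'DoNotEnforce' to see what would be blocked, then switch to 'Default'.
    enforcementMode: 'Default'
  }
}
```

Deploy it with `az deployment mg create --management-group-id <your-mg-id> --location <region> --template-file require-tags.bicep` (placeholders to be filled in); existing resources are reported as non-compliant, and only new deployments are denied.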
Common Mistakes to Avoid
Don't Do This
- Deploy workloads before landing zone is ready
- Use overlapping IP address ranges
- Skip tagging strategy
- One subscription for everything
- Manual deployments without IaC
Do This Instead
- Build foundation first, then workloads
- Plan IP addresses for 5+ years
- Enforce tags via policy from day 1
- Subscription per workload/environment
- Use Bicep/Terraform for everything
Bicep Quick Start
Hub VNet Example
```bicep
// Region for the hub VNet; defaults to the region of the resource group being deployed to.
param location string = resourceGroup().location

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'hub-vnet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: ['10.0.0.0/16']
    }
    subnets: [
      {
        // Name is fixed by Azure; Azure Firewall requires at least a /26.
        name: 'AzureFirewallSubnet'
        properties: { addressPrefix: '10.0.1.0/26' }
      }
      {
        // Name is fixed by Azure; reserved for the VPN/ExpressRoute gateway.
        name: 'GatewaySubnet'
        properties: { addressPrefix: '10.0.2.0/26' }
      }
    ]
  }
}
```