What is an Azure Landing Zone?
An Azure Landing Zone is a pre-configured, secure, and scalable environment that follows Microsoft's Cloud Adoption Framework best practices. Think of it as the foundation of a house – get it right, and everything built on top is solid.
🏗️ The 5 Pillars of Azure Landing Zones
1. 🏢 Management Group Hierarchy
- Design management group structure
- Avoid going deeper than 4 levels
- Plan for future growth
- Document naming conventions
2. 🔐 Identity & Access
- Configure Azure AD tenant
- Set up Privileged Identity Management (PIM)
- Define RBAC roles (Owner, Contributor, Reader)
- Implement break-glass emergency accounts
- Enable MFA for all users
3. 🌐 Network Topology
- Choose Hub-Spoke or Virtual WAN
- Design IP address scheme (non-overlapping)
- Plan for hybrid connectivity (ExpressRoute/VPN)
- Configure Azure Firewall or NVA
- Set up Private DNS zones
4. 🛡️ Security & Governance
- Enable Microsoft Defender for Cloud
- Configure Azure Policy for guardrails
- Set up Azure Monitor and Log Analytics
- Implement Key Vault for secrets
5. 💰 Cost Management
- Set up Cost Management + Billing
- Define tagging strategy
- Create budgets and alerts
📅 30-Day Implementation Roadmap
| Week | Focus | Tasks |
|---|---|---|
| Week 1 | Foundation | Management groups, naming, identity setup |
| Week 2 | Network | IP planning, hub VNet, connectivity |
| Week 3 | Security | Policies, Defender, monitoring |
| Week 4 | Operationalize | First workload, documentation, training |
🌐 Hub-Spoke Network Design
📋 Essential Azure Policies (Day 1)
- ✅ Require tags on resources (CostCenter, Environment, Owner)
- ✅ Allowed locations (EU regions only for GDPR)
- ✅ Allowed VM SKUs (prevent expensive instances)
- ✅ Require HTTPS for storage accounts
- ✅ Deny public IP on VMs
- ✅ Require network security groups
⚠️ Common Mistakes to Avoid
❌ Don't Do This
- Deploy workloads before landing zone is ready
- Use overlapping IP address ranges
- Skip tagging strategy
- One subscription for everything
- Manual deployments without IaC
✅ Do This Instead
- Build foundation first, then workloads
- Plan IP addresses for 5+ years
- Enforce tags via policy from day 1
- Subscription per workload/environment
- Use Bicep/Terraform for everything
💻 Bicep Quick Start
Hub VNet Example
```bicep
// Resource-group scope: deploy into the connectivity subscription that owns the hub.
param location string = resourceGroup().location

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'hub-vnet'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: ['10.0.0.0/16']
    }
    subnets: [
      {
        // Name is fixed by Azure; Azure Firewall requires at least a /26
        name: 'AzureFirewallSubnet'
        properties: { addressPrefix: '10.0.1.0/26' }
      }
      {
        // Name is fixed by Azure; hosts the VPN / ExpressRoute gateway
        name: 'GatewaySubnet'
        properties: { addressPrefix: '10.0.2.0/26' }
      }
    ]
  }
}
```
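The "Require HTTPS for storage accounts" guardrail from the Day 1 policy list, written out as a custom Azure Policy in Bicep so the structure of a management-group guardrail is visible next to the hub VNet above. This is an added example, not code from the original article; Azure also ships a built-in definition for the same check. The management group ID, the `lz-` names and the Audit-first default are assumptions.

```bicep
// Deploy at the landing-zone management group so every subscription beneath it inherits the guardrail:
//   az deployment mg create --management-group-id <your-mg-id> --location westeurope --template-file guardrail.bicep
targetScope = 'managementGroup'

@allowed(['Audit', 'Deny'])
@description('Roll out as Audit first to see what would be blocked, then switch to Deny.')
param effect string = 'Audit'

// The definition is reusable: the effect is a policy parameter chosen per assignment.
resource requireHttpsStorage 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'lz-require-https-storage'   // assumed name
  properties: {
    displayName: 'Storage accounts must require HTTPS (secure transfer)'
    policyType: 'Custom'
    mode: 'Indexed'   // evaluate resource types that support tags and location
    parameters: {
      effect: {
        type: 'String'
        allowedValues: ['Audit', 'Deny']
        defaultValue: 'Deny'
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          // supportsHttpsTrafficOnly is the "Secure transfer required" setting; anything but true is non-compliant
          { field: 'Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly', notEquals: 'true' }
        ]
      }
      // Bicep escapes the leading '[' so Azure Policy, not ARM, evaluates this expression
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}

// Assign at the same management group; subscriptions and resource groups below inherit it.
resource assignHttps 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'lz-require-https-storage'   // assumed name, must be unique within the scope
  properties: {
    displayName: 'LZ: storage accounts must require HTTPS'
    policyDefinitionId: requireHttpsStorage.id
    parameters: { effect: { value: effect } }
    enforcementMode: 'Default'   // 'DoNotEnforce' reports compliance without blocking deployments
  }
}
```

Compliance results for existing storage accounts appear under Policy > Compliance after the first evaluation cycle; with `effect` set to Deny, a new storage account created without secure transfer is rejected at deployment time.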