I've seen and helped many customers accelerate their cloud adoption journeys, from their first steps into Azure all the way to re-envisioning an existing, well-established cloud footprint. The one thing every customer has in common, from mom-and-pop shops to global enterprises, is a Landing Zone.

In this article, we'll explore what landing zones are, the different types of landing zones available, and some best practices and common pitfalls I've learned over the years while designing and deploying landing zones for customers.

So, what is an Azure Landing Zone? The purpose of a Landing Zone is to support new and existing workloads in Azure in a way that scales as the company grows. A common concern customers have is that they will architect themselves into a corner and then have to rebuild their Azure environment after only a few months or years. A Landing Zone addresses this concern by making sure the supporting platform can scale over time and continue to support workloads and business objectives.

Microsoft publishes an entire site on learn.microsoft.com that goes into excruciating detail explaining Landing Zones and their role within the Cloud Adoption Framework, but at a high level, it boils down to:

  • Policy: Guardrails to enforce standards and security.
  • Role-Based Access Control (RBAC): Ensures the right people have the right access.
  • Hierarchy: Organizes resources for scalability and governance.

If you can implement a solid hierarchy, with proper least-privilege roles defined and assigned, and policy that creates guardrails for the environment, you're in pretty good shape to support the next step of your cloud journey.

Now, what a Landing Zone isn't. Landing Zones are a deployment strategy; they do not contain your specific workloads. The only virtual machines Microsoft recommends as part of the landing zone are domain controllers and network virtual appliances. The concept to grasp here is that the Landing Zone is the house and your workloads are the furniture. You can move furniture around (lift and shift), replace it (modernize), or redesign the room (re-architect), but the house stays the same.

There are several different spins on landing zones. They can be tailored to specific workloads, like the AI Landing Zone or the Azure Virtual Desktop Landing Zone. They can also be sized to the business: an Enterprise-Scale deployment for large organizations, or smaller, more modular deployments for smaller businesses. One thing that stays consistent is the split between Platform Landing Zones and Application Landing Zones.

The Platform Landing Zone consists of the core infrastructure, the foundation of your house if you will: Connectivity, Management, Security and Identity. This is where shared services live, things like domain controllers (Identity), firewalls (Connectivity) and tooling servers (Management).

The Application Landing Zone consists of subscriptions hosting customer-specific services: app servers, web servers, databases, container instances, Databricks, any Azure service you use to host your applications. Typically, a subscription is dedicated to a specific workload. This keeps environment permissions simpler, and if you're concerned about divestitures, it's pretty slick: you can transfer the whole subscription to the new owner, and they can hook it up to their own hub network. In my house analogy, the application landing zone subscriptions are the walls of a room, and the services are the furniture. Subscriptions here are grouped into one of two management groups, Corp and Online. While the names aren't super obvious, Corp is for internal applications with no internet-facing ingress, and Online is for applications that accept traffic from the internet.
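To make the hierarchy concrete, here is an added example of a tenant-scope Bicep template that builds the management group tree described above: an intermediate root, a Platform branch with Connectivity, Management and Identity, and a Landing Zones branch with Corp and Online. This is illustrative code written for this article, not Microsoft's published reference implementation; the `contoso` prefix and the display names are placeholders you would replace with your own.

```bicep
// Added example: tenant-scope Bicep that creates the management group hierarchy
// described in the article. Names (contoso, display names) are placeholders.
targetScope = 'tenant'

@description('Prefix for every management group name; assumed value, replace with your own.')
param prefix string = 'contoso'

// Intermediate root: keeps policy and RBAC assignments off the tenant root group,
// so the rest of the tenant is unaffected by landing zone guardrails.
resource root 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: prefix
  properties: {
    displayName: 'Contoso'
  }
}

// Platform landing zone: the shared services (the foundation of the house).
resource platform 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: '${prefix}-platform'
  properties: {
    displayName: 'Platform'
    details: {
      parent: {
        id: root.id
      }
    }
  }
}

var platformChildren = [
  'connectivity' // firewalls, hub networks, network virtual appliances
  'management'   // tooling servers, monitoring
  'identity'     // domain controllers
]

resource platformMgs 'Microsoft.Management/managementGroups@2021-04-01' = [for child in platformChildren: {
  name: '${prefix}-platform-${child}'
  properties: {
    displayName: child
    details: {
      parent: {
        id: platform.id
      }
    }
  }
}]

// Application landing zones: each workload subscription lands under Corp or Online.
resource landingZones 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: '${prefix}-landingzones'
  properties: {
    displayName: 'Landing Zones'
    details: {
      parent: {
        id: root.id
      }
    }
  }
}

// Corp: internal applications, no internet-facing ingress.
resource corp 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: '${prefix}-landingzones-corp'
  properties: {
    displayName: 'Corp'
    details: {
      parent: {
        id: landingZones.id
      }
    }
  }
}

// Online: applications that accept traffic from the internet.
resource online 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: '${prefix}-landingzones-online'
  properties: {
    displayName: 'Online'
    details: {
      parent: {
        id: landingZones.id
      }
    }
  }
}
```

Deploy it with `az deployment tenant create --location eastus --template-file landing-zone-hierarchy.bicep`; the deploying identity needs a role assignment at the tenant root scope (`/`) to create management groups. Workload subscriptions are then placed under Corp or Online with `az account management-group subscription add --name contoso-landingzones-corp --subscription <subscription-id>`, and because policy and RBAC inherit down the tree, anything assigned at Corp applies to every subscription moved beneath it. Separating Corp from Online at the management group level is what lets you give the two branches different guardrails later without touching individual subscriptions.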

Where do most people falter? Neglecting proper governance is by far the most common pitfall I come across. The Landing Zone policies exist to keep deployments in line with best practices, ensuring the platform maintains proper security. Role-Based Access Control exists to ensure people have the correct permissions to resources, and combined with Privileged Identity Management it makes for a secure and seamless administration experience. As the saying goes, the best time to plant a tree was 20 years ago; the next best time is now. Likewise, the best time to tag resources is when they get created, ideally enforced through Infrastructure as Code or policy.
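The three governance pieces in that paragraph (policy guardrails, RBAC, and tagging at creation time) can all be expressed as a single management-group-scope deployment. The following is an added example, not code from the article or from Microsoft's reference implementation, targeting the Corp management group: a custom policy that denies any resource created without a `CostCenter` tag, a second policy that denies public IP addresses because Corp has no internet-facing ingress, and a read-only role assignment for an Entra ID group. The tag name, the `readerGroupObjectId` parameter and the policy names are assumptions chosen for the example.

```bicep
// Added example: management-group-scope Bicep that assigns two guardrails and one
// role to the Corp management group. Tag name, principal parameter and policy
// names are assumptions for illustration.
targetScope = 'managementGroup'

@description('Tag every resource must carry; assumed name.')
param requiredTag string = 'CostCenter'

@description('Object ID of the Entra ID group that gets read access; supplied at deploy time.')
param readerGroupObjectId string

// Guardrail 1: deny any resource created without the required tag.
// Evaluating at creation time is what makes "tag it when it is created" enforceable
// rather than something an audit report catches months later.
resource requireTag 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-tag-${toLower(requiredTag)}'
  properties: {
    displayName: 'Require ${requiredTag} tag on resources'
    policyType: 'Custom'
    mode: 'Indexed' // only resource types that support tags and location
    policyRule: {
      if: {
        field: 'tags[\'${requiredTag}\']'
        exists: 'false'
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

// Assignment name is kept short: management-group policy assignment names are limited to 24 characters.
resource requireTagAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-tag-${toLower(requiredTag)}'
  properties: {
    displayName: 'Require ${requiredTag} tag'
    policyDefinitionId: requireTag.id
    enforcementMode: 'Default'
  }
}

// Guardrail 2: Corp is internal-only, so public IP addresses are denied outright.
// The same definition would not be assigned to Online, which accepts internet traffic.
resource denyPublicIp 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-public-ip'
  properties: {
    displayName: 'Deny public IP addresses in Corp'
    policyType: 'Custom'
    mode: 'All'
    policyRule: {
      if: {
        field: 'type'
        equals: 'Microsoft.Network/publicIPAddresses'
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

resource denyPublicIpAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-public-ip'
  properties: {
    displayName: 'Deny public IP addresses in Corp'
    policyDefinitionId: denyPublicIp.id
    enforcementMode: 'Default'
  }
}

// RBAC: least privilege at the management group. Standing access is read-only;
// anything higher is meant to be activated just-in-time through PIM rather than
// assigned permanently here.
var readerRoleId = 'acdd72a7-3385-48ef-bd42-f606fba81ae7' // built-in Reader role definition

resource readerAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  // Deterministic GUID so redeploying the template is idempotent.
  name: guid(managementGroup().id, readerGroupObjectId, readerRoleId)
  properties: {
    principalId: readerGroupObjectId
    principalType: 'Group'
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions', readerRoleId)
  }
}
```

Deploy with `az deployment mg create --management-group-id contoso-landingzones-corp --location eastus --template-file corp-guardrails.bicep --parameters readerGroupObjectId=<group-object-id>`. Because both assignments sit on the Corp management group, every subscription under it inherits them automatically, including subscriptions added later, which is the practical payoff of getting the hierarchy right before the workloads arrive. When a deployment is rejected by the tag policy, the failure surfaces in the deployment's error output and in the policy compliance view, so the gap is caught at creation rather than discovered during a cost review.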

I compare a Landing Zone to the foundation and framing of your cloud house: get it right, and everything else falls into place. Even if your workloads change, modernize, or move, a strong platform means you won't have to tear down the walls to make room for growth. Build smart now, and your cloud environment will be ready to support the business objectives you need to succeed.
