Azure Landing Zones: Enterprise-Scale Architecture

Moving to the cloud is easy; governing it at scale is hard. "Azure Landing Zones" is the Microsoft-recommended architecture for a scalable, secure and compliant foundation. It moves away from the "single subscription" model, where one subscription holds everything and every control is applied by hand, to a "subscription democratization" model in which many subscriptions are governed centrally through Management Groups and Azure Policy. This guide walks through the "Enterprise-Scale" reference architecture.

The Logic of Management Groups

Instead of managing RBAC and policy per subscription, we organize subscriptions into a hierarchy of Management Groups. A policy assignment or role assignment made at a management group is inherited by every management group and subscription beneath it, so a control is defined once and lands on every subscription in that branch; a subscription cannot opt out of an inherited assignment, only be exempted from it.

graph TB
    Root["Tenant Root Group"] --> Inter["Intermediate Root (Org)"]
    Inter --> Platform["Platform"]
    Inter --> LandingZones["Landing Zones"]
    Inter --> Sandbox["Sandbox"]
    
    Platform --> Identity["Identity (AD)"]
    Platform --> Management["Management (Monitor)"]
    Platform --> Connectivity["Connectivity (Hub VNET)"]
    
    LandingZones --> Corp["Corp (Internal)"]
    LandingZones --> Online["Online (Public)"]
    
    style Inter fill:#E1F5FE,stroke:#0277BD
    style Platform fill:#FFF3E0,stroke:#E65100
    style LandingZones fill:#C8E6C9,stroke:#2E7D32
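To make the inheritance rule concrete, here is a small model of the hierarchy in the diagram. This is an added example written for this page, not Microsoft tooling or an Azure API: the subscription names (sub-corp-erp, sub-online-web, sub-sandbox-dev) and assignment names are invented, and "assignment" stands for either a policy assignment or an RBAC role assignment, since both inherit the same way. Besides resolving the effective controls on a subscription, it flags two common governance mistakes: re-assigning something a parent already applies, and assigning the same control on every sibling instead of once on the parent.

```python
"""Toy model of management-group inheritance (added example, not Microsoft
tooling).  An assignment made at a management group applies to everything
beneath it, so a subscription's effective controls are the union of the
assignments along its ancestor chain.  The tree mirrors the diagram above;
subscription and assignment names are constructed for the demonstration."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterator


@dataclass
class Scope:
    name: str
    parent: "Scope | None" = None
    children: list["Scope"] = field(default_factory=list)
    assignments: set[str] = field(default_factory=set)  # applied directly here

    def add(self, *names: str) -> "Scope":
        """Create child scopes (management groups or subscriptions)."""
        for n in names:
            self.children.append(Scope(n, parent=self))
        return self

    def child(self, name: str) -> "Scope":
        return next(c for c in self.children if c.name == name)

    def ancestry(self) -> list["Scope"]:
        """This scope followed by its parents, ending at the tenant root."""
        chain, s = [], self
        while s is not None:
            chain.append(s)
            s = s.parent
        return chain


def walk(scope: Scope) -> Iterator[Scope]:
    yield scope
    for c in scope.children:
        yield from walk(c)


def find(root: Scope, name: str) -> Scope:
    return next(s for s in walk(root) if s.name == name)


def effective_assignments(scope: Scope) -> dict[str, str]:
    """Every assignment in force at `scope`, mapped to the scope that owns it.
    Inherited assignments cannot be switched off lower down (only exempted),
    so the highest-level owner is the one that matters in a review."""
    result: dict[str, str] = {}
    for s in reversed(scope.ancestry()):  # tenant root first
        for a in s.assignments:
            result.setdefault(a, s.name)
    return result


def redundant_assignments(root: Scope) -> list[tuple[str, str, str]]:
    """(assignment, scope, owning ancestor) where a scope re-assigns something
    it already inherits.  Governance noise: delete the lower copy."""
    found = []
    for s in walk(root):
        inherited = effective_assignments(s.parent) if s.parent else {}
        found += [(a, s.name, inherited[a]) for a in sorted(s.assignments) if a in inherited]
    return found


def lift_candidates(root: Scope) -> list[tuple[str, str]]:
    """(assignment, parent) where every child of `parent` assigns the same
    thing directly: lift it one level so future children inherit it."""
    out = []
    for s in walk(root):
        if len(s.children) < 2:
            continue
        counts = Counter(a for c in s.children for a in c.assignments)
        out += [(a, s.name) for a, n in sorted(counts.items()) if n == len(s.children)]
    return out


def build_hierarchy() -> Scope:
    root = Scope("Tenant Root Group").add("Org")
    org = root.child("Org").add("Platform", "Landing Zones", "Sandbox")
    org.child("Platform").add("Identity", "Management", "Connectivity")
    lz = org.child("Landing Zones").add("Corp", "Online")
    lz.child("Corp").add("sub-corp-erp")  # constructed subscription names
    lz.child("Online").add("sub-online-web")
    org.child("Sandbox").add("sub-sandbox-dev")
    # Controls assigned once, at the level that should own them.
    org.assignments.add("Deploy-ActivityLog-To-LAW")                   # every subscription
    org.child("Platform").assignments.add("PlatformTeam-Contributor")  # RBAC, platform only
    lz.assignments.add("Deny-Storage-Public-Endpoint")                 # Corp and Online, not Sandbox
    lz.child("Corp").assignments.add("Deny-Public-IP")
    # Anti-patterns the checks above should catch:
    find(root, "sub-corp-erp").assignments.add("Deny-Public-IP")       # already inherited from Corp
    lz.child("Corp").assignments.add("Require-Tag-CostCenter")         # assigned on every sibling
    lz.child("Online").assignments.add("Require-Tag-CostCenter")
    return root


if __name__ == "__main__":
    tree = build_hierarchy()
    for sub in ("sub-corp-erp", "sub-sandbox-dev"):
        print(sub, effective_assignments(find(tree, sub)))
    print("redundant:", redundant_assignments(tree))
    print("lift to parent:", lift_candidates(tree))
```

Running it shows that sub-sandbox-dev receives only the Org-level activity-log policy, while sub-corp-erp receives the Org, Landing Zones and Corp controls; the direct Deny-Public-IP copy on sub-corp-erp is reported as redundant, and Require-Tag-CostCenter is reported as a candidate to be lifted from Corp and Online up to Landing Zones.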

Subscription Democratization

Don't be afraid to create subscriptions. In this model they are units of management and security, not just billing.

  • Isolation: a subscription is a hard RBAC and policy boundary, so a bad deployment or an over-broad role assignment is contained to it.
  • Quota: each subscription has its own resource quotas and ARM request-throttling limits, so spreading workloads across subscriptions stops one team from exhausting them for everyone.
  • Cost: subscription boundaries give clean chargeback without relying on tags alone.

Policy-Driven Governance

Use "DeployIfNotExists" (DINE) policies assigned at a management group so that baseline resources are deployed automatically when a new subscription lands beneath it. Two caveats a practitioner will hit: subscriptions that already exist when the policy is assigned are only evaluated, not fixed, until you create a remediation task; and the assignment needs a managed identity holding the roles listed in roleDefinitionIds, or the deployment fails silently in the compliance view. The rule below streams the subscription Activity Log to a central Log Analytics workspace; logAnalyticsWorkspaceId is a policy parameter declared in the definition's parameters block, which is not shown here.

{
  "if": { "field": "type", "equals": "Microsoft.Resources/subscriptions" },
  "then": {
    "effect": "deployIfNotExists",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "deploymentScope": "subscription",
      "existenceScope": "subscription",
      "existenceCondition": {
        "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
        "equals": "[parameters('logAnalyticsWorkspaceId')]"
      },
      "roleDefinitionIds": [
        "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
      ],
      "deployment": {
        "location": "westeurope",
        "properties": {
          "mode": "incremental",
          "template": {
            "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
            "contentVersion": "1.0.0.0",
            "parameters": { "workspaceId": { "type": "string" } },
            "resources": [
              {
                "type": "Microsoft.Insights/diagnosticSettings",
                "apiVersion": "2021-05-01-preview",
                "name": "subscription-to-law",
                "properties": {
                  "workspaceId": "[parameters('workspaceId')]",
                  "logs": [ { "category": "Administrative", "enabled": true }, { "category": "Security", "enabled": true } ]
                }
              }
            ]
          },
          "parameters": { "workspaceId": { "value": "[parameters('logAnalyticsWorkspaceId')]" } }
        }
      }
    }
  }
}
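What DINE actually decides is easy to get wrong, so here is a small evaluator for the decision part of the rule above. It is an added example written for this page, not the Azure Policy engine, and it supports only a subset of the policy grammar (field, equals, notEquals, in, exists, allOf, anyOf, not, and the parameters() expression); the alias-to-property mapping is a simplification, and every subscription, workspace ID and diagnostic setting record in it is constructed sample data. It shows the three outcomes: a resource the `if` block does not select is not applicable; a selected subscription whose existing diagnostic setting already points at the assigned workspace is compliant; and a subscription with no setting, or one pointing at a different workspace, is non-compliant and would get the template deployed.

```python
"""Mini evaluator for deployIfNotExists rules (added example, not the Azure
Policy engine; subset of the grammar).  The `if` block selects resources,
the existenceCondition is then tested against existing resources of
details.type inside the existenceScope, and the selected resource is
non-compliant (remediation deploys the template) only when no related
resource satisfies it.  All resource records below are constructed."""
import re
from typing import Any

Json = dict[str, Any]
PARAM_EXPR = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value: Any, params: Json) -> Any:
    """Expand "[parameters('name')]" to the value assigned to that parameter."""
    if isinstance(value, str) and (m := PARAM_EXPR.match(value)):
        return params[m.group(1)]
    return value


def same(a: Any, b: Any) -> bool:
    """Azure Policy string comparisons are case-insensitive."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def field_value(resource: Json, name: str) -> Any:
    """'type', 'name', 'location', 'id' are top-level; any other field is
    treated as an alias mapped to properties[<last path segment>], a
    simplification of the real alias table."""
    if name in ("type", "name", "location", "id"):
        return resource.get(name)
    return resource.get("properties", {}).get(name.rsplit("/", 1)[-1])


def matches(cond: Json, resource: Json, params: Json) -> bool:
    """Evaluate one Azure Policy condition object against one resource."""
    if "allOf" in cond:
        return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond:
        return not matches(cond["not"], resource, params)
    actual = field_value(resource, cond["field"])
    if "equals" in cond:
        return same(actual, resolve(cond["equals"], params))
    if "notEquals" in cond:
        return not same(actual, resolve(cond["notEquals"], params))
    if "in" in cond:
        return any(same(actual, resolve(v, params)) for v in cond["in"])
    if "exists" in cond:
        return (actual is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def evaluate_dine(rule: Json, params: Json, resource: Json, related: list[Json]) -> str:
    """Return 'not-applicable', 'compliant' or 'non-compliant' for one resource.
    `related` holds the resources already present in the existenceScope."""
    if not matches(rule["if"], resource, params):
        return "not-applicable"
    details = rule["then"]["details"]
    candidates = [r for r in related if same(r.get("type"), details["type"])]
    cond = details.get("existenceCondition")
    # Without an existenceCondition, any resource of details.type satisfies DINE.
    if any(matches(cond, r, params) if cond else True for r in candidates):
        return "compliant"
    return "non-compliant"


# The rule above, reduced to the parts that drive the decision; the deployment
# template plays no role in compliance evaluation and is omitted here.
ACTIVITY_LOG_RULE: Json = {
    "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
    "then": {"effect": "deployIfNotExists", "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "existenceScope": "subscription",
        "existenceCondition": {
            "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
            "equals": "[parameters('logAnalyticsWorkspaceId')]"}}},
}
LAW = ("/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-mgmt"
       "/providers/Microsoft.OperationalInsights/workspaces/law-platform")  # constructed
PARAMS = {"logAnalyticsWorkspaceId": LAW}


def diag(workspace: str) -> Json:
    return {"type": "Microsoft.Insights/diagnosticSettings", "name": "export",
            "properties": {"workspaceId": workspace}}


def demo() -> dict[str, str]:
    """Constructed subscriptions in three states, plus a non-subscription resource."""
    subs = {
        "sub-corp-erp": [diag(LAW)],                                      # already wired up
        "sub-online-web": [diag(LAW.replace("law-platform", "law-shadow"))],  # wrong workspace
        "sub-sandbox-dev": [],                                            # nothing configured
    }
    verdicts = {name: evaluate_dine(ACTIVITY_LOG_RULE, PARAMS,
                                    {"type": "Microsoft.Resources/subscriptions", "name": name}, rel)
                for name, rel in subs.items()}
    verdicts["rg-app"] = evaluate_dine(ACTIVITY_LOG_RULE, PARAMS,
                                       {"type": "Microsoft.Resources/resourceGroups", "name": "rg-app"}, [])
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16} {verdict}")
```

The "wrong workspace" case is the one worth remembering: a subscription that streams its Activity Log somewhere else is still non-compliant, because the existenceCondition checks the workspaceId, not merely that a diagnostic setting exists. Remediation then deploys a second setting pointing at the platform workspace rather than modifying the existing one.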

Key Takeaways

  • Stop using single-subscription models for enterprise estates.
  • Use Management Groups to assign Policy and RBAC at scale.
  • Centralize networking and identity, decentralize app resources.
