Production-Grade Azure Landing Zone: Architecture, Governance, and Automation

This guide provides a structured approach to building a secure, compliant, and operationally efficient Azure Landing Zone, emphasizing governance, networking, identity, and automation. It covers tools, architecture design, and implementation strategies for enterprise-scale Azure environments.

Overview of Azure Landing Zones

An Azure Landing Zone is a foundational architecture that ensures all cloud workloads are deployed into a secure, compliant, and operationally excellent environment. It addresses challenges like inconsistent security postures, uncontrolled costs, and lack of visibility by establishing governance guardrails, centralized networking, and automated operations.

Key Objectives:

Governance at Scale: Enforce policies and compliance via Azure Policy, Management Groups, and RBAC.
Secure Networking: Implement hub-and-spoke topologies with Azure Firewall for traffic inspection.
Identity & Access Control: Use least-privilege roles, PIM, and managed identities to secure access.
Automation: Deploy Infrastructure as Code (Bicep/Terraform) and CI/CD pipelines for repeatable, auditable changes.

Core Components and Implementation

1. Prerequisites and Setup

Tools Required:
- Azure CLI, Bicep, Terraform, VS Code with extensions.
- Azure CLI login: az login
- Bicep installation: az bicep install
- Terraform installation: terraform -version
Permissions:
- Ensure the user has Owner or Microsoft.Management/managementGroups/write permissions at the tenant root.
- Register Azure providers: az provider register --namespace Microsoft.Management

2. Architecture and Naming Conventions

Hub-and-Spoke Network:
- Central Hub VNet with Azure Firewall and Log Analytics.
- Spoke VNets for workloads, peered to the hub for secure connectivity.
- Example: [ResourceType]-[WorkloadName]-[Environment]-[AzureRegion]-[Instance] (e.g., vnet-hub-prod-eastus-001).
Tagging Strategy:
- Mandatory tags: owner, costCenter, environment, appName.

3. Governance with Management Groups

Hierarchy Design:
- Platform MG: Contains identity, management, and connectivity groups.
- Landing Zones MG: Houses production and non-production management groups.
- Example Bicep snippet:

targetScope = 'tenant'
resource mgPlatform 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: 'lz-platform'
  properties: { displayName: 'Platform' }
}

Use Case: Enforce stricter policies on Prod vs. Non-Prod groups to control costs and security.

4. Identity & Access Management (IAM)

Custom RBAC Roles:
- Example: Spoke VNet Contributor allows resource creation but restricts network modifications.
- Artifact: SpokeVnetContributor.json (see context for full definition).
Privileged Identity Management (PIM):
- Enables temporary, just-in-time access for emergency scenarios.

5. Policy-Driven Governance

Azure Policy Examples:
- Enforce mandatory tags (e.g., costCenter) using deny effect.
- Example policy JSON:

{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Resources/subscriptions/resourceGroups" },
      { "field": "tags['costCenter']", "exists": "false" }
    ]
  },
  "then": { "effect": "deny" }
}

Use Case: Enforce GDPR compliance by restricting deployments to EU regions.

6. Network Foundation (Hub-and-Spoke)

Bicep Deployment for Hub VNet:
- Includes Azure Firewall, peering, and route tables.
- Example: hubNetwork.bicep (see context for full code).
Use Case: Secure PCI-DSS workloads by routing all traffic through the Azure Firewall.

7. Centralized Operations & Shared Services

Log Analytics Workspace:
- Centralize logs from Key Vaults, VMs, and security tools.
- Bicep artifact: logAnalytics.bicep (see context for deployment).
Subscription Vending Machine:
- Automate subscription creation with policies, VNets, and RBAC assignments.

8. IaC, CI/CD, and GitOps

Repository Structure:
- Organize code into modules and pipelines.
- Example: infra/bicep/modules/network.bicep, pipelines/deploy-landingzone.yml.
GitHub Actions Pipeline:
- Validate changes on pull requests (az deployment mg what-if) and deploy on merge.
- Artifact: deploy-landingzone.yml (see context for full YAML).

Working Example: Bicep for Management Groups

targetScope = 'tenant'
resource mgPlatform 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: 'lz-platform'
  properties: { displayName: 'Platform' }
}
resource mgConnectivity 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: 'lz-connectivity'
  properties: {
    displayName: 'Connectivity'
    details: { parent: { id: mgPlatform.id } }
  }
}

Deployment Command:

az deployment tenant create --location eastus --template-file managementGroups.bicep

Recommendations

Governance:
- Use a shallow management group hierarchy to simplify policy inheritance.
- Store Azure Policy definitions in version-controlled repositories.
Networking:
- Always deploy Azure Firewall in the hub for traffic inspection.
- Use route tables to enforce traffic routing through the firewall.
Identity:
- Prefer managed identities over service principals to eliminate secret management.
- Enable PIM for privileged roles to reduce risk.
Automation:
- Use what-if or plan in CI/CD pipelines to validate changes before deployment.
- Protect the main branch with required pull requests and approvals.
Pitfalls to Avoid:
- Failing to register Azure providers before deployment.
- Overly complex management group hierarchies leading to policy conflicts.
- Hardcoding secrets in CI/CD pipelines instead of using managed identities.

Final Checklist for Production Readiness

All policies are assigned and show compliance.
Identity access is managed via PIM with no standing privileges.
Firewall rules are configured for least privilege.
Centralized logging collects data from all critical resources.
Budgets and cost alerts are configured.
CI/CD pipeline is the only deployment mechanism.
Automated health checks validate core functionality.

Reference: Azure Landing Zone Guide

On This Page

Production-Grade Azure Landing Zone: Architecture, Governance, and Automation