One thing that has often confused me about Azure training and certification exams is how little mention there is of the Cloud Adoption Framework and Azure Landing Zones, even though they'rea key component of the “Ready” phase of the framework.
As an Azure Solutions Architect, it’s your responsibility to map business requirements to Azure solutions. But it’s also much more than that. You should also make sure your solutions are mapped to both the Cloud Adoption Framework and the Well Architected Framework. Solutions are made up of one or more workloads. You can think of a workload as a group of components that provide a business function.
Before you deploy a production workload, as part of getting ready, you need to prepare both your organization for the change, and your Azure environment. All too often, both of these are overlooked, and it can be costly, time consuming and disruptive to correct courses later. You prepare your organization by determining your operating model. Your operating model defines how your teams will align and work together, in simple terms, how the business will operate cloud workloads.
You deploy your Azure environment by deploying Azure Landing Zones. Let’s dive into what that means and why it is so important.
What are Azure landing zones?
Azure Landing Zones is a reference architecture that you can implement to ensure you will be able to govern, secure, monitor, manage and ultimately deploy your workloads. Azure Landing Zones are the foundation for a successful adoption of Azure.
Notice that it’s Landing Zones, and not a singular ‘zone’. There are two key types of landing zones:
A Platform Landing Zone provides centralized foundational services for all workloads, these include things like monitoring, identity and networking.
An Application Landing Zone is a location for a workload. You can think of an Application Landing Zone as a governed subscription. You’ll typically deploy one or more of these, and you may add and remove them over time.
Five ways using Azure Landing Zones helps you out
Azure Landing Zones take the guesswork out of trying to figure out how you should structure your Azure management hierarchy, what foundational level resources you should deploy and how you should configure those resources.
1. Governance
Azure Landing Zones provide governance that scales as your Azure environment grows and changes. Governance is the policies, procedures, and guidelines your company implements to help your company meet their obligations. Governance in the ALZ reference architecture is provided using the powerful combination of Azure Policy and Management Groups.
2. Scalability
Azure Landing Zones provides scalability by ensuring that you can grow and even shrink your Azure footprint easily. You can add subscriptions to your Application Landing Zones as you deploy new workloads, and you can decommission those workloads as entire subscriptions as the need arises. As you add and remove subscriptions, throw what’s referred to as “Vending” policies are automatically applied from the Management Groups higher in the hierarchy.
3. Identity
Azure Landing Zones secure your identities by providing an optional, more secure Platform Landing Zone subscription that you can use to host Active Directory Domain Services (AD DS) for hybrid identity, when it’s required.
Azure Landing Zones also helps ensure you can delegate ownership of Application Landing Zone subscriptions to teams with recommended custom Azure Roles, and even decentralize the ongoing management of authorization for identities that access workload subscriptions.
4. Monitoring
Azure Landing Zones also provides a central Log Analytics workspace to store all your monitoring and logging data. Monitoring data collection is automatically configured at scale using Azure policy, and with resource-context permissions your workload teams can access the monitoring data they need to without stepping on each other's toes.
5. Networking
Azure Landing Zones provides optional cloud and hybrid networking through a networking Platform Landing Zone. You can implement foundational networking using either a traditional Hub and Spoke topology or through Azure Virtual WAN.
What can happen when you don’t use landing zones?
If you don’t deploy Azure Landing Zones, you may experience problems dealing with the ongoing management, governance and security of your workloads. These can be thought of as “growing pains”. Some of the problems you might encounter are subscription limits, or increased management overhead managing permissions.
If you are reading this and thinking, oh no, I really should have deployed Azure Landing Zones. Fear not! While it is easier to deploy the reference architecture upfront, you can move to the recommended architecture after you’ve already deployed workloads. As the Azure Landing Zones team would say, you can think of Azure Landing Zones as your guiding star, and work towards the best practice architecture.
You can get started with an Assessment, like the Azure Landing Zone Review, and receive personalized guidance on how you can move towards the recommended architecture.
How to set up an Azure Landing Zone
Microsoft provides a number of resources to help you deploy Azure Landing Zones through Accelerators. Sounds fast, right? There are accelerators available for the Azure Portal, Bicep and Terraform.
How to learn more about Azure Landing Zones
If you’d like to learn more about Azure Landing Zones or the larger Cloud Adoption Framework, I’ve created dedicated courses on each topic:
Introduction to the Microsoft Cloud Adoption Framework for Azure
Deploying Azure Landing Zones
Or if you’d like to see how both the Cloud Adoption Framework and the Well Architected Framework fit into your toolkit as an Azure Solutions Architect, you can check out my latest course Azure Solutions Architect Expert (AZ-305): Identity, Governance and Monitoring Solutions.
