📌 How to Build Your Azure Landing Zone for Scaling Cloud Environments Securely

A well-architected landing zone separates responsibilities across management groups and subscriptions, enforces policy and security controls by default, and supports growth across teams, regions, and lifecycles.

❶ Tenant-Level Architecture
◆ Use Microsoft Entra ID as the central identity plane for users, groups, service principals, and role assignments.
◆ Apply PIM and Conditional Access across all admin roles.
◆ Connect on-prem identities with Active Directory Domain Services when hybrid is needed.

❷ Management Group Hierarchy
◆ Start with a clear tenant root group, structured by platform functions (Security, Management, Connectivity, Identity) and LZ (Corp, Online, Sandbox).
◆ Apply guardrails at the group level using Azure Policy, RBAC, and budget alerts.
◆ Assign subscriptions below groups to enforce separation of concerns.

❸ Subscription Separation of Duties
◆ Security Subscription: Centralize logging, Defender for Cloud, and policy enforcement.
◆ Management Subscription: Central dashboards, cost tracking, log collection, and updates.
◆ Identity Subscription: Host DCs, Microsoft Entra DS, and recovery services.
◆ Connectivity Subscription: ExpressRoute, DNS, Firewalls, and VNet peering.
◆ LZ: Host production workloads (P1, A2) with consistent network, identity, and backup setup.
◆ Sandbox Subscriptions: Isolated for dev/test with limited permissions and spending controls.

❹ Network Topology & Peering
◆ Use hub-and-spoke architecture with VNets per region and peering to a shared connectivity subscription.
◆ Centralize inspection using Azure Firewall, Route Tables, and NSGs/ASGs.
◆ Secure DNS resolution with Private DNS Zones and on-prem forwarding if needed.

❺ Platform Automation & GitOps
◆ Manage all infra as code using a central Git repository.
◆ Store definitions for roles, policies, blueprints, Bicep modules, and templates.
◆ Automate provisioning via pipelines (e.g., GitHub Actions, Azure DevOps) for repeatability and traceability.

❻ Logging, Monitoring & Compliance
◆ Send logs from all subscriptions to Log Analytics in the Security sub.
◆ Use Azure Monitor for platform-wide observability.
◆ Set up Update Manager, Defender for Cloud, and cost alerts centrally.

❼ Cost Management & Policy Enforcement
◆ Apply cost management and Azure Policy consistently across subscriptions.
◆ Use budget alerts and tagging to track usage per environment or team.
◆ Prevent misconfiguration with deny assignments and policy enforcement at the platform layer.

❽ Landing Zone Blueprint Implementation
◆ Define compliant VM SKUs, network configuration, backup strategy, and baseline tags.
◆ Ensure shared services like Key Vault, Backup Vaults, and Azure Automation are pre-integrated.
◆ Enforce diagnostics, identity assignment, and Defender onboarding by default.

#cloud #security #azure
Best Practices for Azure Migration Landing Zone Setup
Summary
Azure migration landing zone setup refers to building a structured foundation in Microsoft Azure for moving applications and workloads to the cloud, with built-in controls for security, governance, and scalability. It’s about preparing the cloud environment so every department or project can safely and efficiently operate, avoiding chaos as your organization grows.
- Structure your hierarchy: Set up management groups, subscriptions, and policies to separate responsibilities and control access across teams and environments.
- Automate using code: Use infrastructure-as-code tools like Terraform and Azure Verified Modules to make deployment repeatable and easy to audit.
- Monitor and enforce: Send logs from all subscriptions to central analytics and apply consistent policies to track costs, detect drift, and maintain compliance across your platform.
While auditing an EU FinTech scale-up, I came across some surprising design choices:
• Flat subscription sprawl
• No Azure Policy enforcement
• No Hub-and-Spoke network model
• No Management Group hierarchy

Clearly, they had grown fast but without structure. So I led a Landing Zone redesign based on Microsoft’s Cloud Adoption Framework and deployed:
👉🏻 A Core Infrastructure Management Group with Policy-as-Code
👉🏻 Spoke separation by app and environment
👉🏻 Role-based access controls aligned with team structure

The result:
• 94% policy compliance in just 6 weeks
• Clear cost ownership per team
• A secure, scalable foundation ready for future growth

Without Landing Zones, your Azure setup is just an expensive sandbox.

#AzureCAF #EnterpriseLandingZone #ArchitectureReview #InfraGovernance #AzureBestPractices #CloudStrategy
🚀 Azure Landing Zone (ALZ) – Part 3
Using Azure Verified Modules (AVM) + Terraform: Repo Structure & Deployment Flow

In Part 1, we covered ALZ + IaC foundation. In Part 2, we explored Azure Verified Modules (AVM). Now let’s get practical 👇

👉 How do we structure a real-world enterprise Terraform repository using AVM for Azure Landing Zones?

⸻

🗂 Recommended Repository Structure (AVM + Terraform)

alz-platform/
│
├── management-groups/
│   └── main.tf
│
├── platform/
│   ├── identity/
│   ├── connectivity/
│   └── management/
│
├── landing-zones/
│   ├── corp/
│   ├── online/
│   └── sandbox/
│
├── modules/
│   └── custom-overrides/
│
├── global-settings/
│   ├── policy/
│   ├── role-assignments/
│   └── diagnostics/
│
├── environments/
│   ├── dev.tfvars
│   ├── test.tfvars
│   └── prod.tfvars
│
└── pipelines/
    └── azure-devops.yml / github-actions.yml

🧩 How AVM Fits Into This

Instead of writing everything from scratch:
• Use AVM Management Group modules
• Use AVM Subscription modules
• Use AVM Networking modules
• Use AVM Policy modules
• Use AVM Monitoring modules

You compose your Landing Zone like building blocks:

module "management_groups" {
  source  = "Azure/avm-ptn-managementgroup/azurerm"
  version = "x.x.x"
}

module "connectivity" {
  source  = "Azure/avm-ptn-connectivity/azurerm"
  version = "x.x.x"
}

👉 Official AVM repo: https://lnkd.in/gfwYyAfi
👉 ALZ Terraform docs: https://lnkd.in/gfzk9ni6

🔄 Enterprise Deployment Flow

Here’s how a production-grade ALZ pipeline should work:

1️⃣ Plan Stage
• Validate Terraform code
• Security scanning (Checkov / tfsec)
• Policy validation
• Generate terraform plan

2️⃣ Approval Gate
• Platform team review
• Architecture validation

3️⃣ Apply Stage
• Deploy Management Groups
• Deploy Platform Subscriptions
• Deploy Hub Networking
• Deploy Policies & RBAC
• Deploy Monitoring stack

4️⃣ Continuous Governance
• Drift detection
• Policy compliance checks
• Cost monitoring

⸻

🏗️ Recommended Layered Deployment Order
1. Management Groups
2. Policies & Role Assignments
3. Platform Subscriptions
4. Connectivity (Hub)
5. Identity
6. Logging & Monitoring
7. Application Landing Zones

This avoids dependency conflicts and ensures governance is enforced first.

⸻

🔐 Why This Matters

Without structure:
• Terraform becomes messy
• Governance becomes reactive
• Scaling becomes painful

With AVM + Structured Repo:
✔️ Modular
✔️ Reusable
✔️ Version-controlled
✔️ Enterprise scalable
✔️ Audit-friendly

⸻

💡 Key Insight

Azure Landing Zone is not a project. It is a platform product. Treat it like software:
• Version it
• Secure it
• Automate it
• Continuously improve

#Azure #AzureLandingZone #AzureVerifiedModules #Terraform #InfrastructureAsCode #CloudArchitecture #PlatformEngineering #DevOps #AzureSecurity #CloudGovernance
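Added example, not code from either post and not an AVM module: the management group hierarchy described in the first post (platform functions plus Corp/Online/Sandbox landing zones), written with the plain hashicorp/azurerm 3.x provider as a stand-in for the management-groups/main.tf of the repo layout in the third post, with one built-in "Allowed locations" guardrail assigned in deny mode at the landing-zones group so every child subscription inherits it. The org name and the two regions are placeholders.

```hcl
provider "azurerm" {
  features {}
}

# Organisation root, one level under the tenant root group (placeholder name).
resource "azurerm_management_group" "org" {
  display_name = "contoso-placeholder"
}

# Platform side: one child group per platform function.
resource "azurerm_management_group" "platform" {
  display_name               = "platform"
  parent_management_group_id = azurerm_management_group.org.id
}

resource "azurerm_management_group" "platform_fn" {
  for_each                   = toset(["security", "management", "connectivity", "identity"])
  display_name               = each.key
  parent_management_group_id = azurerm_management_group.platform.id
}

# Landing-zone side: workload subscriptions are placed under these groups.
resource "azurerm_management_group" "landing_zones" {
  display_name               = "landing-zones"
  parent_management_group_id = azurerm_management_group.org.id
}

resource "azurerm_management_group" "lz" {
  for_each                   = toset(["corp", "online", "sandbox"])
  display_name               = each.key
  parent_management_group_id = azurerm_management_group.landing_zones.id
}

# Resolve the built-in definition by display name instead of hard-coding its GUID.
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

# Guardrail: deny any resource created outside the approved regions. Assigned once
# at landing-zones, it is inherited by corp, online and sandbox and by every
# subscription moved beneath them later.
resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations"
  management_group_id  = azurerm_management_group.landing_zones.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  enforce              = true
  parameters = jsonencode({
    listOfAllowedLocations = { value = ["westeurope", "northeurope"] } # placeholder regions
  })
}
```

Running terraform plan against this with a principal that lacks Management Group Contributor at the tenant root is a quick way to confirm the pipeline identity's scope is what the deployment order (management groups first, then policy) requires.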