Deploy Azure landing zones

This article discusses the options available for deploying platform and application landing zones. Platform landing zones provide centralized services used by workloads. Application landing zones are environments deployed for the workloads themselves.

Important

For more information about platform versus application landing zones definitions, see What is an Azure landing zone? in the Cloud Adoption Framework for Azure documentation.

This article covers common roles and responsibilities for differing cloud operating models. It also lists deployment options for platform and application landing zones.

Cloud operating model roles and responsibilities

The Cloud Adoption Framework describes four common cloud operating models. Azure identity and access for landing zones recommends five role definitions (Roles) to consider if your organization's cloud operating model requires customized role-based access control. If your organization has more decentralized operations, the Azure built-in roles might be sufficient.

The following table outlines the key roles for each of the cloud operating models.

| Role | Decentralized operations | Centralized operations | Enterprise operations | Distributed operations |
|---|---|---|---|---|
| Azure platform owner (such as the built-in Owner role) | Workload team | Central cloud strategy | Enterprise architect in Cloud Center of Excellence (CCoE) | Based on portfolio analysis. See Business alignment and Business commitments. |
| Network management (NetOps) | Workload team | Central IT | Central Networking in CCoE | Central Networking for each distributed team + CCoE. |
| Security operations (SecOps) | Workload team | Security operations center (SOC) | CCoE + SOC | Mixed. See Define a security strategy. |
| Subscription owner | Workload team | Central IT | Central IT + Application Owners | CCoE + Application Owners. |
| Application owners (DevOps, AppOps) | Workload team | Workload team | Central IT + Application Owners | CCoE + Application Owners. |

Platform

The following options provide an opinionated approach to deploying and operating the Azure landing zone conceptual architecture as detailed in the Cloud Adoption Framework. Depending on your customizations, the resulting architecture might not be identical across the options listed here. The options differ in how you deploy the architecture: they use different technologies, take different approaches, and are customized differently.

| Deployment option | Description |
|---|---|
| Azure landing zone Portal accelerator | An Azure portal-based deployment that provides a full implementation of the conceptual architecture, along with opinionated configurations for key components such as management groups and policies. |
| Azure landing zone Terraform accelerator | This accelerator provides an orchestrator module and also allows you to deploy each capability individually or in part. |
| Azure landing zone Bicep accelerator | A modular accelerator in which each module encapsulates a core capability of the Azure landing zone conceptual architecture. Although the modules can be deployed individually, the design proposes orchestrator modules to encapsulate the complexity of deploying different topologies with the modules. |

Variants

| Deployment option | Description |
|---|---|
| Sovereign landing zone | The sovereign landing zone (SLZ) is a variant of the enterprise-scale Azure landing zone intended for organizations that need advanced sovereign controls. |

Operate Azure landing zones

After you deploy the landing zone, you need to operate and maintain it. For more information, see the guidance on how to Keep your Azure landing zone up to date.

Azure Governance Visualizer is intended to give you a holistic overview of your technical Azure governance implementation by connecting the dots and providing detailed reports.

Alternative platform deployment for policies with Enterprise Policy as Code (EPAC)

Enterprise Policy as Code (EPAC) is an alternative method to deploy, manage, and operate Azure Policy in your environment. You can use EPAC instead of the preceding platform options to manage the policies in an Azure landing zones environment. For more information on the integration approach, see Integrate EPAC with Azure landing zones.

EPAC is best suited for more advanced and mature DevOps and infrastructure-as-code customers. However, customers of any size can use EPAC if they want to after they assess it. To ensure that you're aligned, see Who should use EPAC? first.

Note

Evaluate both options carefully. Consider running an MVP or proof of concept before you decide what to use in the long term.

Subscription vending

After the platform landing zone is in place, the next step is to create and operationalize application landing zones for workload owners. Subscription democratization is a design principle of Azure landing zones that uses subscriptions as units of management and scale. This approach accelerates application migrations and new application development.

Subscription vending standardizes the process you use to request, deploy, and govern subscriptions. It enables application teams to deploy their workloads faster. To get started, see Subscription vending implementation guidance. Then review the following infrastructure-as-code modules. They provide flexibility to fit your implementation needs.

| Deployment option | Description |
|---|---|
| Bicep subscription vending | The subscription vending Bicep module is designed to accelerate deployment of the individual landing zones (also known as subscriptions) within a Microsoft Entra tenant on Enterprise Agreement (EA), Microsoft Customer Agreement (MCA), and Microsoft Partner Agreement (MPA) billing accounts. |
| Terraform subscription vending | The subscription vending Terraform module is designed to accelerate deployment of the individual landing zones (also known as subscriptions) within a Microsoft Entra tenant on EA, MCA, and MPA billing accounts. |
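As an added example that is not taken from this article or from the module's own documentation, a single vending request expressed against the subscription vending Bicep module could look like the following. The module registry path, parameter names and the management group ID are assumptions based on the public module and should be checked against its current README before use; every `<...>` value is a placeholder.

```bicep
// Added example: one application landing zone requested through the
// subscription vending Bicep module. Registry path, parameter names and
// management group ID are assumed from the public module, not taken from
// this article; replace <...> placeholders and pin a reviewed version.
targetScope = 'managementGroup'

module lzApp001 'br/public:lz/sub-vending:1.x.x' = {
  name: 'lz-app001-vending'
  params: {
    // Create the subscription under the EA/MCA/MPA billing scope.
    subscriptionAliasEnabled: true
    subscriptionAliasName: 'sub-app001-prod'
    subscriptionDisplayName: 'sub-app001-prod'
    subscriptionBillingScope: '/providers/Microsoft.Billing/billingAccounts/<billing-account-id>/enrollmentAccounts/<enrollment-account-id>'
    subscriptionWorkload: 'Production'
    subscriptionTags: {
      environment: 'prod'
      costCenter: '<cost-center>'
      owner: '<workload-team-alias>'
    }

    // Place the subscription under the corp landing zones management group so
    // the platform team's policy assignments apply before any workload lands.
    subscriptionManagementGroupAssociationEnabled: true
    subscriptionManagementGroupId: 'alz-landingzones-corp'

    // Spoke network peered to the platform hub; keep the address space unique.
    virtualNetworkEnabled: true
    virtualNetworkLocation: 'westeurope'
    virtualNetworkResourceGroupName: 'rg-app001-network'
    virtualNetworkName: 'vnet-app001-prod'
    virtualNetworkAddressSpace: ['10.20.0.0/22']
    virtualNetworkPeeringEnabled: true
    hubNetworkResourceId: '/subscriptions/<platform-subscription-id>/resourceGroups/rg-hub-network/providers/Microsoft.Network/virtualNetworks/vnet-hub'

    // Grant the workload team a scoped role instead of Owner on the subscription.
    roleAssignmentEnabled: true
    roleAssignments: [
      {
        principalId: '<workload-team-group-object-id>'
        definition: 'Contributor'
        relativeScope: ''
      }
    ]
  }
}

// Module outputs let a pipeline chain the workload deployment to the new subscription.
output subscriptionId string = lzApp001.outputs.subscriptionId
```

Deploy it at management group scope from the vending pipeline; the management group association and the role assignment are what keep the new subscription inside the platform's policy and least-privilege boundaries from day one.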

Application

Application landing zones are one or more subscriptions that are deployed as environments for workloads or applications. These workloads can take advantage of services deployed in platform landing zones. The application landing zones can be centrally managed applications, decentralized workloads, or technology platforms such as Azure Kubernetes Service (AKS) that host applications.

You can use the following options to deploy and manage applications or workloads in an application landing zone.

| Application | Description |
|---|---|
| AKS landing zone accelerator | An open-source collection of Azure Resource Manager (ARM), Bicep, and Terraform templates that represent the strategic design path and target technical state for an AKS deployment. |
| Azure App Service landing zone accelerator | Proven recommendations and considerations across both multitenant and App Service Environment use cases, with a reference implementation for an ASEv3-based deployment. |
| Azure API Management landing zone accelerator | Proven recommendations and considerations for deploying API Management (APIM), with a reference implementation that places Azure Application Gateway in front of an internal APIM instance and uses Azure Functions as the back end. |
| SAP on Azure landing zone accelerator | Terraform and Ansible templates that accelerate SAP workload deployments by using Azure landing zone best practices, including the creation of infrastructure components like compute, networking, storage, and monitoring, and the build of SAP systems. |
| HPC landing zone accelerator | An end-to-end HPC cluster solution in Azure that uses tools like Terraform, Ansible, and Packer. It addresses Azure landing zone best practices, including implementing identity, jumpbox access, and autoscale. |
| Azure VMware Solution landing zone accelerator | ARM, Bicep, and Terraform templates that accelerate VMware deployments, including Azure VMware Solution private cloud, jumpbox, networking, monitoring, and add-ons. |
| Azure Virtual Desktop landing zone accelerator | ARM, Bicep, and Terraform templates that accelerate Azure Virtual Desktop deployments, including creation of host pools, networking, storage, monitoring, and add-ons. |
| Azure Red Hat OpenShift landing zone accelerator | An open-source collection of Terraform templates that represent an optimal Azure Red Hat OpenShift deployment that includes Azure and Red Hat resources. |
| Azure Arc landing zone accelerator for hybrid and multicloud | Covers Azure Arc-enabled servers, Kubernetes, and Azure Arc-enabled SQL Managed Instance. See the Jumpstart ArcBox overview. |
| Azure Spring Apps landing zone accelerator | Intended for an application team that builds and deploys Spring Boot applications in a typical enterprise landing zone design. As the workload owner, use the architectural guidance provided in this accelerator to achieve your target technical state with confidence. |
| Enterprise-scale landing zone for Citrix on Azure | Design guidelines for the Cloud Adoption Framework for Citrix Cloud in an Azure enterprise-scale landing zone, covering many design areas. |
| Azure Container Apps landing zone accelerator | Outlines the strategic design path and defines the target technical state for deploying Azure Container Apps. It is owned and operated by a dedicated workload team. |