It really depends on your approach and adoption plans going forward as a business.
The docs on this are really good on landing zones. You can start small and go with a modular approach, building out with scale if you’re unsure or don’t want a big bang approach. If you want all the governance and guard rails straight away, then you’ll probably end up with a fairly enterprise-level landing zone to accommodate.
To be honest the video listed here is a great way to grasp the approaches here: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/choose-landing-zone-option
As for me personally, I usually always go with a hub and spoke, so a connectivity subscription that will be the ‘hub’ housing all edge components for central ingress (your Front Doors, App Gateway, firewall, ExpressRoute, VPN, private DNS) and then a subscription for major workloads that peer back to the hub for central control.
This could either be many subscriptions if there are tons of workloads/teams. Or… just literally one that peers back to the hub if it’s a small org with a small landing zone that just doesn’t need the full enterprise-level stuff.
As for the management groups, I think there’s little harm building out many of these to accommodate growth and slot subscriptions into each relevant area as you grow, wrapped with PIM-enabled groups for access.
Hope this helps. If it has, please feel free to mark as the answer.
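
Added example, not part of the original answer: a small audit of the hub-and-spoke layout described above, flagging spoke VNets that peer with each other or lack a working two-way peering with the hub. It assumes peering data shaped like `az network vnet peering list` output (`remoteVirtualNetwork.id`, `peeringState`); the subscription names, VNet names and sample data are constructed.

```python
# Constructed sample: VNet resource IDs mapped to their peerings, shaped like
# `az network vnet peering list` output. Subscription and VNet names are made up.
def vnet(sub, name):
    return (f"/subscriptions/{sub}/resourceGroups/rg-net/providers/"
            f"Microsoft.Network/virtualNetworks/{name}")

HUB = vnet("sub-connectivity", "vnet-hub")
APP, DATA, DEV = (vnet("sub-app", "vnet-app"), vnet("sub-data", "vnet-data"),
                  vnet("sub-dev", "vnet-dev"))

def peer(remote, state="Connected"):
    return {"remoteVirtualNetwork": {"id": remote}, "peeringState": state}

SAMPLE = {
    HUB: [peer(APP), peer(DATA)],
    APP: [peer(HUB), peer(DATA)],   # spoke-to-spoke link bypasses the hub
    DATA: [peer(HUB), peer(APP)],
    DEV: [],                        # never peered back to the hub
}

def audit(peerings, hub_id):
    """Return sorted (spoke_name, finding) tuples for spokes that break hub-and-spoke."""
    hub = hub_id.lower()
    # VNets the hub itself has a connected peering to (the return direction).
    hub_remotes = {p["remoteVirtualNetwork"]["id"].lower()
                   for p in peerings.get(hub_id, []) if p["peeringState"] == "Connected"}
    findings = []
    for vnet_id, links in peerings.items():
        if vnet_id.lower() == hub:
            continue
        name = vnet_id.rsplit("/", 1)[-1]
        to_hub = False
        for p in links:
            remote = p["remoteVirtualNetwork"]["id"].lower()
            if remote != hub:
                findings.append((name, "peers directly with " + remote.rsplit("/", 1)[-1]))
            elif p["peeringState"] == "Connected":
                to_hub = True
        if not to_hub:
            findings.append((name, "no connected peering to hub"))
        elif vnet_id.lower() not in hub_remotes:
            findings.append((name, "hub has no return peering"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit(SAMPLE, HUB):
        print(f"{name}: {finding}")
```
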