Choose the landing zone for your organization

Important

The Azure landing zones Implementation options section of the Cloud Adoption Framework is undergoing a freshness update.

As part of this update, we will be revising the table of contents and article content, which will include a combination of refactoring and consolidation of several articles. An update will be posted on this page once the work is completed.

Visit the new "Deployment options" section of the Azure Architecture Center for the latest Azure landing zone implementation content, including platform and application landing zones.

There are different approaches to implementing landing zones in the Cloud Adoption Framework. Starting with an implementation that doesn't meet your needs can waste your time and effort. The right approach for your organization has the necessary services to support your business applications without extra overhead to manage.

Microsoft offers two implementation options for landing zones:

  • Start small and expand
  • Enterprise-scale

You might also consider third-party implementations. Our partners have many implementations available through their services. For more information, see Evaluate a Microsoft partner's Azure landing zone.

Overview of landing zone options

The following table summarizes considerations for each landing zone implementation approach.

| | Start small and expand | Enterprise-scale |
|---|---|---|
| Initial considerations | | |
| | Centralized operations | Enterprise operations |
| Baseline reference architecture | Offers a simple starting point to build your own solution with minimal subscriptions, which you scale only as needed. | Offers an entire Azure tenant reference regardless of your scale-point, which includes cloud-native operations. |
| Adoption plan considerations | | |
| Long-term self-sufficiency | Requires Cloud Adoption Framework Govern and Manage methodologies to achieve long-term self-sufficiency. | The enterprise-scale landing zone approach and architecture prepare your organization for long-term self-sufficiency. Provides reserved instances to get you started. |
| Adoption velocity across the organization | Quickly implement low-risk adoption. Build toward security governance and compliance over time. | Start with security governance and compliance to implement compliant adoption sooner. |
| Operational excellence | Requires Cloud Adoption Framework Govern and Manage methodologies to achieve operational excellence. | Implement operational excellence with autonomy for platform and application teams that is built on policy-driven governance and management. |
| Compliance considerations | | |
| Path to attain security governance and compliance | An iterative approach. Requires Govern and Manage methodologies to support sensitive data or mission-critical workloads. | Enterprise-scale architecture includes designs for governance, security segmentation, and separation of duties. Empowers teams to act within appropriate landing zones. |
| Risks while building out security governance and compliance | There's a risk of extensive refactoring or even redeployment to attain required needs. | There's a risk of enabling cloud-native operations products that might not align with your operating model. |
| Deployment considerations | | |
| Best practices from cloud provider | Add more best practices by using Cloud Adoption Framework methodologies to apply security governance and compliance. | Enterprise-scale includes Azure best practices and is the target technical state for your Azure environment. |
| Presence and proper consideration of all critical services, following recommended best practices for identity/access management, governance, security, network, and logging | Partial. Some resources are deployed. Other offerings aligned to Cloud Adoption Framework methodologies are required to apply best practices to support security governance and compliance. | Enterprise-scale architecture is the target technical state recommendation for your Azure environment that aligns with the Azure platform roadmap. |
| Automation capabilities like infrastructure as code (IaC) and Azure DevOps | Use Azure Resource Manager, Azure Policy, and Azure Blueprints to create your own continuous integration and continuous delivery (CI/CD) pipeline. | You can use Azure Resource Manager, Azure Policy, and GitHub/Azure DevOps. CI/CD pipeline options are included in the reference implementation guidance. |
| Timeline considerations | | |
| Timeline to adopt or migrate a low-risk workload | 3 to 10 days | 3 to 10 days |
| Timeline to achieve security governance and compliance requirements for all workloads | Four to six months | Six to eight weeks |

Initial considerations

Which operating model better describes your organization? Be aware of both how your organization is now and what you expect and want it to be in three months to a year and beyond.

  • Centralized operations: In this small environment, centralized teams for IT operations, security, and other roles manage production and workloads.

  • Enterprise operations: In this typically larger or industry-specialized environment, enterprise operations have a stable, steady state that's managed centrally.

Centralized operations favor a start small and expand approach. Enterprise operations favor an enterprise-scale approach.

Do you need a baseline architecture or environment? The start small and expand approach offers a simple starting point where you can build your own solution. The enterprise-scale approach provides an environment for the entire Azure tenant, which includes cloud-native operations.

For more information about operations types, learn how to Compare common cloud operating models.

Adoption plan considerations

The following considerations are key to your adoption plan for either approach:

  • Long-term self-sufficiency
  • Adoption velocity across your organization
  • Operational excellence

Enterprise-scale immediately provides long-term self-sufficiency and operational excellence. It lays out a foundation with guardrails around security, identity, and network, and helps accelerate compliance adoption across your organization. The enterprise-scale approach also includes CI/CD pipeline options for DevOps and automation.

If you start small and expand, there are ways to achieve self-sufficiency, adoption velocity, and operational excellence. Use the Govern and Manage methodologies of the Cloud Adoption Framework to iteratively build those pieces into the landing zone solution. Use the eight design areas in the Cloud Adoption Framework enterprise-scale design guidelines to iteratively improve your design.

To better understand operational excellence, learn how to Deliver operational excellence during digital transformation.

Compliance considerations

Consider the following issues around compliance for your organization:

  • Path to reach security governance and compliance
  • Risks while building out security governance and compliance

Your organization might need a particular workload or application that needs to be compliant in a short amount of time. This requirement can affect your choice.

Start small and expand architecture takes an iterative approach to compliance. Use the Cloud Adoption Framework Govern and Manage methodologies to support sensitive data or critical workloads. For more information, review the Govern methodology for the cloud and IT management and operations in the cloud.

Enterprise-scale architecture includes designs for segmentation and separation to support compliance goals and a service enablement framework. These designs determine how you can achieve appropriate levels of governance, security, and compliance.

If possible, identify low-risk workloads to implement first. This strategy helps you build infrastructure and skills over time. You can add the Govern and Manage methodologies as you gain understanding of how the cloud works.

Deployment considerations

Deploying your landing zone or landing zones raises several considerations for choosing an implementation:

  • Best practices from cloud provider

  • Presence and proper consideration of all critical services, following recommended best practices for identity/access management, governance, security, network, and logging

  • Automation capabilities like IaC and Azure DevOps

Both implementations offer best practices. Start small and expand lets you add best practices using Cloud Adoption Framework methodologies to apply security governance and compliance. It comes with some resources deployed. Enterprise-scale comes with all critical services configured.

For more information about best practices, review the Best practices for Azure readiness.

Both methodologies offer automation capabilities:

  • Start small and expand: ARM templates, Azure Policy, and Azure Blueprints are included. You can create your own CI/CD pipeline.
  • Enterprise-scale: ARM templates, Azure Policy, GitHub/Azure DevOps, and CI/CD pipeline options are included.

The start small and expand approach uses ARM templates, Azure Policy, and Azure Blueprints.

The enterprise-scale approach uses ARM templates and Azure Policy, and offers three reference implementations and different deployments.

Whether you implement the start small and expand or enterprise-scale approach, you can use templates and a portal-based experience. You can include IaC later in the process. Explore this IaC overview for more information.

Timeline considerations

Landing zone options take different amounts of time to implement. There are two types of timelines:

  • Timeline to adopt or migrate a low-risk workload
  • Timeline to reach security governance and compliance requirements for all workloads

With a start-small-and-expand approach, you can get a low-risk workload up and running in 3 to 10 days. For a workload with high security governance and compliance requirements, it can take four to six months.

For an enterprise-scale implementation, you can also adopt a low-risk workload in 3 to 10 days. Adopting a more elaborate workload can take six to eight weeks.
