Deploy a migration landing zone in Azure

Important

The Azure landing zones Implementation options section of the Cloud Adoption Framework is undergoing a freshness update.

As part of this update, we will be revising the table of contents and article content, which will include a combination of refactoring and consolidation of several articles. An update will be posted on this page once the work is completed.

Visit the new "Deployment options" section of the Azure Architecture Center for the latest Azure landing zone implementation content, including platform and application landing zones.

A migration landing zone is an environment that's been provisioned and prepared to host certain workloads. These workloads are being migrated from an on-premises environment into Azure.

Deploy the blueprint

Before you use the Cloud Adoption Framework Migration landing zone blueprint, review the following design principles, assumptions, decisions, and implementation guidance. Make sure that this guidance aligns with the cloud adoption plan you want. If so, you can deploy the Cloud Adoption Framework Migration landing zone blueprint using the deployment steps.

Deployment options

This implementation option deploys a minimum viable product (MVP) to start a migration. As the migration progresses, follow a modular, refactoring-based approach to mature the operating model in parallel. Use the Govern methodology and the Manage methodology to address those complex topics in parallel with the initial migration effort.

The specific resources deployed by this MVP approach are outlined in the decisions section below.

Design areas

This implementation option is an opinionated approach to the common design areas shared by all Azure landing zones. For technical details, see the assumptions and decisions.

Azure billing and Active Directory tenant

This implementation option doesn't take an inherent position on enterprise enrollment. This approach is designed to be applicable no matter what contractual agreements you have with Microsoft or Microsoft partners. Before you deploy this implementation option, it's assumed that you've created a target subscription.

Identity and access management

This implementation option assumes that the target subscription is already associated with a Microsoft Entra instance. Using this association follows the identity management best practices.

Network topology and connectivity

This implementation option creates a virtual network with subnets for a gateway, firewall, jump box, and landing zone. As a next iteration, the team would follow the networking decisions guide to implement the appropriate form of connectivity between the gateway subnet and other networks. This implementation is in alignment with network security best practices.

Resource organization

This implementation option creates a single landing zone, in which resources are organized into workloads defined by specific resource groups. Choosing this minimalist approach to resource organization defers the technical decision of resource organization. You can defer this decision until your team clearly defines the cloud operating model.

This approach is based on an assumption that the cloud adoption effort won't exceed subscription limits. This option also assumes limited architectural complexity and security requirements within this landing zone.

If this complexity changes through the course of the cloud adoption plan, you might need to refactor your resource organization using the guidance in the Govern methodology.

Security

This implementation option doesn't implement controls for the primary purpose of security. In the absence of defined security controls, you shouldn't use this landing zone for mission-critical workloads or sensitive data. It's assumed you're using this landing zone for limited production deployment. This deployment starts your learning, iteration, and development of the operating model in parallel with these early migration efforts.

To accelerate parallel development of security disciplines, review the Secure methodology. Consider deploying the Cloud Adoption Framework Foundation blueprint along with the Cloud Adoption Framework Migration landing zone blueprint.

Management

This implementation option doesn't implement management operations that can be used in production. In the absence of a defined operations baseline, you shouldn't use this landing zone for mission-critical workloads or sensitive data. It's assumed you're using this landing zone for limited production deployment. This deployment starts the learning, iteration, and development of the operating model in parallel with these early migration efforts.

To accelerate parallel development of an operations baseline, review the Manage methodology and consider deploying the Azure server management guide.

Warning

As you develop the operations baseline, you might need to refactor. You might need to move resources to a new subscription or resource group.

This implementation option doesn't have affordances for business continuity and disaster recovery (BCDR). It's assumed that the solution for protection and recovery will be addressed by the development of the operations baseline.

Governance

This implementation option doesn't implement governance tooling that can be used in production. In the absence of defined policy automation, you shouldn't use this landing zone for mission-critical workloads or sensitive data. It's assumed you're using this landing zone for limited production deployment. This deployment starts your learning, iteration, and development of the operating model in parallel with these early migration efforts.

To accelerate parallel development of governance disciplines, review the Govern methodology. Consider deploying the Cloud Adoption Framework Foundation blueprint along with the Cloud Adoption Framework Migration landing zone blueprint.

Warning

As the governance disciplines mature, refactoring might be required. You might need to move resources to a new subscription or resource group.

Platform automation and DevOps

This implementation option doesn't implement automated Azure pipelines in DevOps. In the absence of defined automation, you shouldn't use this landing zone for mission-critical workloads or sensitive data. It's assumed you're using this landing zone for limited production deployment. This deployment starts your learning, iteration, and development of the operating model in parallel with these early migration efforts.

To accelerate parallel development, review the Ready methodology. Consider deploying the Cloud Adoption Framework Foundation blueprint along with the Cloud Adoption Framework Migration landing zone blueprint.

Assumptions

This initial landing zone includes the following assumptions and constraints. If these assumptions align with your constraints, you can use the blueprint to create your first landing zone. You can also extend the blueprint to create a landing zone blueprint that meets your unique constraints.

  • Subscription limits: This adoption effort isn't expected to exceed subscription limits.
  • Compliance: No third-party compliance requirements are needed in this landing zone.
  • Architectural complexity: Architectural complexity doesn't require more production subscriptions.
  • Shared services: No existing shared services in Azure require this subscription to be treated like a spoke in a hub and spoke architecture.
  • Limited production scope: This landing zone could potentially host production workloads. It's not a suitable environment for sensitive data or mission-critical workloads.

If these assumptions align with your current adoption needs, then this blueprint might be a starting point to build your landing zone.

Decisions

The following decisions are represented in the landing zone blueprint.

| Component | Decisions | Alternative approaches |
| --- | --- | --- |
| Migration tools | Azure Site Recovery will be deployed and an Azure Migrate project will be created. | Migration tools decision guide |
| Logging and monitoring | Operational insights workspace and diagnostic storage account will be provisioned. | |
| Network | A virtual network will be created with subnets for a gateway, firewall, jump box, and landing zone. | Networking decisions |
| Identity | It's assumed that the subscription is already associated with a Microsoft Entra instance. | Identity management best practices |
| Policy | This blueprint currently assumes that no Azure policies are to be applied. | |
| Subscription design | N/A - designed for a single production subscription. | Create initial subscriptions |
| Resource groups | N/A - designed for a single production subscription. | Scale subscriptions |
| Management groups | N/A - designed for a single production subscription. | Organize and manage subscriptions |
| Data | N/A | Choose the correct SQL Server option in Azure and Azure data store guidance |
| Storage | N/A | Azure Storage guidance |
| Naming and tagging standards | N/A | Naming and tagging best practices |
| Cost management | N/A | Tracking costs |
| Compute | N/A | Compute options |

Customize or deploy a landing zone

Learn more and download a reference sample of the Cloud Adoption Framework Migration landing zone blueprint. Use this blueprint for deployment or customization from the Azure blueprint samples.

For guidance on customizations that should be made to this blueprint or the resulting landing zone, see the landing zone considerations.

Next steps

After deploying your first landing zone, you're ready to expand your landing zone.