Deploy and configure a Sovereign Landing Zone
You need to complete several prerequisite steps before deploying and configuring the Sovereign Landing Zone (SLZ).
The SLZ deploys and configures Azure resources in a manner that aligns with the enterprise-scale landing zone best practices of the Cloud Adoption Framework (CAF), and it provides guardrails that an organization can configure to meet its data sovereignty requirements.
This article covers deployment with Bicep. For a detailed overview of an SLZ and all of its capabilities, see the Sovereign Landing Zone (Bicep) documentation on GitHub.
To complete the deployment, perform the following steps:
Ensure that your local environment has the following versions installed (or newer):
- PowerShell 7.0
- Azure CLI 2.51.0
- Azure PowerShell (Az module) 10.0.0
- Azure Bicep 0.20.0
Ensure that you have access to a Microsoft Entra ID identity with the following permissions in Azure:
- Create subscriptions (or use existing ones)
- Owner role on those subscriptions
- Create service principals
- Create policy set definitions and assignments
Check out a local copy of the Sovereign Landing Zone.
Validate that your local runtime environment and Azure permissions meet the prerequisites by running the Confirm-SovereignLandingZonePrerequisites.ps1 script.
Update the parameter file in your local copy of the SLZ repository. At a minimum, an SLZ deployment needs the following parameters:
- Unique, human-readable names for the SLZ
- The deployment location and the approved locations for workloads
- Billing information for the newly created or existing subscriptions
(Optional) Add custom policy definitions as needed for compliance.
Run all steps of the New-SovereignLandingZone.ps1 deployment script. The initial deployment can take upwards of an hour. Verify that the deployment finished by opening the compliance dashboard link displayed at the end of the deployment output.
Use the following SLZ configuration parameters to configure the Sovereignty Baseline policy initiatives:
parAllowedLocations: Configures the location restriction policies for all resources deployed by the SLZ outside of the confidential management group scopes.
parAllowedLocationsForConfidentialComputing: Configures the location restriction policies for resources deployed within the confidential management group scopes. This list can be the same as parAllowedLocations, but it might need to differ if Azure Confidential Computing isn't available in your preferred region.
parPolicyEffect: Toggles the baseline between a deny effect, which is recommended for production workloads, and an audit effect. Audit only reports non-compliant resources; it does not prevent them from being created.
Any preview initiative in the policy portfolio must have its definition deployed before it can be used in an SLZ deployment. See the policy portfolio article for details on deploying these definitions. The same steps can be used to deploy the definitions to any existing landing zone.
Use the following configuration parameters for configuring these policy initiatives:
parCustomerPolicySets: Specifies a list of policy set definitions to assign at the top-level management group scope of an SLZ deployment.
parDeployAlzDefaultPolicies: Enables deployment of the Azure Landing Zone (ALZ) default policies at the relevant scopes within an SLZ deployment.
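The following PowerShell script is an added example, not code from the SLZ repository or from the New-SovereignLandingZone.ps1 script. It assembles a parameter file that sets the sovereignty parameters described above and then checks the guardrail values before you start the deployment: the allowed-location lists must not be empty, the deployment location must itself be an allowed location (otherwise the SLZ's own resources would fall outside the restriction it enforces), and a production deployment must use the deny effect. The parameter names parAllowedLocations, parAllowedLocationsForConfidentialComputing, parPolicyEffect, parCustomerPolicySets and parDeployAlzDefaultPolicies come from this page; parDeploymentPrefix, parDeploymentLocation and parSubscriptionBillingScope, the file name and the region values are assumptions used for illustration.

```powershell
# Added example: build an SLZ parameter file and check its sovereignty guardrails.
# Parameter names other than those documented on this page are assumptions.
$parameterFilePath = '.\sovereignLandingZone.parameters.json'   # assumed file name

$slzParameters = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = [ordered]@{
        parDeploymentPrefix                         = @{ value = 'contoso' }                       # assumed name
        parDeploymentLocation                       = @{ value = 'swedencentral' }                 # assumed name
        parSubscriptionBillingScope                 = @{ value = '<billing-scope-resource-id>' }   # assumed name, placeholder value
        parAllowedLocations                         = @{ value = @('swedencentral', 'norwayeast') }
        parAllowedLocationsForConfidentialComputing = @{ value = @('northeurope') }
        parPolicyEffect                             = @{ value = 'Deny' }
        parDeployAlzDefaultPolicies                 = @{ value = $true }
        parCustomerPolicySets                       = @{ value = @() }
    }
}

# -Depth is required; the default depth would flatten the nested location arrays to strings.
$slzParameters | ConvertTo-Json -Depth 10 | Set-Content -Path $parameterFilePath -Encoding utf8

function Test-SlzGuardrails {
    <#
    .SYNOPSIS
        Returns a list of guardrail problems found in an SLZ parameter file.
        An empty list means the file is safe to hand to New-SovereignLandingZone.ps1.
    #>
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Production
    )

    $p = (Get-Content -Path $Path -Raw | ConvertFrom-Json).parameters
    $problems = @()

    $allowed      = @($p.parAllowedLocations.value)
    $confidential = @($p.parAllowedLocationsForConfidentialComputing.value)
    $deployLoc    = $p.parDeploymentLocation.value   # assumed parameter name
    $effect       = $p.parPolicyEffect.value

    if ($allowed.Count -eq 0) {
        $problems += 'parAllowedLocations is empty: no location restriction would be enforced.'
    }
    if ($confidential.Count -eq 0) {
        $problems += 'parAllowedLocationsForConfidentialComputing is empty: confidential scopes would be unrestricted.'
    }
    # Resources the SLZ deploys in the deployment location are subject to parAllowedLocations.
    if ($deployLoc -and ($allowed -notcontains $deployLoc)) {
        $problems += "Deployment location '$deployLoc' is not in parAllowedLocations; platform resources would be non-compliant."
    }
    if ($Production -and $effect -ne 'Deny') {
        $problems += "parPolicyEffect is '$effect'; production deployments should use 'Deny' so non-compliant resources are blocked, not just reported."
    }
    if ($p.parCustomerPolicySets.value.Count -gt 0) {
        $problems += 'parCustomerPolicySets is set: confirm each referenced policy set definition is deployed before running the SLZ deployment.'
    }

    return $problems
}

$findings = Test-SlzGuardrails -Path $parameterFilePath -Production
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    throw 'Fix the guardrail findings above before running New-SovereignLandingZone.ps1.'
}
Write-Host "Guardrail checks passed for $parameterFilePath"
```

Run the script from the root of your local SLZ checkout before step 7 of the procedure above. If you switch parPolicyEffect to Audit for a non-production trial, omit -Production; the check then only flags structural problems such as an empty location list.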
After an SLZ has been deployed, you can provision platform or application landing zones through the following steps:
Check out a local copy of the ALZ Landing Zone Vending.
Use the existing SLZ deployment logs to find the management groups, locations, resource IDs and other values needed to configure the vending module.
Update the main.bicep file with the appropriate parameters and deploy it.