Overview of the Sovereign Landing Zone
The Sovereign Landing Zone (SLZ) is a variant of the enterprise scale Azure Landing Zone intended for organizations that need advanced sovereign controls. The SLZ helps these organizations meet their regulatory compliance requirements through Azure-native Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) capabilities. Using a configurable landing zone empowers organizations with tools to address their sovereignty needs by enforcing resources to be compliant with policies created in Azure Policy.
Why use the Sovereign Landing Zone?
Data can only remain sovereign when the owner has exclusive control over it. In Azure, exclusive control means:
- Being the only entity that can grant the permissions necessary for users and workloads to access and process the data.
- Approving the regions that workloads can be deployed into.
Technical controls to protect against unauthorized data access are necessary at all levels. Therefore, granting access to cloud and managed service provider operators should also be explicit.
The SLZ provides an opinionated architecture that enables an organization to meet its sovereignty needs while being configured through a single configuration file and deployable in full by a single script. Your organization can meet its sovereignty needs by performing the following tasks:
- Aligning to the Cloud Adoption Framework to simplify adoption.
- Incorporating the technical guardrails provided by the policy portfolio, including the Sovereignty Baseline policy initiatives.
- Enabling policy configurations that let organizations address their data sovereignty needs.
- Streamlining the use of Azure Confidential Computing services.
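The following Bicep file is an added example, not code from the SLZ repository, of the kind of Policy-as-Code guardrail described above: a custom Azure Policy definition that denies deployments outside an approved list of regions, assigned at management-group scope so it applies to every subscription beneath it. The definition and assignment names, and the region list, are placeholders.

```bicep
// Added example, not code from the SLZ repository: a custom Azure Policy
// definition that denies deployments outside an approved region list, assigned
// at management-group scope. Names and the region list are placeholders.
targetScope = 'managementGroup'
@description('Regions approved for workload deployment (placeholder values).')
param allowedLocations array = [
  'westeurope'
  'northeurope'
]

// Policy-as-Code guardrail: evaluated on every create/update of an indexed resource.
resource allowedRegionsDefinition 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'slz-allowed-regions'
  properties: {
    displayName: 'Deny resources outside approved regions'
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: {
      listOfAllowedLocations: {
        type: 'Array'
        metadata: { displayName: 'Allowed locations', strongType: 'location' }
      }
    }
    policyRule: {
      if: {
        allOf: [
          // Region is not on the approved list ...
          { field: 'location', notIn: '[parameters(\'listOfAllowedLocations\')]' }
          // ... and it is not a 'global' resource, which has no region to approve.
          { field: 'location', notEquals: 'global' }
        ]
      }
      then: { effect: 'deny' }
    }
  }
}

// Assignment with enforcement on: non-compliant requests are rejected, not just reported.
resource allowedRegionsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'slz-allowed-regions'
  properties: {
    displayName: 'SLZ example: approved regions only'
    policyDefinitionId: allowedRegionsDefinition.id
    enforcementMode: 'Default'
    parameters: {
      listOfAllowedLocations: { value: allowedLocations }
    }
  }
}
```

Deploy it with `az deployment mg create --management-group-id <your-mg-id> --location <region> --template-file <file>.bicep`; after assignment, compliance state for existing resources appears in Azure Policy, while new deployments to unapproved regions fail at request time.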
For more information on how to deploy and configure the SLZ, see the Sovereign Landing Zone documentation on GitHub.
Should I deploy the Sovereign Landing Zone with Bicep or Terraform?
The Bicep-based deployment of Sovereign Landing Zone (SLZ) is generally available and it's a variant of the Azure Landing Zone (ALZ) Bicep repository. The Bicep implementation for the SLZ is available on GitHub.
The Terraform-based deployment of the SLZ is in Public Preview and is based off the Azure Verified Modules. The Terraform implementation for the SLZ is available on GitHub.
The Terraform-based deployment of the SLZ might not be as feature-complete as the Bicep-based version until it becomes generally available. However, organizations can use the deployment language that best suits their skill set.
When to use Sovereign Landing Zone instead of Azure Landing Zone?
The Sovereign Landing Zone is a variant of the Azure Landing Zone (ALZ), meaning it includes additional Landing Zone Management Groups and Policy Assignments. For more information, see the guidance Tailor the Azure landing zone architecture to meet requirements.
The SLZ uses the same code base as ALZ and comes with:
- Additional orchestration and deployment automation capabilities
- An opinionated landing zone design for data sovereignty and confidential computing requirements
- Additional Azure Policy Initiatives and Policy assignments to help meet sovereignty requirements for public sector customers, partners, and independent software vendors (ISVs).
A common question related to SLZ is when an organization should use one landing zone over the other. Both the ALZ and SLZ teams recommend the following guidance:
Use ALZ when you prioritize:
- Default option for most customers across various industries that can be built upon
- Detailed configuration and customization options over the entire environment
- Multiple deployment options such as through the Portal
Use SLZ when you prioritize:
- Public sector customers focused on digital sovereignty requirements
- Streamlined data governance capabilities enforced by policy and Azure Confidential Computing
- Simplified deployment experience when using region-specific policy initiatives
- Deployment of workload templates to promote sovereign migration efforts