Azure Landing Zones — Enterprise Cloud Architecture
Design scalable, secure Azure environments using Landing Zones — management groups, policies, and hub-spoke networking.
“Welcome back. Today we cover Azure Landing Zones — Microsoft's prescribed architecture for deploying Azure at enterprise scale. Most organizations that rush to Azure without planning end up with subscription sprawl, inconsistent security policies, ungoverned costs, and networking that prevents workloads from communicating. Landing Zones solve this by establishing the right foundations — governance, networking, identity, and security — before workloads arrive.”
“A Landing Zone is a governed subscription ready for a workload to land in. The platform team — cloud infrastructure and governance team — builds and maintains landing zones. Application teams request a landing zone for their workload and get a subscription pre-configured with: network connectivity to the corporate hub, required security policies enforced, cost governance tags, monitoring enabled, and identity integration. App teams focus on their applications; the platform team ensures governance standards are met everywhere.”
“The Management Group hierarchy is the governance backbone. At the top, the root management group holds policies that apply everywhere — things like requiring Defender for Cloud, enforcing audit logging, restricting to compliant regions. Below that, separate management groups for platform subscriptions — where shared services live — and landing zone subscriptions for workloads. Corporate workloads that need connectivity to on-premises go in one group; public-facing internet workloads go in another. Policies applied to a management group automatically apply to all subscriptions below it.”
“The hub-spoke network topology is the standard for enterprise Azure networking. The hub VNet contains shared network services: Azure Firewall for traffic inspection, VPN Gateway or ExpressRoute for on-premises connectivity, and Azure Bastion for secure VM access without public IPs. Each workload lives in its own spoke VNet, peered to the hub. Traffic between spokes routes through the hub firewall — this east-west traffic inspection is critical for limiting the blast radius of a compromised workload.”
“The Landing Zone model separates platform subscriptions from application subscriptions. Platform subscriptions host shared services that all workloads depend on: a management subscription for centralized monitoring and security, an identity subscription for Active Directory infrastructure, and a connectivity subscription for the hub network. Application landing zones are the workload subscriptions — each team gets their own subscription with pre-wired governance. The subscription boundary provides blast radius containment, cost isolation, and permission boundaries between teams.”
“Policy-driven governance is what makes landing zones self-enforcing. Instead of relying on people following guidelines, policies enforce them automatically. Deploy-IfNotExists policies automatically add monitoring, configure backups, and enable Defender for Cloud on new resources without human intervention. Deny policies prevent the creation of resources that don't meet standards — no public storage accounts, no management ports open to the internet, no VMs without disk encryption. This shifts compliance from a quarterly audit to a continuous automated process.”
“The Cloud Adoption Framework is Microsoft's prescriptive guidance for moving organizations to Azure. It covers the entire journey: defining cloud strategy, planning the migration, building the landing zone foundation, adopting workloads, establishing governance, and managing operations. The Landing Zone Accelerator is the practical implementation — a reference Bicep or Terraform implementation that deploys a complete enterprise-scale landing zone including management groups, policies, hub networking, and monitoring in hours rather than months.”
“Landing Zones are how enterprises avoid the governance debt that accumulates when you scale Azure without proper foundations. Start right, and governance is automatic. Start wrong, and you spend years cleaning up. We continue next with Infrastructure as Code using Azure Bicep, Logic Apps, AI Foundry, and much more.”
1. Review Azure Landing Zone reference architecture
2. Create Management Group hierarchy
3. Apply Azure Policy initiatives at management group level
4. Deploy hub VNet with Azure Firewall
5. Peer spoke VNets to hub
6. Configure Azure Bastion for secure access
7. Review CAF (Cloud Adoption Framework) landing zone accelerator
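The Deny-policy governance described in the lesson and step 3 of the task list, as an added example that is not part of the course material: a Bicep template that defines a custom policy denying public blob access on storage accounts and assigns it at management-group scope, so every landing-zone subscription beneath inherits it. The management group name `contoso-landingzones`, the file name and the policy names are assumptions chosen for this example.

```bicep
// Scope: a landing-zone management group, so the assignment inherits to every
// subscription beneath it (hypothetical management group: contoso-landingzones).
// Deploy with:
//   az deployment mg create --management-group-id contoso-landingzones \
//     --location westeurope --template-file deny-public-blob.bicep
targetScope = 'managementGroup'

// Roll out as 'Audit' first to measure existing drift, then switch to 'Deny'.
@allowed(['Audit', 'Deny'])
param effect string = 'Deny'

// Custom definition: any storage account whose allowBlobPublicAccess property
// is not explicitly 'false' is non-compliant (an unset property also matches).
resource denyPublicBlob 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-storage-public-blob-access'
  properties: {
    displayName: 'Storage accounts must not allow public blob access'
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: ['Audit', 'Deny']
        defaultValue: 'Deny'
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          { field: 'Microsoft.Storage/storageAccounts/allowBlobPublicAccess', notEquals: 'false' }
        ]
      }
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}

// Assignment at the management group: owned by the platform team, so an
// application team with rights only inside its subscription cannot remove it.
resource assignPublicBlob 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-public-blob'
  properties: {
    displayName: 'Deny public blob access (landing zones)'
    policyDefinitionId: denyPublicBlob.id
    enforcementMode: 'Default'
    parameters: {
      effect: { value: effect }
    }
  }
}
```

After assignment, a request to create a storage account with `allowBlobPublicAccess: true` in any child subscription is rejected at the ARM layer, and existing accounts show up as non-compliant in the policy compliance view.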