A Landing Zone is the foundational Azure environment upon which workloads are deployed. Getting the landing zone right (subscriptions, management groups, networking, identity, and governance) avoids expensive architectural remediation later.
The management group hierarchy
The Azure management group hierarchy (tenant root > management groups > subscriptions) provides the scope for governance policies and RBAC. The Enterprise-Scale architecture (Microsoft's reference landing zone) defines: a management group for platform subscriptions (connectivity, identity, management), a management group for landing zone subscriptions (corp-connected, online), and a management group for sandbox subscriptions. Policies assigned at management group level cascade to all subscriptions below.
Hub-and-spoke networking
The hub-and-spoke network topology places shared services (ExpressRoute/VPN gateway, Azure Firewall, bastion host, DNS resolver) in a central hub VNet. Spoke VNets (one per application or environment) peer to the hub. All internet egress routes through the hub's Azure Firewall for centralised inspection and logging. All on-premises connectivity routes through the hub's gateway. The topology provides centralised security control without all workloads sharing a single VNet.
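The topology above expressed in Terraform, as an added example that is not from the original page: a hub VNet holding Azure Firewall, one spoke VNet peered to it, and a user-defined default route on the spoke subnet that sends all internet-bound traffic to the firewall's private IP. Assumptions: the azurerm provider, a single region, and placeholder names and address spaces; both VNets are put in one resource group and subscription for brevity, whereas in a real landing zone the spoke sits in its own landing-zone subscription and the gateway options on the peerings are enabled once the hub gateway exists.

```hcl
# Added example; names, region and address spaces are placeholders, and hub and
# spoke share one resource group/subscription only to keep the example short.
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "net" {
  name     = "rg-connectivity"
  location = "westeurope"
}

# Hub: shared services only. AzureFirewallSubnet is the name Azure Firewall requires.
resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub"
  resource_group_name = azurerm_resource_group.net.name
  location            = azurerm_resource_group.net.location
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.net.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.0.0/26"]
}

resource "azurerm_public_ip" "firewall" {
  name                = "pip-fw-hub"
  resource_group_name = azurerm_resource_group.net.name
  location            = azurerm_resource_group.net.location
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_firewall" "hub" {
  name                = "fw-hub"
  resource_group_name = azurerm_resource_group.net.name
  location            = azurerm_resource_group.net.location
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"
  ip_configuration {
    name                 = "fw-ipconfig"
    subnet_id            = azurerm_subnet.firewall.id
    public_ip_address_id = azurerm_public_ip.firewall.id
  }
}

# Spoke: one per application, with an address space that does not overlap the hub.
resource "azurerm_virtual_network" "spoke" {
  name                = "vnet-spoke-app1"
  resource_group_name = azurerm_resource_group.net.name
  location            = azurerm_resource_group.net.location
  address_space       = ["10.1.0.0/16"]
}

resource "azurerm_subnet" "spoke_workload" {
  name                 = "snet-workload"
  resource_group_name  = azurerm_resource_group.net.name
  virtual_network_name = azurerm_virtual_network.spoke.name
  address_prefixes     = ["10.1.0.0/24"]
}

# Peering is not transitive: spokes reach each other and on-premises only via the
# hub. allow_forwarded_traffic admits packets the firewall forwards on behalf of others.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                      = "hub-to-spoke-app1"
  resource_group_name       = azurerm_resource_group.net.name
  virtual_network_name      = azurerm_virtual_network.hub.name
  remote_virtual_network_id = azurerm_virtual_network.spoke.id
  allow_forwarded_traffic   = true
}

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "spoke-app1-to-hub"
  resource_group_name       = azurerm_resource_group.net.name
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = azurerm_virtual_network.hub.id
  allow_forwarded_traffic   = true
}

# A user-defined 0.0.0.0/0 route overrides the system Internet route, so every
# packet leaving the spoke for the internet is subject to the firewall's rules and logs.
resource "azurerm_route_table" "spoke" {
  name                = "rt-spoke-app1"
  resource_group_name = azurerm_resource_group.net.name
  location            = azurerm_resource_group.net.location
  route {
    name                   = "default-via-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = azurerm_firewall.hub.ip_configuration[0].private_ip_address
  }
}

resource "azurerm_subnet_route_table_association" "spoke_workload" {
  subnet_id      = azurerm_subnet.spoke_workload.id
  route_table_id = azurerm_route_table.spoke.id
}
```

The check worth running after `terraform apply` is the effective route table of a spoke NIC: the 0.0.0.0/0 entry must show next hop type VirtualAppliance with the firewall's private IP, and the system Internet route must show as invalidated. If it does not, the subnet is not associated with the route table and egress is bypassing inspection.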
Subscription design
Subscriptions are the isolation and billing boundary in Azure. The enterprise pattern: separate subscriptions by environment (production, non-production), by application criticality (platform, business application), and by compliance requirements (data sovereignty, regulatory isolation). Each subscription has its own resource groups, RBAC assignments, and cost reporting. The governance overhead of many subscriptions is managed by the management group hierarchy and Azure Policy at scale.
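The management group hierarchy from the section above, together with the subscription placement just described, as an added Terraform example that is not from the original page. It builds a subset of the Enterprise-Scale tree (an intermediate root, Platform, Landing Zones with a Corp child, and Sandbox), places placeholder subscriptions under each, and assigns one built-in policy at the Landing Zones level so that the cascade described above can be seen: it reaches Corp and its production and non-production subscriptions, but not Platform or Sandbox. Assumptions: the azurerm provider, the management group names, the subscription IDs (placeholders), and the two allowed regions are all illustrative choices.

```hcl
# Added example; management group names, subscription IDs and regions are placeholders.
provider "azurerm" {
  features {}
}

locals {
  # Placeholder subscription IDs; in practice these come from variables or outputs.
  subscriptions = {
    connectivity = "00000000-0000-0000-0000-000000000001"
    identity     = "00000000-0000-0000-0000-000000000002"
    management   = "00000000-0000-0000-0000-000000000003"
    app1_prod    = "00000000-0000-0000-0000-000000000011"
    app1_nonprod = "00000000-0000-0000-0000-000000000012"
    sandbox_dev  = "00000000-0000-0000-0000-000000000021"
  }
}

# Intermediate root directly under the tenant root, so nothing is assigned at the
# tenant root itself.
resource "azurerm_management_group" "org" {
  name         = "contoso"
  display_name = "Contoso"
}

# Platform subscriptions: connectivity (the hub), identity and management.
resource "azurerm_management_group" "platform" {
  name                       = "contoso-platform"
  display_name               = "Platform"
  parent_management_group_id = azurerm_management_group.org.id
  subscription_ids = [
    local.subscriptions.connectivity,
    local.subscriptions.identity,
    local.subscriptions.management,
  ]
}

resource "azurerm_management_group" "landing_zones" {
  name                       = "contoso-landingzones"
  display_name               = "Landing Zones"
  parent_management_group_id = azurerm_management_group.org.id
}

# Corp-connected workloads, split into production and non-production subscriptions.
resource "azurerm_management_group" "corp" {
  name                       = "contoso-corp"
  display_name               = "Corp"
  parent_management_group_id = azurerm_management_group.landing_zones.id
  subscription_ids = [
    local.subscriptions.app1_prod,
    local.subscriptions.app1_nonprod,
  ]
}

resource "azurerm_management_group" "sandbox" {
  name                       = "contoso-sandbox"
  display_name               = "Sandbox"
  parent_management_group_id = azurerm_management_group.org.id
  subscription_ids           = [local.subscriptions.sandbox_dev]
}

# Look up the built-in "Allowed locations" policy by display name instead of
# hard-coding its definition ID.
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

# Assigned at Landing Zones: it cascades to Corp and to every subscription under
# it, and cannot be removed by a subscription owner; Platform and Sandbox are unaffected.
resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations"
  management_group_id  = azurerm_management_group.landing_zones.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  parameters = jsonencode({
    listOfAllowedLocations = { value = ["westeurope", "northeurope"] }
  })
}
```

Moving a subscription between management groups changes which policies and role assignments apply to it, so the move itself is a governance event: alert on the management group move operation in the activity log the same way as on a policy assignment being deleted.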
Identity baseline
The identity baseline for a landing zone: Azure AD tenant configured with Conditional Access policies (MFA for all users, compliant device for privileged access), Privileged Identity Management for just-in-time privileged role activation, Azure AD Identity Protection for risky sign-in detection, and break-glass accounts (emergency access accounts with permanent Global Admin, stored offline, monitored for use). The identity baseline must be in place before workloads are deployed.
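Two of the Conditional Access policies named above, as an added Terraform example that is not from the original page: MFA for all users, and MFA plus a compliant device for holders of a privileged role. Both exclude the break-glass accounts, which is what lets them stay usable during an MFA or device-compliance outage and is why their sign-ins must be monitored. Assumptions: the azuread provider, placeholder object IDs for the break-glass accounts, Global Administrator as the example privileged role, and report-only state at first; Privileged Identity Management and Identity Protection are configured separately and are not shown here.

```hcl
# Added example; break-glass object IDs are placeholders, and both policies start in
# report-only state so their effect can be reviewed in sign-in logs before enforcing.
provider "azuread" {}

variable "breakglass_object_ids" {
  description = "Object IDs of the emergency access accounts (placeholders)."
  type        = list(string)
  default     = ["00000000-0000-0000-0000-00000000beef"]
}

# Resolve the role template ID by display name rather than hard-coding the GUID.
data "azuread_directory_role" "global_admin" {
  display_name = "Global Administrator"
}

# 1. MFA for every user and every application. The break-glass accounts are
#    excluded so that an MFA outage cannot lock the tenant out; their use is
#    detected by alerting rather than prevented by policy.
resource "azuread_conditional_access_policy" "mfa_all_users" {
  display_name = "CA001 - Require MFA for all users"
  state        = "enabledForReportingButNotEnforced" # switch to "enabled" after review

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_users = ["All"]
      excluded_users = var.breakglass_object_ids
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }
}

# 2. Privileged roles need MFA AND a compliant device: operator "AND" makes both
#    controls mandatory instead of either one satisfying the policy.
resource "azuread_conditional_access_policy" "privileged_compliant_device" {
  display_name = "CA002 - Privileged roles require compliant device"
  state        = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["all"]

    applications {
      included_applications = ["All"]
    }

    users {
      included_roles = [data.azuread_directory_role.global_admin.template_id]
      excluded_users = var.breakglass_object_ids
    }
  }

  grant_controls {
    operator          = "AND"
    built_in_controls = ["mfa", "compliantDevice"]
  }
}
```

The exclusion list is the part to review most carefully: every account on it bypasses the baseline, so it should contain only the emergency access accounts, and any sign-in by one of them should raise an alert regardless of outcome.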