The Azure Landing Zone concept, formalised in the Cloud Adoption Framework, provides an enterprise-grade starting point for Azure deployments. It is the architectural pattern that serious Azure deployments now follow.

What a landing zone is

An Azure Landing Zone is a pre-configured Azure environment with governance, networking, identity, and management tooling in place before workloads are deployed. It is the foundation: subscriptions structured by environment type and business unit, hub-and-spoke networking with centrally managed egress, Azure Policy assignments enforcing compliance requirements, Microsoft Defender for Cloud monitoring, and Azure Monitor configured for the environment.

Management group hierarchy

The management group hierarchy is how Azure Policy and RBAC assignments are applied consistently across many subscriptions. A typical hierarchy: root management group at the top, then platform and workloads management groups, then environment groups (production, non-production), then individual subscriptions. Policy assigned at the management group level applies to all subscriptions below it, without having to configure each subscription separately.

Policy as code

Azure Policy can be defined and deployed as code using Bicep or Terraform. Policy as code means governance requirements are version-controlled, reviewable, and testable. For enterprises with compliance requirements (PCI, HIPAA, SOC 2), defining the corresponding Azure Policy definitions in code and applying them through the management group hierarchy is the scalable path to a consistent compliance posture.
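
The hierarchy and policy-as-code approach described above, as an added Terraform example (not code from the Azure Landing Zone accelerator). It assumes the AzureRM provider 3.x; the group names, the policy name and the HTTPS-only storage rule are constructed for illustration.

```hcl
# Added example: all names and the policy rule are constructed for illustration.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" } # assumed version
  }
}

provider "azurerm" {
  features {}
}

# With no parent set, this group is created directly under the root group.
resource "azurerm_management_group" "workloads" {
  name         = "example-workloads"
  display_name = "Workloads"
}

# Environment group beneath workloads; subscriptions are attached to this
# group with the subscription_ids argument (omitted here).
resource "azurerm_management_group" "production" {
  name                       = "example-production"
  display_name               = "Production"
  parent_management_group_id = azurerm_management_group.workloads.id
}

# Custom definition stored at the workloads group so child scopes can use it.
resource "azurerm_policy_definition" "storage_https_only" {
  name                = "example-storage-https-only"
  policy_type         = "Custom"
  mode                = "Indexed"
  display_name        = "Storage accounts must require HTTPS"
  management_group_id = azurerm_management_group.workloads.id

  policy_rule = jsonencode({
    if = {
      allOf = [
        { field = "type", equals = "Microsoft.Storage/storageAccounts" },
        { field = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", equals = "false" }
      ]
    }
    then = { effect = "deny" }
  })
}

# One assignment at the production group applies to every subscription below it.
resource "azurerm_management_group_policy_assignment" "prod_https_only" {
  name                 = "prod-storage-https"
  management_group_id  = azurerm_management_group.production.id
  policy_definition_id = azurerm_policy_definition.storage_https_only.id
}
```

Because the definition and assignment live in version control, a change to the rule or its scope shows up in the `terraform plan` output and can be reviewed before it reaches any subscription.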

The Terraform AzureRM provider

The AzureRM Terraform provider is feature-complete for almost all Azure services. The Azure Landing Zone accelerator provides a Terraform module library for the common landing zone patterns: hub-and-spoke networking, management group hierarchy, Azure Monitor workspace, and Microsoft Defender for Cloud. Using the accelerator as a starting point reduces the time from zero to a compliant Azure environment from months to weeks.