Blog Post

Azure Architecture Blog
2 MIN READ

When to use Enterprise-Scale?

Dominik Zemp's avatar
Dominik Zemp
Icon for Microsoft rankMicrosoft
Aug 18, 2020

I introduced Enterprise-Scale in my first blog, which is part of the Cloud Adoption Framework (CAF). In this second blog I want to answer the question about when Enterprise-Scale should be adopted, compared to alternative solutions; in my own words and from my own view.

 

Azure landing zone and implementation options

On the implementation options we have a few information documented related to the question above, as follows:

When business requirements necessitate a rich initial implementation of landing zones, with fully integrated governance, security, and operations from the start, Microsoft recommends the enterprise-scale approach.

 

However, I think this does not fully address the question about the when, as from my view the following must be take into account as well:

  • The culture of the organization (centrally IT-controlled vs DevOps empowered)
  • The cloud and DevOps maturity of application teams
  • The cloud maturity of the organization’s operating model

 

Should Enterprise-Scale be used?

If an organization is very much IT-controlled, and there is a mandatory layer to enable a centralized IT team to control the entire cloud adoption, including all networking aspects, identity, security, monitoring for all applications, resource organization including subscriptions and resource groups, etc., Enterprise-Scale might not be the best implementation options for Azure landing zones. This is due to the fact that such an IT-controlled approach would not align with the Enterprise-Scale design principles.

In contrast, if an organization embraces DevOps principles and methodologies, cloud democratization, empowers application teams to implement a DevOps approach (they own an application end-to-end), Enterprise-Scale might be a very good fit. This is due to the fact that Enterprise-Scale considers a cloud-native way to build landing zones, which differs greatly from a traditional on-premises data center setup. One concrete example is the recommended approach to protect web applications and web APIs, which in an on-premises data center would be completely owned by the central IT team. In Enterprise-Scale, though, the service used to protect web applications and APIs is part of the landing zone, therefore setup in a decentralized way. But of course, configured Azure policies (guard-rails) ensure the required configuration of the protection service (Azure Application Gateway and Azure Web Application Firewall, to be precise).

 

Update 2020-11-12:

The Enterprise-Scale architecture team recently published additional guidance (considerations) to choose the best landing zone options. Please see the following diagram:

Considerations to choose the best landing zone options.

Updated Nov 12, 2020
Version 4.0