Blog Post

Azure Tools Blog

Announcing General Availability of Terraform Azure Verified Modules for Platform Landing Zone (ALZ)

jaredfholgate (Microsoft)
Jan 22, 2025

Today we are announcing the general availability of Terraform Azure Verified Modules for Platform Landing Zone (ALZ). This post covers what the modules are and the accompanying updates to the ALZ IaC Accelerator.

Azure Verified Modules

ALZ ❤️ AVM. We are moving to a more modular approach to deploying your platform landing zones. In line with consistent feedback from you, we have released a set of modules that together deploy your platform landing zone architecture (ALZ).

Azure Verified Modules for Platform Landing Zones (ALZ) is a collection of Azure Verified Modules that are composed together to create your Platform Landing Zone. It replaces the existing CAF Enterprise Scale module that you may already be familiar with.

The core Azure Verified Modules that are composed together are:

This means you can now choose your own adventure by selecting only the modules you need. It also lets us add new features faster and gives us the opportunity to test each module more rigorously.

To improve deployment reliability, we now use our own Terraform provider. The provider generates data for use by the module; it does not deploy any resources itself. Moving this logic into a provider allows us to add many more features and pre-deployment checks.

ALZ IaC Accelerator updates for Terraform

The Azure Landing Zones IaC Accelerator is our recommended approach for deploying the Terraform Azure Verified Modules for Platform Landing Zone (ALZ). 

The Azure Verified Modules for Platform Landing Zone is now our default selection for the Terraform ALZ IaC Accelerator. This module will be the focus of our development and improvement efforts moving forward.

The module implements best practices by default, including multi-region deployment and availability zones for resiliency. The ALZ IaC Accelerator bootstrap continues to implement best practices such as version control and workload identity federation, so the deployment pipeline authenticates to Azure with short-lived federated tokens rather than stored client secrets.
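To make the workload identity federation point concrete, the following is an added example and not code from the ALZ IaC Accelerator. It models the trust check Entra ID performs when a pipeline presents an OIDC token for a federated identity credential: issuer, subject and audience must match exactly, and the token must be unexpired. The credential names, repository name and token claims are constructed for illustration; the GitHub issuer URL, the `api://AzureADTokenExchange` audience and the GitHub subject formats are the standard values.

```python
# Added example: a model of the trust check behind workload identity
# federation (WIF). It is NOT the ALZ accelerator's code; the credential
# names and the sample token claims below are constructed for illustration.
import time
from dataclasses import dataclass
from typing import Optional

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
# Audience Entra ID expects on a federated token exchange.
ENTRA_AUDIENCE = "api://AzureADTokenExchange"


@dataclass(frozen=True)
class FederatedCredential:
    """One federated identity credential on an app registration or UAMI."""
    name: str
    issuer: str
    subject: str
    audiences: tuple = (ENTRA_AUDIENCE,)


def github_subject(repo: str, *, branch: Optional[str] = None,
                   environment: Optional[str] = None) -> str:
    """Build the 'sub' claim GitHub Actions puts in its OIDC token.

    A token minted for a branch and one minted for an environment carry
    different subjects, so the trust must name the exact context.
    """
    if (branch is None) == (environment is None):
        raise ValueError("give exactly one of branch or environment")
    if branch is not None:
        return f"repo:{repo}:ref:refs/heads/{branch}"
    return f"repo:{repo}:environment:{environment}"


def matches(cred: FederatedCredential, claims: dict, now: Optional[float] = None):
    """Return (ok, reason). Mirrors the exact-match rule Entra applies:
    issuer, subject and an acceptable audience must all line up, and the
    token must not be expired. No wildcards, no prefix matching."""
    now = time.time() if now is None else now
    if claims.get("iss") != cred.issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if not any(a in cred.audiences for a in aud):
        return False, "audience mismatch"
    if claims.get("sub") != cred.subject:
        return False, "subject mismatch"
    exp = claims.get("exp")
    if exp is None or exp <= now:
        return False, "token expired or missing exp"
    return True, "ok"


def first_match(creds, claims, now=None):
    """Name of the first credential that trusts this token, or None."""
    for cred in creds:
        ok, _ = matches(cred, claims, now)
        if ok:
            return cred.name
    return None


# Constructed trust: only the main branch (plan) and the 'prod'
# environment (apply) of the platform repo may obtain a token.
PLATFORM_CREDS = (
    FederatedCredential(
        name="alz-plan-main",
        issuer=GITHUB_ISSUER,
        subject=github_subject("contoso/alz-platform", branch="main"),
    ),
    FederatedCredential(
        name="alz-apply-prod",
        issuer=GITHUB_ISSUER,
        subject=github_subject("contoso/alz-platform", environment="prod"),
    ),
)

NOW = 1_737_504_000  # fixed clock (constructed) so the example is deterministic


def sample_token(sub: str, *, iss=GITHUB_ISSUER, aud=ENTRA_AUDIENCE, exp=NOW + 300):
    """Constructed OIDC claims; a real token would be a signed JWT."""
    return {"iss": iss, "aud": aud, "sub": sub, "exp": exp}


if __name__ == "__main__":
    for label, tok in [
        ("main branch", sample_token(github_subject("contoso/alz-platform", branch="main"))),
        ("feature branch", sample_token(github_subject("contoso/alz-platform", branch="feature/x"))),
        ("fork pull request", sample_token("repo:contoso/alz-platform:pull_request")),
        ("other repo", sample_token(github_subject("contoso/alz-app", branch="main"))),
    ]:
        print(f"{label:20} -> {first_match(PLATFORM_CREDS, tok, NOW)}")
```

The practical check this illustrates: a token from a feature branch, a pull request from a fork, or another repository in the same organisation carries a different subject and is refused, so the blast radius of the pipeline identity is bounded by the exact subjects you register. When reviewing an accelerator bootstrap, confirm that each federated credential's subject names a specific branch or environment rather than something broader.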

Along with supporting the Azure Verified Modules for Platform Landing Zone (ALZ) approach, we have also made many enhancements to the ALZ IaC Accelerator process. The improvements include:

  • We now support an HCL (HashiCorp Configuration Language) tfvars file as the platform landing zone configuration file format
  • We have introduced a Phase 0 to help you plan for your ALZ IaC Accelerator deployment
  • We have introduced the concepts of Scenarios and Options to simplify the decisions you need to make

Platform landing zone configuration file

Before the introduction of the Azure Verified Modules for Platform Landing Zone (ALZ) starter module, the platform landing zone configuration file was supplied in YAML format. Because Terraform cannot read YAML natively, we then had to convert it to JSON. Once converted to JSON, the configuration file lost all of its ordering, formatting and comments, which made day 2 updates to the configuration very cumbersome.

With support for the tfvars file (in HashiCorp Configuration Language format), we can now commit the configuration file to the version control system repository in its original form. This makes for a much easier day 2 update process, as the file retains the ordering, comments and formatting you defined.

Phase 0

Phase 0 is a new planning phase we have added to the documentation. This phase takes you through 3 sets of decisions you need to make about the ALZ IaC Accelerator deployment:

  1. Bootstrap decisions
  2. Platform Landing Zone Scenarios
  3. Platform Landing Zone Options

To assist with this, we also provide a downloadable Excel checklist, which lists all the decisions so you can consider them up front before making any configuration file updates.

Phase 0 guides you through this process and provides explanations of the decisions.

The Bootstrap decisions relate to the resources deployed to Azure and the configuration of your Version Control System required for the Continuous Delivery pipeline. These decisions are not new to the ALZ IaC Accelerator, but we now provide more structured guidance.

Platform Landing Zone Scenarios

Scenarios are a new concept introduced for the Azure Verified Modules for Platform Landing Zone (ALZ) starter module. They aim to cover the most common Platform landing zone use cases that partners and customers request for the ALZ IaC Accelerator. These include:

  1. Multi-Region Hub and Spoke Virtual Network with Azure Firewall
  2. Multi-Region Virtual WAN with Azure Firewall
  3. Multi-Region Hub and Spoke Virtual Network with Network Virtual Appliance (NVA)
  4. Multi-Region Virtual WAN with Network Virtual Appliance (NVA)
  5. Management Groups, Policy and Management Resources Only
  6. Single-Region Hub and Spoke Virtual Network with Azure Firewall
  7. Single-Region Virtual WAN with Azure Firewall

For each scenario we provide an example Platform landing zone configuration file that is ready to deploy immediately. We know that customers will want to modify some of the settings and that is where Options come in.

NOTE: At the time this blog post was published, we support the 7 Scenarios listed above. We may update or add to these Scenarios based on feedback we hear from you, so keep an eye on our documentation.

Platform Landing Zone Options

Options build on the Scenarios. For each Scenario, you can choose to customise it with one or more Options. Each Option includes detailed instructions on how to update the Platform landing zone configuration file, or introduce library files, to implement that option.

The Options are:

  1. Customise Resource Names
  2. Customize Management Group Names and IDs
  3. Turn off DDOS protection plan
  4. Turn off Bastion host
  5. Turn off Private DNS zones and Private DNS resolver
  6. Turn off Virtual Network Gateways
  7. Additional Regions
  8. IP Address Ranges
  9. Change a policy assignment enforcement mode
  10. Remove a policy assignment
  11. Turn off Azure Monitoring Agent
  12. Deploy Azure Monitoring Baseline Alerts (AMBA)
  13. Turn off Defender Plans
  14. Implement Zero Trust Networking

NOTE: At the time this blog post was published, we support the 14 Options listed above. We may update or add to these Options based on feedback we hear from you, so keep an eye on our documentation.

Azure Landing Zones Library

Another new offering is the Azure Landing Zones Library. This is an evolution of the library concept in the caf-enterprise-scale module.

Principally, the Library allows us to decouple the update cycle of the ALZ architecture from that of the module and provider: we are separating the data from the deployment logic. This allows you to update the module to take advantage of a bug fix without changing the policies that are deployed, something that was not easily possible before. Conversely, you can update to the latest Azure Landing Zones policy refresh without updating the module itself.

The Library has its own documentation site, which introduces the concepts. We plan to make the library the single source of truth for all Azure Landing Zones implementation options (e.g. Portal, Terraform and Bicep) in the future.

Azure Landing Zones Documentation Site

Furthermore, we have a new home for all technical documentation for Azure Verified Modules for Platform Landing Zones (ALZ). With the move to multiple modules, and the new accelerator, each with its own GitHub repository, we felt the need to centralise the documentation into one place for technical details.

We currently have documentation for the Accelerator and Terraform, with Bicep coming soon.

The new vanity URL is: https://aka.ms/alz/tech-docs. Please let us know what you think!

What about ALZ-Bicep?

Finally, some of you may be wondering about the future of our Bicep implementation option (ALZ Bicep) given this evolution on the Terraform side. We have good news to share!

Work is underway to also build the next version of ALZ in Bicep, which will be known as “Bicep Azure Verified Modules for Platform Landing Zone (ALZ)”. This will also use the new Azure Landing Zones Library and be built from Azure Verified Modules (where appropriate).

We are currently looking to complete this work before August 2025, if not a lot sooner, as we are making good progress as we speak!

For now, Bicep users do not need to do anything: continue to use ALZ Bicep via the ALZ IaC Accelerator, and we will provide more updates on the next version of Bicep ALZ in the coming months.

Staying up-to-date

We highly recommend joining, or watching back, our quarterly Azure Landing Zones Community Calls, to get all the latest and greatest from the ALZ team. 

Our next one is on 29 January 2025. You can find the link to sign up, or to watch back previous calls, at: aka.ms/ALZ/Community

We look forward to seeing you all there soon!

Updated Jan 15, 2025
Version 1.0