With this article I would like to start a series on a new approach to building Azure landing zones, called Enterprise-Scale. This first article serves as an introduction to the topic.
What is an Azure landing zone?
An Azure landing zone is an Azure subscription that accounts for scale, security, governance, networking, and identity. An Azure landing zone enables application migrations and cloud-native application development by considering all platform resources that are required, but it does not differentiate between IaaS- or PaaS-based applications.
Or in simple words: the purpose of an Azure landing zone is to ensure the required “plumbing” is already in place, providing greater agility and compliance with security and governance requirements when applications and workloads are deployed on Azure.
What is Enterprise-Scale?
Enterprise-Scale is part of the Cloud Adoption Framework (CAF), or more specifically the Ready phase of CAF. The Enterprise-Scale architecture provides prescriptive architecture guidance coupled with Azure best practices, and it follows design principles across the critical design areas for an organization's Azure environment and landing zones. It is an architecture approach and reference implementation that enables effective operationalization of landing zones on Azure, and it is based on the lessons of large-scale migration projects. The Enterprise-Scale architecture is built on the following five design principles:
Subscription democratization
Policy-driven governance
Single control and management plane
Application-centric and archetype-neutral
Align Azure-native design and roadmap
Furthermore, Enterprise-Scale within CAF lists many design guidelines, design considerations, and recommendations. These are grouped into 8 design areas that help you address the mismatch between an on-premises data center and a cloud-design infrastructure. You are not required to implement every design recommendation, as long as the chosen cloud-design infrastructure stays aligned with the 5 design principles.
The 8 design areas are as follows:
Enterprise Agreement (EA) enrollment and Azure Active Directory tenants
Identity and access management
Management group and subscription organization
Network topology and connectivity
Management and monitoring
Business continuity and disaster recovery
Security, governance, and compliance
Platform automation and DevOps
Examples of topics covered in those 8 design areas are using Azure Active Directory Privileged Identity Management (PIM) for just-in-time access, Azure Virtual WAN for the global network, and Azure Application Gateway with Web Application Firewall (WAF) to protect web applications.
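To make the "management group and subscription organization" design area concrete, here is an added example (my own script, not part of the Enterprise-Scale reference implementation) that creates a management group hierarchy in the Enterprise-Scale style with Az PowerShell: a company root group, a Platform branch for identity, management and connectivity, a Landing Zones branch for Corp and Online workloads, plus Sandboxes and Decommissioned. It assumes you are already signed in with Connect-AzAccount, have the Az.Resources module installed, and hold permission to create management groups under the tenant root; the organisation prefix, display names and the subscription ID are placeholders you should replace.

```powershell
# Added example: build an Enterprise-Scale style management group hierarchy with Az PowerShell.
# Assumptions (not from the article): Connect-AzAccount already done, Az.Resources installed,
# and the signed-in account may create management groups under the tenant root group.
# 'contoso' is a hypothetical organisation prefix; rename to match your own tenant.

$prefix = 'contoso'

# Ordered parent/child pairs: parents must be created before their children.
$hierarchy = @(
    @{ Name = "$prefix";                Display = 'Contoso';        Parent = $null },
    @{ Name = "$prefix-platform";       Display = 'Platform';       Parent = "$prefix" },
    @{ Name = "$prefix-identity";       Display = 'Identity';       Parent = "$prefix-platform" },
    @{ Name = "$prefix-management";     Display = 'Management';     Parent = "$prefix-platform" },
    @{ Name = "$prefix-connectivity";   Display = 'Connectivity';   Parent = "$prefix-platform" },
    @{ Name = "$prefix-landingzones";   Display = 'Landing Zones';  Parent = "$prefix" },
    @{ Name = "$prefix-corp";           Display = 'Corp';           Parent = "$prefix-landingzones" },
    @{ Name = "$prefix-online";         Display = 'Online';         Parent = "$prefix-landingzones" },
    @{ Name = "$prefix-sandboxes";      Display = 'Sandboxes';      Parent = "$prefix" },
    @{ Name = "$prefix-decommissioned"; Display = 'Decommissioned'; Parent = "$prefix" }
)

foreach ($mg in $hierarchy) {
    # Idempotent: skip groups that already exist so the script can be re-run safely.
    $existing = Get-AzManagementGroup -GroupName $mg.Name -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "exists:  $($mg.Name)"
        continue
    }

    $params = @{ GroupName = $mg.Name; DisplayName = $mg.Display }
    if ($mg.Parent) {
        # Children are attached by the parent's full resource ID; the root group has no parent
        # and therefore lands directly under the tenant root group.
        $params.ParentId = "/providers/Microsoft.Management/managementGroups/$($mg.Parent)"
    }
    New-AzManagementGroup @params | Out-Null
    Write-Host "created: $($mg.Name)"
}

# Optional: place a subscription into the Corp landing zone group.
# The subscription ID below is a placeholder; replace it with a real one from Get-AzSubscription.
$corpSubscriptionId = '00000000-0000-0000-0000-000000000000'
if ($corpSubscriptionId -ne '00000000-0000-0000-0000-000000000000') {
    New-AzManagementGroupSubscription -GroupName "$prefix-corp" -SubscriptionId $corpSubscriptionId
}
```

Two practical caveats: management group changes are eventually consistent, so a freshly created parent can take a few seconds before a child can be attached to it, and placing a subscription into a group immediately subjects it to every Azure Policy assignment and RBAC role inherited down that branch, which is exactly the "single control and management plane" principle in action and the reason the hierarchy should be designed before subscriptions are moved.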
A high-level design of Enterprise-Scale is shown in the figure below: