cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Enterprise-Scale for Azure landing zones
By
Dominik Zemp
Published Aug 13 2020 02:36 AM 48.8K Views
Dominik Zemp
Microsoft
‎Aug 13 2020 02:36 AM

Enterprise-Scale for Azure landing zones

‎Aug 13 2020 02:36 AM

With this article I would like to start a series related to a new approach to build Azure landing zones, called Enterprise-Scale. The first article services as a in introduction to the topic.

 

What is an Azure landing zone?

An Azure landing zone is an Azure subscription that accounts for scale, security, governance, networking, and identity. An Azure landing zone enables application migrations and cloud native application development by consider all platform resources that are required, but does not differentiate between IaaS or PaaS-based applications.


Or in simple words: the purpose of an Azure landing zone is to ensure the required “plumbing” is already in place, providing greater agility and compliance with security and governance requirements when applications and workloads are deployed on Azure.

 

What is Enterprise-Scale?

Enterprise-Scale is part of the Cloud Adoption Framework (CAF), or more specifically the Ready phase of CAF. The Enterprise-Scale architecture provides prescriptive architecture guidance coupled with Azure best practices, and it follows design principles across the critical design areas for an organization's Azure environment and landing zones. It is an architecture approach and reference implementation that enables an effective operationalization of landing zones on Azure. And, Enterprise-Scale is based on the success of large-scale migration projects. The Enterprise-Scale architecture is based on the following important 5 design principles:

  • Subscription democratization
  • Policy-driven governance
  • Single control and management plane
  • Application-centric and archetype neutral
  • Align Azure-native design and roadmap

Furthermore, Enterprise-Scale within CAF lists many design guidelines, design considerations and recommendations. These 8 design areas can help you address the mismatch between and on-premises data center and cloud-design infrastructure. It is not required that you implement all the design recommendations, as long as the chosen cloud-design infrastructure is aligned with the 5 design principles.


The 8 design areas are as follows:

  • Enterprise Agreement (EA) enrollment and Azure Active Directory tenants
  • Identity and access management
  • Management group and subscription organization
  • Network topology and connectivity
  • Management and monitoring
  • Business continuity and disaster recovery
  • Security, governance, and compliance
  • Platform automation and DevOps

 

In those 8 design areas, topics covered are for example using Azure Active Directory Privileged Identity Management (PIM) for just in time access, Azure Virtual WAN for the global network, Azure Application Gateway and Web Application Firewall (WAF) to protect web applications, etc.


A high-level design of Enterprise-Scale is shown in the figure below:

Enterprise-Scale high-level architecture.Enterprise-Scale high-level architecture.

 

Learn more about when to use Enterprise-Scale in my 2nd article.

 

Sources

5 Comments
jracabrera
Brass Contributor
‎Aug 24 2020 11:25 PM
‎Aug 24 2020 11:25 PM

Hi @Dominik Zemp ,

 

Thanks for the article. I found the best practices list and the high level architecture very valuable.

 

But I do not agree with the interpretation of "landing zone". From my perspective, a landing zone is a logical concept, not a specific subscription.

 

I know that Microsoft changed the definition this Jun 2020, and now the term is used in plural, which is more confused from my point of view (see references). Probably, because of that, a "physical implementation" for "landing zone" has emerged in the Microsoft architecture references. But we should to have into account that the concept of landing zone is logical and applies to all cloud vendors. If you go to AWS, you will find the same concept, but you will not find a "Landing Zone Account".

 

I prefer the previous "Landing Zone" definition from Microsoft:

 

A landing zone is *the output* of a well-architected, multi-subscription Azure environment that accounts for scale, security, governance, networking and IAM (Identity and Access Management). Landing zones enables application migrations and greenfield development at an enterprise scale in Azure. When the adoption team uses a landing zone, all platform resources that are required to support the customer’s portfolio have already been considered. As a result, the team can safely deploy IaaS, PaaS, or hybrid solutions with greater confidence.

Please, don't use "landing zone" for naming subscriptions. I hope I don't find a lot of "Landing Zone" client subscriptions in the future.

 

Thanks.

 

Juan Ramón Cabrera

Cloud Solutions Architect

 

Reference:

Chakri-Nelluri
Copper Contributor
‎Sep 17 2020 11:32 AM
‎Sep 17 2020 11:32 AM

Hi @Dominik Zemp , Great Article. Can I get a Visio version of it. Thanks

0 Likes
Like
-Akos-
Brass Contributor
‎Sep 18 2020 05:53 AM
‎Sep 18 2020 05:53 AM

@Dominik Zemp In the image underneath On-premises, shouldn't it be "Active Directory" or "Windows Active Directory", instead of "Azure Active Directory"? I take it that there's a replication with ADConnect there.

 

Also, I'm a little confused with the term "Landing zone" now. I always assumed a landing zone was all the plumbing around your business workload. Now it looks like the business workload is the landing zone. 

 

I will be reading the next parts of the series with interest :smile:

Dominik Zemp
Microsoft
‎Aug 26 2021 07:52 AM
‎Aug 26 2021 07:52 AM

Yes @-Akos- , you're right. Good catch. :) 

0 Likes
Like
asitabh
Copper Contributor
‎Aug 01 2022 06:07 AM
‎Aug 01 2022 06:07 AM

why on-prem system is shown connected to management subscription? Shouldn't it be connected to connectivity subscription via express route  or VPN? 

0 Likes
Like
Version history
Last update:
‎Oct 09 2020 03:13 AM
Updated by: