In my first blog I introduced Enterprise-Scale, which is part of the Cloud Adoption Framework (CAF). In this second blog I want to answer the question of when Enterprise-Scale should be adopted compared to alternative solutions, in my own words and from my own point of view.
“When business requirements necessitate a rich initial implementation of landing zones, with fully integrated governance, security, and operations from the start, Microsoft recommends the enterprise-scale approach.”
However, I think this does not fully address the question of when, because in my view the following must be taken into account as well:
The culture of the organization (centrally IT-controlled vs DevOps empowered)
The cloud and DevOps maturity of application teams
The cloud maturity of the organization’s operating model
Should Enterprise-Scale be used?
If an organization is very much IT-controlled, with a mandatory layer that lets a centralized IT team control the entire cloud adoption (all networking aspects, identity, security, monitoring for all applications, resource organization including subscriptions and resource groups, and so on), Enterprise-Scale might not be the best implementation option for Azure landing zones, because such an IT-controlled approach would not align with the Enterprise-Scale design principles.
In contrast, if an organization embraces DevOps principles and methodologies and cloud democratization, and empowers application teams to implement a DevOps approach (they own an application end-to-end), Enterprise-Scale might be a very good fit. This is because Enterprise-Scale takes a cloud-native approach to building landing zones, which differs greatly from a traditional on-premises data center setup. One concrete example is the recommended approach to protecting web applications and web APIs, which in an on-premises data center would be completely owned by the central IT team. In Enterprise-Scale, though, the service used to protect web applications and APIs is part of the landing zone and is therefore set up in a decentralized way. But of course, configured Azure policies (guard-rails) ensure the required configuration of the protection service (Azure Application Gateway and Azure Web Application Firewall, to be precise).
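To make the guard-rail idea concrete, here is an added example (not from the original post and not Enterprise-Scale's own policy code): a Python check that a platform team could run over exported resource definitions to find Application Gateways that application teams deployed without an effective WAF. The rule that WAF must be enabled in Prevention mode, the helper names, and all sample resources and IDs are assumptions made for illustration.

```python
AGW = "microsoft.network/applicationgateways"
WAF_POLICY = "microsoft.network/applicationgatewaywebapplicationfirewallpolicies"

def waf_finding(gateway, policies):
    """Return None when the gateway meets the guard-rail, else the reason it fails."""
    props = gateway.get("properties", {})
    if not props.get("sku", {}).get("tier", "").startswith("WAF"):
        return "SKU tier has no WAF"
    attached = (props.get("firewallPolicy") or {}).get("id")
    if attached:  # WAF settings live in a separate WAF policy resource
        policy = policies.get(attached.lower())  # Azure resource IDs are case-insensitive
        if policy is None:
            return "attached WAF policy not found"
        settings = policy.get("properties", {}).get("policySettings", {})
        enabled, mode = settings.get("state") == "Enabled", settings.get("mode")
    else:  # WAF configured inline on the gateway itself
        inline = props.get("webApplicationFirewallConfiguration") or {}
        enabled, mode = inline.get("enabled") is True, inline.get("firewallMode")
    if not enabled:
        return "WAF is not enabled"
    if mode != "Prevention":  # assumed requirement, not stated in the post
        return f"WAF mode is {mode}, not Prevention"
    return None

def audit(resources):
    """Map each Application Gateway name to its finding (None = compliant)."""
    policies = {r["id"].lower(): r for r in resources if r["type"].lower() == WAF_POLICY}
    return {r["name"]: waf_finding(r, policies)
            for r in resources if r["type"].lower() == AGW}

# Constructed sample resources in ARM JSON shape (placeholder IDs, not a real tenant).
POL = ("/subscriptions/sub-lz1/resourceGroups/rg-app/providers/"
       "Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/wafpol-api")

def gw(name, **props):
    return {"id": f"/constructed/{name}", "name": name,
            "type": "Microsoft.Network/applicationGateways", "properties": props}

SAMPLE = [
    gw("agw-shop", sku={"tier": "WAF_v2"},
       webApplicationFirewallConfiguration={"enabled": True, "firewallMode": "Prevention"}),
    gw("agw-api", sku={"tier": "WAF_v2"}, firewallPolicy={"id": POL.upper()}),
    gw("agw-legacy", sku={"tier": "Standard_v2"}),
    gw("agw-test", sku={"tier": "WAF_v2"},
       webApplicationFirewallConfiguration={"enabled": True, "firewallMode": "Detection"}),
    {"id": POL, "name": "wafpol-api", "type": POL.split("/")[-3] + "/" + POL.split("/")[-2],
     "properties": {"policySettings": {"state": "Enabled", "mode": "Prevention"}}},
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding or 'compliant'}")
```

In a real landing zone this logic would be expressed as an Azure Policy assignment at the management group level, so that non-compliant gateways are flagged or denied at deployment time instead of being found by a later scan.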
The Enterprise-Scale architecture team recently published additional guidance (considerations) to choose the best landing zone options. Please see the following diagram:
Considerations to choose the best landing zone options.