The importance of Azure Landing Zones
- Patrick Azoury
- Sep 2
Azure Landing Zones are the foundation of an organisation's Azure environment and an important aspect of building and deploying well-architected solutions on Azure. Landing Zones come in many shapes and sizes, so establishing a robust architecture is important. Businesses should follow best practices when developing their Landing Zone architecture to avoid cost blowouts, security vulnerabilities, poor resource organisation and issues down the track.
Here at AZ Technology Solutions we help organisations at the start of their journey to develop robust, secure and scalable architectures and for those organisations well on their journey, we help with getting back on track.
Types of Landing Zones
When designing an Azure Landing Zone architecture it is important to be aware of the 2 types of Landing Zones. Azure Landing Zone architectures should be categorised as either Platform Landing Zones or Application Landing Zones. Platform Landing Zones are used for common platform services and Application Landing Zones are used for application workload services.
Platform Landing Zones include common services such as cloud connectivity and core network services, cloud management services, identity services and common security services (e.g. cloud on-ramp connectivity, transit networks, edge firewalls, centralised logging services, identity services, etc.).
Application Landing Zones are those Landing Zones that contain your application resources (e.g. segmented and dedicated application networks/spoke networks, applications, databases, etc.).
Key reasons for separating out these include:
Control - Platform Landing Zones are designed to be managed by Platform engineering teams. Separating these from Application Landing Zones, which application owners, developers and users often need access to, ensures that control of the common services in Platform Landing Zones remains separate.
Governance - Application and Platform Landing Zones are often subjected to different governance controls. The controls that must be implemented on the platform are often vastly different to the controls required on Applications.
Security - Security is a key consideration in cloud environments. Having separate Platform and Application Landing Zones, coupled with well-architected governance controls, provides enhanced security and security management for your Landing Zone architecture.
Prerequisites for designing your Azure Landing Zone architecture
Before developing an Azure Landing Zone architecture, it is important to define and understand your organisation's Cloud Strategy, plan your Potential Workloads and plan your Cloud Operating Model. Delving deep into each of these is a practice that effectively prepares your organisation for a robust Landing Zone architecture.
Defining Cloud Strategy - Defining your Cloud Strategy will help your Azure Landing Zone architecture by informing your overall desire, motivation and justification for Cloud services. It helps to determine whether you start small and stay small, start small and grow or immediately start with Enterprise scale. Your strategy determines what parts of your business are going to utilise cloud.
Planning Potential Workloads - Understanding your strategy helps in defining your potential workloads for deployment into Azure cloud, which in turn assists in the decision making around what your Platform and Application Landing Zones are going to look like. For example, an organisation's strategy being driven by a datacentre exit may result in a rapid rehosting or "Lift and Shift" of workloads into cloud IaaS services, whereas an organisation's strategy to modernise may result in the adoption of modern PaaS services. This can drive very different Landing Zone designs.
Planning Cloud Operating Model - Since the release of Public Cloud services in the IT industry, the industry has seen a major shift in how IT in an organisation operates. Some areas that have traditionally been managed centrally by IT are no longer managed by IT and are managed by the business with IT's assistance. How you pay for these services has also shifted significantly. Your Cloud Operating Model is also a major influence on your Azure Landing Zone architecture.
Landing Zone Design Areas
Microsoft describes 8 design areas for your Landing Zone design. The importance of each area:
Billing and Tenant - This area focuses on the billing for your Azure environment and how to distribute your costs. Typically many larger organisations will have an Enterprise Agreement with Microsoft, but for smaller organisations it is important to understand the differences between the billing models. Whilst subscriptions can be transferred, it is important to have a plan in place for paying for Azure services.
Identity and Access Management - Identity and Access Management is the primary security boundary for Azure Cloud services. Your Landing Zone design is influenced by who will be accessing and managing your cloud environment. A cloud environment with a distributed cloud operating model will have a different Identity and Access Management design to that of an organisation with a centralised operating model.
Resource Organisation - One of the key areas of designing your Landing Zone is resource organisation. Having a robust resource organisation design is of utmost importance for cost control, security and operational excellence. Resource organisation is an area that can be difficult to change.
Network - Network design in Azure drives a number of important factors. These include network security for your workloads, connectivity between your organisation and the cloud, reliability and others. There are various connectivity options when connecting your organisation's network to the cloud and various network topologies that your cloud environment can have. Choosing the right network design at the start is crucial, as changes later in your journey are often more difficult and can be costly to implement.
Security - Implementing and enhancing cybersecurity in the IT industry is a never-ending practice. Implementing a security baseline in your Landing Zone is crucial to securing your Azure environment from Day 1. Each of the above design areas should consider security and how that security is going to be managed.
Management - Management in a Landing Zone environment is about designing your Landing Zone environment to be manageable and maintaining operational excellence. Relating back to some of the above design areas, a robust Landing Zone Management design ensures that you have capabilities in place for: managing your resource inventory, preventing resource sprawl and cost blowout; monitoring, which helps to ensure performance, reliability and security; operational compliance, which helps ensure that your resources are patched and desired configuration is maintained; and business continuity and disaster recovery, which helps maintain a robust recovery strategy in various scenarios.
Governance - Unlike traditional infrastructure services, Azure services are available to be procured on demand. Governance in a Landing Zone environment is about designing guardrails for the environment to maintain compliance not only with organisational policies but also with regulatory and security needs. Implementing governance helps prevent unexpected costs, reduces security vulnerabilities and minimises organisational and regulatory non-compliance.
Platform Automation - Platform automation is the practice of implementing automation to deploy and manage Azure services with agility at scale. This involves implementing DevOps and Infrastructure as Code practices to manage the cloud environment. Designing an Azure Landing Zone environment that is repeatable enables rapid deployment and platform standardisation, and minimises errors in deployment.
So what is the importance?
Getting your Landing Zone architecture right matters to your business for the following reasons:
Cost - Cloud services not done right can be expensive, affecting the organisation's bottom line. Cost can blow out easily if you don't have the right design and controls in place.
Agility - Your ability to deliver at the speed of your competitors can be impacted.
Security - New security vulnerabilities are being introduced every day. Having the right security controls in place will minimise your chances of being compromised.
Compliance - Whether organisational or regulatory, non-compliance can cost you your business. Make sure you remain compliant.
Scalability and Growth - You don't want your organisation's ability to grow to be impacted by your IT practices. Getting your Landing Zone architecture wrong can lead to your IT environment hindering your growth.