Azure Landing Zone Design: Building Enterprise-Grade Cloud Foundations

The most expensive mistake in enterprise cloud adoption is building workloads before the foundation is ready. You provision a few Azure subscriptions, teams start deploying, and six months later you have security gaps, no governance, inconsistent naming conventions, orphaned resources with unknown ownership, and an operations team drowning in alerts they cannot correlate.

The Azure Landing Zone pattern, defined by Microsoft's Cloud Adoption Framework (CAF), is the antidote. A Landing Zone is an environment — with identity, network, security, management, and governance pre-configured — into which workloads land. Think of it as the building code for your cloud estate: you define the rules before construction begins, not after.

Management Group Hierarchy — Governance at Scale

Azure Policy and RBAC assignments at the Management Group level cascade automatically to all child subscriptions. This is the most powerful governance mechanism in Azure — design the hierarchy carefully, because restructuring it later is painful and disruptive.

The recommended CAF hierarchy:

Tenant Root Group └─ Platform │ ├─ Identity (Entra Connect, Domain Controllers) │ ├─ Management (Log Analytics, Automation, Monitoring) │ └─ Connectivity (Hub VNet, Firewall, VPN/ER Gateway, DNS) └─ Landing Zones │ ├─ Corp (Internal, VNet-connected workloads) │ └─ Online (Internet-facing workloads) └─ Sandboxes (Isolated dev/test — less restrictive policies) └─ Decommissioned (Subscriptions pending offboarding)

Assign policy at the highest appropriate level. Global requirements — allowed regions, mandatory encryption, audit logging — go at the Tenant Root or just below it. Workload-specific controls go at the Corp or Online level. The Sandbox management group carries audit-only (non-enforcing) policies to allow experimentation without governance friction.

⚠️ Common Mistake

Avoid assigning Deny policies broadly in the early stages — they block deployments and frustrate teams unfamiliar with the controls. Start with Audit to understand the compliance gap, switch to Deny once teams have adjusted their deployment patterns. Do it management group by management group, not all at once.

Subscription Design — Use Boundaries Strategically

Subscriptions are your strongest isolation boundary in Azure. They separate billing, RBAC scope, and policy scope cleanly. Use them to separate environments (prod vs non-prod), business units, workload criticalities, or regulatory perimeters (a subscription exclusively for PHI workloads, for example).

Implement a subscription vending model: a pipeline (Terraform or Bicep in Azure DevOps or GitHub Actions) that provisions new subscriptions with baseline configuration pre-applied at creation time — Management Group placement, required tags, Policy assignments, RBAC baseline, and connectivity to the hub. This makes every new subscription start from a known-good state instead of a blank slate.

Hub-Spoke Network Topology — The Connectivity Foundation

The Connectivity subscription hosts the hub VNet — the nerve center of your network architecture. All traffic between spoke VNets transits through the hub, providing centralized visibility, policy enforcement, and traffic inspection.

Hub VNet Contains

Azure Firewall Premium — centralized east-west and north-south traffic inspection with IDPS and TLS inspection
VPN Gateway or ExpressRoute Gateway — on-premises connectivity
Azure Bastion — browser-based secure VM management for the entire estate
Private DNS Resolver — centralized DNS for all private endpoint FQDNs
Azure DDoS Protection Standard — shared protection plan across all connected spoke VNets

Spoke VNets

One spoke per workload subscription, peered to the hub. User-Defined Routes (UDRs) force all outbound traffic through Azure Firewall. Private DNS Zones are centralized in the hub subscription — linked to the hub VNet with DNS forwarding ensuring all spokes can resolve private endpoint FQDNs without individual DNS zone links (which become unmanageable at scale).

🏗 Architecture Decision

For large estates (>50 spoke VNets) or global deployments, consider Azure Virtual WAN instead of classic hub-spoke. Virtual WAN automates routing between spokes, supports multiple hubs for regional resiliency, and integrates natively with SD-WAN partners. The trade-off is reduced customisation flexibility compared to a manually managed hub.

Azure Policy as Code — Enforcing Guardrails at Scale

Policy is your governance enforcement mechanism. Treat it as code — version-controlled in Git, peer-reviewed, and deployed via CI/CD pipeline. Never manually assign policies through the portal in production.

Scope	Example Policy Assignments	Effect
Root MG	Allowed regions, require tags (environment, cost-center, owner), diagnostic settings	Deny / DeployIfNotExists
Platform MG	Defender for Cloud plans enabled, Log Analytics agent deployed	DeployIfNotExists
Landing Zones MG	No public IPs, private endpoints required, TLS 1.2 minimum, CMK for storage	Deny
Corp MG	NSG required on all subnets, no internet egress without Firewall	Deny
Sandboxes MG	Same policies as above	Audit only

Use DeployIfNotExists for remediating missing configurations at scale — deploying the Log Analytics agent to all VMs automatically, or creating diagnostic settings on new resources. Use Deny for hard guardrails where non-compliance is unacceptable. Built-in initiatives for ISO 27001, NIST 800-53, SOC 2, and HIPAA/HITRUST provide a compliance baseline you can assign in minutes.

Identity Baseline

The Platform Identity subscription contains hybrid identity components (Entra Connect for AD sync, Domain Controllers for legacy Kerberos workloads). Keep it as minimal as possible — modern workloads should authenticate natively to Entra ID without requiring on-premises AD dependencies.

Key identity baselines enforced at the management group level via Policy:

MFA required for all users (Conditional Access, not Security Defaults — the latter has no exclusion model)
Legacy authentication blocked across all applications
PIM activated for all management-plane role assignments
Service principal usage audited via Entra ID Workload Identities — certificate auth enforced (no client secrets)
Entra ID Access Reviews scheduled quarterly for all privileged roles

Management Subscription — The Observability Foundation

Every workload subscription forwards telemetry to the centralized Log Analytics Workspace in the Management subscription. This single workspace becomes the source of truth for operations, security, and compliance.

Log Analytics Workspace — centralized, with workspace-level RBAC (security team vs operations team access separation)
Microsoft Sentinel — SIEM/SOAR, connected to Entra ID, Defender, Firewall, and Activity Logs
Defender for Cloud — enabled at management group scope, all plans active
Azure Automation Account — update management, runbooks, hybrid worker for on-premises patching
Azure Monitor Workbooks and Dashboards — operational visibility per subscription and workload
Cost Management + Budgets — per-subscription budget alerts at 80% and 100% of monthly forecast

Tagging and Cost Management

Define required tags via Azure Policy (Deny effect for non-compliant deployments) before any workload lands:

environment: prod | staging | dev | sandbox
cost-center: e.g., 1234 (maps to finance allocation)
application: e.g., patient-portal, ehr-integration
owner: team alias or individual responsible
data-classification: public | internal | confidential | restricted

Consistent tagging enables meaningful cost allocation, chargeback reporting, and targeted governance — without it, cloud spend becomes an undifferentiated blob that no team owns.

Getting Started: A Phased Approach

Phase 1 — Week 1–2

Foundation

Create Management Group hierarchy
Apply baseline Policy assignments (Audit mode)
Enable Defender for Cloud at MG scope
Deploy centralized Log Analytics workspace

Phase 2 — Week 2–3

Connectivity Hub

Provision Connectivity subscription
Deploy hub VNet, Azure Firewall, Bastion
Configure Private DNS Zones
Connect on-premises (VPN or ExpressRoute)

Phase 3 — Week 3–4

First Landing Zone

Provision first workload subscription via vending model
Deploy spoke VNet, peer to hub
Apply workload-specific Policy assignments
Onboard to centralized monitoring

Phase 4 — Ongoing

Workload Migration

Land workloads with governance pre-applied
Progressively switch Audit policies to Deny
Iterate on tagging and cost allocation
Enable Sentinel analytics rules

Key Takeaway

The investment in a proper Landing Zone pays back within months — in reduced incident response time, faster audit preparation, predictable operational costs, and fewer security exceptions to manage. Every shortcut taken at the foundation becomes a structural debt that compounds as the estate grows.

Start small (a single management group and one workload subscription), build the pattern correctly, then scale it. The CAF Landing Zone accelerators (available as Bicep and Terraform modules on GitHub) give you a working foundation in hours, not weeks — the real work is in tailoring the Policy assignments and networking design to your organization's specific requirements.