
Anatomy of an Azure Landing Zone: the foundation of enterprise cloud

João Barros · 29 July 2024 · 2 min read

An Azure Landing Zone is the set of configurations, policies and guardrails that prepares an Azure environment (tenant, management groups and subscriptions) to host workloads securely, in a governed and scalable way. It is the foundation: building it correctly saves months of remediation later.

The 8 design areas

The Cloud Adoption Framework defines 8 design areas:

  1. Azure Billing & Active Directory Tenants
  2. Identity & Access Management
  3. Resource Organization (Management Groups + Subscriptions)
  4. Network Topology & Connectivity
  5. Security
  6. Management (Monitor, Backup, BCDR)
  7. Governance (Policy, Cost)
  8. Platform Automation

Management Group hierarchy

Root Management Group
├── Platform
│   ├── Identity (AD DS, AAD Connect)
│   ├── Management (Log Analytics, Azure Monitor)
│   └── Connectivity (Hub VNet, Firewall, ExpressRoute)
└── Landing Zones
    ├── Corp (workloads with internal network access)
    └── Online (workloads with Internet exposure)
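The hierarchy above, as an added Bicep example (this is not code from the post or from ALZ-Bicep). It deploys at tenant scope, so the principal running it needs permission on the tenant root group; the management group names, the `prefix` parameter and the `rootMgId` input are assumptions. Only the "Identity" child of Platform is given a parent explicitly; the rest are created from a loop so that adding a group later is a one-line change.

```bicep
// Added example: create the Platform / Landing Zones management group tree.
// Deploy with:  az deployment tenant create --location westeurope --template-file mg-tree.bicep --parameters rootMgId=<tenant-id>
targetScope = 'tenant'

@description('Id of the tenant root management group (equal to the tenant GUID). Assumed input.')
param rootMgId string

@description('Prefix to keep management group names unique across the tenant. Assumed value.')
param prefix string = 'alz'

var mgPath = '/providers/Microsoft.Management/managementGroups/'

// Level 1: the two branches that hang directly off the tenant root.
resource platform 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: '${prefix}-platform'
  properties: {
    displayName: 'Platform'
    details: { parent: { id: '${mgPath}${rootMgId}' } }
  }
}

resource landingZones 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: '${prefix}-landingzones'
  properties: {
    displayName: 'Landing Zones'
    details: { parent: { id: '${mgPath}${rootMgId}' } }
  }
}

// Level 2 under Platform: one group per shared service (identity, management, connectivity).
var platformChildren = [
  { name: 'identity', displayName: 'Identity' }
  { name: 'management', displayName: 'Management' }
  { name: 'connectivity', displayName: 'Connectivity' }
]

resource platformChild 'Microsoft.Management/managementGroups@2021-04-01' = [for c in platformChildren: {
  name: '${prefix}-${c.name}'
  properties: {
    displayName: c.displayName
    details: { parent: { id: platform.id } }   // platform.id is the full management group resource id
  }
}]

// Level 2 under Landing Zones: Corp (internal network) and Online (Internet-facing).
var landingZoneChildren = [
  { name: 'corp', displayName: 'Corp' }
  { name: 'online', displayName: 'Online' }
]

resource landingZoneChild 'Microsoft.Management/managementGroups@2021-04-01' = [for c in landingZoneChildren: {
  name: '${prefix}-${c.name}'
  properties: {
    displayName: c.displayName
    details: { parent: { id: landingZones.id } }
  }
}]

// Outputs: the ids you need later when assigning policies at these scopes.
output landingZonesMgId string = landingZones.id
output platformMgId string = platform.id
```

Subscriptions are not placed here on purpose: moving a subscription into a management group is a separate operation (`az account management-group subscription add`), and keeping it out of the tree template means redeploying the tree never reshuffles subscriptions by accident.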

Azure Policies as guardrails

Azure Policy evaluates every resource create or update request against the rules assigned at that scope and can audit, deny or modify the request, so the guardrail applies to all resources automatically:

# Example: enforce an "Environment" tag on all resources under the Landing Zones management group.
# The built-in "Require a tag on resources" definition takes a tagName parameter,
# so the tag to enforce is passed with --params; the definition id is left as in the post.
az policy assignment create \
  --name require-env-tag \
  --display-name "Require Environment tag" \
  --policy /providers/Microsoft.Authorization/policyDefinitions/... \
  --params '{"tagName": {"value": "Environment"}}' \
  --scope /providers/Microsoft.Management/managementGroups/LandingZones
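The same guardrail as a custom policy definition plus assignment, written in Bicep as an added example (not code from the post or from ALZ-Bicep). Unlike the CLI one-liner, this shows the actual rule Azure Policy evaluates (`tags['Environment']` must exist) and keeps the effect parameterised so the assignment can start in audit mode and be switched to deny once compliance is known. The management group name `LandingZones`, the `tagName` default and the deployment region are assumptions.

```bicep
// Added example: custom "require tag" policy definition and its assignment, deployed at management group scope.
// Deploy with:  az deployment mg create --management-group-id LandingZones --location westeurope --template-file require-tag.bicep
targetScope = 'managementGroup'

@description('Tag every resource must carry. Assumed default.')
param tagName string = 'Environment'

@description('Deny blocks non-compliant requests; Audit only records them. Assumed default.')
@allowed([ 'Audit', 'Deny' ])
param effect string = 'Deny'

// The definition: if the tag is missing on a taggable resource, apply the chosen effect.
resource requireTagDef 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'require-${toLower(tagName)}-tag'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'   // evaluate only resource types that support tags and location
    displayName: 'Require the ${tagName} tag on resources'
    description: 'Denies (or audits) any resource created without the ${tagName} tag.'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: [ 'Audit', 'Deny' ]
        defaultValue: 'Deny'
      }
    }
    policyRule: {
      if: {
        field: 'tags[\'${tagName}\']'
        exists: 'false'
      }
      then: {
        // Bicep escapes the leading '[' so the expression reaches Azure Policy, not the ARM deployment engine.
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

// The assignment: bind the definition to this management group with the chosen effect.
resource requireTagAssign 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-${toLower(tagName)}-tag'   // assignment names are limited to 24 characters at management group scope
  properties: {
    displayName: 'Require ${tagName} tag (Landing Zones)'
    policyDefinitionId: requireTagDef.id
    enforcementMode: 'Default'   // 'DoNotEnforce' keeps evaluating but never blocks: useful for a dry run
    parameters: {
      effect: { value: effect }
    }
    nonComplianceMessages: [
      { message: 'Every resource must carry the ${tagName} tag. Add it and retry the deployment.' }
    ]
  }
}

output assignmentId string = requireTagAssign.id
```

Assigning at the Landing Zones management group rather than per subscription is the point of the hierarchy: any subscription moved under Corp or Online inherits the rule without further configuration. Start with `effect=Audit` or `enforcementMode: 'DoNotEnforce'`, review the compliance report for existing resources, then switch to `Deny` so the guardrail stops new drift instead of just reporting it.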

Accelerators

Microsoft provides ALZ-Bicep and Terraform CAF as accelerators: reference implementations of the design areas above that deploy a complete landing zone via IaC in minutes, which can then be adapted rather than built from scratch.

Conclusion

Investing in a well-designed Landing Zone before migrating the first workload avoids governance technical debt. A solid foundation accelerates cloud adoption and reduces the risk of security incidents and unexpected costs.
