Azure Governance Made Simple

Overview of Enterprise Scale Landing Zones

Last updated 1 year ago

As described in this link, the recommendation is to have at least two subscriptions: one for the production environment and another for the non-production environment. Depending on the size of your environment or your company's strategy, it may be necessary to create more subscriptions, and to combine the subscription design with the definition of the landing zone to be created.

The Microsoft Cloud Adoption Framework describes in detail, in the enterprise-scale landing zone architecture, several topics on this subject. That architecture offers a modular design that not only makes it simple to deploy existing and new applications, but also allows organizations to start with a lighter implementation and scale it according to their business needs.

Basically, the landing zone addresses a set of considerations and recommendations organized around the following design areas:

  • Enterprise Agreement (EA) enrolment and Azure Active Directory tenants

  • Identity and access management

  • Management group and subscription organization

  • Network topology and connectivity

  • Management and monitoring

  • Business continuity and disaster recovery

  • Security, governance, and compliance

  • Platform automation and DevOps

The choice of network topology is important for the governance definition process. For example, the Hub and Spoke topology may be mapped onto subscriptions as follows:

  • A first subscription for shared services (Hub Virtual Network)

  • A second subscription for the production environment (Spoke Virtual Network, at the top right)

  • A third subscription for the non-production environment (Spoke Virtual Network, at the bottom right)

Some references on the Hub and Spoke topology:

  • https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke

  • https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/decision-guides/software-defined-network/hub-spoke

Approaching the Enterprise Scale Landing Zone, the architecture above can be translated into the architecture below to bring the "enterprise-scale" capability to the environment:

Figure: Enterprise-scale foundation

As you can note, this architecture uses different Management Groups and Subscriptions to split the environment into two main groups: Platform and Landing Zones. This principle implies that production environments are handed over to business units and workload teams, which gives workload owners more control over and autonomy within their workloads, inside the guardrails established by the platform foundation.

Pro tip!

Currently, enterprise-scale offers different reference implementations, all of which can be scaled without refactoring when requirements change over time.

Enterprise-Scale - Reference Implementation
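As an added example (not code from the original page or from Microsoft's reference implementation), the Bicep below, deployed at tenant scope, builds the Platform / Landing Zones management group split described above and places the three hub-and-spoke subscriptions into it. The `contoso` management group names, the `Contoso` display name and the zeroed subscription IDs are placeholders to replace before deploying.

```bicep
// Added example, not from the original page or from Microsoft's reference implementation.
// Assumptions: 'contoso' as the intermediate root management group name and
// zeroed placeholder subscription IDs; replace both before deploying.
targetScope = 'tenant'

param rootMgName string = 'contoso'
param hubSubscriptionId string = '00000000-0000-0000-0000-000000000001'
param prodSubscriptionId string = '00000000-0000-0000-0000-000000000002'
param nonProdSubscriptionId string = '00000000-0000-0000-0000-000000000003'

// Platform vs Landing Zones split; parents are listed before their children
// so that a sequential (batchSize 1) loop creates them in a valid order.
var hierarchy = [
  { name: '${rootMgName}-platform', displayName: 'Platform', parent: rootMgName }
  { name: '${rootMgName}-connectivity', displayName: 'Connectivity', parent: '${rootMgName}-platform' }
  { name: '${rootMgName}-landingzones', displayName: 'Landing Zones', parent: rootMgName }
  { name: '${rootMgName}-lz-prod', displayName: 'Production', parent: '${rootMgName}-landingzones' }
  { name: '${rootMgName}-lz-nonprod', displayName: 'Non-Production', parent: '${rootMgName}-landingzones' }
]

// Hub (shared services) under Platform/Connectivity; the two spokes under Landing Zones.
var placements = [
  { mg: '${rootMgName}-connectivity', sub: hubSubscriptionId }
  { mg: '${rootMgName}-lz-prod', sub: prodSubscriptionId }
  { mg: '${rootMgName}-lz-nonprod', sub: nonProdSubscriptionId }
]

// Intermediate root, created directly under the tenant root management group.
resource rootMg 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: rootMgName
  properties: { displayName: 'Contoso' }
}

// Child management groups, created one at a time in array order.
@batchSize(1)
resource mgs 'Microsoft.Management/managementGroups@2021-04-01' = [for mg in hierarchy: {
  name: mg.name
  properties: {
    displayName: mg.displayName
    details: {
      parent: { id: tenantResourceId('Microsoft.Management/managementGroups', mg.parent) }
    }
  }
  dependsOn: [ rootMg ]
}]

// Move each subscription into its management group once the hierarchy exists.
resource subPlacements 'Microsoft.Management/managementGroups/subscriptions@2021-04-01' = [for p in placements: {
  name: '${p.mg}/${p.sub}'
  dependsOn: [ mgs ]
}]
```

Deploying at tenant scope requires the deploying identity to hold a role such as Owner on the tenant root management group, so this is typically run once by the platform team rather than by workload owners.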