Azure Landing Zones
Enterprise-scale cloud adoption with Landing Zones: multi-subscription architecture, environment isolation, and governance at scale.
🧠 ELI5 Explanation
A "landing zone" is a pre-configured Azure environment ready for your workloads. Instead of each team building their own infrastructure from scratch (chaos!), you provide a landing pad: networking pre-done, policies enforced, security hardened, billing ready. Now teams can land their workloads safely.
What Is a Landing Zone?
A landing zone = ready-to-use Azure subscription(s) with:
- Networking pre-configured (VNets, subnets, routing, security groups)
- Governance policies enforced automatically
- Identity & access controls in place
- Monitoring & logging configured
- Billing & cost controls set up
Benefit: Teams deploy applications without reinventing infrastructure.
Landing Zone Topology: Hub-and-Spoke
Hub-and-Spoke Network Architecture
On Premises (ExpressRoute)
↓
Hub VNet (10.0.0.0/16)
├── Gateway Subnet (ExpressRoute/VPN gateway)
├── Firewall Subnet (Azure Firewall)
└── Bastion Subnet (Admin access)
↑
[Peering]
↓
Spoke VNets (each /24)
├── Spoke 1: Web App (10.1.0.0/24)
├── Spoke 2: Database (10.2.0.0/24)
└── Spoke 3: Dev/Test (10.3.0.0/24)
Internet → Azure Firewall (Hub) → Routes to Spoke
Landing Zone Architecture
Multi-Subscription Design
Why multiple subscriptions?
- Scale limits: 50 VMs per subscription soft limit
- Billing boundaries: separate cost per team/project
- Administrative isolation: prevent one team from affecting another
- Blast radius: if one subscription is compromised, the others are safer
Common Landing Zone Structure
- Connectivity Sub: Hub VNet, gateways, firewalls (shared infrastructure)
- Identity Sub: Azure AD, MFA, identity governance (shared services)
- Management Sub: Monitoring, logging, backup (observability)
- Platform Landing Zones: Pre-built for different workload types (web app, database, data processing)
- Application Landing Zones: Per team/project (app 1, app 2, etc.)
Landing Zone Types
Real-world Example: Enterprise Landing Zone Setup
Structure:
Root MG
├── Platform Services (shared infrastructure)
│   ├── Connectivity Sub (hub VNet, firewall, gateways)
│   ├── Identity Sub (Azure AD governance)
│   └── Management Sub (Azure Monitor, Log Analytics)
├── Production Environment
│   ├── Website App LZ Sub (web tier, spoke VNet)
│   ├── Database LZ Sub (db tier, spoke VNet)
│   └── Analytics LZ Sub (data lake, spoke VNet)
└── Non-Production
    ├── Dev LZ Sub
    └── Test LZ Sub
Network Flow:
Internet → Azure Firewall (Hub) → Routes traffic to spoke (Web/DB/Analytics)
On-Premises → ExpressRoute → Hub Gateway → All Spokes
Governance:
- Policies enforced at Root or Environment MG (cascades to all subs)
- Monitoring centralized (all logs → Log Analytics in Management sub)
- Billing tracked per LZ subscription
- RBAC: Web team can only access Web LZ
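How "policies enforced at the Environment MG cascade to all subs" looks in code, as an added Bicep example that is not part of these notes: a custom Deny policy is defined and assigned at the Production management group, so the Web, Database and Analytics LZ subscriptions beneath it all inherit it without per-subscription work. The MG name, policy name and the choice to deny public IPs (so ingress must come through the hub firewall) are assumptions for illustration.

```bicep
// Added example (not from these notes). Deploy at the Production MG, e.g.:
//   az deployment mg create --management-group-id mg-production --location westeurope --template-file governance.bicep
targetScope = 'managementGroup'

// Spokes must not expose workloads directly; all ingress goes through the hub firewall.
// Custom definition, so no built-in policy GUID is needed.
resource denyPublicIp 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-public-ip-in-landing-zones' // assumed name
  properties: {
    policyType: 'Custom'
    mode: 'All'
    displayName: 'Deny public IP addresses in landing zone subscriptions'
    description: 'Landing zone workloads are reached only via the hub firewall; direct public IPs are not allowed.'
    policyRule: {
      if: {
        field: 'type'
        equals: 'Microsoft.Network/publicIPAddresses'
      }
      then: {
        effect: 'deny'
      }
    }
  }
}

// Assigning at the MG the template is deployed to makes the effect cascade to every
// subscription under it (Web, Database and Analytics LZ subs in the tree above).
resource assignDenyPublicIp 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
  name: 'deny-public-ip-prod' // assumed name
  properties: {
    displayName: 'Production: deny public IPs'
    policyDefinitionId: denyPublicIp.id
    enforcementMode: 'Default' // 'DoNotEnforce' would only report, useful while onboarding
    nonComplianceMessages: [
      {
        message: 'Public IP addresses are blocked in production landing zones; publish through the hub firewall instead.'
      }
    ]
  }
}
```

Move the assignment up to the Root MG and Non-Production inherits it too, which is exactly the trade-off the notes describe: the higher the scope, the less room a single team has to opt out.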
Landing Zone Design Decisions
Decision 1: Flat vs Hub-and-Spoke Networking
- Flat: Direct peering between spokes (simple, but less secure)
- Hub-and-Spoke: All traffic via hub (more complex, but firewall controls all flow, better security)
- When to use hub-and-spoke: Enterprise, must audit all traffic, on-prem connectivity
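The "firewall controls all flow" property of hub-and-spoke from the topology diagram and Decision 1 comes from two settings working together: spoke subnets carry a default route whose next hop is the firewall, and spokes peer only with the hub, never with each other. This added Bicep example (not from these notes) deploys one spoke from the diagram against an existing hub; the hub VNet name, the firewall's private IP and the presence of a gateway in the hub are assumptions.

```bicep
// Added example (not from these notes): one spoke wired into an existing hub.
targetScope = 'resourceGroup'
param location string = resourceGroup().location
param hubVnetName string = 'vnet-hub'       // assumed name of the existing hub VNet
param firewallPrivateIp string = '10.0.1.4' // assumed private IP of the hub's Azure Firewall
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: hubVnetName }

// Default route: everything leaving the spoke goes to the firewall in the hub.
resource spokeRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke-web'
  location: location
  properties: {
    disableBgpRoutePropagation: true // on-prem routes learned via the gateway must not bypass the firewall
    routes: [
      {
        name: 'default-via-firewall'
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
      }
    ]
  }
}

// Spoke VNet (10.1.0.0/24 as in the diagram) with the route table bound to its subnet.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-spoke-web'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/24' ] }
    subnets: [
      { name: 'snet-web', properties: { addressPrefix: '10.1.0.0/26', routeTable: { id: spokeRoutes.id } } }
    ]
  }
}

// Peer spoke <-> hub only, never spoke <-> spoke, so inter-spoke traffic also crosses the firewall.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spokeVnet
  name: 'peer-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnet.id }
    allowForwardedTraffic: true // accept traffic the firewall forwards from other spokes
    useRemoteGateways: true     // reach on-premises through the hub's ExpressRoute/VPN gateway
  }
  dependsOn: [ hubToSpoke ]     // hub side must grant gateway transit first
}
// Reverse direction; allowGatewayTransit lets the spoke use the hub gateway.
resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hubVnet
  name: 'peer-to-spoke-web'
  properties: { remoteVirtualNetwork: { id: spokeVnet.id }, allowForwardedTraffic: true, allowGatewayTransit: true }
}
```

A "flat" design would add a direct spoke-to-spoke peering and drop the route table; the firewall then never sees that traffic, which is the audit gap Decision 1 warns about.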
Decision 2: Single vs Multiple Subscriptions
- Single: Simpler management, but limited isolation
- Multiple: Better isolation, separate billing, but more overhead
- When to use multiple: Enterprise with multiple teams, large-scale deployments, regulatory requirements
Summary
- Landing Zone: Pre-configured Azure environment (connectivity, governance, security)
- Why: Enables teams to deploy safely without reinventing infrastructure
- Hub-and-spoke: Common topology for larger organizations (firewall enforces security)
- Multi-subscription: Scales better, provides isolation, enables cost tracking
- Platform vs Application LZ: Shared services vs workload-specific
Interview Questions
Q: What is a landing zone and why is it important?
A: A landing zone is a pre-configured Azure environment (networking, governance, security, monitoring) that teams can deploy into safely. It avoids duplicating efforts, enforces standards, and scales governance automatically.
Q: Explain hub-and-spoke networking and why you would use it.
A: Hub = central VNet with firewall/gateways. Spokes = application VNets. All traffic flows through hub, enabling centralized security controls. Best for enterprises that need audit trails and security enforcement.
Q: Why use multiple subscriptions in a landing zone design?
A: Scale (higher limits), isolation (teams don't interfere), cost tracking (bill per team), separate policies (different rules per environment), blast radius (limit damage if one is compromised).