Skip to main content
Architecture BlueprintLanding ZonesCloud Adoption FrameworkGovernance at Scale

How to Design Azure Landing Zones: The Enterprise
Architecture Blueprint That Prevents Cloud Sprawl

Cloud sprawl doesn't arrive as a single bad decision. It arrives as fifty reasonable ones, made by different teams, on different days, with no shared foundation underneath any of them. A landing zone is that foundation — decided once, before the first workload lands, so every subscription that follows inherits governance instead of inventing its own.

The scenario this architecture prevents
# Eighteen months of organic growth, no landing zone, five different
# teams "just getting something running." A composite, realistic picture:

  Subscriptions:        50, created ad hoc via support tickets
  Naming conventions:   4 different schemes, none documented
  VMs deployed:         200 (40 abandoned, still billing ~$30K/month)
  Public IPs:            15 (3 with no firewall rules in front of them)
  Central monitoring:    None — each team built its own, or none at all
  Tagging:               Inconsistent — cost attribution is a manual audit
  RBAC:                  Ranges from "everyone is Owner" to undocumented
  Network topology:      Flat VNets, ad hoc peering, no consistent hub

# None of these fifty decisions was individually irrational. Team A
# needed a subscription fast and support took three weeks, so Team B
# just used Team A's. Team C picked their own naming scheme because
# nobody had published one. Multiply reasonable local decisions by
# eighteen months and zero shared foundation, and this is what you get.

# The fix is not a cleanup project. It's deciding, once, BEFORE this
# happens: the management group hierarchy, the subscription model, the
# network topology, and the governance guardrails every future
# subscription inherits automatically. That decision is the landing zone.

The pattern: Cloud sprawl is what happens when subscription creation, networking, and governance are each decided independently, workload by workload, with no shared platform underneath.  The fix: An Azure Landing Zone — a pre-configured, multi-subscription environment with governance, identity, networking, and security decided once and inherited automatically by everything deployed after it.  The cost of skipping it: Not zero — deferred. Every team's local decision becomes a remediation task once the organization eventually needs consistency, and remediation is reliably more expensive than designing it up front.

8 design areas
The Cloud Adoption Framework's Azure Landing Zone architecture is organized around eight design areas, evaluated together, not in isolation
Platform + Workload
Every landing zone splits into platform subscriptions (shared services) and application landing zone subscriptions (workloads)
~80% automatable
The Azure Landing Zone accelerator (portal wizard, Bicep, or Terraform) provisions the majority of a standard platform foundation
One sub, one workload
CAF's standing recommendation: one subscription per workload per environment, for clean blast-radius isolation and cost attribution

Every organization that adopts Azure at scale eventually asks the same question, usually after the fact: who decided the naming convention, who owns network connectivity, and why do fifteen subscriptions have fifteen different security postures? An Azure Landing Zone is Microsoft's answer to asking that question before the fact instead of after. It is not a product you buy or a single resource you deploy — it's an architecture pattern, part of the Cloud Adoption Framework, that defines a multi-subscription environment where governance, identity, networking, and security are decided once, centrally, and inherited automatically by every workload that lands afterward. The name is literal: it's the landing zone a workload lands into, already governed, rather than a blank subscription a team has to govern themselves, inconsistently, under deadline pressure. This guide walks through the architecture end to end — the eight design areas Microsoft's own reference architecture is built around, the management group hierarchy that makes policy inheritance possible, the networking and governance patterns that hold at enterprise scale, and a concrete, step-by-step path to deploying one.

Figure 1 — The reference management group hierarchy: where every policy inherits from
TENANT ROOT GROUP → PLATFORM + LANDING ZONES + SANDBOX + DECOMMISSIONEDTenant RootPlatformLanding ZonesSandboxDecommissionedMgmtsubIdentitysubConnectivitysub (hub)CorpProd sub(s)Non-Prod sub(s)internal appsOnlineProd sub(s)Non-Prod sub(s)public-facing appsPOLICY INHERITANCE FLOWS DOWNWARD, AUTOMATICALLY. A policy assigned at"Tenant Root" (e.g. "require these tags") applies to every subscription in everygroup beneath it. A policy at "Landing Zones" (e.g. "deny public IPs") applies toevery workload subscription, but NOT to Platform — which has different needs.This is the entire mechanism that lets governance scale without manual, per-subscription enforcement.
The management group hierarchy is the structural backbone of an Azure Landing Zone — every governance decision in this guide (policy assignment, RBAC scope, cost tracking) is expressed as "at which level of this tree does this rule apply." Platform subscriptions host shared services (management, identity, connectivity); Landing Zone subscriptions host actual workloads, split by exposure (Corp for internal, Online for public-facing) and further by environment.
01What Is an Azure Landing Zone, Precisely?Definition

Microsoft's Cloud Adoption Framework defines an Azure Landing Zone as the standardized, recommended approach for organizations using Azure — a multi-subscription environment that accounts for scale, security, governance, networking, and identity, built from the start rather than retrofitted later. It provides a consistent way to set up and manage an Azure environment through two categories of subscription working together: platform landing zones (shared services every workload depends on) and application landing zones (the workloads themselves).

  • It's an architecture pattern, not a product. There's no single "Landing Zone" resource you provision. It's a way of organizing management groups, subscriptions, policies, and networking that Microsoft documents as a reference architecture and provides tooling (the Landing Zone accelerator) to help deploy.
  • It's opinionated by design. The reference architecture represents Microsoft's recommended target — you're expected to adapt it to your organization's specifics, but it starts from a defined position on every design area rather than a blank slate.
  • It's modular and repeatable. Configurations and controls apply consistently to every subscription that lands in the structure, and components can be deployed or modified independently as requirements evolve.
  • It exists before workloads do. The landing zone is the foundation deployed first — governance, identity, networking, security — so that the first application team to arrive lands into an already-governed environment rather than building governance themselves under deadline pressure.
"Enterprise-scale" is the name for the fully-realized reference implementation

You'll often see "Azure Landing Zone" and "Enterprise-Scale Landing Zone" used close together. Enterprise-scale is Microsoft's recommended architecture specifically for large organizations deploying Azure broadly — it's the landing zone concept taken to its full, opinionated conclusion, with the complete management group hierarchy, policy set, and networking pattern this guide describes. Smaller organizations can and should apply landing zone principles without adopting every piece of the enterprise-scale reference architecture — start with a management group hierarchy, a baseline policy set, and centralized logging, and grow into the rest.

02Where Landing Zones Fit in the Cloud Adoption FrameworkContext

The Cloud Adoption Framework organizes cloud adoption into five phases, and the landing zone is specifically the technical output of the third.

CAF PhaseWhat it coversRelationship to landing zones
StrategyBusiness justification, motivations, expected outcomesInforms why you're adopting Azure at all
PlanDigital estate assessment, adoption plan, skills readinessInforms what needs to migrate or be built
ReadyLanding zone deployment — the architecture foundationThis is where landing zones live
AdoptMigrate existing workloads; build new cloud-native onesBuilds on top of the landing zone foundation
Govern & ManageOngoing governance, operations, cost optimizationOperates the landing zone's guardrails continuously
Skipping "Ready" and jumping straight to "Adopt" is the direct cause of the sprawl scenario

The organic-growth failure mode this guide opened with is, structurally, what happens when an organization skips the Ready phase — deploying workloads directly into Azure without first deciding the management group hierarchy, subscription model, or governance baseline those workloads should inherit. Each team effectively invents their own miniature "Ready" phase, inconsistently, which is why the fifty-subscription sprawl scenario has four different naming conventions rather than one.

03The Eight Design AreasFramework

Microsoft's reference architecture is organized around eight design areas, evaluated together rather than in isolation, because decisions in one area constrain the others — your network topology affects your security design; your subscription model affects your governance policy scope.

#Design areaCore question it answers
1Azure billing & Microsoft Entra tenantHow is billing structured, and which Entra tenant(s) are in play?
2Identity and access managementHow are identities provisioned, and how is access granted and reviewed?
3Management group and subscription organizationHow are subscriptions grouped, and what does each one host?
4Network topology and connectivityHow do workloads reach each other, on-premises, and the internet?
5SecurityWhat's the baseline security posture, and how is it enforced?
6ManagementHow are resources monitored, backed up, and operated day to day?
7GovernanceWhat policies are enforced, audited, and by whom?
8Platform automation and DevOpsHow is the platform itself deployed, updated, and extended as code?

The remaining sections of this guide walk through the design areas that most directly shape the architecture — management groups and subscriptions (design area 3), networking (4), governance (7), security (5), and platform automation (8) — in enough depth to actually make the decisions each requires.

04Management Group Hierarchy: The Backbone of GovernanceDeep Dive

Every governance mechanism in a landing zone — Azure Policy assignment, RBAC scope, cost management boundaries — is expressed as "at which level of the management group tree does this apply." Getting the hierarchy right is disproportionately important, because subscriptions moving between management groups later is a real but non-trivial operation, and a poorly designed hierarchy tends to calcify around whatever shape it started with.

Management groupContainsTypical policy focus
PlatformManagement, Identity, and Connectivity subscriptionsPlatform-specific: logging retention, DNS, hub network standards
  └ ManagementLog Analytics, Automation Accounts, monitoring toolingDiagnostic settings enforcement, retention policy
  └ IdentityDomain controllers, identity-related infrastructureStrict network isolation, no public endpoints
  └ ConnectivityHub VNet, firewall, gateways, private DNS zonesNetwork security baseline, peering standards
Landing ZonesApplication/workload subscriptionsBroad governance: tagging, allowed regions, deny public IP
  └ CorpInternal-facing application subscriptionsNo direct internet inbound; hub-routed only
  └ OnlinePublic-facing application subscriptionsWAF requirements, DDoS protection standards
SandboxExperimentation subscriptions, disconnected from productionRelaxed policy, auto-expiry, cost caps
DecommissionedSubscriptions pending deletionLocked down, read-only, awaiting teardown
Corp and Online typically split further into Production and Non-Production

Most enterprise-scale implementations add a further layer under both Corp and Online: separate Production and Non-Production management groups, each with its own policy set. Production inherits stricter security and change-control policies; Non-Production carries relaxed policies alongside cost controls like auto-shutdown schedules for VMs. This split is what lets a single "deny public IP" policy at the Landing Zones level coexist with looser experimentation rules specifically scoped to non-production workloads.

Design for your actual operating model, not just the reference diagram

The reference hierarchy assumes a specific operating model — centralized platform team, workload teams operating within Corp/Online boundaries. If your organization's actual operating model doesn't match (a strongly federated model where business units run near-independent platforms, for instance), copying the reference hierarchy exactly can create friction rather than resolve it. Use the reference as a starting point and default, but validate it against how your organization genuinely makes decisions before locking it in — correcting a management group hierarchy after dozens of subscriptions exist under it is a real migration project, not a quick edit.

05Subscription Design: How Many, and How OrganizedDeep Dive

Subscriptions are Azure's hard isolation boundary — for billing, for quota, for certain security controls (some resources can only be isolated at the subscription level, not the resource group level). Getting subscription granularity right avoids two failure modes: too few subscriptions (blast radius and cost attribution collapse into a shared blob) and too many (operational overhead and quota fragmentation).

Subscription modelWhat it gets youWhat it costs you
One subscription per workload per environmentClean blast-radius isolation, independent RBAC, clear cost attribution — CAF's standing recommendationMore subscriptions to manage; needs a low-friction vending process to stay practical
Shared subscription per business unitFewer subscriptions to administerBlast radius spans every workload in the unit; cost attribution requires disciplined tagging instead of natural subscription boundaries
One giant subscription for everythingSimplest to set up initiallyNo meaningful isolation at all; this is the shape that produces the sprawl scenario at the opening of this guide, just consolidated into fewer subscriptions

The CAF recommendation — one subscription per workload per environment, e.g. separate subscriptions for "App A Production" and "App A Non-Production" — sounds like it produces subscription sprawl of its own, and it does produce more subscriptions than a shared model. The difference is that this sprawl is structured: every subscription has a clear owner, a clear cost boundary, and a clear place in the management group hierarchy, versus the unstructured sprawl of fifty ad hoc subscriptions with four naming conventions and no shared governance.

Platform subscriptions are usually fewer and more centrally controlled

Unlike workload subscriptions, the platform side typically stays intentionally small — a Management subscription, an Identity subscription, and a Connectivity subscription cover most organizations' shared-services needs, sometimes with additional Connectivity subscriptions for multi-region or regulatory requirements. These are provisioned once by the platform team, rarely by self-service, since they carry the shared infrastructure every workload subscription depends on.

Figure 2 — Hub-and-spoke networking: shared connectivity services in the hub, workloads in spokes
HUB (Connectivity subscription) — spokes peer INTO it, never directly to each otherHUB VNet(Connectivity subscription)Azure FirewallVPN GatewayExpressRoute GWAzure BastionPrivate DNS ZonespeeringSpoke: Corp App A(workload subscription)no internet inboundpeeringSpoke: Online App B(workload subscription)public via WAFSpoke: Corp App C(workload subscription)no internet inboundSpoke: Online App D(workload subscription)public via WAFSpokes never peer directly to each other — all inter-spoke traffic routes through the hub firewall.All on-premises connectivity, egress filtering, and DNS resolution are centralized in the hub, once.
The hub — living in the Connectivity platform subscription — holds every shared network service: firewall, VPN/ExpressRoute gateways for on-premises connectivity, Azure Bastion for secure VM access, and private DNS zones. Each workload subscription gets a spoke VNet peered to the hub, but spokes never peer directly to each other — traffic between spokes routes through the hub firewall, giving a single, centrally-managed point of inspection and control for all inter-workload traffic.
06Networking: Hub-and-Spoke vs Virtual WANDeep Dive

Azure Landing Zones support two network topologies, and the choice is largely a function of scale and operational preference rather than one being universally "better."

AspectHub-and-Spoke (traditional)Virtual WAN
Management modelYou build and manage the hub VNet, gateways, and peering yourselfMicrosoft-managed backbone; you configure connections, not the underlying transit infrastructure
Best fitSingle region or a small number of regions; teams wanting full control over hub configurationMany regions, many branch/VPN connections, large-scale global connectivity
Complexity at scaleGrows manually — more regions means more hubs to manage and peerScales more automatically — Virtual WAN handles cross-region transit natively
FamiliarityWell-understood, widely documented, easier to reason about for smaller teamsNewer mental model; fewer engineers have deep operational experience with it

Both topologies share the same core landing zone principle: shared connectivity infrastructure — firewalls, gateways, DNS — lives centrally (in the hub or in Virtual WAN's managed backbone), and workload subscriptions connect to it rather than each building their own path to the internet or on-premises networks.

Don't default to Virtual WAN "because it's newer" for a small footprint

One of the most common landing zone anti-patterns is over-engineering the network topology relative to actual scale — deploying Virtual WAN, Azure Firewall Premium, and a full Sentinel deployment to support twenty resources. The governance infrastructure ends up costing more, and requiring more specialized operational knowledge, than the workloads it protects. Hub-and-spoke is a perfectly sufficient, well-understood starting point for most organizations; grow into Virtual WAN when the number of regions and connection types genuinely justifies it.

The hub VNet's core components, regardless of topology choice

Whichever topology you pick, the hub typically hosts the same core set of shared services: Azure Firewall (or a third-party NVA) for centralized egress and inter-spoke traffic inspection, VPN Gateway and/or ExpressRoute Gateway for on-premises connectivity, Azure Bastion for secure RDP/SSH access to VMs without exposing public IPs, and Private DNS Zones for name resolution across private endpoints. These live in the Connectivity platform subscription, managed centrally, consumed by every spoke.

07Governance and Policy at ScaleDeep Dive

Governance is where the management group hierarchy actually pays off — Azure Policy assignments at each level enforce and audit rules automatically, without a human checking every new subscription by hand. A mature enterprise-scale landing zone commonly carries well over 100 policy assignments across the hierarchy, though the count matters far less than the coverage.

Policy categoryExample ruleTypical assignment level
TaggingRequire costCenter, owner, environment tags on all resourcesTenant Root — applies everywhere
Allowed locationsRestrict resource deployment to approved regionsTenant Root or Landing Zones
Network exposureDeny public IP creation on VMsLanding Zones (Corp especially)
EncryptionRequire encryption at rest for storage accounts, disksTenant Root
DiagnosticsRequire diagnostic settings sending logs to the central Log Analytics workspaceTenant Root or Landing Zones
Security postureRequire Microsoft Defender for Cloud plans enabledTenant Root
Non-production controlsAuto-shutdown schedules, relaxed SKU restrictionsNon-Production sub-groups only
Start in Audit mode, move to Deny deliberately

Every new policy assignment should typically start in Audit effect — logging non-compliant resources without blocking them — so you can measure the real-world impact before switching to Deny, which actively blocks non-compliant deployments. Flipping straight to Deny on a policy nobody has validated against real traffic is a common way to turn a governance improvement into an unplanned outage for a team who had no warning their deployment pattern would suddenly fail.

Increased governance complexity is a real, documented trade-off of deviating from the hierarchy

Microsoft's own design principles guidance is explicit that segmenting workloads differently from the management group hierarchy — grouping by Azure service instead of by the organizational structure the hierarchy assumes, for instance — increases governance policy complexity and access control complexity measurably. It's not a hypothetical risk; it's a documented, common failure mode. Align workload organization to the management group hierarchy rather than working around it, unless there's a specific, well-understood reason not to.

08Security Baseline: Identity, Defender, SentinelDeep Dive

A landing zone's security baseline is what every workload inherits by default, before any application-specific hardening. Three pillars carry most of the weight.

PillarWhat it establishesWhere it lives
Identity (Microsoft Entra ID)The primary security boundary. Role-based access control, Conditional Access, Privileged Identity Management for just-in-time elevated accessTenant-wide, foundational to everything else
Microsoft Defender for CloudCloud Security Posture Management (CSPM) and workload protection plans — vulnerability scanning, threat detection, secure scoreEnabled tenant-wide via policy, typically enforced from Tenant Root
Microsoft SentinelCentralized SIEM/SOAR — security event correlation and response across the whole estateDeployed in the Management platform subscription, ingesting from every workload

Identity-related risk is consistently cited as a top driver of landing zone security design — role-based access, least-privilege, and Zero Trust principles need to be built into the identity model from the start, because retrofitting access control after hundreds of role assignments already exist is a much harder problem than designing it correctly from the first subscription.

Compliance frameworks map onto the same governance mechanism, not a separate one

Whether your organization needs to demonstrate alignment with HIPAA, PCI DSS, SOC 2, FedRAMP, GDPR, or another framework, the mechanism is the same one this guide has already described: policy initiatives (bundled sets of individual policies) assigned at the appropriate management group level, with Defender for Cloud's regulatory compliance dashboard providing continuous, automated evidence of adherence rather than a periodic manual audit. Compliance isn't a bolt-on to the landing zone — it's an expression of the same governance-at-scale mechanism, applied to a specific framework's requirements.

09Platform Engineering: Subscription Vending and IaCDeep Dive

A landing zone's governance is only as good as how easy it is for teams to actually get a compliant subscription. If getting a new subscription takes three weeks of tickets, application teams will find workarounds — reusing an existing subscription, or escalating for an exception — that quietly erode the isolation the whole architecture was designed to provide. Subscription vending is the fix: an automated, typically self-service process that provisions a new, correctly-configured subscription on demand.

Step in a vended subscription's creationWhat happens automatically
Request submittedA team requests a new subscription via a form, portal, or pull request — self-service, no manual ticket triage
Approval (if required)Lightweight approval gate, often automated for standard requests and manual only for exceptions
Subscription createdNew subscription provisioned under the correct management group automatically
Policy inheritanceGovernance policies apply immediately, inherited from the management group — no separate configuration step
Network peeringSpoke VNet created and peered to the hub automatically
Monitoring wired upDiagnostic settings pointed at the central Log Analytics workspace
RBAC assignedRequesting team granted appropriate roles on their new subscription

The difference this makes in practice is stark: a manual, ticket-driven process commonly takes weeks; an automated vending process can complete the same work in minutes. That speed difference is what determines whether teams work within the governed platform or route around it.

Everything in this guide should be deployed as code, versioned, and reviewed like any other codebase

The eighth design area — platform automation and DevOps — is not an optional extra layered on top of the architecture; it's how the architecture stays correct over time. Management group structure, policy assignments, the hub network, and the subscription vending process itself should all be defined in Bicep or Terraform, stored in source control, and deployed through a reviewed pipeline. A landing zone configured by hand through the portal drifts from its documented design the first time someone makes an emergency change under pressure and forgets to document it — infrastructure as code is what keeps the deployed reality matching the architecture this guide describes.

10Step-by-Step: Deploying Your First Landing ZoneHow-To

A practical, ordered path from zero to a working platform foundation, using the Azure Landing Zone accelerator as the starting point rather than hand-building every management group and policy from scratch.

  1. Design the management group hierarchy on paper before deploying anything

    Start from the reference hierarchy (Platform / Landing Zones / Sandbox / Decommissioned), and validate it against your actual organizational structure and operating model. This is the decision that's hardest to change later — get explicit sign-off from whoever owns governance before moving to deployment.

  2. Decide your networking topology: hub-and-spoke or Virtual WAN

    Base this on your actual region count and connectivity needs today, not a guess about future scale. Most organizations starting out should default to hub-and-spoke; reserve Virtual WAN for genuinely multi-region, multi-connection scenarios.

  3. Deploy the platform foundation using the Azure Landing Zone accelerator

    Use the portal-based wizard for a first exploratory deployment, or go straight to the Bicep or Terraform module set if your team is ready to manage it as code from day one. This step provisions the management group hierarchy, the Management/Identity/Connectivity subscriptions, the hub network, and a baseline set of policy assignments in one coordinated deployment.

  4. Validate the baseline policy set in Audit mode before enforcing Deny

    Let the accelerator's default policies run in audit-only mode against your environment for a defined period — a few weeks is common — and review what would have been blocked. Adjust exceptions or policy parameters based on real findings, then move validated policies to Deny.

  5. Build and test the subscription vending process

    Before onboarding any real application team, provision a test subscription through your vending pipeline end to end — request, approval, creation, management group placement, network peering, monitoring, RBAC — and confirm every step actually works as designed, not just individually but as a full chain.

  6. Onboard one pilot workload team before opening broadly

    Choose a real but low-risk application team as your first tenant. Their experience — how long provisioning actually took, which policies caused friction, what documentation was missing — is far more valuable feedback than anything caught in internal testing, and it's much cheaper to fix issues discovered with one team than after fifty teams have onboarded.

  7. Document the platform and open self-service vending broadly

    Publish the subscription request process, the management group structure, the policy set, and who owns what — then open the vending process to the rest of the organization. This is the point where the landing zone stops being a project and starts being the platform.

Realistic timelines vary enormously with automation maturity and organizational complexity

A minimal landing zone using the accelerator's defaults can be stood up in days. A fully customized enterprise deployment — custom policies, hybrid networking, multiple compliance frameworks, CI/CD-driven platform automation — realistically takes several weeks of dedicated architecture and engineering time, even with strong automation. Be wary of either extreme claim: "days" for a fully customized enterprise environment undersells the real design work involved, and "months" for a straightforward, accelerator-driven deployment usually reflects process friction more than technical necessity.

11Anti-Patterns That Cause Sprawl Even With a Landing ZoneTraps

A landing zone isn't immune to producing sprawl of its own if the design or the operating discipline around it goes wrong. These are the specific ways that happens.

Anti-patternWhy it feels rightWhy it isn't
Skip the landing zone, plan to "add governance later""We need to move fast; governance can catch up"Governance later never comes cheaply — by the time it does, there are hundreds of unmanaged resources and the fix is a remediation project costing multiples of what up-front design would have
Over-engineer on day one"Let's build the full enterprise architecture from the start"Virtual WAN, Firewall Premium, and a full Sentinel deployment for twenty resources means the governance infrastructure costs more than the workloads it protects, and adds operational complexity nobody yet needs
Copy the reference hierarchy without validating against your operating model"Microsoft's diagram must be right for us too"The reference assumes a specific operating model. A strongly federated organization forcing itself into a centralized hierarchy creates friction the diagram doesn't warn you about
No subscription vending automation"We'll handle subscription requests manually for now"Slow, manual provisioning is exactly what pushes teams toward workarounds — reusing subscriptions, requesting exceptions — that quietly recreate the sprawl the landing zone exists to prevent
Configure the platform by hand through the portal"Just this once, it's faster than writing Bicep"Manual changes drift from documented design immediately and invisibly. The next person to read the Bicep templates sees a platform that no longer matches what's actually deployed
Flip new policies straight to Deny without an audit period"We're confident this policy is correct"An unvalidated Deny policy can block a legitimate, unanticipated deployment pattern with no warning — turning a governance improvement into an outage for whichever team hits it first

Key Takeaways

A landing zone is an architecture pattern, not a product. It's a way of organizing management groups, subscriptions, networking, and policy so governance is inherited automatically rather than invented per-team.
Eight design areas, evaluated together. Billing/tenant, identity, management groups/subscriptions, networking, security, management, governance, and platform automation — decisions in one constrain the others.
The management group hierarchy is where policy inheritance lives. Platform (Management/Identity/Connectivity) hosts shared services; Landing Zones (Corp/Online, split by environment) hosts workloads — get this structure right before deploying anything under it.
One subscription per workload per environment is CAF's standing recommendation. It looks like more sprawl but is structured sprawl — every subscription has a clear owner, cost boundary, and governance scope.
Hub-and-spoke is the right default for most organizations. Reserve Virtual WAN for genuinely multi-region, multi-connection scale — don't over-engineer networking relative to actual footprint.
Subscription vending determines whether teams use the platform or route around it. A slow, manual provisioning process recreates the exact sprawl the landing zone exists to prevent.
Deploy the platform itself as code. Management groups, policy, and networking configured by hand through the portal drift from documented design the first time someone makes an emergency change.

Frequently Asked Questions

Do small organizations need a full enterprise-scale landing zone?
No — enterprise-scale is Microsoft's fully-realized reference architecture aimed at large organizations, and adopting every component of it for a small footprint is itself an anti-pattern this guide covers explicitly (over-engineering on day one). Smaller organizations still benefit substantially from landing zone principles at a smaller scale: a basic management group hierarchy, a baseline set of Azure Policies (required tagging, restricted regions, denied public IPs), and centralized logging cover most of the governance value with a fraction of the operational complexity. Start with that minimal foundation and grow into additional design areas — Virtual WAN, a full Sentinel deployment, extensive policy initiatives — only as actual scale and risk justify the added complexity.
What's the difference between a platform landing zone and an application landing zone?
A platform landing zone is a subscription hosting shared services every workload depends on — the Management subscription (logging, automation), Identity subscription (domain controllers and identity infrastructure), and Connectivity subscription (hub network, firewall, gateways). An application landing zone (sometimes just called a "landing zone subscription" in context) is a subscription hosting an actual workload — an application's compute, storage, and networking resources. Platform landing zones are typically few in number, centrally managed, and provisioned once by the platform team. Application landing zones are numerous, provisioned continuously as new workloads onboard (ideally through an automated subscription vending process), and owned by individual workload teams operating within the governance guardrails the platform landing zone establishes.
Can I migrate an existing, ungoverned Azure environment into a landing zone structure?
Yes, though it's meaningfully more complex than a greenfield deployment. The general approach: design and deploy the management group hierarchy and platform foundation first (as if starting fresh), then reorganize existing subscriptions into the new hierarchy, apply governance policies incrementally starting in audit-only mode to understand impact before enforcing, and peer existing virtual networks to the new hub rather than requiring a network redesign for every workload simultaneously. This is a genuine migration project — budget real time for it — but it's the standard, well-documented path organizations take when a landing zone is introduced after ungoverned growth has already happened, which describes most real-world adoptions more accurately than a clean greenfield story does.
Should I use the Azure Landing Zone accelerator, or build the architecture entirely custom?
For most organizations, start with the accelerator (available as a guided portal wizard, Bicep module set, or Terraform module set) rather than building from scratch. It provisions the substantial majority of a standard platform foundation — management group hierarchy, platform subscriptions, hub networking, and a baseline policy set — in a single coordinated, Microsoft-maintained deployment, leaving the remaining customization (organization-specific policies, non-standard networking requirements, custom compliance mappings) as the smaller portion of the work. Building the entire architecture custom from first principles is rarely justified unless your requirements diverge from the reference architecture so significantly that the accelerator's assumptions actively work against you — a genuinely uncommon situation for most enterprise environments.

Popular posts from this blog

The Cloud Incumbent: AWS Bedrock Hosts Every Frontier Model and Amazon Is Betting on Neutrality AWS at $37.6 billion quarterly revenue, growing 28%. $13 billion invested in Anthropic. A $100 billion Anthropic-to-AWS commitment. Trainium with $225 billion in customer revenue commitments. The most quietly powerful AI strategy in the race. By Francis Avorgbedor | Azure Engineer  ·  July 4, 2026  ·  14 min read  ·  Amazon · AWS · Cloud AI 74 SEVENAI Momentum Score — Rank #5 $37.6B AWS Q1 2026 revenue — 28% YoY growth ▲ Fastest in 15 quarters $13B Total Amazon investment in Anthropic to date ▲ Strategic anchor 100K+ Customers running Claude on AWS Bedrock ▲ Distribution moat Amazon's AI strategy is built on a thesis that every other Magnificent Seven company is testing against — and that Amazon is uniquely positioned to win regardless of the outcome. The thesis is neutrality. In a race where Microsoft has bet on OpenAI, Google has bet on Gemini, and Meta has bet...
Performance Fix Foundry Local 1.2 Linux ARM64 Embeddings Offline ASR The Edge Latency Drop: Fixing Latency Spikes by Offloading Embeddings to Foundry Local 1.2 You are paying a full cloud round trip — network, TLS, queue, throttle risk — to turn a twelve-word search query into a vector. That is the most expensive way possible to do one of the cheapest computations in your stack. Foundry Local 1.2 now runs on Linux ARM64, which means embeddings and speech recognition can happen on a Raspberry Pi, a Jetson, or a Graviton instance — offline, unmetered, and in single-digit milliseconds. The failure signature this guide resolves # Application Insights — the embedding call, not the LLM, is your tail latency: name p50 p95 p99 calls/day POST /embeddings (cloud) 89 ms 412 ms 3,847 ms 1,240,000 POST /chat/completions (cloud) 940 ms 1,720 ms 2,910 ms 38,000 ^^^^^^^^ ...
  The 500GB System File That Eats Your Hard Drive Something on your Windows 10 drive is consuming hundreds of gigabytes and the normal tools cannot find it. This guide identifies every known culprit — from hibernation files and shadow copies to runaway backups and the Windows component store — and tells you exactly what is safe to delete, what to leave alone, and what the commands actually do.
How to Reset an Azure Virtual Machine to Factory Settings Using a Managed Disk Azure does not have a single "factory reset" button. What it does have is something better: the OS Disk Swap — a method that swaps out the corrupted or misconfigured OS disk for a clean Windows Server managed disk without deleting the VM, its NICs, its IP addresses, or any attached data disks. Here is how it works, when to use it, and the exact steps to execute it safely. FA Francis Avorgbedor Azure Engineer July 16, 2026 15 min read Azure VMs · Windows Server · Real-World Fix 3 Methods to achieve a clean Windows Server installation on an existing Azure VM ~15min Typical OS Disk Swap duration — VM retains its NICs, IPs, and data disks throughout 0 Data disks affected by an OS Disk Swap — data disks remain attached and untouched 1 Snapshot of the original OS disk you must take before starting — no exceptions Introduction Why Azure Does Not Have a Simple Factory Reset — and What to Do Instead On a ph...

AKS CrashLoopBackOff, Pending Pods, and NotReady Nodes — The Real Fixes Engineers Use

Incident Playbook AKS Kubernetes kubectl 2026 AKS CrashLoopBackOff, Pending Pods, and NotReady Nodes — The Real Fixes Engineers Use Every AKS engineer eventually faces the same nightmare: CrashLoopBackOff at 2am, pods stuck Pending for no clear reason, or nodes flipping to NotReady mid-deployment. The difference between panic and control is knowing the exact diagnostic sequence — and the real fixes that work in production. This guide gives you both. 3 commands get pods, describe pod, and logs diagnose roughly 90% of AKS incidents before you touch anything else Exit 137 The code that means OOMKilled — the container hit its memory limit and was killed by the kernel (128 + SIGKILL 9) Events The bottom of kubectl describe is where the real cause lives — Pending, FailedScheduling, and image errors all surface there CoreDNS The single component behind most "intermittent" production failures — service discovery breaks quietly and looks like an app bug Table of Contents 01 The 3 Comm...
Can I Update My Old Computer to Windows 11 — and How Much Will It Cost? Your i7, 16GB RAM, 512GB SSD machine is powerful enough to run Windows 11 comfortably. The TPM 2.0 and Secure Boot wall is a security checkbox, not a performance ceiling. Here are two proven ways to get past it, what each one costs, and what you are trading away by doing so. $0 Cost of the Windows 11 licence if your existing Windows 10 is genuine — the upgrade remains free in 2026 2 Proven methods to bypass TPM 2.0 and Secure Boot — Rufus (easy) and Registry edit (manual) 25H2 Current Windows 11 version — all known bypass methods tested and confirmed working as of July 2026 Oct 2025 Windows 10 end of life — no more security updates. Staying on Windows 10 now carries real risk. First — Check Your BIOS Before Anything Else You Might Not Actually Need a Bypass Before running any bypass, open your BIOS and look at two settings. Many computers that fail the Windows 11 compatibility check have TPM 2.0 present in the hard...
2026 Edition 100 Tools Software Engineering DevOps AIOps Top 100 Best AI Tools for Azure  Engineers and DevOps Professionals in 2026 85% of developers now regularly use AI tools. Fully AI-generated code accounts for nearly 28% of all pull requests. The question is no longer whether to use AI tools — it is which ones, in which combination, for which part of the lifecycle. This guide cuts through the noise: 100 tools, 10 categories, honest pricing, real use cases, and a selection framework for building your stack without redundancy. 85% Percentage of developers who now regularly use AI tools, per JetBrains' 2025 State of Developer Ecosystem report — up from near zero three years ago 28% Share of all pull requests containing primarily AI-generated code in 2026 — the metric that signals AI coding assistants have moved from experiment to workflow $50B Cursor's reported valuation in April 2026 Series D talks — the number that signals investor confidence in the AI developer tools mark...

Azure Files vs Azure NetApp Files: Which One Should You Choose?

Azure Files vs Azure NetApp Files: Which One Should You Choose? Performance tiers, protocol support, dual-protocol capability, pricing models, SAP/Oracle/HPC suitability, data management features, and the decision framework that maps each workload type to the right service — with step-by-step setup procedures for both. FA Francis Avorgbedor Azure Engineer July 15, 2026 20 min read Azure Storage · Architecture 4 Azure Files tiers: Premium SSD, Standard Hot, Cool, Tx Optimized 3 ANF performance tiers: Standard, Premium, Ultra — all SSD-backed 4TiB ANF minimum provisioning — significant cost floor for small workloads Dual ANF serves the same data via SMB and NFS simultaneously — AF cannot Introduction Two Services, One Surface Area — Completely Different Purposes Microsoft offers two fully managed, enterprise-grade file storage services in Azure. They share a surface area — both serve file shares over standard protocols, both run on managed infrastructure, and both integrate with Microsof...
Troubleshooting Guide AKS Kubernetes Real Solutions kubectl Azure Kubernetes Service (AKS) Troubleshooting Guide: Real Solutions to Common Problems CrashLoopBackOff at 2am. Pods stuck Pending with no obvious cause. Nodes going NotReady mid-deployment. DNS resolution silently failing in production. Every AKS engineer encounters these — the difference between engineers who panic and engineers who stay calm is knowing the exact sequence of diagnostic commands to run. This guide gives you that sequence, the root cause analysis for each failure mode, and the fix. 3 commands 90% of AKS problems are diagnosed with the same three kubectl commands: describe pod, logs --previous, and get events — in that order, every time Exit 137 The exit code that tells you everything: container killed by SIGKILL — either the Linux OOM killer (memory limit exceeded) or kubelet after grace period expired 5 min The CrashLoopBackOff ceiling: Kubernetes applies exponential backoff (10s → 20s → 40s → 80s → 160s → 3...

How to Deploy an AI Chatbot on Azure Using Azure OpenAI and App Service

Step-by-Step Guide Azure OpenAI App Service Production Python How to Deploy an AI Chatbot on Azure Using Azure OpenAI and App Service From zero to a production-grade AI chatbot: provision Azure OpenAI, write a streaming Flask API backend, deploy it on Azure App Service with Managed Identity, wire in conversation history and content safety, and instrument it with Application Insights — all with complete code and Terraform IaC. No API keys in environment variables. No hardcoded secrets. No half-finished PoC patterns. 7 phases This guide covers the full deployment lifecycle: architecture design → resource provisioning → backend code → App Service deployment → streaming → security → monitoring Zero keys The chatbot authenticates to Azure OpenAI using Managed Identity and DefaultAzureCredential — no API keys stored in environment variables, Key Vault, or code SSE Server-Sent Events stream GPT tokens to the browser as they generate — the same token-by-token typing effect users expect from pr...