Thesius Code

Posted on • Originally published at datanest-stores.pages.dev

Azure Landing Zone Kit

Enterprise-grade Azure Bicep and ARM templates that implement Microsoft's Cloud Adoption Framework landing zone architecture. This kit gives you a repeatable, governance-first foundation for deploying workloads at scale — management groups, policy assignments, hub-spoke networking, and identity integration all wired together and ready to deploy. Built for platform teams who need to hand off secure, compliant subscriptions to application teams.

Key Features

  • Management Group Hierarchy — Pre-built taxonomy matching Microsoft's reference architecture (Platform, Landing Zones, Sandbox, Decommissioned)
  • Azure Policy as Code — 40+ policy definitions and initiatives covering CIS Benchmark, encryption, allowed regions, and naming conventions
  • Hub-Spoke Networking — Hub VNet with Azure Firewall, Bastion, VPN Gateway, and peered spoke templates
  • Identity Foundation — Azure AD integration with PIM-ready role assignments, emergency access accounts, and conditional access templates
  • Subscription Vending — Automated subscription provisioning with pre-applied policies and RBAC
  • Diagnostic Settings — Centralized Log Analytics workspace with resource-level diagnostic configurations
  • Cost Management — Budget alerts, resource locks on production, and tag enforcement policies
  • Modular Design — Deploy the full kit or pick individual modules for incremental adoption

Quick Start

# Authenticate to Azure
az login
az account set --subscription "YOUR_PLATFORM_SUBSCRIPTION_ID"

# Deploy management group hierarchy
az deployment tenant create \
  --location eastus2 \
  --template-file src/management-groups/main.bicep \
  --parameters src/management-groups/parameters.json

# Deploy hub networking
az deployment group create \
  --resource-group rg-hub-networking \
  --template-file src/networking/hub-vnet.bicep \
  --parameters configs/hub-networking.production.json

Architecture

┌──────────────────────────────────────────────────────────┐
│                   Tenant Root Group                      │
│  ┌────────────────────────────────────────────────────┐  │
│  │  AcmeCorp (top-level MG)                          │  │
│  │  ┌──────────┐ ┌──────────────┐ ┌───────────────┐  │  │
│  │  │ Platform │ │ Landing Zones│ │   Sandbox     │  │  │
│  │  │ ┌──────┐ │ │ ┌──────────┐ │ │ (dev/test)   │  │  │
│  │  │ │Mgmt  │ │ │ │  Corp    │ │ │               │  │  │
│  │  │ │Conn. │ │ │ │  Online  │ │ └───────────────┘  │  │
│  │  │ │Ident.│ │ │ │  SAP     │ │                    │  │
│  │  │ └──────┘ │ │ └──────────┘ │                    │  │
│  │  └──────────┘ └──────────────┘                    │  │
│  └────────────────────────────────────────────────────┘  │
│                                                          │
│  Hub-Spoke Network Topology:                             │
│  ┌──────────┐      ┌──────────┐      ┌──────────┐       │
│  │ Spoke A  │◄────►│   Hub    │◄────►│ Spoke B  │       │
│  │ 10.1.0/16│      │10.0.0/16│      │10.2.0/16│       │
│  └──────────┘      │ Firewall │      └──────────┘       │
│                    │ Bastion  │                          │
│                    │ VPN GW   │                          │
│                    └──────────┘                          │
└──────────────────────────────────────────────────────────┘

Usage Examples

Management Group with Policy Assignment

// src/management-groups/main.bicep
targetScope = 'tenant'

@description('Top-level management group name')
param topLevelMGName string = 'AcmeCorp'

resource topLevelMG 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: topLevelMGName
  properties: {
    displayName: topLevelMGName
  }
}

resource platformMG 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: '${topLevelMGName}-Platform'
  properties: {
    displayName: 'Platform'
    details: { parent: { id: topLevelMG.id } }
  }
}

resource landingZonesMG 'Microsoft.Management/managementGroups@2021-04-01' = {
  name: '${topLevelMGName}-LandingZones'
  properties: {
    displayName: 'Landing Zones'
    details: { parent: { id: topLevelMG.id } }
  }
}
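The heading above promises a policy assignment, but the snippet only builds the hierarchy. The following is an added example, not code from the kit, showing how a deny-effect assignment is attached at the Landing Zones management group so that every subscription vended beneath it inherits it while the sibling Sandbox group stays exempt. The file name is hypothetical; the two GUIDs are the built-in "Allowed locations" and "Require a tag on resources" definitions (confirm with `az policy definition show --name <guid>` before relying on them).

```bicep
// src/management-groups/policy-assignments.bicep (hypothetical file name)
// Deploy against the target MG, e.g.:
//   az deployment mg create --management-group-id AcmeCorp-LandingZones \
//     --location eastus2 --template-file src/management-groups/policy-assignments.bicep
targetScope = 'managementGroup'

@description('Regions workloads may deploy into; anything else is denied at request time')
param allowedLocations array = [
  'eastus2'
  'centralus'
]

@description('Tag every resource must carry (cost allocation, see tagValues in the config)')
param requiredTagName string = 'CostCenter'

// Built-in definitions live at tenant scope, so their IDs are stable across MGs
var allowedLocationsDefinitionId = tenantResourceId('Microsoft.Authorization/policyDefinitions', 'e56962a6-4747-49cd-b67b-bf8b01975c4c')
var requireTagDefinitionId = tenantResourceId('Microsoft.Authorization/policyDefinitions', '871b6d14-10aa-478d-b590-94f262ecfa99')

// MG-scoped assignment names are limited to 24 characters
resource denyUnapprovedRegions 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-unapproved-regions'
  properties: {
    displayName: 'Deny resources outside approved regions'
    policyDefinitionId: allowedLocationsDefinitionId
    enforcementMode: 'Default'   // 'DoNotEnforce' would evaluate only, i.e. audit behaviour
    parameters: {
      listOfAllowedLocations: { value: allowedLocations }
    }
  }
}

resource requireCostCenterTag 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-costcenter-tag'
  properties: {
    displayName: 'Deny resources missing the ${requiredTagName} tag'
    policyDefinitionId: requireTagDefinitionId
    enforcementMode: 'Default'
    parameters: {
      tagName: { value: requiredTagName }
    }
  }
}
```

Both built-ins carry a deny effect, which is what the best-practice note on tagging asks for: a request that violates either assignment fails at the Resource Manager, rather than being reported later as NonCompliant. Resources created before the assignment still show as NonCompliant, which is the troubleshooting case covered further down.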

Hub VNet with Azure Firewall

// src/networking/hub-vnet.bicep
param location string = resourceGroup().location
param hubVnetCidr string = '10.0.0.0/16'

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub-${location}'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [hubVnetCidr] }
    // These subnet names are mandated by Azure: AzureFirewallSubnet and
    // AzureBastionSubnet need at least a /26, GatewaySubnet at least a /27
    subnets: [
      { name: 'AzureFirewallSubnet',  properties: { addressPrefix: '10.0.1.0/26' } }
      { name: 'AzureBastionSubnet',   properties: { addressPrefix: '10.0.2.0/26' } }
      { name: 'GatewaySubnet',        properties: { addressPrefix: '10.0.3.0/27' } }
    ]
  }
}

// Public IP referenced by the firewall below; Azure Firewall requires a
// Standard SKU, statically allocated address
resource firewallPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-fw-hub-${location}'
  location: location
  sku: { name: 'Standard' }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'fw-hub-${location}'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    ipConfigurations: [{
      name: 'fw-ipconfig'
      properties: {
        subnet: { id: '${hubVnet.id}/subnets/AzureFirewallSubnet' }
        publicIPAddress: { id: firewallPip.id }
      }
    }]
  }
}

// Values spoke deployments need: the VNet to peer with and the firewall's
// private IP to use as next hop in their route tables
output hubVnetId string = hubVnet.id
output firewallPrivateIp string = firewall.properties.ipConfigurations[0].properties.privateIPAddress

Configuration

// configs/hub-networking.production.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location":         { "value": "eastus2" },
    "hubVnetCidr":      { "value": "10.0.0.0/16" },
    "enableFirewall":   { "value": true },
    "enableBastion":    { "value": true },
    "enableVpnGateway": { "value": true },
    "vpnGatewaySku":    { "value": "VpnGw2" },
    "logAnalyticsWorkspaceId": {
      "value": "/subscriptions/YOUR_SUB/resourceGroups/rg-mgmt/providers/Microsoft.OperationalInsights/workspaces/law-central"
    },
    "tagValues": {
      "value": {
        "Environment": "Production",
        "ManagedBy": "PlatformTeam",
        "CostCenter": "IT-Infra-001"
      }
    }
  }
}

Best Practices

  • Deploy management groups before anything else — Policies and RBAC cascade down from MGs to subscriptions
  • Use a dedicated platform subscription — Keep hub networking, firewalls, and shared services isolated from workloads
  • Enforce tagging with deny policies — Don't rely on audit; teams will ignore advisory-only policies
  • Start with Azure Firewall Standard — Upgrade to Premium only if you need TLS inspection or IDPS
  • Peer spokes to hub, not to each other — Spoke-to-spoke traffic should route through the firewall for inspection
  • Export Bicep modules to a private registry — Enables version-controlled reuse across teams
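The "peer spokes to hub" rule and the one-directional-peering item in the troubleshooting table both come down to the same template. The following is an added example, not a file from the kit as shown: a spoke template that creates the spoke VNet, a route table sending all non-local traffic to the hub firewall, and both peering directions in one deployment (the hub side through a module scoped to the hub resource group). File names and the `firewallPrivateIp` parameter are assumptions.

```bicep
// ---- src/networking/spoke-vnet.bicep (hypothetical file, not from the kit as shown) ----
// Deployed into the spoke's resource group; the hub-side peering is created through a
// module scoped to the hub resource group, so both directions exist after one deployment.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param spokeName string = 'spoke-a'
param spokeVnetCidr string = '10.1.0.0/16'
param workloadSubnetCidr string = '10.1.1.0/24'

param hubSubscriptionId string
param hubResourceGroupName string = 'rg-hub-networking'
param hubVnetName string

@description('Private IP of the hub Azure Firewall; all spoke egress is sent here')
param firewallPrivateIp string

// Default route to the firewall: spoke-to-spoke and Internet traffic gets inspected
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-${spokeName}'
  location: location
  properties: {
    disableBgpRoutePropagation: true   // keep VPN-learned routes from bypassing the firewall
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-${spokeName}'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [spokeVnetCidr] }
    subnets: [
      {
        name: 'snet-workload'
        properties: {
          addressPrefix: workloadSubnetCidr
          routeTable: { id: spokeRouteTable.id }
        }
      }
    ]
  }
}

// Spoke -> hub direction
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: spokeVnet
  name: 'peer-to-hub'
  properties: {
    remoteVirtualNetwork: {
      id: resourceId(hubSubscriptionId, hubResourceGroupName, 'Microsoft.Network/virtualNetworks', hubVnetName)
    }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true   // required: replies arrive via the firewall, not the origin VNet
    allowGatewayTransit: false
    useRemoteGateways: false      // set true once the hub VPN gateway is deployed
  }
}

// Hub -> spoke direction, created in the hub's resource group
module hubToSpoke 'hub-peering.bicep' = {
  name: 'peer-hub-to-${spokeName}'
  scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
  params: {
    hubVnetName: hubVnetName
    spokeName: spokeName
    spokeVnetId: spokeVnet.id
  }
}

// ---- src/networking/hub-peering.bicep (hypothetical file) ----
param hubVnetName string
param spokeName string
param spokeVnetId string

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: hubVnetName
}

resource hubToSpoke 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-05-01' = {
  parent: hubVnet
  name: 'peer-to-${spokeName}'
  properties: {
    remoteVirtualNetwork: { id: spokeVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true
    allowGatewayTransit: false    // true once the hub gateway exists, paired with useRemoteGateways on the spoke
    useRemoteGateways: false
  }
}
```

Because no spoke ever peers with another spoke, the only path between Spoke A and Spoke B is the default route into the firewall, so the firewall's rule collections are the single place that decides what crosses between workloads. The identity running this deployment needs Network Contributor on the hub resource group as well as the spoke, otherwise only the spoke-side peering is created and the state stays Disconnected.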

Troubleshooting

  • AuthorizationFailed on MG deployment
    Cause: Account lacks tenant-level permissions
    Fix: Elevate access in Azure AD > Properties > "Access management for Azure resources"
  • Policy assignment shows NonCompliant
    Cause: Existing resources predate the policy
    Fix: Create a remediation task for the policy assignment
  • VNet peering shows Disconnected
    Cause: Peering only created in one direction
    Fix: Ensure peering is created in both hub and spoke VNets
  • Firewall blocks legitimate traffic
    Cause: No application or network rule match
    Fix: Check Firewall logs in Log Analytics, add appropriate rule collection

This is 1 of 11 resources in the Cloud Architecture Pro toolkit. Get the complete [Azure Landing Zone Kit] with all files, templates, and documentation for $49.

Get the Full Kit →

Or grab the entire Cloud Architecture Pro bundle (11 products) for $149 — save 30%.

Get the Complete Bundle →
