Azure Cloud Landing Zone Architecture
Reference architecture for an enterprise Azure Landing Zone — covering management group hierarchy, hub-spoke networking, subscription model, identity, policy framework, and governance at scale.
A Cloud Landing Zone is the pre-configured foundation — networking, identity, security, and governance — that application teams land on when they start building in Azure. Without it, every team builds their own networking, creates their own policies, and makes their own security decisions. The result is fragmentation, security gaps, and cloud costs that escape governance entirely.
A well-designed landing zone makes the correct configuration the default configuration. Application teams inherit security policies, network routing, and compliance controls automatically. They build applications — not infrastructure foundations.
- ✓ Multiple teams will deploy workloads to Azure at scale
- ✓ Regulatory or compliance requirements demand consistent governance
- ✓ You need cost visibility and chargeback across business units
- ✓ Hybrid connectivity to on-premises is required
- ✗ A single small team with one or two workloads (overhead exceeds benefit)
- ✗ Short-lived proof-of-concept environments
- ✗ You have no capacity to maintain policy and network infrastructure
- ✗ The organisation has not decided on its cloud governance model yet
Subscription Design
| Subscription | Purpose | Access policy |
|---|---|---|
| Management | Log Analytics, Azure Monitor, Security Centre, Automation | Admin-only, strict RBAC |
| Connectivity | Hub VNet, Azure Firewall, ExpressRoute/VPN, Private DNS | Network team only |
| Identity | AD Domain Controllers, Azure AD DS, privileged workstations | Identity team only |
| Corp Landing Zones | Internal workloads needing private on-prem connectivity | Application teams, standard policies |
| Online Landing Zones | Internet-facing workloads via Azure Firewall | Application teams, extra network security |
Implementation Sequence
- 01 Define management group hierarchy and naming (Week 1)
  Establish the management group structure (Platform, Landing Zones, Decommissioned) and a naming convention before any subscriptions are created. This hierarchy is the foundation for all policy inheritance.
- 02 Deploy platform subscriptions (Week 2–3)
  Create Management, Connectivity, and Identity subscriptions and deploy core infrastructure. Deploy the hub VNet with Azure Firewall, private DNS zones, and VPN/ExpressRoute connectivity.
- 03 Define and apply policy at management group level (Week 3–4)
  Azure Policy initiatives: tagging requirements, allowed regions, Defender enablement, diagnostic settings. Use deny and deployIfNotExists effects — not advisory. Apply before any workload lands.
- 04 Build a subscription vending process (Week 4–6)
  Provide application teams with automated subscription vending via Azure DevOps or GitHub Actions. Manual subscription creation produces inconsistency — teams get different configurations depending on who created their subscription.
- 05 Establish FinOps from day one (Week 6+)
  Subscription-level budgets, cost alerts, and monthly chargeback reporting. Cost governance applied after the fact is far harder than cost governance built into the landing zone foundation.
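As an added example of step 03 (not code from the original article), the Bicep below defines a custom tagging policy with a blocking `Deny` effect and assigns it at management group scope, so every subscription under that group inherits it before any workload lands. The tag name `cost-centre`, the resource names and the API versions are assumptions chosen for the example.

```bicep
// Added example: enforce a mandatory chargeback tag at management-group scope.
// Deploy with: az deployment mg create --management-group-id <mg-id> --location <region> --template-file lz-tag-policy.bicep
targetScope = 'managementGroup'

@description('Tag every resource must carry for chargeback (assumed name; change to your own).')
param requiredTagName string = 'cost-centre'

// Custom definition: flag any taggable resource that lacks the tag.
resource requireTag 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'lz-require-tag'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed' // evaluate only resource types that support tags and location
    displayName: 'Require the ${requiredTagName} tag on resources'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: [
          'Audit'
          'Deny'
        ]
        defaultValue: 'Deny' // blocking by default, not advisory
      }
    }
    policyRule: {
      if: {
        field: 'tags[\'${requiredTagName}\']' // bracket alias handles hyphenated tag names
        exists: 'false'
      }
      then: {
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

// Assignment at this management group: child subscriptions inherit it automatically.
resource assignTag 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'lz-require-tag'
  properties: {
    displayName: 'Landing zone: ${requiredTagName} tag is mandatory'
    policyDefinitionId: requireTag.id
    enforcementMode: 'Default' // 'DoNotEnforce' would reduce this to an advisory check
    parameters: {
      effect: {
        value: 'Deny' // pin the effect so nobody can weaken it to Audit at assignment time
      }
    }
  }
}
```

Resources created without the tag are rejected at the ARM layer, and compliance for pre-existing resources shows up in Azure Policy compliance reporting under the assignment name.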