Architecture Blueprint · Established

Azure Cloud Landing Zone Architecture

Reference architecture for an enterprise Azure Landing Zone — covering management group hierarchy, hub-spoke networking, subscription model, identity, policy framework, and governance at scale.

Budhisamvad Research · Jan 2026 · 16 min read · Includes architecture diagram

  • cost to retrofit governance vs building it correctly first (Practitioner estimate)
  • 5 core platform subscriptions in a standard landing zone (Azure CAF)
  • 100% of subscriptions should inherit policy from management groups (Budhisamvad standard)
  • 0 workloads that should exist before policy is applied (Budhisamvad standard)

A Cloud Landing Zone is the pre-configured foundation — networking, identity, security, and governance — that application teams land on when they start building in Azure. Without it, every team builds their own networking, creates their own policies, and makes their own security decisions. The result is fragmentation, security gaps, and cloud costs that escape governance entirely.

A well-designed landing zone makes the correct configuration the default configuration. Application teams inherit security policies, network routing, and compliance controls automatically. They build applications — not infrastructure foundations.

The landing zone principle
Use this when
  • Multiple teams will deploy workloads to Azure at scale
  • Regulatory or compliance requirements demand consistent governance
  • You need cost visibility and chargeback across business units
  • Hybrid connectivity to on-premises is required
Avoid when
  • A single small team with one or two workloads (overhead exceeds benefit)
  • Short-lived proof-of-concept environments
  • You have no capacity to maintain policy and network infrastructure
  • The organisation has not decided on its cloud governance model yet
Architecture diagram — Azure Enterprise Cloud Landing Zone (Hub-Spoke topology)
[Diagram: Azure Cloud Landing Zone — management group hierarchy and hub-spoke network]
  • Management Group Hierarchy: Tenant Root Group → Platform (Management, Connectivity and Identity subscriptions), Landing Zones (Corp, Online, SAP), Decommissioned
  • Hub-Spoke Network Topology: Hub VNet (Azure Firewall, VPN/ExpressRoute, DNS Resolver, Bastion, DDoS Protection, Private DNS); On-Premises via ExpressRoute/VPN; Internet via Azure Firewall; spokes: Corp (Workloads), Online (Public apps), DevTest (Non-prod), Shared Services (Key Vault, ACR)
  • Azure Policy & Governance (applied at Management Group level): Defender for Cloud, cost alerts, resource tagging, allowed regions, audit logs → Log Analytics; all subscriptions inherit policies from the parent management group; deny assignments at platform level
Practitioner insight
From the field: The most expensive landing zone mistake is applying policy after workloads already exist. Retrofitting mandatory tagging, diagnostic settings, and security baselines onto running production workloads creates remediation debt that takes quarters to clear — and generates political friction with application teams who experience it as the platform team "breaking" their environments. Policy must be applied at the management group level before the first workload lands. This is the single decision that most determines whether the landing zone succeeds.

Subscription Design

| Subscription | Purpose | Access policy |
|---|---|---|
| Management | Log Analytics, Azure Monitor, Security Centre, Automation | Admin-only, strict RBAC |
| Connectivity | Hub VNet, Azure Firewall, ExpressRoute/VPN, Private DNS | Network team only |
| Identity | AD Domain Controllers, Azure AD DS, privileged workstations | Identity team only |
| Corp Landing Zones | Internal workloads needing private on-prem connectivity | Application teams, standard policies |
| Online Landing Zones | Internet-facing workloads via Azure Firewall | Application teams, extra network security |
Watch out
A single subscription for all workloads means the blast radius of any security incident or misconfiguration is the entire organisation. Subscription boundaries are security boundaries. The cost of additional subscriptions is near-zero; the cost of a shared blast radius can be catastrophic. Always separate platform subscriptions from workload subscriptions, and separate internet-facing from internal workloads.
Framework: Policy Before Workloads
The governing rule of landing zone design: define and apply Azure Policy at the management group level before any subscription receives a workload. Critical controls — mandatory tagging, diagnostic settings, allowed regions, Defender enablement — require deny or deployIfNotExists effects, not advisory policies. Advisory policies are ignored. If a control matters, it must be enforced at the management group level so that every child subscription inherits it automatically and cannot opt out.

Implementation Sequence

  1. Define management group hierarchy and naming (Week 1)

    Establish the management group structure (Platform, Landing Zones, Decommissioned) and a naming convention before any subscriptions are created. This hierarchy is the foundation for all policy inheritance.

  2. Deploy platform subscriptions (Week 2–3)

    Create Management, Connectivity, and Identity subscriptions and deploy core infrastructure. Deploy the hub VNet with Azure Firewall, private DNS zones, and VPN/ExpressRoute connectivity.

  3. Define and apply policy at management group level (Week 3–4)

    Azure Policy initiatives: tagging requirements, allowed regions, Defender enablement, diagnostic settings. Use deny and deployIfNotExists effects — not advisory. Apply before any workload lands.

  4. Build a subscription vending process (Week 4–6)

    Provide application teams with automated subscription vending via Azure DevOps or GitHub Actions. Manual subscription creation produces inconsistency — teams get different configurations depending on who created their subscription.

  5. Establish FinOps from day one (Week 6+)

    Subscription-level budgets, cost alerts, and monthly chargeback reporting. Cost governance applied after the fact is far harder than cost governance built into the landing zone foundation.
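As an added example (not part of the original article or of any Microsoft reference implementation), the Bicep below puts the "Policy Before Workloads" rule and step 3 of the sequence into practice: two custom policy definitions with a Deny effect (required tag, allowed regions) are created and assigned at management-group scope, so every child subscription inherits them and cannot opt out. The tag name, region list and resource names are assumptions for illustration.

```bicep
targetScope = 'managementGroup'

@description('Tag every resource must carry, e.g. the cost centre used for chargeback (assumed name).')
param requiredTagName string = 'costCentre'
@description('Regions workloads may deploy into (assumed list).')
param allowedLocations array = ['uksouth', 'ukwest']

// Custom definition: a resource created without the required tag is denied, not merely audited.
resource requireTag 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-missing-required-tag'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: { tagName: { type: 'String' } }
    policyRule: {
      if: { field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]', exists: 'false' }
      then: { effect: 'Deny' }
    }
  }
}

// Custom definition: resources outside the allowed regions are denied ('global' resources are exempt).
resource allowedRegions 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-disallowed-regions'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: { listOfAllowedLocations: { type: 'Array' } }
    policyRule: {
      if: {
        allOf: [
          { field: 'location', notIn: '[parameters(\'listOfAllowedLocations\')]' }
          { field: 'location', notEquals: 'global' }
        ]
      }
      then: { effect: 'Deny' }
    }
  }
}

// Assign both at this management group: every child subscription inherits them and cannot opt out.
resource assignTag 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'require-tag'
  properties: { policyDefinitionId: requireTag.id, parameters: { tagName: { value: requiredTagName } } }
}
resource assignRegions 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'allowed-regions'
  properties: { policyDefinitionId: allowedRegions.id, parameters: { listOfAllowedLocations: { value: allowedLocations } } }
}
```

Deploy it against the Landing Zones management group with `az deployment mg create --management-group-id <mg-id> --location <region> --template-file <file>` before the first workload subscription is created; Bicep escapes the leading `[` of the policy expressions so they are evaluated by the policy engine rather than by the ARM deployment.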
