Azure Landing Zone Design: the Foundation of Your Cloud
Understand what an Azure landing zone is, its identity, network, governance, and security building blocks, and why it prevents costly rework.
What a landing zone is
A landing zone is the pre-configured, governed base environment where your workloads will live in Azure. Think of it as the plot of land prepared with foundation, plumbing, and wiring before you build the house. Without that foundation, every project reinvents networking, identity, and security policy in a different way — and the result is an expensive, insecure, hard-to-audit cloud.
Microsoft formalizes this concept in the Cloud Adoption Framework (CAF) and the Azure Landing Zone, a set of best practices and reference architectures. As a Microsoft Solutions Partner, RHC uses this framework to deliver environments ready to scale from the very first migrated workload.
The eight design areas
A well-built landing zone covers eight decision areas. Ignoring any of them creates technical debt:
- Account and subscription hierarchy — how to separate production, development, and business units.
- Identity and access — integration with Microsoft Entra ID and RBAC.
- Network topology — hub-spoke, hybrid connectivity, and segmentation.
- Management and monitoring — Azure Monitor, Log Analytics, and alerts.
- Business continuity — backup and disaster recovery.
- Security — Microsoft Defender for Cloud, encryption, and secrets.
- Governance — Azure Policy, tags, and cost control.
- Automation — infrastructure as code with Bicep or Terraform.
Subscriptions and Management Groups
The first costly mistake is putting everything in a single subscription. The recommendation is to organize Management Groups that group subscriptions by purpose, allowing policies to be applied hierarchically.
| Level | Example | Role |
|---|---|---|
| Root Management Group | Organization | Global mandatory policies |
| Platform | Identity, connectivity, management | Shared services |
| Landing zones | Production, non-production | Business workloads |
| Sandbox | Experimentation | Bounded, non-production environment |
This separation lets a security policy applied at the root be inherited by all subscriptions, while project teams retain freedom within defined boundaries.
Identity as the new perimeter
In Azure, identity is the security perimeter. The landing zone integrates Microsoft Entra ID (formerly Azure AD) as the authentication source and applies RBAC (role-based access control) to give each person exactly the access they need. Best practices include:
- Just-in-time access with Privileged Identity Management for admin roles.
- Mandatory multifactor authentication.
- Groups instead of individual assignments.
- Break-glass emergency accounts, documented and monitored.
Network: the backbone
The most common topology is hub-spoke: a central network (hub) concentrates hybrid connectivity, firewall, and shared services, while satellite networks (spokes) host isolated workloads. This provides segmentation, traffic control, and a single point for security inspection. Connectivity to the on-premises environment happens via VPN or ExpressRoute, depending on bandwidth and latency requirements.
Governance and cost from day one
Governance is not bureaucracy — it is what keeps the cloud predictable. The landing zone applies:
- Azure Policy to block disallowed regions, enforce tags, and prevent non-standard resources.
- Mandatory tags for cost center, environment, and owner, essential for FinOps reporting.
- Budgets and alerts to avoid billing surprises.
- Consistent naming conventions across all resources.
Ready-made vs. custom landing zone
There are two deployment paths:
- Landing zone accelerator (portal) — deploys a complete, opinionated reference architecture in a few clicks. Ideal for teams that want speed and adherence to the Microsoft standard.
- Custom landing zone with IaC — built with Bicep or Terraform, letting you tune each block to company rules. Ideal for regulated environments or specific requirements.
RHC usually starts with the accelerator and evolves toward versioned IaC, ensuring the environment is reproducible and auditable.
Checklist / Key takeaways
- The landing zone is the foundation that prevents rework and insecurity in the cloud.
- Organize subscriptions with Management Groups by purpose.
- Treat identity (Entra ID + RBAC) as the security perimeter.
- Adopt a hub-spoke network topology with planned hybrid connectivity.
- Apply Azure Policy, tags, and budgets from the first resource.
- Prefer infrastructure as code for reproducibility.
Building the landing zone before migrating workloads seems to delay the project, but in practice it accelerates everything that follows — with governance, security, and cost under control.
Frequently asked questions
Read next
Ready to do more with Microsoft?
Talk to an expert and discover how to optimize licensing, security and productivity.