What is an ALZ?
Microsoft has recently introduced the concept of an “Azure Landing Zone”, a term that has acquired several, sometimes confusing, interpretations. I like to think of the analogy of an empty building being transformed into an enterprise datacentre for hosting business applications. You wouldn’t trust your business-critical data to that building until it had an acceptable level of access control, behaviour policies, environmental monitoring, etc. An Azure subscription makes it very easy to deploy resources into any region worldwide, so it is wise to apply equivalent governance to the subscription before anything is deployed into it.
So, an Azure Landing Zone is an Azure subscription to deploy resources into …
- … with policies to enforce compliance standards
- … resources to support security
- … role-based access control to manage access
- … built following the best practices defined in Microsoft’s Cloud Adoption Framework (CAF)
Examples of policies applied to the subscription include:
- Resources must only be created in UK datacentres
- All data transfer must be encrypted
- Network and security monitoring tools must be enabled
Resources that support security management include:
- Log Analytics workspaces for collecting log data and raising alerts when threats are detected
- Key vaults for securely storing certificates, secrets and encryption keys
- Diagnostics storage accounts for retaining data used for problem investigation
Role-based access control (RBAC) provides the security framework for defining a role (a named set of permissions) and granting it to users, groups and service principals at a scope, then removing the assignment when it is no longer needed. In the building/datacentre analogy, only authorised personnel would be allowed to enter the building, and further restrictions would apply to sensitive rooms within the datacentre. In Azure the scope can be a management group, a subscription, a resource group or a single resource; by assigning roles at resource-group scope, only those authorised can access that group of resources, and a role assigned to a group rather than to individuals is far easier to review and revoke.
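The policy and RBAC points above translate directly into Azure Policy definitions and role assignments. The following Az PowerShell script is an added example, not code from the original post or from Microsoft’s CAF reference implementation; it defines two custom policies that mirror the first two policy examples listed earlier (resources restricted to UK regions, and storage accounts must enforce encrypted transfer), assigns them at subscription scope, then grants a group Reader on a resource group. The subscription, resource group name and group object ID are placeholders you must replace; the policy rule shapes follow the corresponding built-in definitions (Allowed locations, Secure transfer to storage accounts).

```powershell
# Added example (not from the original post). Requires the Az module and a
# prior Connect-AzAccount. Replace the placeholder values before running.
$subscriptionId = (Get-AzContext).Subscription.Id          # current subscription
$scope          = "/subscriptions/$subscriptionId"
$rgName         = "rg-app-uksouth"                          # placeholder resource group
$appGroupId     = "00000000-0000-0000-0000-000000000000"    # placeholder Entra ID group object ID

# --- Policy 1: resources may only be created in UK regions ------------------
# Shape follows the built-in "Allowed locations" definition: 'global' resources
# (e.g. DNS zones, Traffic Manager) have no region and must be excluded, or the
# policy would block them.
$locationRule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('listOfAllowedLocations')]" },
      { "field": "location", "notEquals": "global" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$locationParams = @'
{
  "listOfAllowedLocations": {
    "type": "Array",
    "metadata": { "displayName": "Allowed locations", "strongType": "location" }
  }
}
'@
$locationDef = New-AzPolicyDefinition -Name "alz-allowed-locations-uk" `
    -DisplayName "ALZ: resources must be created in UK regions" `
    -Mode All -Policy $locationRule -Parameter $locationParams

# --- Policy 2: storage accounts must require encrypted (HTTPS-only) transfer --
# Uses the storage account alias supportsHttpsTrafficOnly, as the built-in
# "Secure transfer to storage accounts should be enabled" definition does.
$httpsRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true" }
    ]
  },
  "then": { "effect": "deny" }
}
'@
$httpsDef = New-AzPolicyDefinition -Name "alz-storage-https-only" `
    -DisplayName "ALZ: storage accounts must enforce HTTPS-only transfer" `
    -Mode All -Policy $httpsRule

# --- Assign both policies at subscription scope ------------------------------
New-AzPolicyAssignment -Name "alz-allowed-locations-uk" -Scope $scope `
    -PolicyDefinition $locationDef `
    -PolicyParameterObject @{ listOfAllowedLocations = @("uksouth", "ukwest") }
New-AzPolicyAssignment -Name "alz-storage-https-only" -Scope $scope `
    -PolicyDefinition $httpsDef

# --- RBAC: grant a group read access to a single resource group only ---------
# Assigning to a group (not individual users) at resource-group scope keeps the
# grant narrow and easy to revoke; Reader is the least-privilege starting point.
New-AzRoleAssignment -ObjectId $appGroupId -RoleDefinitionName "Reader" `
    -Scope "$scope/resourceGroups/$rgName"
```

Once the assignments exist, a deployment of a storage account in westeurope, or one with HTTPS-only disabled, is rejected at the Resource Manager layer before the resource is created. The deny effect applies to new and updated resources only; resources that already exist are reported as non-compliant, not modified.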
For more information, Microsoft’s Cloud Adoption Framework (CAF) describes best practices and includes advice for deploying landing zones.