Azure Landing Zone Blueprint
Build Your Cloud Like LEGO
Ever watched a kid build with LEGOs? Two outcomes: magnificent castle or colorful catastrophe. Your Azure cloud faces the same fate. This blueprint teaches you to sort your bricks, lay the foundation right, and build a landing zone so solid that even the stormiest workload will not knock it down.
🎯 TL;DR
Treat your landing zone as a box of LEGO bricks: snap on governance and network bricks before you start stacking workloads. This guide maps each CAF pillar to a colour-coded brick so you can build, swap, and scale without knocking over the whole tower.
1️⃣ Why Landing Zones Matter (and Why LEGO?)
Walk into a kid's room after a LEGO marathon and you'll find two kinds of builders:
🌪️ Chaos Crafters
Everything mashed into a rainbow spaceship that collapses if you sneeze
📐 Blueprint Builders
Colour-sorted bricks, sturdy baseplates, and a clear plan
Cloud environments tend to mirror the first group—resource groups scattered across random subscriptions, no guardrails, duplicated VNETs. Microsoft's Cloud Adoption Framework (CAF) offers the second approach: the landing zone—a governed, repeatable foundation for any workload.
💡 Tip
CAF landing zones are opinionated but modular. Think of them as an IKEA manual that encourages hacking—swap parts to suit enterprise quirks.
2️⃣ The LEGO Colour Key 🎨
Management
Networking
Identity & Access
Policy & Security
Operations
Cost Management (FinOps)
We'll add these bricks layer by layer! 🏗️
3️⃣ Foundation Layers 🏗️
🔵 3.1 Management Groups & Subscriptions
- Create Root → Corp → Region/BU groups (e.g., TPENG-EMEA, TPENG-APAC)
- Policy inheritance starts here: define location and SKU allow-lists at the management-group level so every child subscription inherits them
- Keep the landing-zone subscription separate from Shared Services
```hcl
data "azurerm_client_config" "current" {}

resource "azurerm_management_group" "emea" {
  name         = "TPENG-EMEA"
  display_name = "TP Engineering – EMEA"
  # The provider expects a management-group resource ID here, not a bare tenant GUID.
  # The Tenant Root Group's ID is the tenant ID; in the Root → Corp → Region hierarchy
  # above, a region group would normally hang off the Corp group instead of the root.
  parent_management_group_id = "/providers/Microsoft.Management/managementGroups/${data.azurerm_client_config.current.tenant_id}"
}
```

3.2 Subscription Naming & Tagging 🏷️
💰 FinOps lens
Tag completeness above 95% is the strongest single predictor of accurate chargeback by month three; enforce required tags with policy before the first workloads land, not after the first bill.
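Measuring that completeness number is the first thing a FinOps reviewer will ask for. The script below is an added example, not code from the original page: it takes an inventory shaped like `az resource list -o json` output (the records here are constructed sample data), checks each resource against a required-tag set that is an assumption for this landing zone, and reports the completeness ratio, the per-resource gaps, and which tag is missed most often. Two details that naive checks get wrong are handled: Azure tag names are case-insensitive, and `az` returns `null` rather than `{}` for untagged resources.

```python
"""Tag-completeness check for a subscription inventory.

Added example, not code from the original page. Records mimic the shape of
`az resource list -o json` (id, type, tags) but are constructed sample data;
the required-tag set is an assumption for this landing zone.
"""
from collections import Counter

# Assumed tag baseline for chargeback (not prescribed by the page).
REQUIRED_TAGS = ("costCenter", "owner", "environment")

# Constructed sample inventory, shaped like `az resource list` output.
SAMPLE_INVENTORY = [
    {"id": "/subscriptions/sub-lz-emea/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {"costCenter": "CC100", "owner": "team-web", "environment": "prod"}},
    {"id": "/subscriptions/sub-lz-emea/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-02",
     "type": "Microsoft.Compute/virtualMachines",
     "tags": {"costCenter": "CC100", "owner": "team-web"}},            # environment missing
    {"id": "/subscriptions/sub-lz-emea/resourceGroups/rg-logs/providers/Microsoft.Storage/storageAccounts/salogsemea01",
     "type": "Microsoft.Storage/storageAccounts",
     "tags": None},                                                    # az emits null when untagged
    {"id": "/subscriptions/sub-lz-emea/resourceGroups/rg-sec/providers/Microsoft.KeyVault/vaults/kv-emea-01",
     "type": "Microsoft.KeyVault/vaults",
     "tags": {"costCenter": "", "owner": "team-sec", "environment": "dev"}},  # empty value
    {"id": "/subscriptions/sub-lz-emea/resourceGroups/rg-data/providers/Microsoft.Sql/servers/sql-emea-01",
     "type": "Microsoft.Sql/servers",
     "tags": {"CostCenter": "CC200", "Owner": "team-data", "Environment": "prod"}},  # different casing
]


def missing_tags(resource, required=REQUIRED_TAGS):
    """Required tags absent from `resource`, in the order of `required`.

    Azure tag names are case-insensitive, so keys are compared lower-cased.
    A key whose value is empty counts as missing: `key in tags` would pass,
    but an empty cost centre is useless for chargeback.
    """
    tags = {k.lower(): v for k, v in (resource.get("tags") or {}).items()}
    return [t for t in required if not tags.get(t.lower())]


def tag_completeness(inventory, required=REQUIRED_TAGS):
    """Return (share of resources carrying every required tag, {resource id: missing tags})."""
    gaps = {}
    for r in inventory:
        missing = missing_tags(r, required)
        if missing:
            gaps[r["id"]] = missing
    if not inventory:
        return 1.0, gaps
    return (len(inventory) - len(gaps)) / len(inventory), gaps


def most_missed(inventory, required=REQUIRED_TAGS):
    """How often each required tag is missing: tells you which policy to fix first."""
    counts = Counter()
    for r in inventory:
        counts.update(missing_tags(r, required))
    return counts


def chargeback_ready(inventory, threshold=0.95):
    """The page's bar: at least 95% of resources fully tagged."""
    ratio, _ = tag_completeness(inventory)
    return ratio >= threshold


if __name__ == "__main__":
    ratio, gaps = tag_completeness(SAMPLE_INVENTORY)
    print(f"tag completeness: {ratio:.0%} (target 95%)")
    for rid, missing in gaps.items():
        print(f"  {rid.rsplit('/', 1)[-1]}: missing {', '.join(missing)}")
    print("most missed:", most_missed(SAMPLE_INVENTORY).most_common())
```

On the constructed inventory this reports 40% completeness, so `chargeback_ready` is false; `most_missed` points at `costCenter` and `environment` as the tags to enforce first. On a real subscription, feed it `az resource list -o json` and run it per landing-zone subscription, since the ratio is only meaningful at the scope where chargeback is done.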
4️⃣ Networking Hub 🌐
Choose Your Topology 🗺️
Hub-and-Spoke
Central firewall, shared DNS, easy security control
Mesh VNET Peering
Low latency East-West, but policy sprawl
⚡ Rule of thumb
If you have more than five VNETs or regulated workloads, pick Hub-and-Spoke.
```hcl
# Hub VNET plus the subnet Azure Firewall requires, written with the provider's native
# resources so the subnet name is explicit. `azurerm_resource_group.network` is assumed
# to be declared elsewhere; the VNET name is an assumed value.
resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub"
  location            = azurerm_resource_group.network.location
  resource_group_name = azurerm_resource_group.network.name
  address_space       = ["10.200.0.0/16"]
}

# Azure Firewall only deploys into a subnet named exactly AzureFirewallSubnet (/26 or larger).
resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.network.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.200.0.0/24"]
}
```

5️⃣ Guardrails (Red Bricks) 🔐
Azure Policy 📋
```json
{
  "mode": "Indexed",
  "parameters": {
    "allowedLocations": {
      "type": "Array",
      "defaultValue": ["westeurope", "uaenorth"],
      "allowedValues": ["westeurope", "uaenorth"]
    }
  },
  "policyRule": {
    "if": {
      "allOf": [
        { "field": "location", "notEquals": "global" },
        {
          "not": {
            "field": "location",
            "in": "[parameters('allowedLocations')]"
          }
        }
      ]
    },
    "then": { "effect": "Deny" }
  }
}
```

Two details matter here. `defaultValue` is what applies when an assignment does not override the parameter, while `allowedValues` caps what an assignment may pass; without a default the assignment must supply the list. The `notEquals: "global"` clause stops the rule from denying services that only exist in the `global` location (Traffic Manager, Front Door, DNS zones), which the bare `not ... in` rule would otherwise block. Assign the definition at the management-group level so every spoke inherits it; the built-in "Allowed locations" definition takes the same shape, and parameterising `effect` lets one definition run as Audit during a retrofit and Deny once drift is remediated.

6️⃣ FinOps Impact 💰
Landing-zone decisions heavily influence your future cloud bill.
💡 FinOps takeaway
Governance ≠ bureaucracy; it's prepaid cost avoidance.
7️⃣ Next Steps 🚀
❓ FAQ
What's the difference between a CAF landing zone and a reference architecture?
CAF landing zones include governance and operations layers (policy, identity, budgets). Reference architectures often focus solely on workload topology without those guardrails.
Can I retrofit an existing subscription into a landing zone?
Yes—perform a gap analysis first. Apply policy assignments in audit mode, remediate drift, and migrate resources only if network CIDR conflicts arise.
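The gap analysis from this answer and the audit-mode pass of the guardrails section can be scripted together before any assignment is switched to Deny. The following is an added example, not code from the original page: it evaluates the allowed-locations rule over a constructed inventory in audit mode (listing what Deny would have rejected instead of rejecting it), shows the `global` false positive the bare rule produces, and checks the subscription's existing VNET address spaces against the hub's 10.200.0.0/16 for CIDR conflicts. The evaluator implements only the subset of Azure Policy rule syntax the page's definition uses (`field` with `equals`/`notEquals`/`in`/`notIn`, `not`, `allOf`, `anyOf`, and `[parameters()]` references); the real engine supports far more, and the inventory, VNET names and prefixes are all constructed.

```python
"""Retrofit gap analysis: audit-mode policy pass plus CIDR conflict check.

Added example, not from the original page. The evaluator covers only the rule
syntax used here (field/equals/notEquals/in/notIn, not, allOf, anyOf,
[parameters()]); the real Azure Policy engine supports far more. The inventory
and VNET address spaces are constructed sample data.
"""
import ipaddress
import itertools
import re

PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")


def resolve(value, params):
    """Substitute a [parameters('name')] reference with the assigned value."""
    if isinstance(value, str) and (m := PARAM_REF.match(value)):
        return params[m.group(1)]
    return value


def matches(condition, resource, params):
    """True when the policy 'if' condition holds for `resource`."""
    if "not" in condition:
        return not matches(condition["not"], resource, params)
    if "allOf" in condition:
        return all(matches(c, resource, params) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource, params) for c in condition["anyOf"])
    actual = resource.get(condition["field"])
    if "equals" in condition:
        return actual == resolve(condition["equals"], params)
    if "notEquals" in condition:
        return actual != resolve(condition["notEquals"], params)
    if "in" in condition:
        return actual in resolve(condition["in"], params)
    if "notIn" in condition:
        return actual not in resolve(condition["notIn"], params)
    raise ValueError(f"unsupported condition: {condition}")


def audit(policy_rule, inventory, params):
    """Audit mode: ids the rule matches. Under Deny these would have been rejected."""
    return [r["id"] for r in inventory if matches(policy_rule["if"], r, params)]


# Location guardrail with 'global' excluded (Traffic Manager, Front Door, DNS zones
# can only be deployed in the 'global' location).
LOCATION_RULE = {
    "if": {"allOf": [
        {"field": "location", "notEquals": "global"},
        {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
    ]},
    "then": {"effect": "Deny"},
}
# The bare rule without the exclusion, kept to show the false positive it causes.
NAIVE_RULE = {"if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
              "then": {"effect": "Deny"}}
PARAMS = {"allowedLocations": ["westeurope", "uaenorth"]}

# Constructed inventory of the subscription being retrofitted.
INVENTORY = [
    {"id": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "location": "westeurope"},
    {"id": "vm-legacy-01", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
    {"id": "tm-public", "type": "Microsoft.Network/trafficmanagerprofiles", "location": "global"},
    {"id": "sa-logs", "type": "Microsoft.Storage/storageAccounts", "location": "uaenorth"},
]

HUB_ADDRESS_SPACE = "10.200.0.0/16"  # the hub VNET from the networking section
EXISTING_VNETS = {                   # constructed: address spaces already in the subscription
    "vnet-app-prod": ["10.10.0.0/16"],
    "vnet-data": ["10.200.64.0/20"],  # sits inside the hub range
    "vnet-dev": ["172.16.0.0/12"],
}


def cidr_conflicts(hub_space, existing):
    """(name, prefix, name, prefix) tuples for every overlapping pair, hub included.

    VNET peering refuses overlapping address spaces, so spoke-to-spoke overlaps
    block a hub-and-spoke migration just as hub overlaps do.
    """
    ranges = [("hub", ipaddress.ip_network(hub_space))]
    ranges += [(n, ipaddress.ip_network(p)) for n, ps in existing.items() for p in ps]
    return [(a[0], str(a[1]), b[0], str(b[1]))
            for a, b in itertools.combinations(ranges, 2) if a[1].overlaps(b[1])]


def gap_report(inventory=INVENTORY, existing=EXISTING_VNETS):
    """Everything to remediate before switching the assignment from Audit to Deny."""
    hardened = audit(LOCATION_RULE, inventory, PARAMS)
    naive = audit(NAIVE_RULE, inventory, PARAMS)
    conflicts = cidr_conflicts(HUB_ADDRESS_SPACE, existing)
    return {
        "location_violations": hardened,
        "global_false_positives": sorted(set(naive) - set(hardened)),
        "cidr_conflicts": conflicts,
        "needs_migration": bool(conflicts),
    }


if __name__ == "__main__":
    for key, value in gap_report().items():
        print(f"{key}: {value}")
```

On the constructed data the report lists `vm-legacy-01` as the only genuine location violation, shows that the bare rule would also have flagged the `global` Traffic Manager profile, and finds `vnet-data` overlapping the hub range, which is the one case where resources have to move. Replace `INVENTORY` and `EXISTING_VNETS` with `az resource list` and `az network vnet list` output to run it against a real subscription.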
This guide provides a comprehensive, governance-first approach to building production-ready Azure landing zones using the LEGO analogy to make complex concepts more accessible and memorable.