# Azure Landing Zone Reference

A practical reference for an Azure environment that follows the Microsoft Cloud Adoption Framework (CAF) Enterprise-scale design without the consulting bill. Built for IT teams that need to be production-ready in 12 weeks, not 12 months. MIT licensed. Authored by VantagePoint Networks.

**Audience:** IT Managers, Cloud Engineers, Infrastructure Architects, Heads of Security
**Use this when:** standing up Azure for the first time, restructuring an unmanaged subscription, preparing for ISO 27001 / SOC 2 / Cyber Essentials Plus, or auditing an existing tenant.

---

## 1. Principles

1. **Hub-and-spoke topology by default.** Connectivity, security, and shared services live in the hub. Workloads live in spokes. Spokes never peer to each other.
2. **Subscription = blast radius.** One workload + one environment = one subscription. Don't reuse subscriptions to save admin work; the cost is lost isolation and observability.
3. **Identity is foundational.** Microsoft Entra ID is the source of truth. PIM is on for all privileged roles. Conditional Access enforces context.
4. **Policies as code.** Azure Policy at management group level. No "mostly compliant" — compliant or remediated.
5. **Centralised egress, inspected.** No direct outbound from workloads. All egress through Azure Firewall (or partner NVA) in the hub.
6. **Diagnostics are non-optional.** Every resource ships logs to a central Log Analytics workspace. Sentinel runs on top.
7. **Tags + naming = governance.** Required tags + naming convention enforced by policy.
8. **Cost is everyone's job.** Budgets at subscription level, FinOps review monthly.

## 2. Tenant & management group structure

```
Tenant Root Group
├── Platform Management Group
│   ├── Identity subscription
│   ├── Management subscription (Log Analytics, Sentinel, Automation)
│   └── Connectivity subscription (Hub VNet, Azure Firewall, Bastion, ExpressRoute / VPN GW)
├── Landing Zones Management Group
│   ├── Corp Management Group (private workloads)
│   │   ├── prod-app-1
│   │   └── prod-app-2
│   └── Online Management Group (internet-facing workloads)
│       ├── prod-public-1
│       └── stage-public-1
├── Sandbox Management Group (free-form, time-boxed)
└── Decommissioned Management Group (subscriptions pending deletion)
```

This mirrors the Microsoft CAF enterprise-scale (Azure Landing Zones) hierarchy; adapt it where helpful. Note that ALZ puts an intermediate root management group (named after the organisation) directly under Tenant Root Group and attaches the platform and landing-zone groups, and every policy assignment, to that intermediate group. Tenant Root Group itself stays unassigned, so a subscription can be moved out of scope for troubleshooting without touching the guardrails.

## 3. Identity (Microsoft Entra ID)

### Authentication
- Humans authenticate only through Entra ID. No local accounts for human access (VM local admins, SQL authentication, storage account shared keys).
- MFA required for all users, all the time.
- Phishing-resistant MFA (FIDO2 / Windows Hello / certificate-based) for admins.
- Passwordless rollout for end-users where feasible.

### Authorisation - Privileged Identity Management (PIM)
- All privileged Azure RBAC and Entra ID roles are eligible (just-in-time activation), never permanently active.
- Activation: maximum 8 hours, justification required, ticket reference for changes.
- Approval required for: Owner, User Access Administrator, Global Administrator, Privileged Role Administrator.
- Break-glass accounts: 2 cloud-only accounts, excluded from every CA policy, hardware-token (FIDO2) MFA, credentials in a physical safe, every sign-in alerted on and monitored 24x7.

### Conditional Access (baseline policies)
| ID | Policy | Enforcement |
|---|---|---|
| CA001 | Block legacy auth | All apps, all users |
| CA002 | Require MFA all users | All cloud apps |
| CA003 | Require compliant device for admin portals | Privileged users |
| CA004 | Block sign-in from disallowed countries | All users |
| CA005 | Require trusted location for admin actions | Privileged users |
| CA006 | Sign-in risk medium or higher → require MFA | All users |
| CA007 | User risk medium or higher → block, or require a secure password change | All users |
| CA008 | Sign-in frequency + no persistent browser session for admin sessions | Privileged users |

### Entitlement management
- Access packages for non-admin role-based access (e.g. "developer access to dev-app-1").
- Auto-expire after project end date.

## 4. Connectivity

### Hub VNet (Connectivity subscription)
- Address space: /20 from a managed IP plan.
- Subnets:
  - `AzureFirewallSubnet` (/26)
  - `AzureBastionSubnet` (/26)
  - `GatewaySubnet` (for ExpressRoute / VPN, /27)
  - `RouteServerSubnet` (if used)
  - `Shared` (/24) for hub-only resources
- **Azure Firewall** Premium SKU recommended (TLS inspection, IDPS).
- **Azure Bastion** for jump-box-free admin access.
- **VPN / ExpressRoute Gateway** for on-prem connectivity if required.

### Spoke VNets
- One VNet per workload subscription.
- Address space: /16 from IP plan.
- Standard subnet template:
  - `app` (/24) - app tier
  - `data` (/24) - data tier (PaaS endpoints, NSG-locked)
  - `mgmt` (/26) - management endpoints
  - `private-endpoints` (/24) - PE for PaaS services
- Peered to the Hub VNet (hub side: allow gateway transit; spoke side: use remote gateways, and allow forwarded traffic so firewall-forwarded spoke-to-spoke traffic is accepted).
- No spoke-to-spoke peering.

### Routing
- User-Defined Routes (UDRs) on spoke subnets, with gateway route propagation disabled so BGP-learned on-prem routes cannot bypass the firewall:
  - 0.0.0.0/0 → Azure Firewall private IP
  - 10.0.0.0/8 → Azure Firewall private IP (forces east-west through the firewall; the spoke's own range and the peered hub range still match their more specific system routes and stay direct)
- Azure Firewall logs every connection. Logs go to Log Analytics + Sentinel.
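
As an added example (not code from this reference or from the ALZ implementation), here is the spoke, route table, NSG and peering described in the two lists above expressed in Bicep. The hub VNet resource ID, the firewall private IP (10.0.0.4), the 10.1.0.0/16 address space and the uksouth region are assumed values; the hub side of the peering is created separately in the Connectivity subscription.

```bicep
// Added example, not code from the ALZ reference implementation: a Corp spoke built to the
// "Spoke VNets" and "Routing" bullets above. Assumed values: hub VNet resource ID, firewall
// private IP, the 10.1.0.0/16 address space and the uksouth region.
targetScope = 'resourceGroup'

param location string = 'uksouth'
param nameSuffix string = 'app1-prod-uks-01'
param firewallPrivateIp string = '10.0.0.4' // hub Azure Firewall private IP (assumed)
param hubVnetId string                      // hub VNet resource ID in the Connectivity subscription (assumed)

var spokeAddressSpace = '10.1.0.0/16'
var subnetPlan = [
  { name: 'app', prefix: '10.1.0.0/24' }
  { name: 'data', prefix: '10.1.1.0/24' }
  { name: 'mgmt', prefix: '10.1.2.0/26' }
  { name: 'private-endpoints', prefix: '10.1.3.0/24' }
]

// Route selection is longest-prefix first: the spoke's own /16 and the peered hub range keep
// their direct system routes; other spokes, on-prem 10/8 space and the Internet go to the firewall.
resource rt 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-${nameSuffix}'
  location: location
  properties: {
    // Otherwise BGP routes learned by the hub gateway (on-prem prefixes) are injected into
    // the spoke and on-prem traffic bypasses the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-to-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
      {
        name: 'rfc1918-10-to-firewall'
        properties: {
          addressPrefix: '10.0.0.0/8'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// "Default deny": the built-in AllowVnetInBound rule (priority 65000) admits traffic from every
// peered VNet, so an explicit deny at 4096 is required. Workload allow rules go above it.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-${nameSuffix}'
  location: location
  properties: {
    securityRules: [
      {
        name: 'AllowAzureLoadBalancerInBound' // health probes, otherwise blocked by the deny below
        properties: { priority: 4000, direction: 'Inbound', access: 'Allow', protocol: '*', sourceAddressPrefix: 'AzureLoadBalancer', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' }
      }
      {
        name: 'DenyAllInBound'
        properties: { priority: 4096, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: 'vnet-${nameSuffix}'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ spokeAddressSpace ] }
    subnets: [for s in subnetPlan: {
      name: s.name
      properties: {
        addressPrefix: s.prefix
        routeTable: { id: rt.id }
        networkSecurityGroup: { id: nsg.id }
        privateEndpointNetworkPolicies: 'Enabled' // private endpoints ignore NSG and UDR otherwise
      }
    }]
  }
}

// Spoke side of the peering. The hub side (Connectivity subscription) must set
// allowGatewayTransit: true, and a gateway must already exist there, or useRemoteGateways fails.
resource peerToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: vnet
  name: 'peer-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnetId }
    allowVirtualNetworkAccess: true
    allowForwardedTraffic: true // spoke-to-spoke traffic arrives forwarded by the firewall
    allowGatewayTransit: false
    useRemoteGateways: true
  }
}
```

Deploy into the workload subscription with `az deployment group create --resource-group <rg> --template-file spoke.bicep --parameters hubVnetId=<id>`. Two behaviours are worth knowing before relying on it: the 10.0.0.0/8 route does not pull spoke-to-hub traffic through the firewall, because the peering's system route for the hub range is more specific; and `useRemoteGateways` is rejected while the hub has no gateway, so order the connectivity build accordingly.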

### DNS
- Azure Private DNS zones in Connectivity subscription, linked to all VNets.
- Azure Firewall DNS proxy enabled (required for FQDN-based network rules, and it gives the firewall visibility of every DNS query from the spokes).
- For hybrid: Azure DNS Private Resolver, conditional forwarders to on-prem.

## 5. Security

### Defender for Cloud
- Enabled across all subscriptions.
- Plans enabled: Servers (Plan 2), Storage, Databases, App Service, Containers, Key Vault, Resource Manager, APIs. DNS alerts now come with Servers Plan 2 / Defender CSPM rather than a separate DNS plan.
- Auto-provisioning: Azure Monitor Agent (the Log Analytics agent is retired), vulnerability assessment, Defender for Endpoint (EDR).

### Microsoft Sentinel
- Single workspace in Management subscription (multi-workspace only if regulatory data residency requires).
- Connectors: Entra ID sign-in/audit, Azure Activity, Defender for Cloud, Defender XDR (formerly Microsoft 365 Defender), Office 365, Azure Firewall.
- Detection rule pack: see `runbooks/sentinel-kql-detection-pack.md` (companion document).
- Notebooks for hunt queries.
- SOAR via Logic Apps for tier-1 response.

### Defender for Endpoint (E5 / standalone)
- Deployed to all servers (Azure VMs natively; on-prem servers via Azure Arc and Defender for Servers).
- Defender for Cloud Apps for SaaS visibility.

### Network security
- NSG on every subnet, default deny (an explicit Deny rule is needed, because the built-in AllowVnetInBound rule permits all traffic from peered VNets).
- Azure Firewall application + network rules for east-west and north-south.
- DDoS Network Protection (formerly DDoS Protection Standard) enabled on the hub VNet.
- WAF (Application Gateway WAF v2 or Front Door WAF) for any public web app.
- Private endpoints preferred over service endpoints for PaaS connectivity.

## 6. Azure Policy (guardrails)

Apply at management group level; ALZ assigns at the organisation's intermediate root management group rather than at Tenant Root Group itself. Recommended initiative pack:

| Policy | Effect | Scope |
|---|---|---|
| Allowed locations | Deny | Tenant Root |
| Allowed VM SKUs | Deny | Sandbox + Non-prod |
| Storage account public access | Deny | Tenant Root |
| Require HTTPS for storage | Audit, then Deny | Tenant Root |
| Require encryption with CMK | Audit | Production |
| Require diagnostic settings | DeployIfNotExists | Tenant Root |
| Required tags (Environment, Owner, CostCentre, Application, DataClassification) | Append + Audit | Tenant Root |
| Block public IPs on NICs | Deny | Corp landing zones |
| Defender for Cloud plans on | DeployIfNotExists | Tenant Root |
| MFA on subscription Owner role | Audit | Tenant Root |
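
As an added example (not the ALZ policy library), two of the guardrails above, "Block public IPs on NICs" and "Required tags", as custom Bicep definitions plus their assignments at management group scope. The management group name `corp` and the tag name are assumed; the built-in equivalents ("Network interfaces should not have public IPs", "Require a tag on resources") can be assigned by ID instead.

```bicep
// Added example, not the ALZ reference implementation's own policy set: two guardrails from
// the table above, defined and assigned at management group scope. Deploy against the Corp
// management group (name assumed):
//   az deployment mg create --management-group-id corp --location uksouth --template-file guardrails.bicep
targetScope = 'managementGroup'

@allowed([
  'Audit'
  'Deny'
  'Disabled'
])
param nicPublicIpEffect string = 'Deny'

@description('Tag every resource in scope must carry (assumed name; Audit first, Deny once drift is cleared)')
param requiredTagName string = 'DataClassification'

// Same rule shape as the built-in "Network interfaces should not have public IPs":
// match when any ipconfiguration has a publicIpAddress.id set.
resource denyNicPublicIp 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-nic-public-ip'
  properties: {
    policyType: 'Custom'
    mode: 'All'
    displayName: 'Network interfaces should not have public IP addresses'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: [ 'Audit', 'Deny', 'Disabled' ]
        defaultValue: 'Deny'
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Network/networkInterfaces' }
          {
            not: {
              field: 'Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id'
              notLike: '*'
            }
          }
        ]
      }
      // Bicep emits a string that starts with '[' as '[[', so this reaches the policy engine
      // as a policy expression instead of being evaluated by ARM at deployment time.
      then: { effect: '[parameters(\'effect\')]' }
    }
  }
}

// Required tag; Indexed mode so only resources that support tags are evaluated.
resource auditRequiredTag 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'audit-required-tag'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Audit resources missing a required tag'
    parameters: {
      tagName: { type: 'String' }
    }
    policyRule: {
      if: {
        field: '[concat(\'tags[\', parameters(\'tagName\'), \']\')]'
        exists: 'false'
      }
      then: { effect: 'audit' }
    }
  }
}

// Assignment names at management group scope are limited to 24 characters.
resource assignNicPublicIp 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-nic-public-ip'
  properties: {
    displayName: 'Block public IPs on NICs (Corp landing zones)'
    policyDefinitionId: denyNicPublicIp.id
    enforcementMode: 'Default' // 'DoNotEnforce' evaluates and reports without denying
    parameters: {
      effect: { value: nicPublicIpEffect }
    }
    nonComplianceMessages: [
      { message: 'Corp workloads are private. Publish services through Application Gateway or Front Door in an Online landing zone.' }
    ]
  }
}

resource assignRequiredTag 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'audit-required-tag'
  properties: {
    displayName: 'Audit missing ${requiredTagName} tag'
    policyDefinitionId: auditRequiredTag.id
    parameters: {
      tagName: { value: requiredTagName }
    }
  }
}
```

Roll a new Deny out with `enforcementMode: 'DoNotEnforce'` first: the compliance view then shows exactly which existing resources would have been blocked, without stopping anyone's deployments, and the switch to `Default` is a one-line change.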

## 7. Logging & diagnostics

### Central Log Analytics workspace
- Located in Management subscription.
- Retention: 90 days interactive in the workspace; 2-year total retention using table-level long-term (archive) retention, or export to an immutable storage account.
- Tables include: AzureActivity, SigninLogs, AuditLogs, AzureDiagnostics, AZFWNetworkRule / AZFWApplicationRule (Azure Firewall resource-specific tables), SecurityEvent, SecurityAlert and SecurityRecommendation (Defender for Cloud).
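
As an added example (not this reference's or ALZ's own code), the central workspace with the 90-day / 2-year split applied at table level, plus the standard "all logs + all metrics" diagnostic setting pointed at the workspace itself. The workspace name and location are assumed, and table-level retention can only be set on tables that already exist in the workspace.

```bicep
// Added example, not the ALZ reference implementation's own code: the central workspace from
// section 7 with the 90-day / 2-year retention split applied at table level, plus the
// workspace's own audit log (who ran which query) sent back into it. Names are assumed.
targetScope = 'resourceGroup'

param location string = 'uksouth'
param workspaceName string = 'log-mgmt-prod-uks-01'

resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: { name: 'PerGB2018' }
    retentionInDays: 90 // interactive retention; the workspace default for every table
  }
}

// Audit-relevant tables keep 2 years in total: 90 days interactive, the rest in long-term
// (archive) retention, reachable through search jobs or restore rather than interactively.
// Assumption: these tables already exist in the workspace (they are created when the
// corresponding connector or diagnostic setting first delivers data).
var longTermTables = [
  'AzureActivity'
  'SigninLogs'
  'AuditLogs'
  'SecurityEvent'
  'AZFWNetworkRule'
  'AZFWApplicationRule'
]

resource tableRetention 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = [for t in longTermTables: {
  parent: law
  name: t
  properties: {
    retentionInDays: 90
    totalRetentionInDays: 730
  }
}]

// The standard diagnostic setting shape ("all logs + all metrics"), here applied to the
// workspace itself so that LAQueryLogs records every query run against the security data.
resource lawDiag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-to-central-law'
  scope: law
  properties: {
    workspaceId: law.id
    logs: [
      {
        categoryGroup: 'allLogs'
        enabled: true
      }
    ]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}
```

The `categoryGroup: 'allLogs'` form is what the DeployIfNotExists policy should emit for every resource type, because it keeps working when a resource provider adds a new log category; enumerating categories by name silently misses those.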

### Diagnostic settings
- Every resource type that supports diagnostics is configured via DeployIfNotExists policy.
- Standard: send all logs + all metrics to Log Analytics.
- Activity log: one diagnostic setting per subscription → Log Analytics (deployed by a DeployIfNotExists policy at management group scope).
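
As an added example (not this reference's or ALZ's own code), the per-subscription Activity Log diagnostic setting as a subscription-scope Bicep deployment. The workspace resource ID is assumed; at scale this is the resource that the DeployIfNotExists policy assignment produces in every subscription.

```bicep
// Added example, not the ALZ reference implementation's own code: the subscription Activity
// Log export described above, one setting per subscription. Assumed: the workspace resource ID.
targetScope = 'subscription'

@description('Resource ID of the central Log Analytics workspace (assumed)')
param workspaceId string

// All eight Activity Log categories. Security (Defender for Cloud alerts) and Policy
// (policy denials and remediations) matter most for detection and are the easiest to forget.
var activityLogCategories = [
  'Administrative'
  'Security'
  'ServiceHealth'
  'Alert'
  'Recommendation'
  'Policy'
  'Autoscale'
  'ResourceHealth'
]

// At subscription scope a diagnosticSettings resource with no explicit scope targets the
// subscription itself, which is how the Activity Log is exported.
resource activityLog 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'diag-activitylog-to-law'
  properties: {
    workspaceId: workspaceId
    logs: [for c in activityLogCategories: {
      category: c
      enabled: true
    }]
  }
}
```

Deploy with `az deployment sub create --location uksouth --template-file activitylog.bicep --parameters workspaceId=<id>`; the setting lands in the AzureActivity table, which is the source for every "who changed what" query and for the Azure Activity connector in Sentinel.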

### Audit log retention requirements
- Sign-in / audit logs: 1+ year. Entra ID itself keeps them for at most 30 days (P1/P2), so stream them to Log Analytics.
- Change logs: 7 years for regulatory workloads (immutable storage).

## 8. Naming & tagging

### Naming convention
`<resource>-<workload>-<env>-<region>[-<component>]-<NN>` (the optional component segment distinguishes per-subnet resources such as NSGs)

Examples:
- `vnet-app1-prod-uks-01`
- `nsg-app1-prod-uks-app-01`
- `kv-shared-prod-uks-01`

Region codes (short):
- `uks` = UK South
- `ukw` = UK West
- `weu` = West Europe
- `neu` = North Europe

### Required tags (enforced via Policy)
- `Environment` (prod / stage / dev / sandbox)
- `Owner` (team / DL email)
- `CostCentre` (finance code)
- `Application` (short name)
- `DataClassification` (public / internal / confidential / restricted)

## 9. Backup & DR

- Recovery Services Vaults per landing zone; geo-redundant storage with cross-region restore enabled for production.
- Azure Backup default policy: daily backups, 35-day retention.
- Soft delete and vault immutability on, multi-user authorization (Resource Guard) for destructive operations, so a compromised admin cannot delete the backups.
- For critical workloads: Azure Site Recovery (ASR) for VM DR where the RPO must be under 1 hour.
- Test restore quarterly, documented in the DR runbook.

## 10. Cost management

- Cost Management + Billing reports per management group.
- Budgets at subscription level: alert at 50% / 80% / 100% of forecast.
- Reservations / Savings Plans purchased centrally.
- Tag-based chargeback: Cost reports filtered by `CostCentre`.
- FinOps review monthly with workload owners.

## 11. Compliance mapping

| Control area | Where covered |
|---|---|
| ISO 27001 A.5.15 (access control) | Section 3 (Identity / PIM / CA) |
| ISO 27001 A.8.16 (monitoring) | Section 7 (Logging) + Sentinel |
| ISO 27001 A.8.24 (crypto) | Section 6 (Policy: encryption with CMK) |
| Cyber Essentials Plus | Sections 4 (boundary firewall), 5 (Defender), 6 (Policy as secure config) |
| SOC 2 CC6 (logical access) | Section 3 |
| SOC 2 CC7 (system operations) | Sections 5 + 7 |
| GDPR Article 32 | Sections 3, 5, 6, 7 (collectively) |

## 12. Implementation order (12-week starter)

| Week | Milestone |
|---|---|
| 1 | Tenant root group hardening, break-glass accounts, billing alerts |
| 2 | Management group structure created, Platform subscriptions provisioned |
| 3 | Entra ID baseline (MFA, PIM, CA001-008) |
| 4 | Log Analytics workspace + diagnostic settings policy applied |
| 5 | Hub VNet + Azure Firewall + Bastion deployed |
| 6 | Defender for Cloud across all subscriptions |
| 7 | Azure Policy initiative deployed at Tenant Root |
| 8 | First workload landing zone built per template |
| 9 | Sentinel deployed, baseline detection pack imported |
| 10 | Backup org policy applied; first restore test |
| 11 | Documentation + handover to Cloud Platform team |
| 12 | First quarterly review + drift remediation |

## 13. Tooling

- **Azure Landing Zones (ALZ)** Bicep / Terraform — opinionated reference implementation. Use it if you can; this reference describes the design it implements.
- **Microsoft Cloud Adoption Framework (CAF)** — the broader methodology this reference sits inside.
- **Azure Verified Modules (AVM)** — vetted Bicep / Terraform modules for resources.
- **AzAdvertizer** — tracks Azure Policy and role definition changes.
- **AzGovViz** — tenant-wide visualisation of management groups, policies, role assignments.

## 14. What this reference is NOT

- Not a single-subscription / hobbyist guide.
- Not a substitute for Microsoft CAF — read CAF's "Ready" methodology alongside.
- Not free of cost — Defender plans, Sentinel ingestion, Firewall Premium, ExpressRoute all have ongoing costs. Budget accordingly.

## 15. Keep this alive

- Re-baseline annually.
- Track Microsoft Build / Ignite announcements that affect the CAF reference architecture.
- Compare workloads against Azure Well-Architected Framework on a per-workload basis; ALZ is the platform floor.

---

**Authored by:** VantagePoint Networks (Hak, Senior Engineer & Author)
**Licence:** MIT
