The Cloud Adoption Framework for Azure enterprise-scale landing zone architecture varies between customers. So there is no one size fits all but there is a lot in common that can be reused next time.
Often I hear Azure Enterprise-scale is not for me it is enterprise. Wrong anyone can use the CAF and Azure Enterprise-scale. as it is modular by design. But if you have just 1 VM there is still some usage that you could use say the management groups or monitoring ,RBAC.
The enterprise-scale approach to construct landing zones includes three sets of assets to support cloud teams:
- Design guidelines: Guide to the critical decisions that drive the design of the Cloud Adoption Framework for Azure enterprise-scale landing zone.
- Architecture: Conceptual reference architecture that demonstrates design areas and best practices.
- Implementations: Azure Resource Manager template of the architecture to accelerate adoption.
But how do we start with this what to build Well Microsoft made this easy there is a accelerator that I will explain below.
With this solution accelerator you can setup the foundation in one process.
Often there is this error showing even if you are an Azure subscription owner
You don’t have authorization to perform action ‘Microsoft.Resources/deployments/validate/action’.
This can be fixed by adding the user account to the Owner role at Tenant root scope. This can only be done with powershell assign Owner role at Tenant root scope (“/”) as a User Access Administrator to current user
New-AzRoleAssignment -Scope ‘/’ -RoleDefinitionName ‘Owner’ -ObjectId “user objectID”
go to the user and grab the object ID
Now that everything is ready we can start.
Choose where the instance needs to land, pick the proper region for your azure resources. If your default is west europe then choose west europe here
As I did not want to deploy it in a dedicated subscription, I’ll pick my own. the prefix for the management groups is based on the text that is visible later.
The management groups holds the subscriptions and policys can be placed on the management groups.
Here are the options for the log analytics and the policys. to keep a good governance you need logging and policy’s in the Azure Microsoft defender for cloud you can see later the policys and the secure score.
At this time I don’t want to use the devops pipeline. but it is a great add on and you can start from there with the pipeline deployment
Now you need to choose the deployment go for a hub spoke or Azure virtual wan. Depending on your needs, personally I’m a big fan of Azure virtual wan so I’ll choose this. As optional resources can be added as:
- DDoS Protection Standard
- Azure Private DNS Zones for Azure PaaS services
- VPN and ExpressRoute Gateways
- Azure Firewall
With these options you may need to choose the right sku and a proper subnet and or zone redundancy.
I choose the standard sku, this is without the IDS and TLS inspection, best option is choose premium.
Always use a NSG on your network, never never never add a vm direct to the web.
In the Enterprise-scale it is best practice to use multiple subscriptions, see also the enterprise-scale layout
Now that the deployment is ready we can view de Azure virtual wan with the firewall.
The deployment of the resources are easy to find as the prefix is used on all the resources
Looking at the log analytics and de policys, always check this. maybe you need to adjust the workload and or add extra settings on the workload the make things compliant.
Overall the template is a great starter, and yes you need to configure a lot more than just the foundation, but this gives you a good understanding on what is needed and what to connect and play with the resources.
Look on my blog for how to configure the VPN and Azure firewall.
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
Linkedin Profile Robert Smit MVP Linkedin profile
Google : Robert Smit MVP profile