
Enterprise guide to Cloud Adoption Framework landing zones, hub-spoke networking, Entra ID identity, Azure Policy governance, Defender security, and Sentinel monitoring.
Quick Answer: An Azure Landing Zone is a pre-configured, enterprise-ready Azure environment that provides the foundational architecture for all workload deployments. It includes six layers: management group hierarchy for subscription organization, hub-spoke networking for centralized connectivity, Entra ID integration for zero-trust identity, Azure Policy for governance guardrails, Defender for Cloud and Sentinel for security, and Log Analytics for centralized monitoring. The Cloud Adoption Framework (CAF) Landing Zone Accelerator deploys this architecture in 2-4 weeks. EPC Group customizes it for regulated industries (HIPAA, SOC 2, FedRAMP) in 6-12 weeks.
Every enterprise Azure deployment starts with a landing zone — or should. Organizations that skip this step and deploy workloads directly into subscriptions accumulate technical debt that becomes exponentially more expensive to fix. Subscriptions without governance policies allow developers to create public-facing resources, bypass encryption, and deploy to unapproved regions. Networks without hub-spoke topology create routing chaos and security blind spots. Identities without conditional access and PIM leave the door open for lateral movement attacks.
The Azure Landing Zone concept, formalized in Microsoft's Cloud Adoption Framework, provides a reference architecture that solves these problems before workloads arrive. It is the equivalent of building a foundation before constructing a house — unglamorous but essential.
EPC Group has designed and implemented Azure Landing Zones for organizations in healthcare, financial services, and government — industries where compliance requirements make proper architecture non-negotiable. This guide covers every layer of the landing zone architecture, from management groups to cost management, with specific guidance for regulated industries. For broader Azure consulting services, contact our team.
Enterprise landing zones are built in six layers. Each layer provides configuration points that control how resources are organized, connected, secured, and monitored.
- Management groups: Hierarchical container structure for organizing subscriptions and applying governance at scale.
- Networking: Hub-spoke or Virtual WAN topology connecting all landing zones with centralized security and DNS.
- Identity: Zero-trust identity model with Entra ID, conditional access, and privileged identity management.
- Governance: Azure Policy assignments that enforce compliance guardrails across all subscriptions.
- Security: Defense-in-depth security with Defender for Cloud, Sentinel, and Key Vault.
- Monitoring: Centralized logging and monitoring with Log Analytics, alerts, and dashboards.
Network topology is the most impactful architectural decision in landing zone design. It determines how workloads communicate, how on-premises connectivity is established, and how traffic is inspected and secured. Two patterns dominate enterprise deployments.
- Hub-spoke: A central hub VNet contains shared services (Azure Firewall, VPN Gateway, ExpressRoute Gateway, DNS). Spoke VNets peer to the hub for connectivity. You manage all routing and peering. EPC Group recommendation for most enterprises.
- Virtual WAN: Microsoft manages the hub infrastructure. Virtual WAN automates spoke connectivity, branch-to-Azure VPN, and inter-region transit. You configure intent-based routing policies. Best for large branch-office organizations.
The Cloud Adoption Framework Landing Zone Accelerator is Microsoft's reference implementation that deploys enterprise-scale architecture through the Azure Portal wizard, Bicep templates, or Terraform modules. It provisions the management group hierarchy, platform subscriptions, hub networking, Azure Policy assignments, and logging infrastructure in a single deployment.
The accelerator handles approximately 80% of the work required for an enterprise landing zone. The remaining 20% is customization: adjusting policies for specific compliance requirements, configuring ExpressRoute or VPN connectivity to on-premises infrastructure, setting up Sentinel analytics rules, and integrating with existing ITSM and identity systems.
- Management Groups: Full hierarchy: Tenant Root > Platform (Management, Identity, Connectivity) > Landing Zones (Corp, Online) > Sandbox > Decommissioned
- Platform Subscriptions: Management subscription (logging, automation), Identity subscription (domain controllers), Connectivity subscription (hub networking)
- Hub Networking: Hub VNet with Azure Firewall, VPN Gateway, ExpressRoute Gateway, Azure Bastion, and Private DNS Zones
- Azure Policies: 100+ policy assignments covering tagging, encryption, diagnostics, allowed locations, deny public endpoints, and Defender enablement
- Logging Infrastructure: Central Log Analytics workspace, Diagnostic Settings policies, Azure Monitor baseline alerts, and Activity Log forwarding
- Security Configuration: Defender for Cloud enabled on all subscriptions, Sentinel workspace, security contact configuration, and auto-provisioning
Azure Policy is the enforcement mechanism for landing zone governance. Policies assigned at the management group level cascade to all child subscriptions, ensuring that every landing zone complies with organizational standards regardless of which team deploys resources.
| Policy Category | Example Policies | Effect |
|---|---|---|
| Location | Allowed locations for resource groups and resources | Deny — prevents deployment to unapproved regions |
| Tagging | Require CostCenter, Owner, Environment tags on all resource groups | Deny — blocks creation without required tags |
| Networking | Deny public IP addresses, require private endpoints, enforce NSGs | Deny — prevents public-facing resources |
| Encryption | Require encryption at rest, enforce TLS 1.2, require HTTPS only | Deny/Audit — enforces or reports non-compliance |
| Monitoring | Deploy diagnostic settings, enable Defender for Cloud, require alerts | DeployIfNotExists — auto-remediate |
| Compliance | HIPAA HITRUST, SOC 2, FedRAMP High regulatory initiatives | Audit — compliance dashboard reporting |
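As an added example that is not part of the original page or of the CAF Accelerator's own policy set, here is a custom policy definition for the Networking row above, modelled on Microsoft's built-in "Network interfaces should not have public IPs" rule: the `[*]` array alias wrapped in `not` matches any NIC with at least one ipconfiguration that references a public IP, and the `effect` parameter lets the same definition be assigned as Audit at the Landing Zones management group (where it cascades to every child subscription) before being switched to Deny. The display name, description and metadata values are constructed for this example.

```json
{
  "properties": {
    "displayName": "Network interfaces should not have public IPs (landing zone guardrail)",
    "policyType": "Custom",
    "mode": "All",
    "description": "Blocks NICs that attach a public IP. Deny only evaluates create and update requests; NICs that already exist are reported as non-compliant rather than removed, so assign with effect=Audit first and switch to Deny after remediation.",
    "metadata": {
      "category": "Network",
      "version": "1.0.0"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports violations on the compliance dashboard; Deny rejects the deployment."
        },
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkInterfaces"
          },
          {
            "not": {
              "field": "Microsoft.Network/networkInterfaces/ipconfigurations[*].publicIpAddress.id",
              "notLike": "*"
            }
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Exempt the Connectivity subscription (where the hub's gateways and Azure Firewall legitimately hold public IPs) with a policy exemption rather than by narrowing the assignment scope, so the exception is visible on the compliance dashboard.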
Security in an Azure Landing Zone follows a defense-in-depth model with multiple overlapping controls. Microsoft Defender for Cloud provides cloud security posture management (CSPM) and cloud workload protection (CWP). Microsoft Sentinel provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR).
Cost management is a critical landing zone capability that prevents cloud spend from spiraling out of control. The landing zone architecture provides natural cost boundaries through subscription organization and tagging governance, but active cost management practices are essential.
- Tag-Based Allocation (visibility): Enforce cost-center and owner tags through Azure Policy. Aggregate costs in Cost Management by tag for chargeback.
- Budget Alerts (prevention): Set budgets at subscription and resource group level. Automated alerts at 50%, 80%, 100% thresholds.
- Reserved Instances (30-60% savings): Commit to 1-year or 3-year terms for predictable workloads. Apply to VMs, SQL, Cosmos DB, and more.
- Azure Advisor (15-25% savings): Weekly review of right-sizing recommendations, unused resources, and optimization opportunities.
- Dev/Test Pricing (40-55% savings): Use dev/test subscription offer for non-production workloads. Auto-shutdown VMs outside business hours.
- Spot Instances (60-90% savings): Use spot VMs for batch processing, CI/CD, and fault-tolerant workloads that can handle interruptions.
Azure Landing Zone implementation follows a phased approach. EPC Group uses the CAF Accelerator as a starting point and customizes iteratively, which gets workloads running faster than building from scratch. For organizations with specific governance requirements, we extend the timeline to accommodate compliance validation and audit preparation.
- Phase 1, Foundation (Weeks 1-2): Deploy CAF Accelerator, establish management group hierarchy, create platform subscriptions, configure hub networking basics.
- Phase 2, Identity & Security (Weeks 3-4): Configure Entra ID conditional access, enable PIM, deploy Defender for Cloud, configure Sentinel data connectors and baseline analytics rules.
- Phase 3, Governance & Compliance (Weeks 5-8): Customize Azure Policy assignments for regulatory requirements, configure tagging governance, implement budget alerts, establish compliance dashboards.
- Phase 4, Application Onboarding (Weeks 9-12): Create first application landing zones, establish subscription vending process, onboard initial workloads, train application teams on landing zone patterns.
An Azure Landing Zone is a pre-configured, enterprise-ready Azure environment that provides the foundational architecture for workload deployment. It includes management group hierarchy, subscription organization, networking (hub-spoke or Virtual WAN), identity integration with Entra ID, governance through Azure Policy, security with Defender for Cloud and Sentinel, and cost management controls. You design one by following the Cloud Adoption Framework (CAF) methodology: define your management group structure, establish connectivity patterns, configure identity and access, apply governance policies, and implement monitoring. EPC Group implements Azure Landing Zones using the CAF Landing Zone Accelerator, customized for each organization's regulatory requirements and workload patterns.
The CAF Landing Zone Accelerator is a Microsoft-provided reference implementation that deploys enterprise-scale landing zone architecture through Azure Portal, Bicep templates, or Terraform modules. It provisions: management group hierarchy (Platform, Landing Zones, Sandbox, Decommissioned), platform subscriptions (Management, Identity, Connectivity), Azure Policy assignments for governance guardrails, hub networking with Azure Firewall or third-party NVA, logging infrastructure with Log Analytics and Diagnostic Settings, and Microsoft Defender for Cloud configuration. The accelerator handles 80% of the work — the remaining 20% is customization for your specific compliance requirements, application patterns, and operational model. EPC Group uses the accelerator as a starting point and customizes it for regulated industries (HIPAA, SOC 2, FedRAMP).
Platform landing zones contain shared infrastructure services: connectivity (hub networking, DNS, ExpressRoute), identity (domain controllers, Entra ID Connect), and management (logging, monitoring, automation). These are managed by the platform team and shared across all workloads. Application landing zones are subscription-level environments where business applications run. Each application team gets their own landing zone (subscription) with pre-configured governance policies, networking connectivity to the hub, and identity integration. The separation ensures that platform changes do not break applications and application teams cannot modify shared infrastructure. EPC Group designs the platform/application boundary based on organizational structure and operational maturity.
Hub-spoke is the traditional pattern: a central hub virtual network contains shared services (firewall, VPN gateway, DNS) and spoke virtual networks for workloads peer to the hub. Virtual WAN is a Microsoft-managed networking service that automates hub-spoke connectivity, branch-to-Azure connections, and transit routing. Choose hub-spoke when: you need full control over routing and firewall rules, your network team prefers managing their own infrastructure, or you have complex NVA requirements. Choose Virtual WAN when: you have 10+ branch offices connecting to Azure, you want Microsoft-managed routing, or you need simplified SD-WAN integration. EPC Group recommends hub-spoke for most enterprise deployments because it provides more flexibility and avoids Virtual WAN licensing costs. We recommend Virtual WAN for organizations with 20+ branch locations.
Identity configuration in Azure Landing Zones involves four layers:
1. Entra ID (Azure AD): the identity provider for all Azure and Microsoft 365 authentication, configured with conditional access policies, MFA, and PIM (Privileged Identity Management).
2. Management group RBAC: role assignments at the management group level that cascade to all subscriptions (e.g., Security Reader for the SOC team across all landing zones).
3. Subscription RBAC: role assignments at the subscription level for application teams (Owner, Contributor, Reader).
4. Resource-level RBAC: granular permissions for specific resources (e.g., Key Vault access policies).
Best practice: use Entra ID groups for all role assignments (never individual users), enable PIM for all privileged roles, and require MFA for all administrative access. EPC Group implements zero-trust identity models for all landing zone deployments.
Essential Azure Policies for enterprise landing zones include:
1. Allowed locations: restrict resource deployment to approved Azure regions.
2. Allowed resource types: prevent deployment of unapproved services.
3. Require tags: enforce tagging standards for cost allocation and ownership.
4. Deny public endpoints: prevent resources from having public IP addresses unless explicitly approved.
5. Require encryption: enforce encryption at rest and in transit for all storage and databases.
6. Diagnostic settings: automatically configure logging to the central Log Analytics workspace.
7. Defender for Cloud: enforce security monitoring on all subscriptions.
8. Network restrictions: require resources to use private endpoints and service endpoints.
The CAF Landing Zone Accelerator deploys 100+ policies by default. EPC Group customizes these for regulated industries, adding HIPAA, SOC 2, or FedRAMP-specific policies as needed.
Azure Landing Zone security is implemented across five layers:
1. Network security: Azure Firewall or NVA in the hub, NSGs on all subnets, DDoS Protection Standard on the hub VNet.
2. Identity security: Conditional Access, MFA, PIM, Entra ID Identity Protection.
3. Workload security: Microsoft Defender for Cloud (CSPM + CWP) on all subscriptions, Defender plans for servers, databases, storage, containers.
4. Data security: encryption at rest (customer-managed keys for regulated workloads), encryption in transit (TLS 1.2+), Azure Key Vault for secret management.
5. Monitoring: Microsoft Sentinel for SIEM/SOAR, Diagnostic Settings for all resources, alerts for security events.
EPC Group implements defense-in-depth security aligned to the specific compliance frameworks (HIPAA, SOC 2, FedRAMP) required by each client.
Implementation timelines depend on complexity: Basic landing zone (CAF Accelerator with minimal customization) takes 2-4 weeks. This covers management group hierarchy, hub-spoke networking, basic policies, and logging infrastructure. Enterprise landing zone (full customization for regulated industries) takes 6-12 weeks. This adds custom policies for compliance, advanced networking (ExpressRoute, multi-region), Sentinel configuration, and integration with existing on-premises infrastructure. Ongoing optimization takes 2-4 weeks per quarter for policy tuning, cost optimization, and security posture improvement. EPC Group follows an accelerator-first approach: deploy the CAF Accelerator in week 1, then customize iteratively. This gets workloads running faster than building from scratch.
Cost management in Azure Landing Zones involves:
1. Tagging governance: enforce cost-center, owner, and environment tags on all resources through Azure Policy.
2. Budget alerts: set budgets at the subscription and resource group level with automated alerts at 50%, 80%, and 100% thresholds.
3. Azure Advisor: review cost recommendations weekly (right-sizing VMs, reserved instances, unused resources).
4. Cost allocation: use cost management scope (management group level) to aggregate costs across all landing zones.
5. Reserved Instances and Savings Plans: commit to 1-year or 3-year terms for predictable workloads (30-60% savings).
6. Auto-shutdown: configure dev/test subscriptions to auto-shutdown resources outside business hours.
7. Policy enforcement: deny expensive SKUs in non-production subscriptions.
EPC Group cost optimization engagements typically reduce Azure spend by 25-40% within the first quarter.
EPC Group designs and implements Azure Landing Zones for regulated enterprises. CAF Accelerator deployment, custom governance policies, Defender and Sentinel security, and compliance validation for HIPAA, SOC 2, and FedRAMP.