ENTERPRISE SCALE LANDING ZONE DESIGN

April 11, 2025
Priti Shah

This blog provides a structured approach to designing an enterprise-scale landing zone in the cloud. It outlines key concepts, design patterns, security considerations, and best practices to ensure scalability, security, and operational efficiency in cloud adoption.

What is a Landing Zone and Its Importance

A landing zone is a pre-configured, scalable, and secure cloud environment for hosting applications. It is built following best practices and design principles to support enterprise-scale cloud adoption and serves as the foundation for cloud workloads and applications.

Importance of an enterprise-scale landing zone:

  • Scalability & Agility: Establishes a repeatable environment that grows with organizational needs.
  • Security & Compliance: Incorporates standardized security controls and governance policies.
  • Operational Efficiency: Centralizes shared services (e.g., identity management, connectivity, monitoring), reducing duplication and simplifying management.
  • Cost Optimization: Enables cost control by streamlining resource allocation and implementing billing policies.
  • Risk Reduction: Defines network topologies, identity controls, and security frameworks to minimize misconfigurations.

Types of Landing Zones

Landing zones are generally categorized into two types, each serving distinct purposes while working together.

  1. Platform Landing Zone
  2. Application Landing Zone

Platform Landing Zone

A dedicated subscription (or set of subscriptions) that hosts shared services such as identity, connectivity, management, and security tools.

Key Characteristics:

  • Centralized Management: Organization-wide policies enforced by central IT teams.
  • Shared Services: Networking, logging, security, and monitoring services available across applications.
  • Governance & Compliance: Acts as the control plane for governance, ensuring all environments adhere to established standards.
  • Operational Efficiency: Consolidates resources, reducing operational overhead.

Application landing zone

A subscription dedicated to hosting specific applications or workloads, provisioned via automation and governed by management policies.

Key Characteristics:

  • Decentralized Deployment: Managed by application teams while maintaining central oversight.
  • Tailored Environment: Configured for performance, security, and compliance needs.
  • Delegated Administration: Application teams manage daily operations under central governance.
  • Resource Isolation: Provides secure, independent environments for workloads.

Comparison of Platform vs. Application Landing Zones

  • Ownership: Platform LZ is managed by central IT teams; Application LZ is managed by application teams.
  • Purpose: Platform LZ hosts shared services and core infrastructure; Application LZ hosts specific workloads and applications.
  • Governance: Platform LZ is centralized, enforcing uniform policies; Application LZ is governed through pre-defined policies with some autonomy.
  • Operational Efficiency: Platform LZ reduces duplication via consolidation of services; Application LZ has configurations optimized for specific needs.
  • Security & Compliance: Platform LZ provides centralized controls and monitoring; Application LZ has custom security configurations as per application.

Design Patterns for LZ

Two common landing zone design patterns, hub and spoke and Virtual WAN, address different scalability, connectivity, and management requirements.

Hub and Spoke Design

A central hub (hosting shared services) connects multiple spokes (individual workloads or applications).

  • Centralized Connectivity: Firewalls, VPN gateways, or ExpressRoute connections are managed centrally.
  • Regional Flexibility: Suitable for single- or multi-region deployments where transitive connectivity is limited.
  • Granular Routing: Allows for centralized network virtual appliances (NVAs) and controlled routing, enabling detailed traffic management.
  • Scalability Considerations: Best for limited VPN connections (<100 per gateway) and centralized monitoring.

Virtual WAN Design

Virtual WAN is a Microsoft-managed solution that provides global, dynamic transit connectivity across Azure regions and on-premises locations.

  • Global Connectivity: Supports any-to-any connectivity (virtual network to branch, branch to branch, etc.) across regions without manual transitive routing.
  • Simplicity: Eliminates the need to manually configure complex network topologies as connectivity is managed by Microsoft.
  • Enhanced Scalability: Designed for large-scale, global deployments where multiple regions and on-premises connectivity are essential.
  • Centralized Resource Management: Typically deploys all resources into a single resource group within a connectivity subscription, simplifying management.

8 Design Considerations for Building a Landing Zone

A well-designed landing zone follows eight key principles to support cloud adoption at scale:

  1. Azure Billing & Microsoft Entra Tenant: Proper tenant creation, enrollment, and billing setup.
  2. Identity and access management: Establishes security boundaries and compliance requirements.
  3. Management Group and Subscription Organization: Impacts governance, operations, and adoption patterns.
  4. Network topology and connectivity: Ensures foundational networking and connectivity decisions.
  5. Security: Implement controls and processes to protect cloud environments.
  6. Management: Provides visibility, operational compliance, and disaster recovery strategies.
  7. Governance: Automates auditing and enforces governance policies.
  8. Platform automation and DevOps: Utilizes best tools and templates for deployment.

Security Considerations for Enterprise-Scale Landing Zones

1. Network Architecture & Perimeter Security

  • Virtual WAN-based hub and spoke network architecture
  • Firewalls (e.g., Azure Firewall, Cisco firewall)
  • WAF and Application Gateway
  • DMZ design for external applications
  • NSGs, route tables, Network Watcher, and VNet flow logs to monitor and control IP traffic
  • Bastion in the connectivity hub
  • DDoS protection for the hub and production environments

2. Identity & Access Management (IAM)

  • Multi-Factor Authentication
  • Role-Based Access Control (RBAC) with custom roles, plus system- and user-assigned managed identities
  • Privileged Identity Management (PIM)
  • Microsoft Entra ID Conditional Access policies
  • Federated identity for seamless authentication

3. Security Monitoring & Logging

  • Defender for Cloud for all subscriptions and services
  • Azure Sentinel with a central Log Analytics Workspace (LAW)
  • Application Insights with Azure Monitor Private Link Scope (AMPLS) to transmit logs securely over private connectivity

4. Governance, Policies, & Compliance

  • Built-in and custom Azure Policies
  • Domain controllers & DNS forwarders in the management hub
  • Centralized Private DNS zones for PaaS and serverless services

5. Data Protection & Encryption

  • Azure Key Vault for safeguarding secrets
  • Microsoft & Customer Managed Keys with rotation policies
  • Private Endpoints (with “No Access Keys” enforced)
  • Enforcing TLS 1.2 or higher for secure data transmission.
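Two of the controls above can be checked mechanically: the hub-and-spoke rule that spoke egress is routed through the hub firewall, and the data-protection settings in section 5 (TLS 1.2 or higher, private endpoints, no access keys). The Python baseline checker below is an added example, not code from the original post; it assumes a constructed hub firewall private IP and constructed ARM-style resource descriptions.

```python
HUB_FIREWALL_IP = "10.0.1.4"  # assumption: private IP of the hub firewall NVA
TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}
# Constructed sample resources in ARM-style shape (not real deployments).
SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stprodlogs",
     "properties": {"minimumTlsVersion": "TLS1_0", "allowSharedKeyAccess": True,
                    "publicNetworkAccess": "Enabled"}},
    {"type": "Microsoft.Storage/storageAccounts", "name": "stprodapp",
     "properties": {"minimumTlsVersion": "TLS1_2", "allowSharedKeyAccess": False,
                    "publicNetworkAccess": "Disabled"}},
    {"type": "Microsoft.Network/routeTables", "name": "rt-spoke-prod",
     "properties": {"routes": [{"name": "default", "properties": {
         "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
         "nextHopIpAddress": "10.0.1.4"}}]}},
    {"type": "Microsoft.Network/routeTables", "name": "rt-spoke-dev",
     "properties": {"routes": [{"name": "direct", "properties": {
         "addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"}}]}},
]

def check_storage(res):
    """Data-protection controls: TLS 1.2+, no access keys, private access only."""
    p, findings = res["properties"], []
    if TLS_RANK.get(p.get("minimumTlsVersion", "TLS1_0"), 0) < TLS_RANK["TLS1_2"]:
        findings.append("minimumTlsVersion below TLS1_2")
    if p.get("allowSharedKeyAccess", True):
        findings.append("shared access keys still enabled")
    if p.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("public network access enabled; expected Private Endpoint only")
    return findings

def check_route_table(res):
    """Hub-and-spoke control: the spoke's 0.0.0.0/0 route must hit the hub firewall."""
    for route in res["properties"].get("routes", []):
        rp = route["properties"]
        if rp["addressPrefix"] == "0.0.0.0/0":
            via_hub = (rp["nextHopType"] == "VirtualAppliance"
                       and rp.get("nextHopIpAddress") == HUB_FIREWALL_IP)
            return [] if via_hub else [f"default route bypasses hub firewall (nextHopType={rp['nextHopType']})"]
    return ["no default route through hub firewall"]

CHECKS = {"Microsoft.Storage/storageAccounts": check_storage,
          "Microsoft.Network/routeTables": check_route_table}

def evaluate(resources):
    report = {}  # {resource name: list of findings}, compliant resources omitted
    for res in resources:
        findings = CHECKS.get(res["type"], lambda _: [])(res)
        if findings:
            report[res["name"]] = findings
    return report
```

Running evaluate(SAMPLE_RESOURCES) flags stprodlogs on all three storage controls and rt-spoke-dev for sending internet-bound traffic straight out instead of via the hub firewall; the same checks can be fed resource JSON exported from a real subscription.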

This blog has been authored by Priti Shah and Praneshwar Singh

About the author

Director | India
Priti Shah is an L3 Chief Architect currently serving as the NCE Sales Acceleration Lead and India TransformU Lead. She is also a core member of the F23 team, driving strategic growth initiatives across Europe.

Praneshwar Singh is an IT professional with 15+ years of experience in Microsoft technologies and cloud architecture. As an Azure Architect and cloud migration expert, he has led medium-to-large-scale cloud migrations for over 5 years. With 6+ years in leadership, he excels in mentoring teams and driving innovative cloud solutions.
