How to Create an Azure Landing Zone

 

An Azure Landing Zone is an architecture designed to provide organisations with a secure and cost-efficient environment to manage their cloud infrastructure. It is a collection of best practices and automated processes that streamline the deployment and management of Azure services, and it includes a defined set of policies and standards, governance structures, security protocols, and automation mechanisms that are tailored to the organisation’s specific needs. 

 

The Landing Zone also provides organisations with the ability to quickly scale their cloud infrastructure as their needs change. This allows organisations to add new services and resources quickly and easily to their cloud environment, without having to manually configure and deploy them. Additionally, the Landing Zone provides organisations with the ability to monitor and manage their cloud environment, ensuring that their resources are secure and compliant with industry standards. 

 

Creating an Azure Landing Zone can provide organisations with several benefits, including: 

 

 

 

So how do you get started? There's a lot of work involved, and sometimes the first step of just formulating a plan is the most difficult. So I've put together a high level overview of some of the main actions. 

 

Organisations should configure governance structures to help manage policies and standards. This includes setting up a management group structure within Azure, followed by defining rules for subscription creation and resource groups. 

 

For example, and management group structure may reflect a company's physical structure (i.e. location based), or organisation (i.e. department based). This will help control the follow of access and policies. Getting this structure wrong will create complexities and management overhead, so time spent thinking this through now will save you time and money later! 

 

Identity and Access Management (IAM) is about creating a secure user directory that can protect against your users' accounts and thus prevent access from malicious actors. Once your users are in (Authentication), you need to ensure they only have access to what they should (Authorisation). 

 

At a bare minimum this entails setting up services such as Multifactor Authentication (MFA) to protect against password theft, but to truly secure your environment you should enable more advanced features such as regular Access reviews, Just in Time Access, Conditional Access, and Privileged Identity Management. 

 

I&AM also involves defining a suitable set of Roles & Groups that provide access to the correct resources and only those resources and then assigning users to those groups. There is often cross over with the Leaver and Joiners processes to ensure that user's accounts are disabled and access removed when they leave. 

 

Finally, having a good organisational structure helps here as it allows you to set the role and group access in your organisation hierarchy without need to assign access to individual resources/users. 

 

Many companies have specific requirements around how components should be used and configured. These might come from the need to align to customer needs, or for regulatory reasons within a given industry. A common example of PCI requirements for systems that handle card Payments. 

 

This starts with defining the required standards and range from and agreeing naming conventions, to tagging resources with meta data, or even documenting rules for how to divide workloads - for example do you have multiple subscriptions or one subscription with multiple resource groups? There's no wrong or right answer, at depends on the size and complexity of your organisation. 

 

Once you have defined your policies you can then codify them in Azure using Azure Policies. Azure Policies can either report on, block and automatically apply configurations to any component in Azure regardless of the role a user has been assigned. 

 

For example, if you want to ensure that Storage accounts only ever allow access from an internal network, and therefore block internet access, one way you can do this is by created an Azure Policy to always set Public Access to Disabled whenever a storage account is created. The policy can be set to: 

 

 

Azure Policies have other variations of these actions, but essentially all this means is that if it's configurable, you can report, deny or enforce it. 

 

Other examples of what you can use Policies to control are 

 

 

To further protect resources you should also employ perimeter controls around your assets. Again, these will look different depending on the asset in question. 

 

For example, internal assets, i.e. applications and databases that should only be accessible from your corporate network need to ensure you have private connections from your offices into Azure - either in the form of a VPN or an Azure Express route. Efficiently and secure configuring these connections requires thought and planning. 

 

Other areas to consider are when building public facing applications - using traditional firewalls and Web Application Firewalls help block known attacks, and modern products even utilise AI and threat analysis to dynamically react to different types of attacks. 

 

Finally, you should only expose the smallest possible portion of your application. So if you have a Web App with a SQL backend database, only the WebApp should be exposed (and only over a secure SSL connection), and your backend databases, storage accounts and other internal processes should be blocked off and only allow access what is absolutely required. 

 

Organisations can use automation tools such as Azure Resource Manager templates or Open-Source multi-platform Infrastructure as Code (IaC) tools such as Terraform. These help to streamline the deployment process and help organisations quickly deploy cloud resources in a secure and cost-effective manner, while also ensuring that deployments adhere to the organisation’s policies and standards. 

 

Although a base set of standardised templates are often built as part of a Landing Zone setup, requirements are often a moving target. Setting up a Cloud Centre of Excellence (CCoE) that meets regularly to investigate, define and build new standards will help ensure this good work continues. 

 

Once the Azure Landing Zone has been established, organisations should monitor their cloud environments to ensure that they are secure and cost-effective. Organisations can use tools such as Azure Monitor or Log Analytics to monitor their cloud resources. Additionally, they can use cost optimization tools such as Azure Advisor or Resource Optimization Advisor to identify areas where they can reduce costs. 

 

There are of course several 3rd party platforms can also specialise in this area, but either way you must ensure your resources are logging out just the information you need. If they don’t send enough you may miss something important, too much and your costs increase or you get lost in the deluge. 

 

Once you have your logs you must act on them. You can perform manual reviews using Azure Dashboards, workbooks and security tools such as Security Centre or Sentinel, but these products also heavily utilise AI to help you spot and respond to threats and other events. 

 

Creating an Azure Landing Zone can be challenging for organisations due to the complexity of the process. There are a variety of best practices that you should follow when setting up their Landing Zone including, many of which we have covered here. 

By following these steps and best practices, you can ensure that their Azure Landing Zone is properly set up for success. 

 

It is also important to ensure that your Azure Landing Zone is regularly updated to ensure that it remains secure and cost-effective. 

 

Make no mistake, this process takes a lot of upfront effort, and must be reviewed regularly, however if you get it right it will save you time and money in the long run, as well as ensuring your systems are safe and secure. 

 

 

Our industry-leading Cloud Practice team works with businesses to understand their goals and establish tailored Landing Zones, allowing them to innovate, save money and optimise agility. Please don’t hesitate to contact Iridium’s Cloud Practice lead, brett.hargreaves@ir77.co.uk, with any Cloud questions or requirements.