Enterprise-Scale Cloud Landing Zone by Infrastructure as Code

Vijay Yadav, CloudTechOffice, Mar 21, 2022

What is a landing zone?

One of the best analogies for understanding a landing zone is to compare it to the essential services on which a city is built. Before buildings can be erected and people move into them, those services must be in place: roads so that people can move around, water and sewer facilities, power and gas lines. A landing zone is the equivalent set of essential services for the different types of applications you will host on Azure. Applications with different requirements need different services and guardrails and will therefore live in different landing zones, much like zoning codes in a real city.

One of the significant shifts for a centralised IT organisation in this model is to move from providing all the infrastructure (the buildings people live in) to delivering the zoning guide (the guardrails within which other business units build their own infrastructure and applications).

What are the benefits?

One of the main benefits of the cloud is that you can scale resources up with demand, with practically no upper limit, and scale them down again just as easily. Like a light bulb that you switch on when you need it and off when you do not, paying only for the time it is on, you can start a VM, an IoT resource or any other resource when you need it and stop it when you do not. Azure also gives you something better than an on/off switch: think of a dimmer that is continuously adjusted as the daylight changes with the time of day or the clouds. In addition, there is practically no capital cost for IT in the cloud, because you are not buying hardware to build a data centre; everything is consumed on demand, based on need.

Enterprise-Scale landing Zones

The CAF enterprise-scale landing zone architecture represents the strategic design path and target technical state for the customer’s Azure environment. It will continue to evolve in lockstep with the Azure platform and is ultimately defined by the various design decisions the customer organisation must make to define their Azure journey.

Enterprise-scale Design Guidelines:

The following eight critical design areas help translate customer requirements into Azure constructs and capabilities, and address the mismatch between on-premises and cloud infrastructure design that typically creates dissonance and friction between the enterprise-scale definition and Azure adoption.

Decisions made within these critical areas reverberate across the enterprise-scale architecture and influence other decisions. Readers should familiarise themselves with the eight areas below to understand the consequences of the decisions they encompass, which may later produce trade-offs within related areas.

  • Enterprise Enrolment & Azure AD Tenants
  • Identity & Access Management
  • Management Group & Subscription Organization
  • Network Topology & Connectivity
  • Management & Monitoring
  • Business Continuity & Disaster Recovery
  • Security, Governance & Compliance
  • Platform Automation & DevOps

Infrastructure as code

Module wiki: Azure/terraform-azurerm-caf-enterprise-scale, https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki

Terraform Module for Cloud Adoption Framework Enterprise-scale


Example root module

main.tf

# Get the current client configuration from the AzureRM provider.
# This is used to populate the root_parent_id variable with the
# current Tenant ID used as the ID for the "Tenant Root Group"
# Management Group.
data "azurerm_client_config" "core" {}

# Declare the Terraform Module for Cloud Adoption Framework
# Enterprise-scale and provide a base configuration.
module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "1.1.3"

  # All three provider aliases point at the same default provider here,
  # so the connectivity and management resources land in the subscription
  # the deploying identity is logged in to. To keep them in dedicated
  # connectivity and management subscriptions, pass aliased azurerm
  # providers that carry their own subscription_id instead.
  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm
    azurerm.management   = azurerm
  }

  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = var.root_id
  root_name      = var.root_name

  deploy_connectivity_resources    = var.deploy_connectivity_resources
  subscription_id_connectivity     = data.azurerm_client_config.core.subscription_id
  configure_connectivity_resources = local.configure_connectivity_resources
}

[Figure: Deployed Management Groups]

terraform.tf

# Configure Terraform to set the required AzureRM provider
# version and features{} block.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 2.96.0"
    }
  }
}

provider "azurerm" {
  features {}
}

variables.tf

# Use variables to customize the deployment.
variable "root_id" {
  type    = string
  default = "myorg"
}

variable "root_name" {
  type    = string
  default = "My Organization"
}

variable "deploy_connectivity_resources" {
  type    = bool
  default = true
}

# The next two variables are not referenced by the main.tf shown above.
# In the module's wiki example they feed the management resources
# configuration (Log Analytics retention and the Defender for Cloud
# security contact e-mail).
variable "log_retention_in_days" {
  type    = number
  default = 50
}

variable "security_alerts_email_address" {
  type    = string
  default = "my_valid_security_contact@replace_me" # Replace this value with your own email address.
}

variable "connectivity_resources_location" {
  type    = string
  default = "uksouth"
}

variable "connectivity_resources_tags" {
  type = map(string)
  default = {
    demo_type = "deploy_connectivity_resources_custom"
  }
}

settings.connectivity.tf

# Configure the connectivity resources settings.
locals {
  configure_connectivity_resources = {
    settings = {
      hub_networks = [
        {
          enabled = true
          config = {
            address_space                = ["10.100.0.0/16"]
            location                     = "northeurope"
            link_to_ddos_protection_plan = true
            dns_servers                  = []
            bgp_community                = ""
            subnets                      = []
            virtual_network_gateway = {
              enabled = true
              config = {
                address_prefix           = "10.100.1.0/24"
                gateway_sku_expressroute = "ErGw2AZ"
                gateway_sku_vpn          = ""
              }
            }
            azure_firewall = {
              enabled = true
              config = {
                address_prefix   = "10.100.0.0/24"
                enable_dns_proxy = true
                availability_zones = {
                  zone_1 = true
                  zone_2 = true
                  zone_3 = true
                }
              }
            }
            spoke_virtual_network_resource_ids      = []
            enable_outbound_virtual_network_peering = true
          }
        },
        {
          enabled = true
          config = {
            address_space                = ["10.101.0.0/16"]
            location                     = "westeurope"
            link_to_ddos_protection_plan = true
            dns_servers                  = []
            bgp_community                = ""
            subnets                      = []
            virtual_network_gateway = {
              enabled = true
              config = {
                address_prefix           = "10.101.1.0/24"
                gateway_sku_expressroute = ""
                gateway_sku_vpn          = "VpnGw2AZ"
              }
            }
            # No Azure Firewall in this hub: spokes peered here get no
            # central egress inspection from the hub.
            azure_firewall = {
              enabled = false
              config = {
                address_prefix   = ""
                enable_dns_proxy = true
                availability_zones = {
                  zone_1 = true
                  zone_2 = true
                  zone_3 = true
                }
              }
            }
            spoke_virtual_network_resource_ids      = []
            enable_outbound_virtual_network_peering = true
          }
        },
      ]
      vwan_hub_networks = []
      ddos_protection_plan = {
        enabled = true
        config = {
          location = "northeurope"
        }
      }
      dns = {
        enabled = true
        config = {
          location = null
          enable_private_link_by_service = {
            azure_automation_webhook             = true
            azure_automation_dscandhybridworker  = true
            azure_sql_database_sqlserver         = true
            azure_synapse_analytics_sqlserver    = true
            azure_synapse_analytics_sql          = true
            storage_account_blob                 = true
            storage_account_table                = true
            storage_account_queue                = true
            storage_account_file                 = true
            storage_account_web                  = true
            azure_data_lake_file_system_gen2     = true
            azure_cosmos_db_sql                  = true
            azure_cosmos_db_mongodb              = true
            azure_cosmos_db_cassandra            = true
            azure_cosmos_db_gremlin              = true
            azure_cosmos_db_table                = true
            azure_database_for_postgresql_server = true
            azure_database_for_mysql_server      = true
            azure_database_for_mariadb_server    = true
            azure_key_vault                      = true
            azure_kubernetes_service_management  = true
            azure_search_service                 = true
            azure_container_registry             = true
            azure_app_configuration_stores       = true
            azure_backup                         = true
            azure_site_recovery                  = true
            azure_event_hubs_namespace           = true
            azure_service_bus_namespace          = true
            azure_iot_hub                        = true
            azure_relay_namespace                = true
            azure_event_grid_topic               = true
            azure_event_grid_domain              = true
            azure_web_apps_sites                 = true
            azure_machine_learning_workspace     = true
            signalr                              = true
            azure_monitor                        = true
            cognitive_services_account           = true
            azure_file_sync                      = true
            azure_data_factory                   = true
            azure_data_factory_portal            = true
            azure_cache_for_redis                = true
          }
          private_link_locations                                 = []
          public_dns_zones                                       = []
          private_dns_zones                                      = []
          enable_private_dns_zone_virtual_network_link_on_hubs   = true
          enable_private_dns_zone_virtual_network_link_on_spokes = true
        }
      }
    }
    location = var.connectivity_resources_location
    tags     = var.connectivity_resources_tags
    advanced = null
  }
}

Source: "[Examples] Deploy Connectivity Resources With Custom Settings" in the module wiki, https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki
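Before applying the connectivity settings above it is worth checking the hub addressing offline: an AzureFirewallSubnet or GatewaySubnet that falls outside the hub address space or is too small only fails at apply time, and two hubs with overlapping address spaces cannot be routed between. The following Python script is an added example, not code from the original article or from the Azure/caf-enterprise-scale module. It mirrors the two hub_networks entries from settings.connectivity.tf as plain data (constructed here, not parsed from HCL) and validates them with the standard library. The /26 and /27 minimums are this checker's assumptions, taken from the Azure documentation for AzureFirewallSubnet and GatewaySubnet. It also flags the second hub's disabled Azure Firewall, since spokes peered to that hub get no central egress inspection.

```python
"""Pre-apply sanity check for hub network addressing.

Added example, not part of the original article or of the
Azure/caf-enterprise-scale module. HUB_NETWORKS is a hand-built mirror
of the hub_networks list from settings.connectivity.tf.
"""
from ipaddress import ip_network

# Assumptions taken from the Azure docs: AzureFirewallSubnet needs at least
# a /26 and GatewaySubnet at least a /27. Adjust if your requirements differ.
MIN_FIREWALL_PREFIX = 26
MIN_GATEWAY_PREFIX = 27

# Constructed mirror of the two hubs defined in settings.connectivity.tf.
HUB_NETWORKS = [
    {
        "location": "northeurope",
        "address_space": ["10.100.0.0/16"],
        "gateway": {"enabled": True, "address_prefix": "10.100.1.0/24"},
        "firewall": {"enabled": True, "address_prefix": "10.100.0.0/24"},
    },
    {
        "location": "westeurope",
        "address_space": ["10.101.0.0/16"],
        "gateway": {"enabled": True, "address_prefix": "10.101.1.0/24"},
        "firewall": {"enabled": False, "address_prefix": ""},
    },
]


def check_hub(hub):
    """Return a list of findings for one hub; an empty list means it passes."""
    findings = []
    loc = hub["location"]
    spaces = [ip_network(s) for s in hub["address_space"]]
    carved = []  # (subnet name, network) pairs, checked for mutual overlap below

    for name, key, min_prefix in (
        ("GatewaySubnet", "gateway", MIN_GATEWAY_PREFIX),
        ("AzureFirewallSubnet", "firewall", MIN_FIREWALL_PREFIX),
    ):
        block = hub[key]
        if not block["enabled"]:
            if key == "firewall":
                # Security caveat rather than an addressing error: with no hub
                # firewall, spoke egress through this hub is not inspected.
                findings.append(f"{loc}: Azure Firewall disabled, spoke egress is not inspected")
            continue
        try:
            net = ip_network(block["address_prefix"])
        except ValueError:
            findings.append(f"{loc}: {name} has an invalid prefix {block['address_prefix']!r}")
            continue
        # The subnet must be carved out of one of the hub's address ranges.
        if not any(net.subnet_of(space) for space in spaces):
            findings.append(f"{loc}: {name} {net} is outside the hub address space")
        # A larger prefix length means a smaller subnet.
        if net.prefixlen > min_prefix:
            findings.append(f"{loc}: {name} {net} is smaller than the required /{min_prefix}")
        carved.append((name, net))

    # Gateway and firewall subnets must not overlap each other.
    for i, (name_a, net_a) in enumerate(carved):
        for name_b, net_b in carved[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{loc}: {name_a} {net_a} overlaps {name_b} {net_b}")
    return findings


def check_hubs(hubs):
    """Check every hub, then check that no two hubs share address space."""
    findings = []
    for hub in hubs:
        findings.extend(check_hub(hub))
    for i, hub_a in enumerate(hubs):
        for hub_b in hubs[i + 1:]:
            for a in hub_a["address_space"]:
                for b in hub_b["address_space"]:
                    if ip_network(a).overlaps(ip_network(b)):
                        findings.append(
                            f"{hub_a['location']} {a} overlaps {hub_b['location']} {b}"
                        )
    return findings


if __name__ == "__main__":
    for line in check_hubs(HUB_NETWORKS) or ["no findings"]:
        print(line)
```

Run against the configuration on this page it reports a single finding, the disabled firewall in the westeurope hub; the addressing itself is consistent. Edit HUB_NETWORKS to match your own settings.connectivity.tf, or wire the check into the pipeline step that runs before terraform apply.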

The following resource types are deployed and managed by this module when using the core capabilities:

Azure Resource                 | Resource Type                                       | Terraform Resource
Management Groups              | Microsoft.Management/managementGroups               | azurerm_management_group
Management Group Subscriptions | Microsoft.Management/managementGroups/subscriptions | azurerm_management_group
Policy Assignments             | Microsoft.Authorization/policyAssignments           | azurerm_policy_assignment
Policy Definitions             | Microsoft.Authorization/policyDefinitions           | azurerm_policy_definition
Policy Set Definitions         | Microsoft.Authorization/policySetDefinitions        | azurerm_policy_set_definition
Role Assignments               | Microsoft.Authorization/roleAssignments             | azurerm_role_assignment
Role Definitions               | Microsoft.Authorization/roleDefinitions             | azurerm_role_definition

The exact number of resources created depends on the module configuration, but you can expect upwards of 180 resources to be created by this module for a default installation based on the example root module shown above.
