Azure Landing Zone Vending — Part 1

Matthew Greenham
SpareBank 1 Utvikling
5 min read · Oct 31, 2023

Introduction

This blog post is the first of a 3-part series where we explain the concept of Azure Landing Zone vending, and how we have implemented this in SpareBank 1.

Part 1: The Holy Grail?

If you have been working with Azure as long as I have (Classic portal, anyone!?), then you will remember that for a long time, Microsoft’s recommended architecture was an all-encompassing Azure Subscription per environment (dev, test, prod and so on). The logical workload boundary and unit of scale was the resource group. This was doable, but it brought a number of inherent problems that traditionally had to be fixed by the platform team, access control being perhaps the most obvious. However, in 2020 Microsoft launched the first full Cloud Adoption Framework guidelines, and this, together with the Azure Landing Zones reference architecture (originally called Enterprise Scale Landing Zones) that came out in its current version in 2021, completely changed all this. The best practice became to use the Azure subscription itself as the workload boundary and unit of scale. From this point on, an Azure Subscription is referred to as a Landing Zone in the context of this model.

This brings numerous advantages and simplifies things, certainly in small environments... but for larger organizations, it potentially increases the danger of subscription sprawl and an inability to keep control and oversight. Like most things with the cloud, the only way to control this over time is to do everything in code, and to automate and standardize as much as possible. These things are great of course, but if you’re really going to push adoption, lower the barriers to entry and open up Azure for everyone, then you need to take things up a level.

The Vending Machine

The vending machine concept is the next level (and holy grail?) for Azure platform teams because it means that the creation of Landing Zones becomes fully automated, just like a vending machine, and as such adheres to the inherent characteristics of one: self-service, automated, quick, convenient and always available. The first known reference to a vending machine is nearly 2000 years old, so this is not a new concept, but it is new in the world of Azure Landing Zones. Microsoft have only quite recently included this in the Cloud Adoption Framework under platform automation and DevOps (March 2023):

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/subscription-vending

Why do this?

As cool as this concept is, it’s not straightforward and needs a lot of engineering, both to create it and, not least, to keep it updated over time. However, there are some key and very sizable benefits to this approach:

Improved speed, and time to market

20 minutes from ordering a Landing Zone to availability in the portal. Fully built in code, fully automated, and ready to use. That’s always been our goal. It’s an ambitious target, but we are edging ever closer. We believe that this will drive innovation and time to market. We had a meeting with a large multinational company a while ago, and they had somehow created such a complex manual structure that it took many weeks before a Landing Zone was provisioned! Not exactly Agile.

Streamlined process

With such a quick and simple process, it’s easy to sell this in as a first step for any team that needs to start innovating and creating in Azure. A single place to order Landing Zones that are then provisioned automatically means reduced friction and fewer on-boarding problems. We also have a specific requirement to deliver to different banks in their own tenants. These banks can also have their own processes and routines. As such, a complete solution, from front end to Landing Zone delivery, simplifies the experience for everyone.

Full automation is efficient

Once automation is in place, this process becomes extremely efficient. Everyone benefits from this: the cloud platform team, the developers, as well as the security and compliance teams. This frees up time that can be spent on more value-added tasks.

Quality and control

Automation is a no-brainer when it comes to improved quality. People make mistakes, whilst an automated process is correct every time (assuming it is engineered correctly!). By using an automated process, governance and compliance needs are easier to meet too. No settings or steps are forgotten in the provisioning process, and all configuration is pre-defined and approved in advance.

The Negatives

There is, of course, a question of whether this unfettered democratization of Landing Zone creation is a good idea in an enterprise setting. You can hear the CFO now: “What!? Anyone can just get a Landing Zone and start creating resources and spending money!?”

Well, of course there should be controls in place (FinOps and people processes) to handle this problem, and it’s very possible to build in guardrails or approval processes if required. But the point is that you don’t want the provisioning of a Landing Zone to slow down innovation... the cloud team shouldn’t be the weakest link in the chain.

There is also the question of the cost and complexity of creating such a system. If you’re only creating a few Landing Zones per year, then the effort to establish a vending solution probably won’t be worth the investment.

In Summary

We have developed our own vending solution based on the needs we have in the SpareBank 1 Alliance. Our solution is more complex than a standard vending solution would typically need to be, not least because the SpareBank 1 Alliance is multi-tenant, and we have a distributed ownership and operations model. We need to deliver Landing Zones across the whole environment (it’s easiest to think of us as a cloud service provider, providing shared services and economies of scale), which means that all elements of the vending solution need to take this into account.

The complexity is huge, and we have used a good amount of time and energy on this. However, like most organisations at the moment, we are ramping up migration and modernisation to the cloud, and we expect Landing Zones to be provisioned regularly and often. With this in mind, and together with the demanding technical landscape, we feel that this was not a nice-to-have solution, but one that is absolutely necessary for SpareBank 1.

Further Reading

In the next two blog posts you will see how we have achieved the vending machine using Microsoft native tooling. The first post will go into the no-code / low-code front end: which data we need to collect, how we do that, and which tools we have used to achieve this. The final post will lift the lid on our Landing Zone pipelines, and how we provision across all tenants in an effective way.

Watch this space…