How to Implement an Azure Landing Zone Using the Microsoft Cloud Adoption Framework (CAF) — Part 1

Hai Nguyen
Published in The Factory
5 min read, Mar 5, 2021

A brief introduction of the architecture of an Azure Landing Zone

Part 1 — Azure Landing Zone Architecture
Part 2 — Azure Landing Zone Level 0 — Launchpad
Part 3 — Azure Landing Zone DevOps agent and CI/CD pipeline
Part 4 — Azure Landing Zone Level 1
Part 5 — Azure Landing Zone Level 2

Introduction

In our previous blog, Enterprise-scale cloud architecture with Azure Landing Zones, Vincent covered what a Landing Zone is and why you should use one. Now that we have covered the why, let's get into how to actually build and implement an Azure Landing Zone. In this series of blogs, we will show you how we helped one of our clients implement a Landing Zone using the Microsoft open source project CAF Terraform modules.

In this first blog of the series, we will cover:

  • Understanding the architecture of a Landing Zone
  • The Landing Zone in code
  • CI/CD pipeline with Rover
  • The different Architecture Levels of the Landing Zone

Understanding the architecture of a Landing Zone

To begin with the burning question you probably have: where do I start? First, we need a general idea of the components within an Azure Landing Zone.

In a nutshell, a Landing Zone is an environment for hosting your cloud workloads, pre-provisioned through code. It is founded on the Microsoft Cloud Adoption Framework and consists of two main components:

  • Definition of the Landing Zone in code
  • CI/CD pipelines that automate the deployment of changes to the Landing Zone. For our customer, we chose Azure DevOps both as the git repository and as the platform that runs the pipelines deploying Landing Zone resources to Azure.

The Landing Zone in code

The underlying infrastructure of the Landing Zone is built on two Terraform modules:

caf_azurerm contains the definition of all Azure resources you can create within an Azure Landing Zone. It takes variables as input for the configuration and deploys resources accordingly. caf_azurerm also uses azurecaf_name (the naming resource of the azurecaf Terraform provider) to give every resource a consistent, CAF-compliant name. In addition, caf_azurerm has a tag inheritance system that makes sure all resources are tagged correctly, which matters for cost allocation, ownership and policy scoping.

The module is still in active development, so there are limitations on which resources it can create, but it is already a good basis for all Azure resource deployment and management and will improve over time.
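To make the naming and tagging behaviour concrete, here is an added example written for this page, not code taken from the caf_azurerm module: it uses the azurecaf_name resource directly and plain Terraform merge() to reproduce the two mechanisms the module builds on. The variable values, resource names and region are made-up placeholders.

```hcl
terraform {
  required_providers {
    azurecaf = {
      source = "aztfmod/azurecaf"
    }
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

provider "azurerm" {
  features {}
}

# Hypothetical inputs standing in for the landing-zone configuration files.
variable "environment" {
  default = "prod"
}

variable "tags" {
  description = "Tags defined once at landing-zone level and inherited by every resource."
  default = {
    owner       = "platform-team"
    environment = "prod"
    cost_center = "cc-1234"
  }
}

# Central naming: azurecaf_name inserts the CAF slug for the resource type
# (rg, kv, ...) and validates the result against Azure's naming rules for
# that type, so every landing zone produces names of the same shape.
resource "azurecaf_name" "rg" {
  name          = "shared-services"
  resource_type = "azurerm_resource_group"
  prefixes      = [var.environment]
  random_length = 0
  clean_input   = true
}

resource "azurecaf_name" "kv" {
  name          = "secrets"
  resource_type = "azurerm_key_vault"
  prefixes      = [var.environment]
  random_length = 3 # key vault names are global; a random suffix avoids collisions
  clean_input   = true
}

resource "azurerm_resource_group" "rg" {
  name     = azurecaf_name.rg.result
  location = "westeurope" # placeholder region
  tags     = var.tags
}

data "azurerm_client_config" "current" {}

# Tag inheritance: landing-zone tags come first and resource-specific tags
# extend or override them, because the later map wins in merge().
resource "azurerm_key_vault" "kv" {
  name                = azurecaf_name.kv.result
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  enable_rbac_authorization  = true # RBAC instead of vault access policies
  soft_delete_retention_days = 90
  purge_protection_enabled   = true # a compromised pipeline cannot permanently delete secrets

  tags = merge(var.tags, {
    workload = "launchpad"
  })
}
```

Because the tags live in one variable, a missing or wrong tag is fixed in one place and propagates on the next apply; the same applies to a naming convention change, which only touches the azurecaf_name resources.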

The second module, caf-enterprise-scale, contains the components you need to manage Azure at an organizational level: management groups, subscriptions, access controls, policy definitions, policy assignments, roles and role assignments. It gives you a central, bird's-eye view of your Azure organization. Using this module you can organize your Azure resources and permissions correctly and put guardrails in place, enforced by Azure Policy and RBAC, that limit what an attacker can do if a single subscription or identity is compromised.

CI/CD pipeline with Rover

The pipeline is where you deploy all your Landing Zone levels, with the help of Rover and the agents deployed in level 0. We will dedicate a separate blog to showing you how.

Pipeline Example

So, what is Rover?

If caf_azurerm and caf-enterprise-scale are the Lego bricks to build the Landing Zone, then Rover is the glue that binds them together. Rover makes it easier to develop your Landing Zone locally and helps you create a proper CI/CD pipeline to deploy it to Azure.

Using Rover for local development and pipeline deployment

In short, Rover is a container image that contains the Terraform binary and all other scripts needed to deploy the Landing Zone modules to Azure. Rover takes the Landing Zone configuration you defined and deploys the Azure resources with the credentials you provide (a logged-in Azure CLI session when developing locally, or a managed identity or service principal on a pipeline agent). In addition, it manages the tfstate files in centralized storage accounts, so that state never lives on a developer's laptop or an agent's disk. Treat those storage accounts as sensitive: Terraform state contains resource IDs and often secrets in plaintext, so access to the state containers must be restricted as tightly as access to the resources themselves.

Rover is developed and maintained alongside caf_azurerm and caf-enterprise-scale under the aztfmod organization on GitHub. Using mutually compatible versions of all three is critical for a smooth development and deployment process, so pin the Rover image tag and the module versions together rather than tracking the latest of each.
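Rover writes the backend configuration for you, but it helps to see what that configuration amounts to. The following is an added example, not Rover's generated output: a Terraform azurerm backend for a level-1 landing zone that authenticates to the state container with the agent's managed identity, and a terraform_remote_state data source that reads the level-0 state the same way. All names, GUIDs and the keyvault_id output are placeholders.

```hcl
terraform {
  required_version = ">= 0.13"

  # Remote state for a level-1 landing zone. Values are hypothetical; Rover
  # derives the real ones from the launchpad it finds in the subscription.
  backend "azurerm" {
    resource_group_name  = "rg-launchpad-tfstates"
    storage_account_name = "stlaunchpadlevel1"
    container_name       = "tfstate"
    key                  = "caf_foundations.tfstate"

    # Authenticate to the state container with the pipeline's Azure AD
    # identity instead of a storage account key. The account key grants
    # full access to every container and never expires; the identity's
    # access is an RBAC role assignment that can be scoped and revoked.
    use_azuread_auth = true
    use_msi          = true
    subscription_id  = "00000000-0000-0000-0000-000000000000" # placeholder
    tenant_id        = "00000000-0000-0000-0000-000000000000" # placeholder
  }
}

# A level-1 landing zone reads outputs of level 0 (for example the key vault
# holding pipeline secrets) from the lower level's state. This is a plain
# blob read, so the level-1 identity needs only Storage Blob Data Reader on
# the level-0 account, never write access to it.
data "terraform_remote_state" "level0" {
  backend = "azurerm"
  config = {
    resource_group_name  = "rg-launchpad-tfstates"
    storage_account_name = "stlaunchpadlevel0"
    container_name       = "tfstate"
    key                  = "caf_launchpad.tfstate"
    use_azuread_auth     = true
    use_msi              = true
    subscription_id      = "00000000-0000-0000-0000-000000000000" # placeholder
    tenant_id            = "00000000-0000-0000-0000-000000000000" # placeholder
  }
}

# keyvault_id is a hypothetical output name of the level-0 state.
output "launchpad_keyvault_id" {
  value = data.terraform_remote_state.level0.outputs.keyvault_id
}
```

The backend uses blob leases to lock the state while it writes, so the identity that applies a level needs Storage Blob Data Owner on that level's own state account when it authenticates with Azure AD; consumers of the state, as in the data source above, need the Reader role only.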

The different Architecture Levels of the Landing Zone

The Landing Zone consists of five levels, numbered 0 to 4, as shown below:

Landing Zone Hierarchy

For our customer, we implemented the first three levels (0, 1 and 2), which we will cover in this series of blogs. These three levels form the core of the Landing Zone and give your organization what it needs to expand its use of Azure further.

Level 0

Level 0 is the bootstrap of the Landing Zone. It contains the bare-bones components needed to deploy further infrastructure. In our level 0, we deploy a Launchpad that includes the following resources:

  • Storage accounts, one per level, that hold the Terraform tfstate files
  • Key Vaults for the secrets that the CI/CD pipeline agents use
  • A Virtual Network with a subnet for the agents of each level
  • Managed identities and role assignments for the agents of each level, so that each agent holds only the permissions its level needs

In addition, level 0 is also where you deploy the Azure DevOps agents. They run the automated deployments for the next infrastructure levels using the Rover container.
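To show how the launchpad's state storage and per-level identities fit together, here is an added Terraform example written for this page (not the caf_launchpad code): one state storage account and one managed identity per level, with role assignments that let each level's agent write only its own state and read the state of the levels below it. The virtual network and key vault from the list above are left out, and all names are placeholders.

```hcl
# Hypothetical launchpad: one state account per level, one agent identity
# per level, and role assignments that implement "write your own level,
# read the levels below".
locals {
  levels   = ["level0", "level1", "level2"]
  location = "westeurope" # placeholder region
}

resource "azurerm_resource_group" "launchpad" {
  name     = "rg-launchpad"
  location = local.location
}

resource "azurerm_storage_account" "tfstate" {
  for_each = toset(local.levels)

  # Storage account names are global; a real deployment adds a unique suffix.
  name                     = "stcaftfstate${each.key}"
  resource_group_name      = azurerm_resource_group.launchpad.name
  location                 = local.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  min_tls_version          = "TLS1_2"
  # Named allow_blob_public_access in azurerm 2.x.
  allow_nested_items_to_be_public = false

  blob_properties {
    versioning_enabled = true # every state write stays recoverable
    delete_retention_policy {
      days = 30
    }
  }
}

resource "azurerm_storage_container" "tfstate" {
  for_each = toset(local.levels)

  name                  = "tfstate"
  storage_account_name  = azurerm_storage_account.tfstate[each.key].name
  container_access_type = "private"
}

resource "azurerm_user_assigned_identity" "agent" {
  for_each = toset(local.levels)

  name                = "id-agent-${each.key}"
  resource_group_name = azurerm_resource_group.launchpad.name
  location            = local.location
}

# Writer on its own level's state account. Terraform's azurerm backend needs
# Storage Blob Data Owner when it authenticates with Azure AD because it
# takes blob leases to lock the state during apply.
resource "azurerm_role_assignment" "state_owner" {
  for_each = toset(local.levels)

  scope                = azurerm_storage_account.tfstate[each.key].id
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = azurerm_user_assigned_identity.agent[each.key].principal_id
  # The identity was created moments ago and may not have replicated yet.
  skip_service_principal_aad_check = true
}

# Every (reader, lower level) pair: level0 reads nothing, level1 reads
# level0, level2 reads level0 and level1.
locals {
  read_pairs = flatten([
    for i, lvl in local.levels : [
      for lower in slice(local.levels, 0, i) : {
        reader = lvl
        target = lower
      }
    ]
  ])
}

# Reader on every lower level, so a level can consume lower-level outputs
# through terraform_remote_state but can never modify them.
resource "azurerm_role_assignment" "state_reader" {
  for_each = { for p in local.read_pairs : "${p.reader}-${p.target}" => p }

  scope                = azurerm_storage_account.tfstate[each.value.target].id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_user_assigned_identity.agent[each.value.reader].principal_id
  skip_service_principal_aad_check = true
}
```

The point of the split is blast radius: an agent that deploys a level-2 workload network holds a level-2 identity, and even if that agent is compromised it cannot rewrite the level-0 or level-1 state and thereby tamper with the launchpad or the management-group hierarchy.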

Level 1

This is where the caf-enterprise-scale module is used to deploy the organizational hierarchy, policy definitions and policy assignments.

This level is also where you deploy resource components such as Log Analytics workspaces or Azure Sentinel, in order to manage security from an organizational perspective.
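As an added illustration of what the caf-enterprise-scale module described earlier deploys at level 1, here is a hand-written Terraform example (not the module's own code) that creates a small management-group hierarchy with the plain azurerm provider, assigns the built-in Allowed locations policy at the top of it, and defines a scoped custom role for the level-1 pipeline identity. The management-group names, regions and role name are hypothetical.

```hcl
data "azurerm_client_config" "current" {}

# Hypothetical tree: Tenant Root -> Contoso -> Platform / Landing Zones.
resource "azurerm_management_group" "root" {
  display_name = "Contoso"
  name         = "contoso"
}

resource "azurerm_management_group" "platform" {
  display_name               = "Platform"
  name                       = "contoso-platform"
  parent_management_group_id = azurerm_management_group.root.id
}

resource "azurerm_management_group" "landingzones" {
  display_name               = "Landing Zones"
  name                       = "contoso-landingzones"
  parent_management_group_id = azurerm_management_group.root.id
  # Moves the current subscription under the Landing Zones group.
  subscription_ids = [data.azurerm_client_config.current.subscription_id]
}

# Resolve the built-in policy by display name instead of hard-coding its GUID.
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

# Guardrail assigned at the top of the tree: every child management group
# and subscription inherits it, and a subscription owner cannot remove it
# because the assignment lives above their scope.
resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations"
  management_group_id  = azurerm_management_group.root.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  display_name         = "Restrict deployments to approved regions"
  enforce              = true

  parameters = jsonencode({
    listOfAllowedLocations = {
      value = ["westeurope", "northeurope"] # placeholder regions
    }
  })
}

# Custom role for the level-1 pipeline identity: an explicit allow-list of
# the actions level 1 performs, rather than Contributor or Owner at the root.
# It can manage management groups and policy, but not role assignments, so a
# compromised level-1 agent cannot grant itself or anyone else Owner.
resource "azurerm_role_definition" "mg_contributor" {
  name  = "contoso-mg-contributor"
  scope = azurerm_management_group.root.id

  permissions {
    actions = [
      "Microsoft.Management/managementGroups/*",
      "Microsoft.Authorization/policyDefinitions/*",
      "Microsoft.Authorization/policySetDefinitions/*",
      "Microsoft.Authorization/policyAssignments/*",
    ]
  }

  assignable_scopes = [azurerm_management_group.root.id]
}
```

When you later attach a Log Analytics workspace or Azure Sentinel at this level, the same mechanism applies: a policy assigned at the root can require diagnostic settings on every subscription beneath it, so new workloads are monitored by default rather than by convention.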

Level 2

This is where you deploy your network topology, such as Azure Virtual WAN (VWAN), establish a site-to-site connection to your on-premises network, and deploy shared services if needed. In this blog series, we will only cover the VWAN network topology that we deployed for our customer.

Level 3 and Level 4

Levels three and four are where you deploy your actual applications and services. This blog series focuses on the first three levels, so levels 3 and 4 are out of scope for now.

Conclusion

An Azure Landing Zone has many complex components and is therefore a lot to take in. Hopefully, by the end of this blog series, you will have a better understanding of how to implement a Landing Zone that suits your organization's needs. Stick with us for the next blogs in the series, in which we will walk you through each level of the Landing Zone. If you need more advice or help getting your Landing Zone up and running, we at The Factory can help you get started in no time.

Next blog: a deep dive into Level 0, getting started with Landing Zone development and deploying the Launchpad and Azure DevOps agents to your Azure infrastructure.