
Deploying Azure Landing Zones with Terraform is a crucial step in establishing a secure and scalable cloud environment.
Terraform provides a consistent and repeatable way to deploy Azure resources, including Azure Landing Zones, through its AzureRM provider.
With Terraform, you can create a Landing Zone in just a few minutes by defining the necessary resources and configurations in a Terraform configuration file.
This approach enables you to quickly provision a secure and compliant Azure environment that meets your organization's requirements.
Azure Landing Zones
Azure Landing Zones provide a well-managed foundation for teams to run their workloads. They offer a standard set of resources and configurations for security, governance, and compliance.
Azure Landing Zones address the needs of enterprise-scale organizations: multiple subscriptions, separation of duties, and a well-defined resource hierarchy. This is especially important for organizations that manage many subscriptions.
The standard set of security, governance, and compliance resources and configurations included in Azure Landing Zones helps ensure that workloads meet regulatory requirements.
Azure Landing Zones provide scalability, which allows for easy expansion and adaptation as your cloud footprint grows. They also provide operational efficiency by reducing the complexity and operational overhead associated with managing multiple cloud environments.
The key benefits of Azure Landing Zones include scalability, security and compliance, operational efficiency, and integration and connectivity. Here are some of the specific benefits in more detail:
- Scalability: Azure Landing Zones are designed to scale with your organization's needs.
- Security and compliance: Built-in security controls and compliance policies protect workloads and ensure they meet regulatory requirements.
- Operational efficiency: Azure Landing Zones provide a standardized environment, which reduces the complexity and operational overhead associated with managing multiple cloud environments.
- Integration and connectivity: Resources for management and connectivity landing zones provide integration between resources, improved user experience, and assured policy compliance.
Benefits and Importance
Using the Azure landing zones Terraform module can bring numerous benefits to your organization. It provides a managed and extensible core resource hierarchy for subscription organization through management groups.
The module allows for scalable security governance and compliance through Azure identity and access management (IAM) controls, with an extensive library of custom definitions ready to assign. This ensures consistent security and compliance practices across your entire Azure tenant.
Deploying the module from the Terraform Registry provides several advantages, including an accelerated delivery of Azure landing zones in your environment and a tested upgrade path to the latest version of the module.
The module is verified by HashiCorp and is published to the official Terraform Registry, ensuring its quality and reliability.
Here are some of the key benefits of using the Azure landing zones Terraform module:
- Managed and extensible core resource hierarchy for subscription organization through management groups
- Scalable security governance and compliance through Azure identity and access management (IAM) controls
- Enforcement of policy across subscriptions through management group inheritance
- Managed resources for management and connectivity landing zones
By using Terraform, you can also scale and standardize complex resources, including IAM controls, policy enforcement, and managed resources. This simplifies the management of resources for connectivity landing zones, providing better integration, improved user experience, and assured policy compliance.
Design and Architecture
The Azure landing zone Terraform module provides an opinionated approach to deploy and operate an Azure platform based on the Azure landing zone conceptual architecture as detailed in the Cloud Adoption Framework (CAF).
The module takes advantage of Terraform's configurable nature and is composed of a primary orchestration module that encapsulates multiple capabilities of the Azure landing zone conceptual architecture.
You can deploy each capability individually or in part, such as just a hub network or just the DDoS protection plan, but keep in mind that the capabilities have dependencies.
The architecture utilizes an orchestrator approach to simplify the deployment experience, allowing you to implement each capability using one or more dedicated module instances where each is dedicated to a specific part of the architecture.
Design

The design of Azure landing zones is crucial to ensure a successful deployment. It's based on the Azure landing zone conceptual architecture as detailed in the Cloud Adoption Framework (CAF).
You can choose from several deployment technologies, including portal-based, ARM templates, and Terraform modules. The choice of deployment technology shouldn't influence the resulting Azure landing zones deployment.
The architecture takes advantage of Terraform's configurable nature and is composed of a primary orchestration module. This module encapsulates multiple capabilities of the Azure landing zones conceptual architecture.
You can deploy each capability individually or in part, such as just a hub network or just the DDoS protection plan. However, you need to consider the dependencies between capabilities.
The architecture utilizes an orchestrator approach to simplify the deployment experience. You can also implement each capability using one or more dedicated module instances, where each is dedicated to a specific part of the architecture.
Layers and Staging
The design of the Azure landing zone is centered around a central resource hierarchy, which is divided into four key capabilities: core resources, management resources, connectivity resources, and identity resources. These capabilities are grouped together because they are intended to be deployed at the same time.
Core resources are a crucial part of the implementation, and they form the foundation of the Azure landing zone. Management resources, on the other hand, are used to manage and monitor the core resources.
Connectivity resources enable communication between different parts of the environment, while identity resources are used to manage access and permissions. By grouping these resources into capabilities, you can control the deployment of each one using feature flags.
A benefit of this approach is the ability to add to your environment incrementally over time. For example, you can start with a small number of capabilities and add the remaining ones at a later stage when you're ready.
Here are the four capabilities that make up the central resource hierarchy of the Azure landing zone:
- Core resources
- Management resources
- Connectivity resources
- Identity resources
Hub and Spoke Topology
In a hub and spoke topology, you can deploy one or more hub networks based on the traditional Azure networking topology. This setup is great for managing multiple spoke networks from a central hub.
The module configures the networking hub and dependent resources for the connectivity subscription. However, users still need to initiate peering from spoke to hub due to limitations in how the AzureRM provider targets a specific subscription for deployment.
Deploying resources based on a traditional Azure networking topology (hub and spoke) involves deploying and managing several resource types. For the full list, and for more information about how to use this capability, see the Deploy Connectivity Resources wiki page.
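Because the module configures only the hub side, the spoke-to-hub peering is the user's responsibility. The following is an added example, not code from the module or from the sources listed below: the spoke side of that peering, applied with an aliased provider for the spoke subscription. The spoke subscription ID, the hub VNet resource ID (which you would take from the module's Virtual Network outputs) and the spoke address space are assumptions.

```hcl
# Aliased provider for the spoke subscription (assumed input).
provider "azurerm" {
  alias           = "spoke"
  subscription_id = var.subscription_id_spoke
  features {}
}

variable "subscription_id_spoke" { type = string }
# Resource ID of the hub VNet created by the landing zone module (assumed input).
variable "hub_virtual_network_id" { type = string }

resource "azurerm_resource_group" "spoke" {
  provider = azurerm.spoke
  name     = "rg-spoke-app1" # constructed name
  location = "eastus"
}

resource "azurerm_virtual_network" "spoke" {
  provider            = azurerm.spoke
  name                = "vnet-spoke-app1" # constructed name
  location            = azurerm_resource_group.spoke.location
  resource_group_name = azurerm_resource_group.spoke.name
  address_space       = ["10.110.0.0/16"] # constructed; must not overlap the hub
}

# Spoke -> hub peering. The hub -> spoke direction is configured through the
# module's connectivity settings, so only this half is created here.
resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  provider                     = azurerm.spoke
  name                         = "peer-spoke-app1-to-hub"
  resource_group_name          = azurerm_resource_group.spoke.name
  virtual_network_name         = azurerm_virtual_network.spoke.name
  remote_virtual_network_id    = var.hub_virtual_network_id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true  # needed when a hub firewall/NVA forwards traffic
  allow_gateway_transit        = false # the spoke does not offer a gateway
  use_remote_gateways          = false # set to true only once the hub has a VPN/ER gateway
}
```

Peering only becomes Connected when both halves exist, so verify the hub side in the connectivity subscription after applying this.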
Resource Deployment
The Azure landing zone Terraform module makes it easier to build and enforce consistency across the Azure platform when operating at scale. By packaging these capabilities into a single Terraform module, you can deploy sets of resources that align with critical design areas in Azure landing zones.
These resources include core resources, management resources, connectivity resources, and identity resources. Each of these categories aligns with a specific design area in the Cloud Adoption Framework.
To deploy these resources across multiple subscriptions, pass aliased AzureRM provider configurations to the module block through its providers argument. This makes it easier to manage and maintain your Azure resources.
The exact number of resources created by the module depends on the module configuration. For a default configuration, you can expect the module to create approximately 180 resources.
By using the Azure landing zone Terraform module, you can ensure consistency and scalability in your Azure resources, making it easier to manage and maintain your cloud infrastructure.
Configuration and Customization
The Azure landing zone Terraform module is highly customizable to meet specific business needs. You can use it as the basis of your customized deployment to accelerate your implementation.
The module provides options to make changes to existing resources, and you can configure it to your needs by following the GitHub repo wiki. Note that some capabilities, such as the identity capability, only configure policy and deploy no resources of their own.
To deploy management resources, you must set the deploy_management_resources variable to true and the subscription_id_management variable to the ID of the management subscription where the resources are to be deployed.
Required Inputs
To set up your Azure environment, you'll need to specify the Azure region where region-bound resources will be deployed. This is done by entering a valid string, such as "eastus", which can be found on the Azure global infrastructure page.
The Azure region you choose will determine where your resources are deployed, so it's essential to select one that meets your needs. For example, if you need to deploy resources in the East US region, you would enter "eastus" in the required input field.
To set the root for all Landing Zone deployments, you'll need to specify the root_parent_id. This is usually the Tenant ID when deploying the core Enterprise-scale Landing Zones.
Configuring Changes
To make changes to the configuration, read through the module's documentation to deploy the landing zone exactly how you would like. This will ensure that you're not using the default configuration, which is unlikely to be suitable for a production workload.

The module's documentation provides extensive examples, including deploying connectivity resources, custom policies, and identity resources. These examples can be used as a starting point for your customized deployment.
To deploy connectivity resources, refer to the Deploy Connectivity Resources section, which provides guidance on how to deploy these topologies. This will help you configure the resources that are necessary for your specific use case.
To make changes to existing resources, you can use the Azure landing zones Terraform module as the basis of your customized deployment. This module provides a way to accelerate your implementation by removing the need to start from scratch.
To deploy the identity capability, set the deploy_identity_resources variable to true and specify the ID of the identity subscription where the policies are to be configured. This will ensure that the identity resources are deployed correctly.
The identity capability deploys no resources of its own: it configures Azure Policy assignments that protect resources in the identity platform landing zone subscription.
DNS
DNS is a crucial part of any network setup, and Azure makes it easy to manage with its Private DNS zones.
The module can deploy Private DNS zones to support Private Endpoints and link them to hub and/or spoke Virtual Networks.
You can also deploy user-specified public and private DNS zones as needed.
Depending on the configuration, the module deploys and manages the following resource types:
- Resource Groups
- DNS Zones
- Private DNS Zones
- Private DNS Zone Virtual Network Links
Security and Protection
Security and Protection is a top priority when setting up an Azure Landing Zone Terraform module. The module can optionally deploy DDoS Network Protection to link Virtual Networks, but it's only available for traditional virtual networks due to platform limitations.
To increase protection of your Azure platform, the Azure landing zones guidance recommends enabling DDoS Network Protection. However, this capability is disabled in the Azure landing zones Terraform module for non-production and MVP deployments due to the associated cost.
In production environments, enabling DDoS Network Protection is strongly recommended. As part of this capability, the module deploys and manages the following resource types:
- Resource Groups
- DDoS Protection plans
Identity
Identity is a core aspect of security and protection. The module provides an option to configure policies relating to the identity and access management landing zone.
To configure policies, you can use the configure_identity_resources input variable, which doesn't deploy any resources. This capability aligns to the Azure identity and access management design area of the Cloud Adoption Framework.
When the deploy_identity_resources variable is set to true, Azure Policy assignments are configured to protect resources in the identity platform landing zone subscription, ensuring that your identity resources are secured by policy.
To deploy the identity capability, you'll need to set the deploy_identity_resources variable to true and provide the ID of the identity subscription where the policies are to be configured. This ID is stored in the subscription_id_identity variable.
DDoS Protection Plan
Enabling DDoS Network Protection can increase protection of your Azure platform, as recommended by the Azure landing zones guidance.
This capability is disabled in the Azure landing zones Terraform module due to the cost associated with this resource, to prevent unexpected costs in non-production and MVP deployments.
For production environments, it's strongly recommended to enable this capability.
The module can optionally deploy DDoS Network Protection and link Virtual Networks to the plan if needed.
When this capability is enabled, the module deploys and manages Resource Groups and DDoS Protection plans, the same resource types listed under Security and Protection.
DDoS Protection plans can only be enabled for traditional virtual networks due to platform limitations. Virtual Hub support is not currently available.
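The Required Inputs, Configuring Changes and DDoS Protection Plan sections describe individual settings; as an added example that is not from the module's own documentation or any of the sources below, here is a root module that ties them together: aliased providers for the management and connectivity subscriptions, the two required inputs, the deploy_*/subscription_id_* flag pairs, and the DDoS plan switched on for production. It assumes a module release whose input objects use optional attributes (v4 or later), so the partial configure_connectivity_resources block is merged with the module's defaults; the subscription variables and the root_id/root_name values are constructed.

```hcl
# Tenant-scope default provider: Management Groups and policy (core resources).
provider "azurerm" {
  features {}
}

# One aliased provider per platform subscription; the providers map on the
# module block routes each capability to its own subscription.
provider "azurerm" {
  alias           = "management"
  subscription_id = var.subscription_id_management
  features {}
}

provider "azurerm" {
  alias           = "connectivity"
  subscription_id = var.subscription_id_connectivity
  features {}
}

data "azurerm_client_config" "current" {}
# Constructed inputs: the three platform subscription IDs.
variable "subscription_id_management" { type = string }
variable "subscription_id_connectivity" { type = string }
variable "subscription_id_identity" { type = string }

module "enterprise_scale" {
  source  = "Azure/caf-enterprise-scale/azurerm"
  version = "~> 4.0" # assumption: pin to the release you have tested the upgrade path for

  providers = {
    azurerm              = azurerm
    azurerm.connectivity = azurerm.connectivity
    azurerm.management   = azurerm.management
  }

  # Required inputs: the root of all Landing Zone deployments (the Tenant ID
  # for core Enterprise-scale) and the region for region-bound resources.
  root_parent_id   = data.azurerm_client_config.current.tenant_id
  root_id          = "contoso" # constructed prefix for Management Group IDs
  root_name        = "Contoso"
  default_location = "eastus"

  # Feature flags: a capability is deployed only when its flag is true, into the subscription named next to it.
  deploy_management_resources = true
  subscription_id_management  = var.subscription_id_management

  deploy_connectivity_resources = true
  subscription_id_connectivity  = var.subscription_id_connectivity
  configure_connectivity_resources = {
    settings = {
      # Off by default to avoid cost in non-production; enable for production.
      ddos_protection_plan = {
        enabled = true
      }
    }
  }

  # Identity: Azure Policy assignments only, no resources are created.
  deploy_identity_resources = true
  subscription_id_identity  = var.subscription_id_identity
}
```

Run terraform plan before apply and confirm that the plan shows the DDoS Protection plan and the roughly 180 default resources you expect, so that an unintended default does not reach production.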
Module Usage and Outputs
The Terraform module for Azure landing zones is designed to be highly reusable, allowing you to deploy resources independently from each other.
You can use this module multiple times in the same environment to deploy different resources, which is particularly useful in large organizations with multiple teams responsible for different capabilities.
This module acts as an orchestration layer, enabling you to select which resources are deployed and managed using the module.
The module exports a wide range of outputs, including configuration data for Azure resources such as Automation Accounts, DNS Zones, and Virtual WANs, among others.
These outputs provide a clear picture of the resources created by the module, making it easier to manage and maintain your Azure environment.
Modules
Modules are a core concept in Terraform that enable you to organize deployments into logical groupings, improving the readability of your Terraform files by encapsulating complex details of your deployment.
Modules can be reused across deployments, which is a real benefit when defining and deploying landing zones: environments are repeatable and consistent in code, and the effort required to deploy at scale is reduced.
The Terraform implementation of Azure landing zones is delivered using a single module that acts as an orchestration layer, allowing you to select which resources are deployed and managed using the module.
This orchestration layer can be used multiple times in the same environment to deploy resources independently from each other, making it useful in organizations where different teams are responsible for different capabilities or collections of sub-resources.
Here are some key benefits of using modules in Terraform:
- An accelerated delivery of Azure landing zones in your environment.
- A tested upgrade path to the latest version of the module, along with strict version control.
Outputs
The module exports its outputs as configuration data for the Azure resources it creates, including the following:
- The user-assigned identity for Azure Monitor Agent
- Automation Accounts
- DNS Zones
- Log Analytics workspaces
- Management Groups
- Private DNS Zones
- Public IPs
- Resource Groups
- Role Assignments and Role Definitions
- Subnets and Virtual Networks
- Virtual Hubs and Virtual WANs
- Virtual Network Gateways
Note that the following statement is applicable from release v2.0.0 onwards.
Sources
- https://nedinthecloud.com/2024/11/12/deploying-azure-landing-zones-with-terraform/
- https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/deploy-landing-zones-with-terraform
- https://github.com/Azure/terraform-azurerm-caf-enterprise-scale
- https://genesis-aka.net/information-technology/professional/2022/08/08/azure-landing-zones-terraform-module-design-considerations/
- https://www.techtarget.com/searchitoperations/tutorial/Deploy-Azure-landing-zones-using-Terraform