Updated: July 25, 2022 (July 4, 2022)
Azure Landing Zone Conceptual Architecture
The Cloud Adoption Framework, which is a collection of Microsoft guidance for Azure adoption and ongoing use, provides a reference design called the Azure landing zone conceptual architecture. The central portion of that design is shown here.
The conceptual architecture uses Azure management groups and subscriptions to logically isolate platform landing zones (shown in lower left half), including identity, management, and connectivity, from landing zones for application workloads (shown in lower right half). This design allows application landing zones to be added and removed while the platform landing zones and their contents remain stable and do not need to be duplicated for each landing zone. For example, cost management and security auditing are performed by resources in the platform landing zones rather than by resources in each application landing zone subscription.
Management groups are logical, nestable containers that organize and govern Azure deployments. Settings such as access control and policies can be defined for higher-level management groups and inherited by lower-level groups, which can simplify access and policy configuration, improve the scalability of operational processes, and enhance other Azure services, such as Cost Management. The conceptual architecture uses management groups to govern the subscriptions used to build the landing zone infrastructure.
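The inheritance described above, sketched as an added example (not code from Microsoft or the Cloud Adoption Framework): a simplified Python model that walks from a subscription up through its management groups and reports which policy and role assignments apply and where each was assigned. The hierarchy, group and subscription names, and policy assignment names are constructed for illustration; exclusions are modelled on a policy assignment's excluded scopes.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Scope:
    """A management group or subscription in a simplified hierarchy."""
    name: str
    parent: Optional["Scope"] = None
    policies: dict = field(default_factory=dict)  # assignment -> excluded scope names
    roles: list = field(default_factory=list)     # (principal, role) pairs

def ancestry(scope):
    """Chain from the root management group down to `scope`."""
    chain = []
    while scope is not None:
        chain.append(scope)
        scope = scope.parent
    return chain[::-1]

def effective(scope):
    """Return ({policy: assigned_at}, [(principal, role, assigned_at)]) for `scope`."""
    chain = ancestry(scope)
    names = {s.name for s in chain}
    policies, roles = {}, []
    for level in chain:
        for assignment, excluded in level.policies.items():
            # An exclusion covers the excluded scope and everything beneath it.
            if names.isdisjoint(excluded):
                policies[assignment] = level.name
        roles += [(p, r, level.name) for p, r in level.roles]
    return policies, roles

# Constructed hierarchy: all names below are illustrative assumptions.
root = Scope("contoso", policies={"require-diagnostic-logs": set()},
             roles=[("secops-auditors", "Security Reader")])
platform = Scope("platform", root)
connectivity = Scope("connectivity-sub", platform)
landing_zones = Scope("landing-zones", root,
                      policies={"deny-public-ip": {"app-legacy-sub"}})
app1 = Scope("app1-sub", landing_zones, roles=[("app1-team", "Contributor")])
app_legacy = Scope("app-legacy-sub", landing_zones)

if __name__ == "__main__":
    for sub in (connectivity, app1, app_legacy):
        print(sub.name, *effective(sub), sep="\n  ")
```

Running the same resolution against an exported hierarchy is a quick way to audit for broad role assignments at high-level groups and for exclusions that silently exempt a subscription from an inherited policy.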