| ARM Template | Scale without refactoring |
|---|---|
| Deploy to Azure | Yes |
The Enterprise-Scale architecture is modular by design and allows organizations to start with foundational landing zones that support their application portfolios, regardless of whether the applications are being migrated or are newly developed and deployed to Azure. The architecture enables organizations to start as small as needed and scale alongside their business requirements, whatever their starting point.
This reference implementation is ideal for customers who want to start with Landing Zones for their workloads in Azure, where hybrid connectivity to their on-premises datacenter is not required from the start.
Please refer to the Enterprise-Scale Landing Zones User Guide for detailed information on prerequisites and deployment steps.
If the business requirements change over time, for example a migration of on-premises applications to Azure that requires hybrid connectivity, the architecture allows you to expand and implement networking without refactoring the Azure design and with no disruption to what is already in Azure. The Enterprise-Scale architecture allows you to create the Connectivity Subscription, place it into the Platform Management Group, assign Azure Policies and/or deploy the target networking topology using either Virtual WAN or a hub-and-spoke networking topology. For more details, see the next steps section at the end of this document.
To deploy this ARM template, your user/service principal must have Owner permission at the Tenant root. See the following instructions on how to grant access before you proceed.
The deployment experience in Azure portal allows you to bring in an existing (preferably empty) subscription dedicated for platform management, and an existing subscription that can be used as the initial landing zone for your applications.
To learn how to create new subscriptions programmatically, please visit this link.
To learn how to create new subscriptions using Azure portal, please visit this link.
Enterprise-Scale landing zones offer a single experience to deploy the different reference implementations. To deploy the Enterprise-Scale foundation, click on the Deploy to Azure button at the top of this page and ensure you select the following options:
- In the Enterprise-Scale core setup blade, select the option for Dedicated (recommended) subscriptions for platform resources.
- In the Network topology and connectivity blade, under Deploy network topology select No.
The rest of the options across the different blades will depend on your environment and desired deployment settings. For detailed instructions for each of the deployment steps, refer to the Enterprise-Scale Landing Zones user guide.
By default, all recommendations are enabled, and you must explicitly disable them if you don't want them to be deployed and configured.
- A scalable Management Group hierarchy aligned to core platform capabilities, allowing you to operationalize at scale using centrally managed Azure RBAC and Azure Policy, with a clear separation between platform and workloads.
- Azure Policies that enable autonomy for the platform and the landing zones.
- An Azure subscription dedicated to Management, which enables core platform capabilities at scale using Azure Policy, such as:
  - A Log Analytics workspace and an Automation account
  - Azure Security Center monitoring
  - Azure Security Center (Standard or Free tier)
  - Azure Sentinel
  - Diagnostic settings for Activity Logs, VMs, and PaaS resources, sent to Log Analytics
- (Optionally) An Azure subscription dedicated to Identity, in case your organization requires Active Directory Domain Controllers to be in a dedicated subscription.
- (Optionally) Integration of your Azure environment with GitHub (Azure DevOps will come later), where you provide a personal access token (PAT) to create a new repository and automatically discover and merge your deployment into Git.
- A Landing Zone Management Group for Online applications that will be internet-facing, where a virtual network is optional and hybrid connectivity is not required.
  - This is where you will create the Subscriptions that host your online workloads.
- Landing zone subscriptions for Azure-native, internet-facing Online applications and resources.
- Azure Policies for online landing zones, which include:
  - Enforce VM monitoring (Windows & Linux)
  - Enforce VMSS monitoring (Windows & Linux)
  - Enforce Azure Arc VM monitoring (Windows & Linux)
  - Enforce VM backup (Windows & Linux)
  - Enforce secure access (HTTPS) to storage accounts
  - Enforce auditing for Azure SQL
  - Enforce encryption for Azure SQL
  - Prevent IP forwarding
  - Prevent inbound RDP from the internet
  - Ensure subnets are associated with an NSG
If you later want to add connectivity to your Enterprise-Scale architecture to support workloads requiring hybrid connectivity, you can:
- Create a new child management group called 'Connectivity' in the Platform management group
- Move an existing subscription, or create a new one, into the Connectivity management group
- Deploy your desired networking topology, either Virtual WAN (Microsoft-managed) or hub and spoke (customer-managed)
- Create a new management group (Corp) in the Landing Zones management group, to separate connected workloads from online workloads.
Once you have deployed the reference implementation, you can create new subscriptions, or move existing subscriptions, into the Landing Zone management group (Online), and finally assign RBAC to the groups/users who should use the landing zones (subscriptions) so they can start deploying their workloads.
Refer to the Create Landing Zone(s) article for guidance to create Landing Zones.