A key phase in executing successful cloud migration strategies is correctly configuring the Azure landing zone. Having assessed the workloads we’re moving and applications to be modernised, the Ergo Azure practice team will put the foundations in place to build an environment that supports the key components of cloud infrastructure – scalability, security, governance, networking and identity.
Think of the landing zone as a launch pad for a cloud journey, where all the elements have to be in place to support sometimes challenging projects; where the rubber hits the road on turning Ergo’s cloud adoption framework into a practical roadmap, tailored to each client’s needs.
Azure landing zones explained
A landing zone is a platform that helps organisations set up their well-architected cloud environments for scale, security, governance, networking, and identity. It can be preconfigured to accelerate the migration of applications and data to the cloud, not just saving time and money in the short term but creating long-term value through highly automated processes that are scalable and repeatable, enabling organisations to grow faster.
There are two types of landing zone that organisations need to understand as they plan their cloud strategy. Each allows for design principles to be put in place that will accommodate multiple application portfolios, facilitating not just migration, but modernisation and innovation at scale. The main difference between a platform landing zone and an application landing zone in Azure lies in their purposes and the resources they manage.
Platform landing zones
These types of landing zone provide shared services that are used across multiple applications. These services include identity management, network connectivity, security and governance. These landing zones are typically managed by central IT or a dedicated team to ensure consistency and efficiency.
Application landing zones
These types of landing zone host specific application workloads and resources. Pre-provisioned code and policy controls are typically applied. Controls are modified for each zone, following management rules set up in advance. Application development or operations teams typically manage these zones, allowing for more flexibility and customization.
The function of well-designed landing zones is to improve operational efficiency, while aligning the environments with business priorities and regulatory responsibilities, which vary from client to client. The Ergo team will adapt the zones to each client’s unique needs, using tried-and-tested templates in our cloud operating model.
Building the right landing zone is a vital stage in Ergo’s cloud adoption journey, the step between planning a migration and the actual re-platforming of applications and workloads. Arguably, it is the most important for ensuring successful outcomes in terms of optimising value and performance, which is why we pay it so much attention.
Landing zones enable creation of Azure templates with module catalogues that can be reused and repeated across the organisation. Properly designed, they remove the risk of duplicating effort and accelerate time-to-completion of future migration projects.
Matching zones to client needs
An Azure landing zone should cover eight design areas:
- Azure billing and Microsoft Entra tenant;
- Identity and access management;
- Resource organization;
- Network topology and connectivity;
- Security;
- Management, including recovery capabilities;
- Governance;
- Platform automation and DevOps.
For identity design areas, we set about creating role-based access controls, matching security principals to users, groups or services and assigning appropriate permissions. Every company is different, with its own hierarchies and priorities around who has access to what, which we map onto the design.
For connectivity design areas, we look at network topology and at how networking capabilities intersect with the client’s existing infrastructure and future strategy. Issues to consider are the requirement for virtual networks, connecting on-premises workloads and providing detailed specifications on where firewalls need to sit.
Work in the management design area is largely around implementing consistent and well-thought-out naming conventions and applying resource tagging. It sounds deceptively simple, but we know from experience that it’s essential for running an effective cloud service. Getting it right paves the way for accurate cost-benefit analysis, where cost centres are clearly understood and made transparent for continual improvement.
We can advise on landing zone best practice to define your hierarchy, based on organisation and environment type, and on the way to structure and tag different management groups in global organisations. At the same time, we will set identity management rules so you can limit who has access to your data.
Ergo has been taking organisations on Azure migration journeys for over a decade. We know the pitfalls that have to be navigated. As an Azure Expert MSP (Managed Service Provider), we make sure that all our clients have access to the very latest tools and services to optimise landing zones for their cloud strategy. That means centralising control to enforce good governance and achieve long-term value.
Talk to us about your requirements
Whether you’re thinking about applications migration or starting a greenfield development in Azure, we can help you on your journey.