Cloud Migration or Build Apps with an Architectural Foundation | Azure Landing Zones

Microsoft Mechanics
Youtube Blogger

- Coming up, we're joined by Azure expert Matt McSpirit to look at how you can set yourself up for success as you migrate or build new solutions in the cloud with Azure Landing Zones, and set up reference environments to choose from that provide the operational foundation to host your workloads in Azure.

So Matt, it's great to have you back on the show.

- Thank you.

It's nice to be on as the subject matter expert from time to time.

- Yeah, thanks for joining us from home today.

So we decided to cover this topic because we're seeing a huge surge in cloud adoption. Whether you're kicking the tires or architecting broader efforts, it's important to start in the right way to avoid operational issues down the line.

- Yeah, youre right.

And this is a challenge that's true of any cloud adoption.

It's not just specific to Azure.

Now on the one hand, the cloud is a great enabler.

It makes innovation a lot faster, but on the other hand, not everyone has a common understanding of networking, security, and identity management and governance.

- Right, and many of us have experienced the impact of that.

For example, if you've got like 15 different teams that are experimenting or running workloads, or maybe using 15 different network topologies, things aren't going to match up and you're going to be less likely to set things up properly for consistent security and maybe even governance requirements.

- Exactly, so with Azure Landing Zones, we go beyond best practice documentation.

So we give you the building blocks and the scaffolding at the workload or the organizational level to ensure that any resource that you build or migrate to Azure aligns with the rules and policies that you set.

So practically speaking, this means that we provision a set of Azure baseline services that you deploy as code via resource manager templates, policies and blueprints to give you a landing zone to host your workloads.

Now, this ensures consistency across foundational services like how you configure networking, identity, resource organization, governance policy, operations and more.

- We've all been there.

If you're managing things on-prem, you probably have a plan in place, maybe for business continuity or security.

So this then is going to onboard you into operational best practices in the cloud, so that the right people can access your apps, your services, your resources, and it ensures that your networking is consistently configured and any of the policies that you want in place, those are there as well.

- Yeah, that's right.

And we give you a number of landing zone options.

Now, most people choose to start small and expand, which helps you to centralize your operations incrementally to learn the ways of the cloud.

Now, there are three main landing zones to choose from in this category.

The first is focused on migration.

And this is where most people get started when they want to lift and shift VMs into Azure.

The second is our foundation blueprint, which gets you ready to add policy and governance.

And the third is a landing zone from Terraform.

- Can we take a look at some of these so everyone can see what they look like in action?

- Absolutely.

So I'm going to pick a generic scenario that we see a lot.

Let's say I've got hundreds of VMs to move in a limited amount of time.

I've got a mixture of non-mission-critical workloads and high-risk workloads with sensitive data.

And also I've got existing policies and security and operations tools that I use on-prem.

And I want to have the same control, if not better, in Azure.

Now of course, with this landing zone approach, we want to learn as we go.

And so my goal is to move over the VMs for our non-critical workloads first.

- Okay, so how do Azure Landing Zones help in this case?

- Well, first you need a few things before you get started.

You'll obviously need a target subscription in Azure.

And with Azure AD in place, you'll want to make sure that your tenant has the right identity and access controls configured.

And to help you out, you can check out our best practice guidance at

Once you have these in place, you'll search for Azure Blueprints in the Azure portal.

I'm going to type in "blue" and click on Blueprints, which takes me to the Getting Started page.

Now, then I'll hit Create and I'm presented with a few options.

And in this case, I'll pick Cloud Adoption Framework, CAF Migration landing zone.

This gives me a starting point to create my blueprint.

So I'll go ahead and give it a name, and a definition location to define the resource group where this will be stored.

Or you can optionally add a subscription.

And in my case, I'll choose Sub106 and select.

And then I'll move on to artifacts.

This presents me with a few foundational components, and in my case it's provisioning resource groups for shared services like Key Vault, which we're going to use to manage our secrets.

Log analytics for monitoring.

And behind the scenes, its also provisioning a storage account.

Networks, which will create a virtual network with subnets for the gateway, firewall and a jump box.

And it's going to provision an Azure Migrate project so that I'll be able to migrate my servers.

So from here, I'll save the draft.

And that's going to take me back to the Getting Started page, and you'll see the definition succeeded.

- Alright, so now you've got a draft blueprint and you've kind of saved your progress, but nothing's provisioning or being enforced yet.

- That's right.

And the nice thing with these blueprints is that you can also go back and edit them at any time.

So next I'll go into Blueprint definitions, back into the one we just created, and hit Edit blueprint.

Now this is going to let me customize my landing zone further and add some artifacts.

And you can see you've got a few options.

You can add policies that are applied to the subscription or the resource group level.

You can assign roles to govern who gets to use resources or add resource manager templates, which will allow you to do further automation.

Now in my case, I'm going to select policy assignment and add a policy for tagging.

So I'll search for "tag" and I'll choose this one to append the tag and its value to resource groups.

And this is going to ensure that any new resource in my resource group gets tagged, which is useful to track the resources.

In my case, it's going to help me create filtered views later for my VM usage and the costs of my migrated machines.

I can go ahead and add additional artifacts if I want to, but I'm going to move on and save the draft again.

- Okay, so I saw that there were a lot of different options listed when you were adding that tagging policy.

But what if I wanted to add more policies or artifacts? How would I even know where to start with this?

- So I just showed a blueprint for migration, but you can take the next step once you're more familiar with policies and artifacts and deploy the Cloud Adoption Framework Foundation blueprint to your subscription.

So as you can see here, it gives you a really useful baseline with a handful of common policies predefined.

And this will also turn on native security and operational tools like the Azure Security Center to monitor security vulnerabilities across your resources.

- And one thing to note here: these blueprints are complementary, and you can apply them to specific resource groups or also across an entire subscription.

- Exactly, and we actually encourage that you start small and grow from there.

It's a great way to build your operational muscle incrementally.

But let's go back to our migration landing zone.

So I'm going to publish the blueprint and give it a version number, along with some notes for the change.

And now with that published, I can assign the blueprint to our subscription.

It's automatically going to complete the name and the version, but I'm just going to add a quick name prefix here.

And as a tip, you'll typically want to make sure your locations match as much as possible.

So in this case, I'm going to select East US.

I'm going to add my organization name, in this case "subdemo".

Now another tip here is to ensure that the name you choose is unique and all lower case, without any spaces or dashes, for this to work.

And this is similar to when you set up a storage account.

Next, you need to define the parameters for your artifacts.

Now for the tag artifact I added earlier, I'm going to give it the name "cost center".

And for the value, I'm just going to type "one, two, three, four, five, six," as well as the value needed for my Key Vault deployment.

Now to find that value, I'll jump into Azure AD to show where that is.

For this, you'll typically want to use a service principal account and grab the object ID, as you see here.

Now I'll switch back to my blueprint and paste in that parameter.

I'll make a few other adjustments for Log Analytics retention and choose the East US region again.

Then I'll define my VNET's address space.

And with the Azure Migrate artifact, we're going to choose Central US.

And this is mainly because at the moment this service isn't currently offered in East US.

And finally, I'll click Assign, and that's going to link my blueprint to my subscription, and the resources will start to provision.

Now that's going to take a moment, but you can watch the progress as resources are provisioned.

Once everything has succeeded, we can take a look at our new resource groups.

So if I click into the network resource group, you'll see network security groups have been built for Core and Jumpbox, and a virtual network was created.

- Right, and in this case, we actually picked the Cloud Adoption Framework migration landing zone blueprint, but how does that link to the Azure Migrate set of tools?

- Well, from here you can open Azure Migrate and see it's been deployed to your landing zone.

And now when I migrate my VMs over using Azure Migrate, they'll use my landing zone to connect to the VNET I've defined, apply my tagging and policies, enable monitoring and adhere to whatever guardrails I've set up.

Now, obviously I'm summarizing a bit here for time, but if you want more guidance on using Azure Migrate to move your VMs and other resources into Azure, you can check out

But with this landing zone now active, you've got a safe place to host your workloads in Azure.

And you can get familiar with Azure's management approaches using Azure Resource Manager and Azure Policy.

- Right, and as you say, this approach to start small and scale really helps you to incrementally govern your environment.

But now what you showed can also be scoped to a subscription or resource group.

But what if I need a compliant architecture across a large enterprise on day one?

- Well, we've got some options for that too.

So for enterprise operations where you can't afford to start small and expand, but need a highly governed architecture before you can even start in the cloud, we've got an architecture that builds out a comprehensive Azure foundation, and this in turn enables you to operationalize and construct many landing zones at scale.

Now, the good news is that this helps you to build centers of excellence for management, connectivity and identity, with security baked in throughout to help manage your organization's cloud operations.

- Okay, so what are some of the options then to get these up and running?

- So your options here are pretty expansive.

In the Cloud Adoption Framework in Microsoft Docs, you'll see we have three reference implementation options for enterprise scale.

The enterprise scale foundation landing zone, which assumes all resources are hosted in the cloud.

The enterprise scale Virtual WAN, which assumes hybrid connectivity with VWANs.

And the enterprise-scale hub and spoke for Azure using VNET hybrid connectivity to on-prem resources.

And if I click into this last one, you'll see we're going to provision new management groups and subscriptions with all the resources you see in this topology.

Now enterprise scale landing zones are good if you need to move secure, mission-critical workloads to the cloud right away.

And if you're already committed to migrating 100% to the cloud, this provides an upfront blueprint to really kickstart your efforts.

And of course, if you're operating in a highly regulated industry, this option can really accelerate compliance.

And everything's also available on GitHub at

- So can we get an idea then of what one of these would look like fully implemented?

- Yeah, absolutely.

I've got one right here.

So here we have the enterprise scale hub and spoke for Azure reference implementation already deployed straight from GitHub.

Now, right from my Azure homepage, I can see that the landing zone has provisioned separate subscriptions for connectivity, landing zone and management, along with a few other provisioned resources.

And if I jump into management groups, you'll get a better idea of the group hierarchy.

I'll click into Platform and you'll see additional nested management groups for connectivity, identity and management.

And drilling further under connectivity, you can see the dedicated subscription.

Within that subscription, you'll see the resource groups, and here you can see it's provisioned a firewall, public IP and VNET.

But this doesn't stop with group and resource provisioning.

Like our blueprints, it also deploys policy.

So here in policy assignments, you'll see we've already provisioned eight policies and initiatives that were assigned with this landing zone.

So even though this is highly structured and builds out several services, the intent here is to give autonomy to the workload teams for their environment and to make sure that the right resources and guardrails are in place.

And that's really what landing zones are all about.

And you can start small and expand, or opt for an Enterprise landing zone.

It's really up to you and what your situation calls for.

- And it's really great to see that everything's not only been well thought out, but it's also backed by automated provisioning of resources and policies.

And it's not just reams of documentation-based best practices that a lot of us in IT grew up with.

This is the real deal.

So what's the best way then to get started with Azure Landing Zones?

- Well, to get started, check out the Azure Landing Zones documentation as part of the Cloud Adoption Framework at

And there are some additional tutorials available on Microsoft Learn at

- Thanks Matt for the great intro to Azure Landing Zones.

Of course, keep checking back to Microsoft Mechanics for the latest updates.

Subscribe if you haven't yet, and thank you for watching.

(light melodic music)
