Azure Landing Zone – Networking Overview

In this blog post, we will be going through the networking overview of the Azure Landing Zone.

Networking Decision Guide

The below network decision tree should be used as a starting point to determine the network services that should be used.




Consider the following design elements:

Below are the design consideration for Azure networking and connectivity.

  • Planning for IP Addressing
  • Configure DNS
  • Define an Azure Networking Topology
  • Connectivity to Azure
  • Connectivity to other cloud providers

Planning for IP Addressing

IP address planning is a vital first step when designing a network in Azure especially if you have a hybrid environment to avoid overlapping IP address space across on-premises environment and Azure.

Design Considerations:

  • Azure reserves 5 IP address with each subnet so factor in the address space when sizing the virtual networks.
  • Some Azure service such as Application Gateway – WAF, Azure Firewall, Azure Bastion and VPN Gateway require dedicated subnets.
  • You can delegate subnets to some Azure service that can be injected into the virtual network.

Design Recommendation:

  • IP address space should not overlap the on-premises environment.
  • Use the non-routable, private address spaces.
    • – (10/8 prefix)
    • – (172.16/12 prefix)
    • – (192.168/16 prefix)
  • You cannot add the following address ranges:
    • (Multicast)
    • (Broadcast)
    • (Loopback)
    • (Link-local)
    • (Internal DNS)
  • Plan for future growth since adding address space can cause an outage.
  • Public IP addresses should not be used for virtual networks.

Domain Name System (DNS)

Since DNS is a critical part of networking, some companies may use their exisiting DNS solution and other may adopt native Azure capabilities.

Design Considerations:

  • The maximum number of private DNS zone, which can be linked to a virtual network with auto-registration is one.
  • Be aware of the Azure Private DNS zone limits.

Design Recommendation:

  • Use Azure DNS zones for Azure related name space resolutions.
  • In a mix environment (Azure + on-premises environment), use exiting DNS services such as Active Directory integrated DNS.
  • If the Azure environment is running Azure Firewall, then DNS Proxy should be evaluated.

Azure Networking Topology

Azure Virtual WAN is a Microsoft managed solution that provided end to end global and dynamic transit connectivity.

Virtual WAN simplifies end to end network connectivity from on-premises to Azure and within Azure by creating a hub and spoke network architecture.

Virtual WAN network topology.

Diagram that illustrates a Virtual WAN network topology.

A traditional Azure network topology.

Diagram that illustrates a traditional Azure network topology.

Connectivity to Azure

Design Considerations:

  • Azure ExpressRoute private connectivity to Azure infrastructure since the traffic is not going through the internet.
  • Private Link can be established for connectivity to Azure platform as a service (PaaS) over ExpressRoute with private peering.

Design Recommendation:

  • ExpressRoute should be used as the primary connection for connecting an on-premises environment to Azure. Furthermore, site to site VPN can be used as a backup connectivity.
  • Using a single ExpressRoute connection is the singe point of failure so use dual ExpressRoute circuits.
  • ExpressRoute/VPN Gateway come in various SKUs so choose the right SKU based on the requirements.

Connectivity to other cloud providers

Follow the below cross-cloud connectivity flow chart for choosing an option.

Option 1 – Customer manages routing.
Option 2 – A cloud exchange provider manages routing.
Option 3 – Use site to site VPN.

Design Considerations:

  • Azure virtual network can only be connected to another cloud provider’s virtual private cloud (VPC) if the private IP addresses do not overlap.
  • Site to site VPN have lower throughput and higher latency than ExpressRoute.
  • Design Recommendation:
  • If you do not want to use public internet, then choose option 1 and 2.
  • If ExpressRoute is not available, you can use site to site VPN with traffic going through the internet for the connection between Azure and cloud provider.

This wraps up the Azure Landing Zone – Networking Overview.

Azure Landing Zone Overview

Azure landing zone, which is a subset of Microsoft Cloud Adoption Framework for Azure, help customers set up their Azure environment for scale, security, governance, networking, and identity.

Azure Subscription

Once you create an Azure tenant, the next step is to create a subscription(s). You might be thinking, ‘how many subscription(s) do I need’? This really depends on many factors so lets take a look at it.

Azure subscriptions have different limits for different resource types and this link does a great job of explaining the different service limits, quotas, and constraints.

Items to look at when designing the subscription model:
Technical Requirements
•Network Connectivity (shared or dedicated)
•Active directory requirements, clustering, identity, management tools

Security Requirements
•Who are the subscription administrators
•Least privilege model

Scalability Requirements
•Growth plans
•Allocation of limited resources
•Evolution over time (users, shared access, resource limits)

Here are some questions that should be asked before creating a subscription:
•Who will be responsible for creating subscriptions?
•What resources will be in a subscription by default?
•Are there any capacity / technical limitations?
•Do we want to ensure Separation of duties?
•Dev/Test Vs. Production?
•Different end customers?
•Different departments or business units?
•Different projects?
•What is the right naming convention to be used? Here is a great article on naming convention.

Azure Resources

Once the Azure subscription(s) are setup, the next step is to think about how to organize the Azure resources.

Azure Management group

Define the management group hierarchy on organization and environment type such as production, dev/test etc.

The root management group is for global configuration and be careful with the management level assessments as they will cascade through the hierarchy. Assign common polices and RBAC on the management group level.

The built-in RBAC roles for management group are MG contributor and MG reader.

Azure Role-Based Access Control (RBAC)

Using RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.

  1. Security principal

A security principal is an object that represents a user, group, service principal, or managed identity that is requesting access to Azure resources.

– Service principal – A security identity used by applications or services to access specific Azure resources. You can think of it as a user identity (username and password or certificate) for an application. -Managed identity – An identity in Azure Active Directory that is automatically managed by Azure. You typically use managed identities when developing cloud applications to manage the credentials for authenticating to Azure services.

2. Role definition

A role definition is a collection of permissions. It’s sometimes just called a role. A role definition lists the operations that can be performed, such as read, write, and delete. Roles can be high-level, like owner, or specific, like virtual machine reader. You can create custom roles if none of the existing built-in roles don’t meet the specific needs of your organization.

3. Scope

Scope is the boundary that the access applies to. When you assign a role, you can further limit the actions allowed by defining a scope. This is helpful if you want to make someone a Website Contributor, but only for one resource group.

Azure Tags

Here is the Azure tagging decision guide. Here is the link for best practices on using Resource Tags.

Azure Policy

Azure policy can enforce real time policy and at-scale compliance assessment. Also, the policy evaluates all Azure resource and can generate events that can be used for alerting. Furthermore, Azure policy can be used to automatically remediate problem in the environment.

My recommendation is to start with audit policies, which is a safe way of understanding what a policy will do without affecting the user activity. Furthermore, deny policies should be rolled out in stages to understand the impact.

This wraps up the Azure Landing Zone Overview.

Azure Cloud Adoption Framework Overview

The Microsoft Cloud Adoption Framework for Azure, also referred as CAF, is a collection of documentation, technical guidance, best practices, and tools that provide guidance for cloud adoption.

Cloud Adoption Framework brings together people, process and technology to align business strategy, achieve business goals with actionable, efficient and comprehensive guidance, and deliver fast results with control and stability.

The cloud journey starts with a vision by asking the following questions:

  • Why are we adopting the cloud?
  • What results do we expect to see from adopting the cloud?
  • How will the business measure success?

As your organization evolves, Cloud Adoption Framework adopts with your needs. Each module in the above diagram is an iterative phase that advances your business through the complete lifecycle of cloud adoption.

Below are common blockers that organizations would have to figure out.


As I mentioned above, the first question we need to ask is, Why are we adopting the cloud and what are the motivations behind it?


Here are some motivations to move to the cloud.

  • Data center exit
  • Merger, acquisition
  • Reduce in capital expenses
  • End of support for mission critical technologies
  • Scale to meet market and geographic demands
  • Transform product and services
  • Disrupt the market with new products and services

Business outcomes

Engage stakeholders to document specific business outcomes.

Business justification

Develop business justification that support the motivation for cloud adoption.

Identify first project

Leverage business and technical criteria to choose the first project.


Having a solid cloud adoption plan is very important for cloud adoption success as it will help guide technical efforts in alignment with the business strategy.

Rationalize digital estate

Rationalize your digital estate to determine the best cloud adoption approach.

Skills readiness plan

Identify the skills gap for the staff and plan a learning path.

Initial organization alignment

Align governance and cloud adoption to mitigate risks.

Cloud adoption plan

Create an actionable cloud adoption plan that aligns to your business strategy.


The ‘Ready’ module establishes a cloud foundation or adoption target that can provide hosting for any adoption efforts.

Azure setup guide

Azure setup guidance on the tools and approaches you need to create a landing zone

First landing zone

Choose the most appropriate landing zone option to establish a code-based starting point for your environment.

Expand the blueprint

Meet the platform considerations of your cloud adoption plan by expanding your landing zone.

Best practices

Leverage best practices to establish and prepare Azure environment.
Azure Fundamentals
Identity and access control
Cost management


Why is the company adopting the cloud?

Organizations choose to move to the cloud for various reasons but below are the two main motivations:

1. Migration

Move on-premises workload to the cloud by following the Assess, Migrate Optimize and Secure and Manage process.

5Rs of Rationalization

A rehost effort move the current workload to Azure with minimal architectural change. Also known as lift and shift. For example, migrating the on-premises SQL Server workload to Infrastructure as a service (IaaS) solution.

Some reasons to rehost is to reduce capital expenditure (CapEX) since Azure is considered operating expense (OPEX), and to achieve rapid rate of investment in the cloud.


Refactoring application code to make it fit for Platform as a service (PaaS), which is designed to support the complete web application life cycle. For example, migrating the on-premises SQL Server workload to Azure SQL.

Some of the benefits of refactor include faster and shorter updates, code probability and greater cloud efficiency.


Applications that are not compatible with cloud providers as they were build for on-premises environment, and would need to be rearchitected to be cloud-compatible.

By rearchitecting the applications, the benefit could be cost and operational efficiencies.


In this mode, the application is started from scratch and a new code base is created to align with a cloud native approach.

The benefits include accelerated innovation by building faster applications and reducing operational cost.


In this scenario, the software as a service (SaaS) model can provide all the necessary functionality for the application. Migrating the on-premises email environment to the cloud such as Microsoft 365 is a great example of SaaS.

This helps standardize around industry best practice and accelerate adoption.

2. Innovate

In this model, organizations can take advantage of cloud-native technologies and modernize solutions.


Why is governance important? Because it sets a balance between transformation and risk management.

Here are the questions that an organization should ask when thinking about governance:

  • Who is responsible for monitoring, support, and operations?
  • Which services should be migrated to Azure?
  • What roles & responsibilities must be defined?
  • What security measures should I consider?
  • What are the core processes needed for service management?
  • How do I ensure a balance between innovation, cost and agility?
  • What organizational changes are needed?
  • Azure governance building blocks?

Define corporate policy

Business risks

Document business risk, and business’ tolerance for risk .

Policy and compliance

Convert risk decision into policy statements to establish cloud adoption boundaries


Establish processes to monitor violations and adherence to corporate policies.

Five discipline of cloud governance

Cost Management

Evaluate & monitor costs, limit IT spend, scale to meet need, create cost accountability.

Security Baseline

Ensure compliance with IT security requirements by applying a security baseline to all adoption efforts.

Resource consistency

Ensure consistency in resource configuration. Enforce practices for on-boarding, recovery, and discoverability

Identity baseline

Ensure the baseline for identity and access are enforced by consistently applying role definitions and assignments

Deployment acceleration

Accelerate deployment through centralization, consistency, and standardization across deployment templates


The manage module helps organizations develop business and technical approaches for providing cloud management for the ongoing operations.

Establish a management baseline

Define the criticality classifications, cloud management tools, and processes required to deliver your minimum commitment to operations management.

Define business commitments

Document supported workloads to establish operational commitments with the business and agree on cloud management investments for each workload.

Expand the management baseline

Based on business commitments and operations decisions, make use of the included best practices to implement the required cloud management tooling.

Ensure advanced operations and design principles

Platforms or workloads that require a higher level of business commitment might require a deeper architecture review to deliver on resiliency and reliability commitments.

This wraps up the Azure Cloud Adoption Framework Overview.