
What is an Azure Landing Zone?

An Azure Landing Zone is your starting point when building secure, scalable infrastructure in Azure.

It's where you define the foundational setup aligned to Microsoft's Cloud Adoption Framework. This setup includes identity, networking, security, governance, and platform services.
 
This article explains the purpose, benefits, architecture, and design considerations of Azure Landing Zones and how they can streamline your Azure cloud migration.

Author: Rinie Huijgen, CTO

Reading time: 9 minutes. Published: 05 October 2020. Latest update: 06 August 2025.

What are Azure Landing Zones?

A landing zone is the base environment in the public cloud where you build your infrastructure, following Microsoft’s best practices and framework guidelines. It ensures your cloud resources are deployed securely, efficiently, and compliantly.

Or, as Microsoft says: An Azure Landing Zone is a conceptual framework within the Azure Cloud Adoption Framework that provides guidance on establishing a secure and scalable cloud environment.

With an Azure Landing Zone, you're creating a framework for your organisation that enables you to perform and manage your cloud migration efficiently. Within a landing zone, you’ll select the parameters or guardrails that determine how your data and applications are used in the cloud.

Landing Zones are the necessary building blocks for each successful cloud adoption strategy. You can compare this with building a new house; you need to have the resources in place before the actual construction.


 

Why you need an Azure Landing Zone

A well-structured landing zone offers these benefits: 

  • Standardisation: When building at scale, using consistent setups makes support easier, especially in large environments. If you start with standard patterns from the beginning, it saves time later. This also helps new users. With a consistent setup, they don’t need to figure out how to do something, but just pick the existing pattern and use it.
  • Confidence: Adopting a public cloud can feel risky at first, with many moving parts and unfamiliarity. Landing zones help build confidence in your cloud setup because you're following known, proven patterns with clear guidance from Microsoft.
  • Operational efficiency: Doing things in the same way makes operating much more efficient. Shared platform components (like log analytics workspaces, hub-and-spoke networking, or firewalls) can be reused by different teams. That saves duplication of effort. It also separates the application and platform teams' responsibilities.
  • Security and Compliance: If your organisation has specific security or compliance requirements, you can define them upfront and integrate them into your landing zone. This makes the platform more secure and ensures compliance.

 

Azure Landing Zone Architecture

The repeatable setup of an Azure Landing Zone Architecture lets you apply consistent configurations and controls across all subscriptions. With modules, you can easily deploy, update, or replace parts of the architecture as your needs change.

Based on feedback and lessons learned from many organisations that have migrated to Azure, Microsoft made a conceptual, scaled-out architecture framework for Azure Landing Zones.

It helps guide the design and implementation of your own landing zone and can be found below:

 

Microsoft conceptual architecture of Azure landing zones
Source: Microsoft

Or by clicking this link: Azure landing zone conceptual architecture

An Azure Landing zone provides:

  • A pre-configured environment (networking set up, a ready hub-and-spoke topology, configured virtual networks, etc.)
  • A foundation for your cloud infrastructure
  • A set of best practices and frameworks
  • A ready-to-use base for workloads

 

Key Design Areas of Azure Landing Zones

When you're architecting your landing zone in Azure, there are eight areas you need to focus on:

  1. Azure billing and Microsoft Entra tenant: Relates to how you're charged for what you use in the cloud and how everything fits together at a high level within your Microsoft Entra ID (formerly Active Directory) tenant. 
  2. Identity and Access Management (IAM): Controls who has access to your environment, role permissions and access to resources.
  3. Resource organisation: Refers to structuring your resources so they're easy to manage and aligned with how you operate.
  4. Network topology and connectivity: Defines how different areas in the landing zone connect, stay secure, and scale as your cloud presence grows.
  5. Security: Addresses how you protect your Azure environment in a public cloud. In the cloud, security is a shared responsibility between you and the cloud provider.  Azure provides security baselines, but you must design your setup to protect it and maintain its security.
  6. Management: As your environment grows, you must be able to manage it and keep it sustainable over time.
  7. Governance: Depending on your organisation, you might have to meet specific requirements (ISO 27001, NIST, etc.). You need to set governance policies, implement them, and monitor compliance.
  8. Automation and DevOps: As your environment grows, automation and DevOps allow you to scale by reducing manual effort. They use infrastructure as code (IaC), CI/CD pipelines, and automated workflows to deploy and manage resources efficiently.

 

Platform Landing Zone Vs. Application Landing Zone

Azure landing zones can be categorised into two types: platform landing zones (1) and application landing zones (2).

Each serves a different purpose in your cloud environment:

1. Platform Landing Zone

Platform landing zones are designed to provide shared resources and foundational services for multiple applications.

These services establish the infrastructure and governance framework necessary to support a diverse range of workloads across your organisation.

Azure Landing Zone conceptual framework showing a hierarchical structure of management groups and subscriptions within an organisation

It includes foundational architecture elements such as:

  • Identity and access management (IAM)
  • Networking
  • Resource organisation (management groups, subscriptions, resource groups)
  • Security and compliance
  • Monitoring
  • Cost management
  • Backup and disaster recovery

Centralising these shared services improves operational efficiency by reducing duplication, simplifying management and leading to better control and visibility across environments.

 

2. Application landing zones

Application landing zones focus on the specific configurations, resources and governance needed for individual applications or workloads. Each one is tailored to meet the particular needs of its application.

Zoom in of Microsoft conceptual framework showing Azure landing zone structure with virtual networks in multiple regions, resource groups, and shared services.

They often inherit policies and services from the platform landing zone, because they build on the foundational architecture it offers.

 

With an application landing zone, the goal is to address the individual needs and characteristics of each application while staying aligned with broader organisational policies.

Microsoft's conceptual architecture diagram below shows two separate application landing zones, "Landing zone A1 subscription" and "Landing zone A2 subscription":

A conceptual architecture diagram of an Azure landing zone with Application & Platform Landing Zones overlaid
Source: Microsoft


| Feature | Platform Landing Zone | Application Landing Zone |
|---|---|---|
| Purpose | Establish shared services and governance. | Host specific workloads or applications. |
| Focus Area | Governance, compliance, centralised services. | Application deployment and operations. |
| Networking | Central hub in a hub-and-spoke topology. | Spoke connected to the central hub. |
| Resource Scope | Enterprise-wide shared resources. | Workload-specific resources. |
| Scalability | Focuses on organisational scaling. | Scales to meet application needs. |
| Examples | DNS, firewalls, monitoring tools. | Web apps, databases, Kubernetes clusters. |

Read Microsoft’s documentation to learn more about the available options for deploying platform and application landing zones.

Key design decisions in your Azure Landing Zone

The fundamental choices you will need to make in your Landing Zone will differ for each workload and each organisation.

For example: If you are going to use Azure Compute, ensure you are maximising your efforts in automating the management and administration of these systems. It’s also interesting to note that the step to modern PaaS services is, more often than not, a lot smaller than you might initially expect.

Depending on the workload type, you can directly leverage highly scalable and efficient Azure App Services, Container Instances, or Azure Functions.

The Cloud Adoption Framework contains a handy decision tree that guides you through the possible options.

 

If you are considering setting up a hybrid environment, you should also directly include the networking requirements as part of your first Landing Zone. The usage of Azure Virtual Networks might be a requirement and you might also need a VPN Gateway or ExpressRoute to connect both worlds. When publishing services or apps to the outside world, consider using services like Azure Front Door, Application Gateway, or Traffic Manager and integrate them into your Landing Zone.
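The networking requirements above can be checked before anything is deployed. The following is an added example, not code from the original article or from Microsoft: it validates a hub-and-spoke address plan that also includes an on-premises range reached over VPN Gateway or ExpressRoute. The network names, address ranges, and the rule that spokes never peer directly with each other are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations


def validate_plan(hub, vnets, on_prem, peerings):
    """Check a hub-and-spoke address plan and return a list of findings.

    hub      -- name of the hub VNet (must be a key of vnets)
    vnets    -- {vnet name: CIDR}, hub included
    on_prem  -- {site name: CIDR} reached over VPN Gateway or ExpressRoute
    peerings -- set of frozenset({vnet_a, vnet_b})
    """
    findings = []
    parsed = {n: ipaddress.ip_network(c) for n, c in {**vnets, **on_prem}.items()}

    # Peered VNets and networks routed over the hybrid link need disjoint ranges.
    for a, b in combinations(sorted(parsed), 2):
        if parsed[a].overlaps(parsed[b]):
            findings.append(("overlap", a, b))

    # Every spoke reaches the shared platform services through the hub.
    for spoke in sorted(set(vnets) - {hub}):
        if frozenset({hub, spoke}) not in peerings:
            findings.append(("no-hub-peering", spoke))

    # Assumed design rule: spokes never peer directly, so traffic between
    # workloads passes the central firewall in the hub.
    for a, b in sorted(tuple(sorted(p)) for p in peerings):
        if hub not in (a, b):
            findings.append(("bypasses-hub", a, b))
    return findings


# Constructed sample plan (names and ranges are illustrative).
VNETS = {"hub": "10.0.0.0/16", "spoke-a1": "10.1.0.0/16", "spoke-a2": "10.2.0.0/16"}
ON_PREM = {"on-prem-dc": "10.2.128.0/17"}
PEERINGS = {frozenset({"hub", "spoke-a1"}), frozenset({"spoke-a1", "spoke-a2"})}

if __name__ == "__main__":
    for finding in validate_plan("hub", VNETS, ON_PREM, PEERINGS):
        print(finding)
```

Running the same check in a CI pipeline against the address plan kept in source control catches overlaps before a peering or gateway connection fails or routes traffic unexpectedly.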

Governance is an easy topic to ignore, but it is at least as important as the technical elements of your Landing Zone. Especially when setting up your first Landing Zone, you’ll need to make decisions regarding the use of policies, monitoring, cost management, and identity. To remain in control, also directly include primitives such as a naming convention, subscription design, resource groups, and the usage of management groups.
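Subscription design and management groups decide which policies a workload actually inherits. The following is an added example, not code from the original article or from Microsoft: a small model of a management group hierarchy that reports which required guardrails do not reach a subscription. The hierarchy, the policy labels (not Azure built-in names), and the exclusion are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Scope:
    """A management group or subscription in the hierarchy."""
    name: str
    parent: Optional["Scope"] = None
    # policy label -> names of child scopes excluded from that assignment
    assignments: dict = field(default_factory=dict)


def effective_policies(scope):
    """Map each policy that applies to `scope` to the scope that assigned it."""
    path = []
    node = scope
    while node is not None:          # walk from the subscription up to the root
        path.append(node)
        node = node.parent
    on_path = {s.name for s in path}
    result = {}
    for assigner in reversed(path):  # root first
        for policy, excluded in assigner.assignments.items():
            # An assignment reaches every descendant unless a scope on the
            # path was explicitly excluded from it.
            if on_path.isdisjoint(excluded):
                result.setdefault(policy, assigner.name)
    return result


def missing_guardrails(scope, required):
    """Required policies that do not reach `scope` through inheritance."""
    return sorted(set(required) - set(effective_policies(scope)))


# Constructed hierarchy; policy labels are illustrative, not Azure built-in names.
ROOT = Scope("org-root", None, {"allowed-locations": [], "send-activity-logs": []})
LANDING_ZONES = Scope("landing-zones", ROOT, {"deny-public-ip": ["landing-zone-a2"]})
A1 = Scope("landing-zone-a1", LANDING_ZONES)
A2 = Scope("landing-zone-a2", LANDING_ZONES)   # excluded from deny-public-ip
STRAY = Scope("stray-subscription", ROOT)      # created outside landing-zones
REQUIRED = ["allowed-locations", "send-activity-logs", "deny-public-ip"]

if __name__ == "__main__":
    for sub in (A1, A2, STRAY):
        print(sub.name, missing_guardrails(sub, REQUIRED))
```

The two gaps it reports have different causes: one subscription was explicitly excluded from an assignment, the other was placed outside the management group that carries the guardrail.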

As you can see, there are a lot of choices to be made.

Therefore, always determine the scope and purpose of your Landing Zone first.

Start small and scale up

After creating your first Landing Zone, it’s important to keep improving: you have now reached the refactoring phase. Within this phase, you can focus on using more cloud-native tooling for monitoring and management or use Azure Lighthouse to create a single control plane to view and manage resources across multiple tenants.

Part of this phase in your journey is to also look at the different failure modes in your environment and improve by using multiple instances or by switching to a Premium tier that might better suit your workload.

In Azure, you also want to use horizontal scaling over vertical scaling where possible. If your dev/test and production systems are not completely separated, or if the same applies to frontend workloads like Web Apps and backend workloads like Web APIs, this is also the phase to restructure these workloads.

Infrastructure as code

The Azure Portal is a great graphical interface for those who are still learning how to use Azure. It offers valuable insights into the various options and their interrelationships.

Landing Zones, however, are created in code. Luckily, there are several ways to convert what you have set up to Infrastructure as Code.
