Azure Enterprise Landing Zone Model
This diagram illustrates a well-architected Azure environment, showing the relationship between billing, identity, governance, networking, and resource deployment across different environments.
Billing Account
Top-level financial ownership and cost aggregation for the entire organization (e.g., Enterprise Agreement or Microsoft Customer Agreement).

Microsoft Entra ID Tenant
Single source of truth for identity and access management (IAM).
- Users and Groups, e.g., "Dev Team Group", "AKS Admins Group"
- App Registrations / Service Principals: identities for automated processes and applications (scoped per environment).
  - CI/CD Pipeline:
    - app-cicd-prod: pushes images to ACR and deploys to Prod AKS.
    - app-cicd-qa: pushes images to ACR and deploys to QA AKS.
    - app-cicd-dev: pushes images to ACR and deploys to Dev AKS.

Management Group Hierarchy
Organizes subscriptions and applies universal security policies (Azure Policy) and access controls (RBAC).
- Management Group: "Platform"
  Policy: Enforce security and operational standards for shared services.
  - Subscription: "Connectivity"
    Hosts central networking infrastructure (Hub-and-Spoke model).
    - Resource Group: "rg-platform-connectivity"
      - Hub VNet: "vnet-hub-weu" (Region: West Europe)
        Central point for all network traffic.
        - AzureFirewallSubnet: Contains Azure Firewall (Zone-Redundant).
        - GatewaySubnet: For VPN/ExpressRoute gateway to on-premises.
        - AzureBastionSubnet: For secure RDP/SSH access to VMs.
        - Private DNS Zones: For services like Key Vault, ACR, etc. (e.g., privatelink.vaultcore.azure.net).
- Management Group: "Production"
  Policy: Enforce strict security, logging, and disallow certain VM SKUs.
  - Subscription: "Prod Environment"
    Hosts all production resources. Highly restricted access.
    - Resource Group: "rg-prod-app-services"
      - Spoke VNet: "vnet-prod-spoke" (Region: West Europe)
        VNet Peering: Connected to "vnet-hub-weu".
        Route Table (UDR): Forces traffic through the Hub Firewall.
        - snet-aks-nodes: For AKS node pools.
        - snet-private-endpoints: For all Private Endpoints.
      - AKS Cluster: "aks-prod-main"
        Integrates with "vnet-prod-spoke" (snet-aks-nodes).
        RBAC: Grant "app-cicd-prod" the AKS Cluster User Role.
        AZ: Deployed across Availability Zones 1, 2, 3.
      - ACR: "acr-prod-main"
        RBAC: Grant "app-cicd-prod" the AcrPush role.
        Network: Accessed via Private Endpoint in "snet-private-endpoints".
      - Key Vault: "kv-prod-secrets"
        RBAC: Grant relevant SPs the Secrets User role.
        Network: Accessed via Private Endpoint in "snet-private-endpoints".
- Management Group: "Non-Production"
  Policy: More flexible policies for development and testing.
  - Subscription: "QA Environment"
    - Resource Group: "rg-qa-app-services"
      - Spoke VNet: "vnet-qa-spoke" (Region: West Europe)
        VNet Peering: Connected to "vnet-hub-weu".
        - snet-aks-nodes: For QA AKS nodes.
        - snet-private-endpoints: For QA Private Endpoints.
      - AKS, ACR, Key Vault...: Resources configured with QA identities and Private Endpoints in "snet-private-endpoints".
  - Subscription: "Dev Environment"
    - Resource Group: "rg-dev-user-a"
      - Spoke VNet: "vnet-dev-spoke" (Region: West Europe)
        VNet Peering: Connected to "vnet-hub-weu".
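As an added example (not from the original post), a small Python audit of two of the invariants the model above encodes: every spoke is peered to "vnet-hub-weu", the prod spoke's UDR sends its default route to the hub firewall, and each CI/CD service principal holds roles only in its own environment. The inventory, the route-table representation, and the naming rule used to derive an environment from a resource name are assumptions made for the example.

```python
# Added example, not from the original post: an offline audit of the hub-and-spoke and
# per-environment identity rules above. Inventory is constructed from the diagram; the
# dev-spoke peering gap and the QA-on-prod role grant are deliberate test cases.
from dataclasses import dataclass, field

HUB = "vnet-hub-weu"
FIREWALL_ROUTE = ("0.0.0.0/0", "VirtualAppliance")  # UDR entry: default route to the hub firewall

@dataclass
class Spoke:
    name: str
    env: str                                       # "prod", "qa" or "dev"
    peered_to: list = field(default_factory=list)  # VNets this spoke is peered with
    routes: list = field(default_factory=list)     # (prefix, next-hop type) pairs, assumed shape

# Constructed inventory mirroring the diagram; vnet-dev-spoke is missing its hub peering on purpose.
SPOKES = [
    Spoke("vnet-prod-spoke", "prod", [HUB], [FIREWALL_ROUTE]),
    Spoke("vnet-qa-spoke", "qa", [HUB]),
    Spoke("vnet-dev-spoke", "dev"),
]

# (principal, role, resource) triples. Names follow the diagram's <type>-<env>-<name> pattern,
# so the environment segment on each side can be compared; the QA grant on the prod ACR
# is a constructed violation of the "scoped per environment" rule.
ROLE_ASSIGNMENTS = [
    ("app-cicd-prod", "AcrPush", "acr-prod-main"),
    ("app-cicd-prod", "AKS Cluster User Role", "aks-prod-main"),
    ("app-cicd-qa", "AcrPush", "acr-prod-main"),
]

def check_network(spokes, hub=HUB):
    """Every spoke must peer to the hub; the prod spoke must also force egress through the firewall."""
    findings = []
    for s in spokes:
        if hub not in s.peered_to:
            findings.append(f"{s.name}: not peered to {hub}")
        if s.env == "prod" and FIREWALL_ROUTE not in s.routes:
            findings.append(f"{s.name}: no UDR sending 0.0.0.0/0 to the hub firewall")
    return findings

def check_identity_scoping(assignments):
    """A CI/CD service principal may only hold roles on resources in its own environment."""
    findings = []
    for principal, role, resource in assignments:
        p_env, r_env = principal.rsplit("-", 1)[-1], resource.split("-")[1]
        if p_env != r_env:
            findings.append(f"{principal}: {role} on {resource} crosses {p_env} -> {r_env}")
    return findings
```

Run both checks over a real inventory exported from the tenant and the findings list is what an Azure Policy assignment or a pipeline gate would block on.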