What is an Azure Landing Zone?

  • jermainegreen
  • Sep 2, 2022
  • 6 min read

Updated: Sep 6, 2022

An Azure Landing Zone is the pre-configured environment (subscriptions, networking, identity, policy and monitoring) into which workloads are deployed, so that your organization can perform and manage its cloud migration efficiently. Within a landing zone you select the parameters, or guardrails, that determine how your data and applications may be used in the cloud.

A landing zone in your Azure environment accounts for scale, security, governance, networking, and identity. Azure landing zones enable application migration, modernization and innovation at enterprise scale. These are the necessary building blocks for any successful cloud adoption strategy. Compare it with building a new house: the plot, utilities and foundations have to be in place before construction of the house itself can begin.


Sample Architecture Solution Diagram:




Virtual Network (VNet)

Azure Virtual Network (VNet) is the foundation of cloud architectures and applications, since it enables you to access, connect, secure, and modify cloud resources. It is the building block for your private network in Azure. A VNet enables many types of Azure resources, such as Azure Virtual Machines (VMs), to securely communicate with each other, the internet, and on-premises networks. A VNet is similar to a traditional network that you'd operate in your own data center, but brings with it additional benefits of Azure's infrastructure such as scale, availability, and isolation.

The main purpose of Virtual Networks is to act as a communication channel between resources launched in the cloud.


Why Virtual?

Because you never see or manage the physical routers and switches: the VNet is a software-defined overlay that Azure's fabric implements on shared hardware, so routing, switching and the isolation between tenants are enforced in software rather than by cables and devices you own.


Important considerations when creating a VNet in Azure:

  • Define an overarching private IP address space for the virtual network (it may consist of several ranges), then divide it into smaller subnets. The address space must not overlap with your on-premises networks or with any VNet you intend to peer with, because overlapping ranges cannot be routed between.

  • A VNet can use Azure-provided DNS or custom DNS servers; whichever you configure is handed out to resources automatically via DHCP.

  • Application Gateway, Azure Firewall and Azure Bastion each require a dedicated subnet. For Firewall and Bastion the name is fixed (AzureFirewallSubnet and AzureBastionSubnet, each /26 or larger), and a VPN or ExpressRoute gateway needs a subnet named GatewaySubnet.

  • VNet peering allows resources in different VNets to communicate over the Microsoft backbone, without a gateway or the public internet. Peering is not transitive: spoke A cannot reach spoke B through the hub unless the hub forwards the traffic, for example via Azure Firewall.

  • The address space cannot be changed while a peering is in place: you have to remove the peering, resize the range, and re-create the peering.
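The address-planning checks from the list above are easy to get wrong by hand, so here is an added example (not code from the original post) that validates a hub VNet plan before anything is deployed: the address space must be private and must not overlap on-premises or peered ranges, every subnet must sit inside the space, not overlap another subnet, and not be smaller than /29, and the subnets with fixed names must meet their minimum sizes. The on-premises ranges, peered VNet, hub address space and subnet layout are constructed sample inputs; the Bastion subnet is deliberately a /27 so that the check has something to find.

```python
import ipaddress

# Constructed sample inputs for a hub VNet plan (not from the original post).
ON_PREM_RANGES = ["10.0.0.0/16", "192.168.0.0/24"]
PEERED_VNET_RANGES = {"vnet-spoke-prod": ["10.2.0.0/16"]}

# Subnets that Azure requires to carry a fixed name, with the largest prefix
# length (i.e. smallest size) accepted: /26 for Azure Firewall and Bastion,
# /27 is the recommended minimum for GatewaySubnet.
RESERVED_SUBNETS = {
    "AzureFirewallSubnet": 26,
    "AzureBastionSubnet": 26,
    "GatewaySubnet": 27,
}
MIN_SUBNET_PREFIX = 29  # Azure's smallest supported subnet


def usable_hosts(cidr):
    """Azure reserves 5 addresses per subnet: network, gateway, two for DNS, broadcast."""
    return ipaddress.ip_network(cidr).num_addresses - 5


def plan_vnet(address_space, subnets, on_prem=ON_PREM_RANGES, peered=PEERED_VNET_RANGES):
    """Validate a VNet address plan; returns a list of problems (empty means OK)."""
    problems = []
    space = ipaddress.ip_network(address_space)
    if not space.is_private:
        problems.append(f"{space} is not a private (RFC 1918) range")
    # The VNet range must not collide with anything it will ever be connected to.
    for rng in on_prem:
        if space.overlaps(ipaddress.ip_network(rng)):
            problems.append(f"{space} overlaps on-premises range {rng}")
    for name, ranges in peered.items():
        for rng in ranges:
            if space.overlaps(ipaddress.ip_network(rng)):
                problems.append(f"{space} overlaps peered VNet {name} range {rng}")
    seen = []
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(space):
            problems.append(f"subnet {name} {net} is outside the VNet address space {space}")
        if net.prefixlen > MIN_SUBNET_PREFIX:
            problems.append(f"subnet {name} {net} is smaller than the /{MIN_SUBNET_PREFIX} minimum")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"subnet {name} {net} overlaps subnet {other_name} {other}")
        seen.append((name, net))
        required = RESERVED_SUBNETS.get(name)
        if required is not None and net.prefixlen > required:
            problems.append(f"{name} is /{net.prefixlen}; Azure needs /{required} or larger")
    return problems


# Constructed hub plan with one deliberate mistake: the Bastion subnet is a /27.
HUB_ADDRESS_SPACE = "10.1.0.0/16"
HUB_SUBNETS = {
    "AzureFirewallSubnet": "10.1.0.0/26",
    "AzureBastionSubnet": "10.1.0.64/27",
    "GatewaySubnet": "10.1.1.0/27",
    "snet-app": "10.1.10.0/24",
}


def check_hub_plan():
    return plan_vnet(HUB_ADDRESS_SPACE, HUB_SUBNETS)


if __name__ == "__main__":
    for problem in check_hub_plan() or ["plan OK"]:
        print(problem)
    print("usable hosts in snet-app:", usable_hosts(HUB_SUBNETS["snet-app"]))
```

Run it against the plan for every VNet before it goes into a template; the overlap check is the one that matters most, because an overlapping range is only discovered when the peering or the VPN connection is created, long after the VNet exists.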


Network Security Groups

You can use an Azure network security group (NSG) to filter network traffic to and from Azure resources in a virtual network. An NSG contains security rules that allow or deny inbound traffic to, or outbound traffic from, several types of Azure resources. For each rule you specify the source and destination, port, protocol, and a priority between 100 and 4096; rules are evaluated in priority order (lowest number first) and the first match wins, so a Deny at priority 100 cannot be undone by an Allow at priority 200. NSGs are stateful: return traffic for an allowed connection is permitted automatically.

Source and destination can be an IP address or CIDR range, a service tag (such as VirtualNetwork, Internet or AzureLoadBalancer), or an Application Security Group (ASG). An NSG can be associated with a subnet or directly with a NIC; when both exist, inbound traffic must be allowed by the subnet NSG and then by the NIC NSG, and outbound traffic by the NIC NSG and then by the subnet NSG.


Default rules

All network security groups contain a set of default rules: three inbound (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) and three outbound (AllowVnetOutBound, AllowInternetOutBound, DenyAllOutBound). You cannot delete them, but they carry priorities of 65000 and above, far behind the 100-4096 range available to your own rules, so any rule you create is evaluated first and overrides them. Note the consequence: with only the defaults, nothing from the internet can reach a VM, but a VM can reach the internet freely, so a landing zone that wants to control egress has to add an explicit deny or route the traffic through a firewall.
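To make the priority-order and default-rule behaviour concrete, here is an added example (my code, not the post's) that models NSG evaluation: the six default rules with their real priorities, a small set of user rules, service-tag expansion for VirtualNetwork, Internet and AzureLoadBalancer, and a first-match evaluator. The VNet prefixes, the rule set and the test flows are constructed; the rule set contains a deliberate ordering mistake, a broad Deny for port 22 at priority 110 that shadows the Allow for on-premises SSH at priority 120, which is exactly the kind of error the evaluator makes visible.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: what the VirtualNetwork service tag expands to for this VNet
# (its own space, a peered spoke and the on-premises range reachable via the gateway).
VIRTUAL_NETWORK = [ipaddress.ip_network(p) for p in ("10.1.0.0/16", "10.2.0.0/16", "10.0.0.0/16")]
# The AzureLoadBalancer tag resolves to the platform's health-probe source address.
AZURE_LOAD_BALANCER = ipaddress.ip_address("168.63.129.16")


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int      # 100-4096 for user rules; lower number is evaluated first
    direction: str     # "Inbound" or "Outbound"
    access: str        # "Allow" or "Deny"
    protocol: str      # "Tcp", "Udp", "Icmp" or "*"
    source: str        # CIDR, service tag or "*"
    destination: str
    dest_port: str     # "*", "443", "22-23" or "80,443"


# The six default rules every NSG carries; priority 65000+ so user rules win.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*", "*"),
    Rule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*", "*"),
    Rule("AllowVnetOutBound", 65000, "Outbound", "Allow", "*", "VirtualNetwork", "VirtualNetwork", "*"),
    Rule("AllowInternetOutBound", 65001, "Outbound", "Allow", "*", "*", "Internet", "*"),
    Rule("DenyAllOutBound", 65500, "Outbound", "Deny", "*", "*", "*", "*"),
]


def _address_matches(ip, selector):
    ip = ipaddress.ip_address(ip)
    if selector == "*":
        return True
    if selector == "VirtualNetwork":
        return any(ip in net for net in VIRTUAL_NETWORK)
    if selector == "Internet":  # everything not covered by the VirtualNetwork tag
        return not any(ip in net for net in VIRTUAL_NETWORK)
    if selector == "AzureLoadBalancer":
        return ip == AZURE_LOAD_BALANCER
    return ip in ipaddress.ip_network(selector, strict=False)


def _port_matches(port, selector):
    if selector == "*":
        return True
    for part in selector.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(user_rules, direction, src, dst, port, protocol):
    """Return (access, rule name) for a flow: first match in priority order wins."""
    rules = sorted((r for r in list(user_rules) + DEFAULT_RULES if r.direction == direction),
                   key=lambda r: r.priority)
    for r in rules:
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if (_address_matches(src, r.source) and _address_matches(dst, r.destination)
                and _port_matches(port, r.dest_port)):
            return r.access, r.name
    raise RuntimeError("unreachable: the DenyAll default rules always match")


# Constructed rule set. Note the ordering mistake: deny-ssh-in (110) shadows
# allow-ssh-from-onprem (120), so on-premises admins are locked out of SSH.
WEB_NSG = [
    Rule("allow-https-in", 100, "Inbound", "Allow", "Tcp", "Internet", "*", "443"),
    Rule("deny-ssh-in", 110, "Inbound", "Deny", "Tcp", "*", "*", "22"),
    Rule("allow-ssh-from-onprem", 120, "Inbound", "Allow", "Tcp", "10.0.0.0/16", "*", "22"),
]

if __name__ == "__main__":
    vm = "10.1.10.4"
    for src, port in [("203.0.113.7", 443), ("203.0.113.7", 3389), ("10.2.0.4", 8080), ("10.0.0.5", 22)]:
        print(src, port, "->", evaluate(WEB_NSG, "Inbound", src, vm, port, "Tcp"))
```

The fix for the shadowed rule is to give the specific Allow the lower number (for example 110) and the broad Deny the higher one; the evaluator is also a cheap way to confirm that an NSG still lets the AzureLoadBalancer probes through after you tighten it, since blocking 168.63.129.16 breaks load-balancer health checks.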


Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability; it filters traffic between VNets, on-premises networks and the internet.


Key Features of Azure Firewall:


· Built-in high availability

· Availability Zones

· Unrestricted cloud scalability

· Application FQDN filtering rules

· Network traffic filtering rules

· FQDN tags

· Service tags

· Threat intelligence

· Outbound SNAT support

· Inbound DNAT support

· Multiple public IP addresses

· Azure Monitor logging

· Forced tunnelling

· Web categories (preview)

· Certifications


  • Network rules allow or deny traffic based on source and destination IP address (or service tag), port, and protocol. As mentioned above, Azure Firewall is fully stateful, so return traffic for an allowed connection does not need its own rule.

  • NAT: outbound traffic from the VNet to the internet is automatically SNATed to one of the firewall's public IPs (by default only when the destination is not an RFC 1918 private range), while DNAT rules translate inbound traffic arriving on a firewall public IP and port to a private IP and port inside the VNet.

  • Application rules filter HTTP, HTTPS and MSSQL traffic based on fully qualified domain names, with wildcard support (for example *.microsoft.com). For HTTPS the firewall matches on the server name in the TLS handshake unless TLS inspection is enabled on the Premium SKU.

  • The threat intelligence feature alerts on, or blocks, traffic to and from malicious IPs and domains, sourced from Microsoft's threat intelligence feed.

  • Azure Firewall is fully integrated with Azure Monitor for logging and analytics; send its logs to a Log Analytics workspace so that rule hits and threat-intelligence alerts are available to the SOC.

  • Rules are processed in the order DNAT, then network, then application. A firewall policy can apply to traffic from any number of subnets, but traffic only reaches the firewall if a route table (user-defined route) on each subnet sends it to the firewall's private IP as next hop, typically 0.0.0.0/0 with next hop type "Virtual appliance".
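The last point is the one that most often bites in a hub-and-spoke landing zone: the firewall only inspects what routing delivers to it. Here is an added example (my code, not from the post) that models Azure's route selection for a subnet, longest prefix match first and then User over BGP over System for equal prefixes, plus the firewall's default SNAT decision. The VNet, the firewall's private IP, the BGP-learned on-premises route and the route tables are constructed; the example shows that a 0.0.0.0/0 UDR catches internet-bound traffic, but that traffic to other subnets in the same VNet and to on-premises prefixes learned over the gateway still bypasses the firewall until a more specific UDR is added.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop_type: str               # "VirtualNetwork", "Internet", "VirtualAppliance", "VirtualNetworkGateway"
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance
    origin: str = "System"           # "User" (route table), "BGP" or "System"


# For the same prefix Azure prefers User > BGP > System; across prefixes the longest match wins.
_ORIGIN_RANK = {"User": 3, "BGP": 2, "System": 1}


def system_routes(vnet_address_space):
    """The default routes Azure installs in every subnet of a VNet (constructed subset)."""
    return [Route(vnet_address_space, "VirtualNetwork"), Route("0.0.0.0/0", "Internet")]


def next_hop(routes, destination):
    """Pick the effective route for a destination: longest prefix, then origin rank."""
    dst = ipaddress.ip_address(destination)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst not in net:
            continue
        key = (net.prefixlen, _ORIGIN_RANK[r.origin])
        if best is None or key > best[0]:
            best = (key, r)
    chosen = best[1]
    return chosen.next_hop_type, chosen.next_hop_ip


RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def firewall_will_snat(destination):
    """Azure Firewall SNATs to its public IP unless the destination is an RFC 1918 address."""
    dst = ipaddress.ip_address(destination)
    return not any(dst in net for net in RFC1918)


# Constructed hub: VNet 10.1.0.0/16, firewall private IP 10.1.0.4 (first usable in AzureFirewallSubnet),
# on-premises 10.0.0.0/16 learned over the VPN gateway via BGP.
HUB_VNET = "10.1.0.0/16"
FIREWALL_PRIVATE_IP = "10.1.0.4"
BASE_ROUTES = system_routes(HUB_VNET) + [Route("10.0.0.0/16", "VirtualNetworkGateway", origin="BGP")]

# snet-app with no route table: internet-bound traffic bypasses the firewall.
APP_SUBNET_NO_UDR = BASE_ROUTES
# snet-app with the usual default route forced through the firewall.
APP_SUBNET_ROUTES = BASE_ROUTES + [Route("0.0.0.0/0", "VirtualAppliance", FIREWALL_PRIVATE_IP, "User")]
# snet-app with an additional specific UDR so on-premises traffic is inspected too.
APP_SUBNET_FULL_INSPECTION = APP_SUBNET_ROUTES + [
    Route("10.0.0.0/16", "VirtualAppliance", FIREWALL_PRIVATE_IP, "User"),
]

if __name__ == "__main__":
    for dst in ("203.0.113.10", "10.1.10.9", "10.0.0.5"):
        print(dst, "| no UDR:", next_hop(APP_SUBNET_NO_UDR, dst),
              "| default UDR:", next_hop(APP_SUBNET_ROUTES, dst),
              "| full inspection:", next_hop(APP_SUBNET_FULL_INSPECTION, dst),
              "| SNAT at firewall:", firewall_will_snat(dst))
```

When you need east-west inspection between subnets of the same VNet, the same logic applies: add a UDR for each peer subnet (or for the whole VNet space, with the firewall's own subnet excluded) pointing at the firewall, otherwise the system VirtualNetwork route wins on prefix length and the traffic never leaves the VNet fabric.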


VPN Gateway

Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs, in the same way you would connect a remote branch office. It is a specific type of virtual network gateway used to send encrypted traffic over the public Internet, and also between Azure VNets. The connection uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).


Key Features

  • Azure VPN Gateway supports both policy-based and route-based connections.

  • Route-based gateways use IKEv2 with any-to-any traffic selectors, support multiple site connections to a single gateway, and are dynamic-routing gateways (they can exchange routes with the on-premises device over BGP).

  • Policy-based gateways use IKEv1, support only one Site-to-Site connection and no Point-to-Site, and are static-routing gateways; they exist mainly for compatibility with legacy VPN devices.

Azure VPN Gateway supports

  1. Site-to-Site

  2. Point-to-Site

  3. VNet-to-VNet

  4. Multi-Site

  5. Coexistence with Microsoft Azure ExpressRoute (a VPN gateway alongside an ExpressRoute gateway in the same VNet, for example as a failover path for the circuit).


  • The gateway requires its own subnet, which must be named GatewaySubnet; /27 or larger is recommended.

  • A spoke VNet can reach the on-premises network through the hub VNet's gateway: enable "Allow gateway transit" on the hub side of the peering and "Use remote gateways" on the spoke side. A VNet can use only one gateway, its own or a remote one, so spokes that rely on the hub must not deploy a gateway of their own.


Application Gateway

  • Azure Application Gateway is a layer-7 web traffic load balancer that enables you to manage and secure inbound traffic to your web applications.

  • Application Gateway terminates SSL/TLS at the gateway, after which traffic typically flows unencrypted to the backend servers unless end-to-end TLS is configured.

  • Path-based routing allows you to distribute web traffic based on the URL path to different backend pools.

  • The redirection feature can forward traffic between listeners, for example from HTTP to HTTPS, or to an entirely different URL.

  • SSL offloading moves the TLS encryption/decryption work from the web servers to the gateway. End-to-end TLS can also be configured, in which case the gateway re-encrypts traffic to the backend and must trust the backend's certificate.

  • Application Gateway Standard_v2 and WAF_v2 support autoscaling and can scale out or in based on changing traffic load patterns.

  • A v2 Application Gateway can span multiple Availability Zones, offering better fault resiliency and removing the need to provision separate Application Gateways in each zone.

  • The WAF SKU adds a web application firewall based on the OWASP Core Rule Set, protecting against common attacks such as SQL injection and cross-site scripting; custom rules can also be created. Run it in Detection mode first and review the logs before switching to Prevention, so that legitimate traffic is not blocked.


Azure Bastion

Azure Bastion is a Platform as a Service (PaaS) offering that lets you connect to an Azure virtual machine from your browser, providing secure and seamless RDP/SSH connectivity directly from the Azure portal over TLS (port 443). In a typical RDP connection the virtual machine needs a public IP address that is exposed to the world, and a client machine uses that IP and login credentials to connect. When you connect via Azure Bastion, your virtual machines do not need a public IP address, an agent, or special client software.

Bastion provides RDP and SSH connectivity to all VMs in the virtual network in which it is provisioned and, because peering is supported, to VMs in peered VNets as well, which is why a single Bastion host in the hub can serve every spoke. Using Azure Bastion protects your virtual machines from exposing RDP/SSH ports to the outside world, while still providing access over RDP/SSH; combine it with an NSG that allows 22 and 3389 only from the AzureBastionSubnet.


Landing Zones Considerations

The fundamental choices you will need to make in your Landing Zone will differ for each workload and for each organization. For example if you are going to use Azure Compute, ensure you are maximizing your efforts in automating the management and administration of these systems.


Governance

Governance is where the guardrails mentioned at the start are enforced. In Azure this is done with a management group hierarchy and Azure Policy: policy assignments at the management-group level (for example, denying public IP addresses on network interfaces, requiring a network security group on every subnet, or restricting the regions resources may be deployed to) apply to every subscription placed underneath, so each landing zone inherits the same controls without per-subscription configuration. Role-based access control (RBAC) assignments at the same levels keep permissions consistent and aligned with least privilege.


Infrastructure as Code (IaC)

The Azure Portal is a great graphical interface while you are still learning Azure; it offers good insight into the different options and how they relate to each other. Landing zones, however, should be created in code, for example as Azure Resource Manager (ARM) templates or Bicep files. Azure Resource Manager lets you provision resources using a declarative template: in a single template you can deploy multiple services along with their dependencies, and the same template can be redeployed to produce identical environments. An alternative is Terraform, an open-source, cloud-agnostic infrastructure as code (IaC) tool that enables you to safely and predictably create, change, and improve infrastructure. Keep the templates in version control and deploy them through a pipeline, so that every change to the landing zone is reviewed and auditable.
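One advantage of having the landing zone in a template is that the guardrails can be checked before deployment. Here is an added example (my code, not from the post or from any Microsoft tool) that lints a small ARM template against three of the rules discussed on this page: reserved subnets must carry their exact names, every ordinary subnet must have a network security group, and no network interface may have a public IP attached, since Bastion is the intended access path. The template is a constructed fragment using the real ARM resource types and property names, with two deliberate defects for the linter to find; the template, resource names and the guardrail set are assumptions of the example.

```python
import json

# Constructed ARM template fragment (not from the original post) with two
# deliberate defects: snet-db has no NSG, and nic-web01 carries a public IP.
TEMPLATE = json.loads("""
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2022-01-01",
      "name": "vnet-hub",
      "properties": {
        "addressSpace": {"addressPrefixes": ["10.1.0.0/16"]},
        "subnets": [
          {"name": "AzureFirewallSubnet", "properties": {"addressPrefix": "10.1.0.0/26"}},
          {"name": "AzureBastionSubnet", "properties": {"addressPrefix": "10.1.0.64/26"}},
          {"name": "GatewaySubnet", "properties": {"addressPrefix": "10.1.1.0/27"}},
          {"name": "snet-app", "properties": {"addressPrefix": "10.1.10.0/24",
             "networkSecurityGroup": {"id": "[resourceId('Microsoft.Network/networkSecurityGroups', 'nsg-app')]"}}},
          {"name": "snet-db", "properties": {"addressPrefix": "10.1.11.0/24"}}
        ]
      }
    },
    {
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2022-01-01",
      "name": "nic-web01",
      "properties": {"ipConfigurations": [{"name": "ipconfig1", "properties": {
        "privateIPAllocationMethod": "Dynamic",
        "publicIPAddress": {"id": "[resourceId('Microsoft.Network/publicIPAddresses', 'pip-web01')]"}}}]}
    }
  ]
}
""")

# Subnets whose names the platform services look up exactly; NSGs are not
# required on these (Azure Firewall and the gateway do not support them,
# Bastion needs its own dedicated rule set).
RESERVED_SUBNETS = {"AzureFirewallSubnet", "AzureBastionSubnet", "GatewaySubnet"}


def lint_template(template):
    """Return a list of findings against the landing-zone network guardrails."""
    findings = []
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if res["type"] == "Microsoft.Network/virtualNetworks":
            for subnet in props.get("subnets", []):
                name = subnet["name"]
                sprops = subnet.get("properties", {})
                # Flag near-miss names (case or spelling) because the services require the exact name.
                lookalike = next((r for r in RESERVED_SUBNETS if r.lower() == name.lower() and r != name), None)
                if lookalike:
                    findings.append(f"{res['name']}/{name}: reserved subnet must be named exactly {lookalike}")
                elif name not in RESERVED_SUBNETS and "networkSecurityGroup" not in sprops:
                    findings.append(f"{res['name']}/{name}: no network security group associated")
        elif res["type"] == "Microsoft.Network/networkInterfaces":
            for cfg in props.get("ipConfigurations", []):
                if "publicIPAddress" in cfg.get("properties", {}):
                    findings.append(f"{res['name']}/{cfg['name']}: public IP attached; use Bastion for access instead")
    return findings


if __name__ == "__main__":
    for finding in lint_template(TEMPLATE) or ["no findings"]:
        print(finding)
```

Checks like these belong in the pipeline that deploys the template, failing the build on any finding; the same three rules can then be enforced at runtime as Azure Policy assignments so that resources created outside the template are caught as well.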


Summary

As you can see, there are a lot of choices to be made. Therefore always determine the scope and purpose of your Landing Zone first. No single solution fits all technical environments. A few Azure landing zone implementation options can help you meet the deployment and operations needs of your growing cloud portfolio.

  • Scalable: All Azure landing zones support cloud adoption at scale by providing repeatable environments, with consistent configuration and controls, regardless of the workloads or Azure resources deployed to each landing zone instance.

  • Modular: All Azure landing zones provide a modular approach to building out your environment, based on a common set of design areas. Each design area can be easily extended to support the distinct needs of various technology platforms like SQL, Azure Kubernetes Service (AKS), Azure Virtual Desktop (AVD), etc.
