Disciplines · 02 · Infrastructure

The landing zone is the work.

Most of what goes wrong in Azure goes wrong before any workload is deployed. A landing zone built as the apps land — a VNet bolted on here, a public endpoint left there, RBAC figured out later — is one that has to be rebuilt later at a cost the business did not plan to absorb. The cheapest landing zone is the one done properly the first time.

The diagnostic

The conversation changes with who's in the room.

Cloud conversations fail when the framing doesn't match the audience. Three rooms, three different things we most often have to un-teach before anything useful happens.

For infra teams

"It's someone else's datacenter."

The usual objection is that the cloud is inherently less secure. In almost every case it isn't — it's just a datacenter you don't have to walk into. The controls are different, not absent. Once the metaphor clicks, the conversation gets productive.

For developers

"Your code running isn't proof."

If the app responds, the job feels done — and then someone walks away. We point out that a working endpoint doesn't prove the platform underneath it is set up right. The work still ahead is the platform, not the code.

For execs

"Doing it twice costs more."

The question that matters financially is whether it's cheaper to do the landing zone right up front or to go back in two years and unwind what's been built on top of the wrong foundation. It almost never is.

What wrong looks like

When there's no platform underneath.

We see the same pattern so often it has a shape to it. No virtual network. Disparate applications wired up to "backend" resources — Azure SQL, storage accounts — over public endpoints. Nothing on a private IP. Nothing that resembles a topology. The team has organized the mess into resource groups and believes that is, in some sense, networking.

It isn't. It's a tag structure. Azure will happily let you run this way for years, and the bill will grow, and the risk will grow with it, because each service is reaching the others the same way your mother's laptop reaches them — over the internet.

The shortest version Resource groups aren't networking. They're folders. If there's no VNet and nothing is on a private endpoint, there is no platform — just resources, priced by the minute, facing the open internet.
What right looks like

The six that hold the rest up.

There's a lot that could be in a landing zone. These are the six we insist on — the ones that make the rest of the architecture possible and that are painful to add later once workloads depend on them.

  • Private networking, done firstPrivate endpoints on PaaS. NAT gateway where egress needs deterministic addressing. Nothing important on a public IP.
  • Hub-and-spoke topologyA shared hub for gateway, firewall, and cross-cutting services; spokes per workload or environment. The shape most things assume you have.
  • RBAC, not point-and-clickAccess granted to Entra groups, not individuals. Role assignments documented, reviewed, and scoped to the smallest surface that works.
  • Identity integration with EntraManaged identities on anything that can use one. No shared service principals passed around in connection strings. Admin access gated through the identity story, not around it.
  • Policy baseline — when it earns itAzure Policy gets layered in where the governance story calls for it, not stamped on by default. Enforced where the business needs guarantees; reporting-only where it doesn't yet.
  • Environment separation at the subscriptionOperations, development, production in separate subscriptions. Blast radius matters more than convenience when a deploy goes wrong.
The signature visual

The same picture, made readable.

Microsoft's Cloud Adoption Framework landing zone diagram is an honest attempt at a complete picture — and for most SMBs it's unreadable. Too many boxes, too much terminology, too little sense of which pieces matter for you. A good engagement ends with that same diagram on a page the client can actually read.

As it arrives

The daunting picture

A busy grid representing the dense Microsoft CAF landing zone diagram

Every CAF module, every reference architecture, every governance control shown at once. Technically complete. Not something you can build a plan from.

What you walk out with

The readable version

A simplified landing zone: a management group framing a hub VNet and three environment subscriptions, with the six opinionated pillars as a labeled grid beneath MANAGEMENT GROUP Prod · sub Dev · sub Hub VNet Ops · sub THE OPINIONATED SIX 01 Private networking Endpoints · NAT 02 Hub-spoke topology Hub, spokes per env 03 RBAC Entra groups, scoped 04 Identity Managed IDs, Entra-first 05 Policy baseline Where it earns it 06 Environment separation By subscription

The same picture, trimmed to what matters for a business this size. One management group, one hub, three environment subscriptions — and the six pillars that hold it up, labelled. Something you can actually explain to a board.

How it usually starts

The three moments infrastructure comes up.

Nobody calls about a landing zone for its own sake. Infrastructure conversations are almost always downstream of a business decision, a failed attempt, or a quiet suspicion that the current setup isn't where it should be.

Moment 01

The translation moment

"We want to modernize, but the way we're set up on-prem doesn't translate to the cloud — or doesn't work in the cloud at all." The realization that a lift-and-shift isn't going to get them where they want to be. This is almost always where Infrastructure comes first and Migration comes after.

Moment 02

The dev-shop moment

A development team has been spinning up App Services and VMs as the apps need them. They've organized everything into resource groups and believe the environment is structured. It isn't. Someone senior has started asking questions, and nobody on the team has good answers.

Moment 03

The second-opinion moment

An IT team has put some resources into Azure, the business wants to be more cloud-forward, and they want us to look at what's there and say honestly whether they're on the right track — before more gets built on top.

What you walk out with

The design, plus the shared language to run it.

Every engagement wraps with a set of artefacts designed to outlive the project — and, for teams newer to Azure, the shared vocabulary to maintain what they've been handed.

  • Target landing zone designThe "readable" version of the CAF picture, tuned to your business and signed off
  • Topology diagramHub-and-spoke, IP addressing, peering, routing, egress — the network on one page
  • RBAC modelEntra groups, role assignments, scope boundaries — documented, not tribal
  • Azure Policy baselineWhen the governance story calls for it — with clear notes on what's enforced vs. reporting-only
  • Mental-model translationFor teams newer to Azure: parallels to what they already know — App Services are the Windows server with IIS, App Service Plans are the box it runs on, subscriptions are the container the environment lives in
  • Phased rolloutAn order of operations for getting existing workloads onto the landing zone without tearing the business down in the process
"Resource groups aren't networking. They're folders. A room full of folders isn't an office — and a subscription full of resources talking to each other over the public internet isn't a platform." Why the foundation matters

Connected to

05 · Migration

Migration at the cutover

You don't migrate into a mess. The landing zone comes first.

 10 · Strategic Direction

Three-year direction

The landing zone is strategy expressed in infrastructure. The roadmap is where both get written.

 04 · Security

Posture & incident response

Private networking is the first security control, not the last.

 12 · Budgeting

IT budgeting

The shape of the landing zone is the shape of the cloud bill.

Book a call

Azure estate drifting?

If you've been building in Azure and the nagging feeling is that it's not quite right — or you're about to start and want to make sure the first decisions are the right ones — that's the conversation to have before more workloads land on top.

Book a discovery call

Or reach us directly: info@fouronesixit.ca · (647) 371-0400