How to build a Landing Zone in Azure with our construction-kit

All beginnings are difficult. This is particularly true for your first cloud project. The sheer amount of settings, in order to provide a safe, compliant and productive environment for your organization, is almost overwhelming.

To turn your cloud journey from “zero to hero”, we equip you with our cloud superpowers: our Landing Zone construction-kit enables Enterprise Architects and Platform Engineers to deploy a Landing Zone from scratch.

Exploit the full potential of the cloud

In this blog post we want to show you how you can build a ready to use Landing Zone with our Landing Zone construction-kit and become the hero your company needs!

But before we are getting into the demo, let’s see how Landing Zones help your organization getting started on their cloud journey and how you can exploit the full potential of the cloud.

By enabling the DevOps teams in your company to build scalable applications without compromising security or compliance, Landing Zones are perfect for any greenfield cloud project.

Landing zone Heroes

Benefits of using Landing Zones

  • Ensuring security & compliance
  • Preventing misconfiguration of cloud environments
  • Supporting cloud-native services
  • Saving platform engineering resources
  • Ruling the huge surface area of cloud services

Do you really need it? Test yourself!

If you're not convinced whether Landing Zones are what you need, then you might check if you find yourself in one of the following scenarios:

  • If you are uncertain what a good base security configuration is…
  • If your application teams are hesitant when it comes to the cloud, as they are not familiar with the services…
  • If you are in lack of resources for the implementation of automation and security assets...

… then Landing Zones are what you and your organization need. Now, after seeing what superpowers our Landing Zone construction-kit holds for you, let’s get down to business and create a ready to use Landing Zone in Azure.

How to: Building a Landing Zone in Azure

meshcloud has developed a lightning fast way to build an out-of-the-box Landing Zone with a Landing Zone-Kit. Keep on reading or check our video to see how to get a working Landing Zone in Azure with all basic resources that are typically included.

Azure Landing Zones Terraform Module

Building a Landing Zone in Azure can be a daunting task, especially since Microsoft provides various options to pursue, from Azure resource manager (ARM) templates to Terraform modules. If you’d like to see how the different ways compare, check out our Azure Landing Zone Comparison. In the end, any approach will implement the Azure Landing Zone conceptual architecture (also called enterprise scale in other contexts), or part of it.

Azure Landing Zone conceptual architecture

That already seems like a lot, doesn’t it? Certainly not something that a solo Platform Engineer or an Enterprise Architect will find easy to do. But that’s fine, since Azure already has a ready-to-use Terraform module that will create the baseline of that architecture (image below).

Azure Landing Zone conceptual architecture (Azure enterprise-scale Terraform Module)
Azure Landing Zone conceptual architecture (Azure enterprise-scale Terraform Module)

There are many good reasons to start out with Azure Landing Zones Terraform module:

  • Microsoft recommends it for most organizations.
  • It is lightweight, and quick to deploy.
  • Their repository includes a Wiki with detailed examples to use.
  • It paves your way to adopting GitOps from the get go.
  • It prepares your Landing Zones setup for scale.

There are some remaining questions which are not answered by using this module:

  • How can I store the terraform state of this module?
  • How can I restrict access to the terraform state file to specific users?
  • As a Platform Engineer or an Enterprise Architect, I have other resources I want to include to my cloud foundation that are not covered by this module, how can I do that?

These questions are answered by the previously mentioned Landing Zone Construction-Kit. In the next section, we will explain how to use this tool to become the new superhero by setting up a new Landing Zone with only a few quick commands.

In one hour, you will have ready-to-use Landing Zones to start your compliant and secure Cloud Journey.

How to: Using the Landing Zone construction-kit to build Landing Zones in Azure

We will utilize the collie command line tool. We are using collie because it gives you a fully automated deployment process and requires very few manual steps from your side. Let’s jump in.

Prerequisites

Before building Landing Zones we will need to have the following:

  • An Azure Active Directory (AAD) Tenant
  • An Azure subscription
  • A high privileged user (With Global Administrator role and User Access Admin on the root management group)

Preparation

Follow collie-cli installation guidelines to install collie-cli. After that, we will check that collie works properly.

  1. collie -V

We see that collie is installed, and is also checking if all dependencies are installed.

After installing collie and its required dependencies, login with az cli to the AAD tenant where you will deploy your landing zones.

  1. az login --tenant <aadTenantPrimaryDomain>

Configuration
At the beginning you will want to create a new cloud foundation with collie which makes it super simple to organize your code and later manage multiple of them.

  1. mkdir cloudfoundation && cd cloudfoundation
  2. collie init
  3. collie foundation new tutorial

When creating your new tutorial foundation you will go into interactive mode and be prompted to add a new cloud platform and configure it for your foundation.

Save and exit
Save and exit

As you can see from the screenshots above, first select add cloud platform, then choose Azure as your new platform, and finally configure your cloud platform and the Azure subscription that you will create all resources in.

Once you’re done, select save and exit.

Bootstrapping Action

Now, in order to actually build a Landing Zone, we simply make use of the Azure Landing Zones Terraform Module and include it in the Landing Zone construction-kit framework.

Let’s execute the following:

  1. collie kit bundle tutorialbundle
Selecting the KitBundle for Azure Enterprise Scale Modules
Selecting the KitBundle for Azure Enterprise Scale Modules
Configuring the KitBundle
Configuring the KitBundle

What this does is the following:

  1. Downloads the required kits (bootstrap and base)
  2. Queries basic information required to configure the inputs of your foundation. These are inputs that will be passed to the downloaded kits.
  3. Bootstraps your foundation; by creating an Azure object storage to store Terraform state and creating a service principal with required permissions to deploy your Landing Zones. This will also reconfigure the Terraform backend, and prompt you to migrate the Terraform state to the newly created storage!
Bootstraping at work: Terraform asks to migrate its state to the new remote storage
Bootstraping at work: Terraform asks to migrate its state to the new remote storage

Rolling out the Landing Zone

Now all you need to do is to deploy your Landing Zones with this command:

  1. collie foundation deploy tutorial --module base
Collie instructs Terraform to rollout Azure Enterprise Scale-Kit
Collie instructs Terraform to rollout Azure Enterprise Scale-Kit

This uses the previously configured inputs to deploy the Azure Zanding Zone Terraform module. It will take roughly 30 minutes to create all the cloud resources.

That's it!

Now you have deployed your Landing Zones with our bootstrap module and Azure Enterprise Scale module

  • You have your Terraform state managed in your new object storage
  • Access to that storage is restricted to specific users (those included in the foundation platform engineers group).
  • Your foundation has everything defined as code and you can utilize the Landing Zone Construction Kit to update your Zanding Zones.

How great is that? Almost no work starting from nothing to deploying your first Landing Zones that can otherwise take days, weeks or even longer! And the best thing is that everything is kept open and modular, so you can adopt the Landing Zone to your wishes and make it your own. But you have been kick-started with all the best practices recommended and developed by Azure.

What's next?

You have seen how easy it is now to set up a working Azure Landing Zone that follows Azure’s best practices. Now, you have everything at hand to go from “zero to hero”. Deploying Landing Zones, that is day 1 of Cloud Landing Zones lifecycle, is already a huge step towards a smooth cloud journey. But what about operating them (i.e. day 2)?

On a larger scale, when deploying multiple Landing Zones, their management becomes essential. Upgrading your Landing Zones when new functionalities arrive, when a fix is needed, or when a new security vulnerability is identified should be as fast and effortless as possible. This is where meshcloud’s meshStack comes into play.

Book a demo now!