ALZ Deploy landing zones
It is now time to turn the lights ON 💡
At this point you have the necessary platform setup configured to support one or many Landing Zone(s) with the required definitions (Roles, Policies and PolicySet) and assignments (Roles and Policies).
Provisioning Landing Zone(s) means either creating a new subscription or moving an existing subscription to the desired Management Group; the platform will do the rest. In large environments with tens or hundreds of Landing Zones, the platform team can also delegate Landing Zone(s) to the respective business units and/or application portfolio owners while being confident that security, compliance and monitoring requirements are being met. Furthermore, the platform team may also delegate the necessary access permissions to business units and/or application portfolio owners, giving them self-service access to create their own Landing Zone(s):
- IAM roles to create new subscriptions
- Permission to place subscriptions in the appropriate Management Groups
Depending upon the reference implementation that's deployed, navigate to the appropriate Management Group under the "Landing Zones" Management Group and create or move an existing subscription. This can be done via the Azure Portal or PowerShell/CLI.
Business units and/or application portfolio owners can use their preferred tool chain - ARM, PowerShell, Terraform, Portal, CLI etc. for subsequent resource deployments within their respective Landing Zone(s).
To create a new subscription:
- In the Azure portal, navigate to Subscriptions
- Click 'Add', and complete the required steps to create a new subscription.
- When the subscription has been created, go to Management Groups and move the subscription into the Landing zones > Corp or Online Management Group
- Assign RBAC permissions for the application team/user(s) who will be deploying resources into the newly created subscription

To move an existing subscription:
- In the Azure portal, navigate to Management Groups
- Locate the subscription you want to move, and move it into the Landing zones > Corp or Online Management Group
- Assign RBAC permissions for the application team/user(s) who will be deploying resources into the subscription
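
The same two steps (move the subscription, then assign RBAC) through the Azure CLI route mentioned above, as an added example that is not part of the ALZ repository. The `contoso-corp` management group ID, the all-zero and all-one GUIDs and the `Contributor` role are constructed placeholders, and the check on management group IDs ending in `-corp` or `-online` is an assumption about your hierarchy.

```shell
#!/bin/sh
# Added example, not from the ALZ repository. Dry-run by default: prints the
# az commands; set APPLY=1 (after `az login`) to execute them.
GUID_RE='^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

is_guid() { printf '%s\n' "$1" | grep -Eq "$GUID_RE"; }

# Print the command, or execute it with its exact argv when APPLY=1.
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# place_landing_zone SUB_ID MG_ID PRINCIPAL_OBJECT_ID PRINCIPAL_TYPE ROLE
# The body is a subshell: variables stay local and `exit` only leaves the function.
place_landing_zone() (
  sub=$1 mg=$2 principal=$3 ptype=$4 role=$5
  is_guid "$sub" || { echo "invalid subscription id" >&2; exit 2; }
  is_guid "$principal" || { echo "invalid principal object id" >&2; exit 2; }
  # Assumption: management group IDs end in -corp / -online; adjust to your hierarchy.
  case $mg in
    *[!A-Za-z0-9-]*) echo "invalid management group id" >&2; exit 3 ;;
    *-corp|*-online) ;;
    *) echo "not a Corp/Online landing zone group: $mg" >&2; exit 3 ;;
  esac
  case $ptype in
    User|Group|ServicePrincipal) ;;
    *) echo "invalid principal type" >&2; exit 4 ;;
  esac
  [ -n "$role" ] || { echo "role required" >&2; exit 4; }
  scope="/subscriptions/$sub"
  # 1. Move the subscription under the landing zone management group.
  run az account management-group subscription add \
      --name "$mg" --subscription "$sub" || exit 1
  # 2. Grant the application team its role, scoped to this subscription only.
  run az role assignment create --assignee-object-id "$principal" \
      --assignee-principal-type "$ptype" --role "$role" --scope "$scope" || exit 1
  # 3. List what the principal now holds at that scope, for review.
  run az role assignment list --assignee "$principal" --scope "$scope" --output table
)

# Constructed sample values (placeholder GUIDs, hypothetical "contoso" prefix).
place_landing_zone 00000000-0000-0000-0000-000000000000 contoso-corp \
  11111111-1111-1111-1111-111111111111 Group Contributor
```

Because the role assignment is scoped to `/subscriptions/<id>`, the application team receives no rights on the Management Group itself, where the platform's policy and role assignments live.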
The following deployment experiences can be leveraged to create multiple landing zones (subscriptions) and target individual Management Groups (e.g., 'online', 'corp' etc.).
To use the ARM templates below to create new subscriptions, you must have Management Group Contributor or Owner permissions on the Management Group where you will invoke the deployment and also on the targeted Management Groups for the new subscriptions, as well as subscription write permissions on the billing account.
Agreement types | ARM Template | Description |
---|---|---|
Enterprise Agreement (EA) | Create 'N' number of subscriptions into multiple Management Groups | |
Enterprise Agreement (EA) | Create a subscription with RBAC for SPN | |