Azure Landing Zone Deployment - Coggle Diagram
Azure Landing Zone Deployment
Deployment Settings
Management
Select cloud environment
Microsoft Entra ID Tenant
Primary Region
Azure Core Setup
Resource organization
Resource Prefix (Root ID)
Management group prefix
Platform subscription options
Subscriptions (Dedicated/Single)
Deploy in a secondary region
Prevent the deployment of classic resources
Prevent the deployment of virtual machines and virtual machine scale sets with unmanaged disks
Telemetry Tracking
Customer Usage Selection Options
Enforce subnets should be private
ALZ Subscription List
Azure billing offers and Microsoft Entra ID tenants
Identity Subscription
Connectivity Subscription
Management Subscription
Corp landing zone subscriptions (Optional)
Online landing zone subscriptions (Optional)
Sandbox Subscription
Platform management, security, and governance
Governance
Enforce Key Vault recommended guardrails
Enforce Backup and Recovery recommended guardrails
Deploy Log Analytics workspace and enable monitoring for your platform and resources
Log Analytics Data Retention (days)
Deploy Microsoft Sentinel (configuration required to activate)
Log Analytics workspace
Governance
Management Subscription
Deploy VM Insights
Deploy Azure Update Manager
Deploy Change Tracking
Defender for Cloud
Security
Deploy Microsoft Defender for Cloud and enable security monitoring for your platform and resources
Defender for Cloud Email Contact
Enable Defender for Cloud for servers
Enable Microsoft Defender for Cloud for servers vulnerability assessments
Choose the Microsoft Defender for Cloud for servers vulnerability assessments provider
Enable Microsoft Defender for Cloud for open-source relational databases
Enable Microsoft Defender for Cloud for Cosmos DB
Enable Microsoft Defender for Cloud for AppServices
Enable Microsoft Defender for Cloud for Storage
Enable Microsoft Defender for Cloud for Azure SQL Database
Enable Microsoft Defender for Cloud for SQL servers on machines
Enable Microsoft Defender for Cloud for Key Vault
Enable Microsoft Defender for Cloud for Azure Resource Manager
Enable Microsoft Defender for Cloud for APIs
Enable Microsoft Defender CSPM
Enable Microsoft Defender for Cloud for DNS
Enable Microsoft Defender for Cloud for Containers (Kubernetes and Container Registries)
Deploy Microsoft Defender for Endpoints
Baseline Alerts and Monitoring
Monitoring & Alerting
Deploy Service Health Alerts
Deploy one or more Azure Monitor Baseline Alerts
Enable Azure Monitor Baseline Alerts for Connectivity
Enable Azure Monitor Baseline Alerts for Identity
Enable Azure Monitor Baseline Alerts for Management
Enable AMBA for Azure Arc-enabled Servers
Enable AMBA for Key Management Services
Enable AMBA for Load Balancing Services
Enable AMBA for alterations in Network Routing and Security
Enable AMBA for Recovery Services
Enable AMBA for Storage Services
Enable AMBA for Azure Virtual Machines
Enable AMBA for Web Services
Resource group for baseline alerts
User Assigned Managed Identity Name
Email contact for action group notifications
Web Hook URI for action group notifications
ARM Roles for action group notifications
Network topology and connectivity
Hub and spoke with Azure Firewall
Hub and spoke with your own third-party NVA
Network topology and connectivity
Deploy networking topology
Address space (required for hub virtual network)
Region for the first networking hub
Enable DDoS Network Protection
Create Private DNS Zones for Azure PaaS services
Select Private DNS Zones to create
Deploy VPN Gateway
Deploy ExpressRoute Gateway
Deploy zone redundant or regional VPN/ExpressRoute Gateway
Deploy VPN Gateway in Active/Active mode
VPN Gateway SKU
ExpressRoute Gateway SKU
Subnet for VPN/ExpressRoute Gateways
Deploy Azure Firewall
Select Azure Firewall tier
Availability Zones for Azure Firewall
Subnet for Azure Firewall
Secondary Region Networking
Region to extend networking
Address space for your second hub virtual network (required for hub virtual network)
Deploy VPN Gateway in your second region
Deploy VPN Gateway in Active/Active mode in your second region
Select the VPN Gateway SKU for your second region
Subnet for VPN/ExpressRoute Gateways in your second region
Deploy ExpressRoute Gateway in your second region
Select the ExpressRoute Gateway SKU for your second region
Deploy Azure Firewall in your second region
Select Azure Firewall tier for your second region
Subnet for Azure Firewall in your second region
Enable Azure Firewall as a DNS proxy
Virtual WAN
Network topology and connectivity
Address space (required for vWAN hub)
Region for the first networking hub
Enable DDoS Network Protection
Deploy VPN Gateway
Select the VPN Gateway scale unit
Deploy ExpressRoute Gateway
Deploy Azure Firewall
Select Azure Firewall tier
Availability Zones for Azure Firewall
Enable Azure Firewall as a DNS proxy
Enable vWAN Routing Intent
Hub Routing Preference
Virtual Hub Capacity
Secondary Region Networking
Region to extend networking
Address space for your second virtual hub (required for vWAN hub)
Deploy VPN Gateway in your second region
Select the VPN Gateway scale unit for your second region
Deploy ExpressRoute Gateway in your second region
Select the ExpressRoute Gateway scale unit for your second region
Deploy Azure Firewall in your second region
Select Azure Firewall tier for your second region
Enable Azure Firewall as a DNS proxy in your second region
Enable vWAN Routing Intent in your second region
Hub Routing Preference for secondary region
Virtual Hub Capacity in second region
Identity
Identity and access management
Assign recommended policies to govern identity and domain controllers
Prevent inbound management ports from internet
Ensure subnets are associated with NSG
Prevent usage of public IP
Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup
Create virtual network and connect to the connectivity hub (optional)?
Virtual network address space for the Identity subscription vnet
Secondary Region Identity
Create virtual network and connect to the connectivity hub in your secondary region (optional)?
Landing Zones Configuration
Network topology and connectivity
Enable DDoS Network Protection
Ensure private endpoints to Azure PaaS services are integrated with Azure Private DNS Zones in the corp connected landing zones
Ensure HTTPS ingress is enforced in Kubernetes clusters
Prevent inbound management ports from internet
Ensure subnets are associated with NSG
Prevent IP forwarding
Ensure secure connections (HTTPS) to storage accounts
Audit WAF enabled on Application Gateways
Security
Ensure encryption in transit is enabled for PaaS services
Prevent privileged containers in Kubernetes clusters
Prevent privileged escalation in Kubernetes clusters
Ensure Azure SQL is enabled with transparent data encryption
Ensure Azure SQL Threat Detection is enabled
Governance
Ensure Azure VMs (Windows & Linux) and Azure Arc-enabled servers are being monitored
Ensure Azure VMSS (Windows & Linux) are being monitored
Enable Kubernetes (AKS) for Azure Policy
Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup
Ensure auditing is enabled on Azure SQL
Enforce Key Vault recommended guardrails
Enable Azure Compute Security Baseline compliance auditing
Corp Management Group
Network topology and connectivity
Connect corp landing zones to the connectivity hub (optional)?
Subscription
Governance
Prevent usage of Public Endpoints for Azure PaaS services in the corp connected landing zones
Prevent usage of NICs with public IP(s) in the corp connected landing zones
Deny the deployment of vWAN/VPN/ERs, including Gateways, to Subscriptions in the Corp Management Group
Audit the deployment of Private Link Private DNS Zones in the Corp Management Group
Workload Specific Compliance
Governance
Customer Managed Keys
AI Bot Service
API Management
App Services
Automation Accounts
Cognitive Services/AI Search
Compute
Container Apps
Container Instance
Container Registry
Cosmos DB
Data Explorer
Data Factory
Event Grid
Event Hub
Key Vault - Supplementary
Kubernetes
Machine Learning
MySQL
Azure OpenAI/Open AI
PostgreSQL
Service Bus
SQL
Storage
Synapse
Virtual Desktop
Decommissioned Management Group
Governance
Enforce ALZ Recommended policy controls on the Decommissioned Management Group?
Sandbox Management Group
Governance
Enforce ALZ recommended policy controls on the Sandbox Management Group?
Regulatory Compliance
Governance
Do you wish to assign additional Regulatory Compliance Policy Initiatives to your Azure Landing Zones Management Groups hierarchy?