Azure Landing Zone in Bicep - Complete CAF IaC Solution

What is an Azure Landing Zone?

Azure landing zones are the output of a multi-subscription Azure environment that accounts for scale, security governance, networking, and identity. Azure landing zones enable application migration, modernization, and innovation at enterprise scale in Azure. These zones consider all platform resources that are required to support the customer’s application portfolio and don’t differentiate between infrastructure as a service and platform as a service.

Features of Azure Landing Zone

  1. Scalable
  2. Modular

Azure landing zone conceptual architecture

For many organizations, the Azure landing zone conceptual architecture below represents the destination in their cloud adoption journey. It’s a mature, scaled-out target architecture intended to help organizations operate successful cloud environments that drive their business while maintaining best practices for security and governance.

What is the Cloud Adoption Framework?

The Cloud Adoption Framework (CAF) is a collection of documentation, implementation guidance, best practices, and tools: proven guidance from Microsoft designed to accelerate your cloud adoption journey. The framework has six stages, each crafted to help you move through that journey faster. Think of CAF as your guide to making the most of your Azure investment.

What are the six stages of the Cloud Adoption Framework?

  1. Strategy

Going through the Bicep code

The Bicep project is organised on the following principles:

  • The main.bicep file creates all the Resource Groups and the DDoS Protection Plan, then calls the resourcezone.bicep file. Afterwards it creates the VNet peerings and the VPN Gateway.
  • The resourcezone.bicep file in turn calls the modules in the modules directory, which create the resources.
  • The main.parameters.json file is passed to the deployment command and contains all the key-value pairs naming the resources. You need to replace the “<Your Value here>” placeholders with your own values.

Some code examples

The main.bicep file starts with a targetScope declaration, which defines the scope at which the template is deployed (here the whole subscription, since it creates resource groups).

targetScope = 'subscription'

param resourceArray array
param vpnGatewayConnectionArray array
param vnetPeeringArray array
param DDoSProtectionPlan object

// One resource group per entry in resourceArray
resource rgs 'Microsoft.Resources/resourceGroups@2021-04-01' = [for (res, i) in resourceArray: {
  name: res.rgName
  location: res.rgLocation
  tags: res.tags
}]

// One peering module deployment per entry, scoped to the source resource group;
// it waits for the resource zone module (reszoneM, defined elsewhere in main.bicep)
module vnetpeeringM 'modules/vnetpeering.bicep' = [for (vnetpeer, i) in vnetPeeringArray: {
  name: '${vnetpeer.fromRgName}-VNETPEERING-Module-${i}'
  scope: resourceGroup(vnetpeer.fromRgName)
  dependsOn: [
    reszoneM
  ]
  params: {
    vnetpeeringdata: vnetpeer
  }
}]

// From one of the modules: build the resource ID of the Application Gateway named in appGWData
var appgw_id = resourceId('Microsoft.Network/applicationGateways', appGWData.name)
An excerpt of main.parameters.json:

{
  ................... Truncated ...................
  "vNetArray": [
    {
      "vNetName": "<Your Value here>",
      "tags": {
        "Created By": "<Your Value here>",
        "Customer": "<Your Value here>",
        "Env": "<Your Value here>",
        "Region": "<Your Value here>",
        "App": "<Your Value here>",
        "Cost Center": "<Your Value here>",
        "Department": "<Your Value here>",
        "Owner": "<Your Value here>",
        "Policy": "<Your Value here>",
        "Product": "<Your Value here>",
        "SalesforceCSTID": "<Your Value here>",
        "SLASeverity": "<Your Value here>",
        "Stakeholders": "<Your Value here>",
        "Tier": "T<Your Value here>1"
      },
      "DDoSProtectionPlanName": "<Your Value here>",
      "DDoSProtectionRGName": "<Your Value here>",
      "vNetAddressSpace": "<Your Value here>",
      "logAnalytics": {
        "workspaceRGName": "<Your Value here>",
        "logStorageAccountName": "<Your Value here>",
        "logWorkSpaceName": "<Your Value here>"
      },
      "subnets": [
        {
          "vNetName": "<Your Value here>",
          "subnetName": "<Your Value here>",
          "SubnetAddressSpace": "<Your Value here>",
          "networkSecurityGroupName": "<Your Value here>",
          "routeTableName": "<Your Value here>"
        },
        {
          "vNetName": "<Your Value here>",
          "subnetName": "AzureBastionSubnet",
          "SubnetAddressSpace": "<Your Value here>",
          "networkSecurityGroupName": "",
          "routeTableName": ""
        },
        {
          "vNetName": "<Your Value here>",
          "subnetName": "AzureFirewallSubnet",
          "SubnetAddressSpace": "<Your Value here>",
          "networkSecurityGroupName": "",
          "routeTableName": "<Your Value here>"
        },
        {
          "vNetName": "<Your Value here>",
          "subnetName": "GatewaySubnet",
          "SubnetAddressSpace": "<Your Value here>",
          "networkSecurityGroupName": "",
          "routeTableName": ""
        }
      ]
    }
  ]
  .................. Truncated ................

Resources that are created

The resources created by this Bicep project are as follows:

  1. General
  • Azure Policy to Allow only specific regions
  • Resource Group
  • Virtual Network, Subnets and Peering to Non-Prod Zone and Prod Zone
  • Azure Firewall with sample rules
  • Azure Bastion Host
  • Network Security Group with sample rules
  • Azure Storage Account
  • VPN Connection to Remote Site Zone
  • Resource Group
  • Virtual Network, Subnets and Peering to Landing Zone
  • Network Security Group with sample rules
  • Azure Virtual Machine
  • Azure SQL Database
  • Azure Storage Account
  • Resource Group
  • Virtual Network, Subnets and Peering to Landing Zone
  • Network Security Group with sample rules
  • Azure Virtual Machine
  • Azure SQL Database
  • Sample App Service
  • Log Analytics Workspace
  • Azure Storage Account
  • Resource Group
  • Virtual Network, Subnets
  • VPN Connection to Landing Zone

Diagram

Here’s a rough diagram of the resources it creates.

Run the code

Authenticate Azure CLI

Run az login from Command Prompt or a terminal, depending on your OS. More details can be found here.

Trigger Manually

Run the command below to create the resources with the Bicep script.
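Because the parameters file drives every name and address range, and a single unfilled "<Your Value here>" or a mis-sized AzureBastionSubnet only surfaces minutes into a subscription-scoped deployment, it is worth a pre-flight check before running the deployment command. The script below is an added example, not code from the post or its repository. It validates the vNetArray layout shown in the excerpt above (vNetAddressSpace plus a subnets list with subnetName, SubnetAddressSpace and networkSecurityGroupName), accepting either the standard ARM layout (parameters.vNetArray.value) or a bare top-level vNetArray, and then composes the az deployment sub what-if / create command that matches the template's targetScope = 'subscription'. The reserved-subnet minimums (/26 for AzureBastionSubnet and AzureFirewallSubnet, /27 for GatewaySubnet) follow Azure's documented requirements and recommendation; flagging an NSG on those three subnets mirrors the empty networkSecurityGroupName the excerpt gives them. The sample parameters, the file names and the "<location>" value are constructed placeholders.

```python
"""Pre-flight check for main.parameters.json before a subscription-scoped Bicep deployment.
Added example, not part of the original post. Assumes the vNetArray layout shown in the
post and that unfilled values still contain the literal "<Your Value here>"."""
import ipaddress
import json
import sys
from typing import List

PLACEHOLDER = "<Your Value here>"
# Azure-reserved subnet names -> largest prefix length accepted (/26 is required for
# Bastion and Firewall; /27 is Azure's recommendation for GatewaySubnet).
RESERVED_SUBNETS = {"AzureBastionSubnet": 26, "AzureFirewallSubnet": 26, "GatewaySubnet": 27}


def find_placeholders(node, path: str = "$") -> List[str]:
    """Return the JSON paths of every string that still holds the unfilled placeholder."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in find_placeholders(v, f"{path}.{k}")]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in find_placeholders(v, f"{path}[{i}]")]
    return [path] if isinstance(node, str) and PLACEHOLDER in node else []


def check_vnet(vnet: dict) -> List[str]:
    """Validate one vNetArray entry; an empty list means no findings."""
    name = vnet.get("vNetName", "?")
    try:  # ip_network is strict by default: host bits set in the prefix are rejected
        vnet_net = ipaddress.ip_network(vnet["vNetAddressSpace"])
    except (KeyError, ValueError) as exc:
        return [f"{name}: invalid vNetAddressSpace ({exc})"]
    problems, seen = [], []
    for sub in vnet.get("subnets", []):
        sname = sub.get("subnetName", "?")
        try:
            snet = ipaddress.ip_network(sub["SubnetAddressSpace"])
        except (KeyError, ValueError) as exc:
            problems.append(f"{name}/{sname}: invalid SubnetAddressSpace ({exc})")
            continue
        if snet.version != vnet_net.version or not snet.subnet_of(vnet_net):
            problems.append(f"{name}/{sname}: {snet} is outside {vnet_net}")
        problems += [f"{name}/{sname}: {snet} overlaps {o}" for o in seen if snet.overlaps(o)]
        seen.append(snet)
        nsg = sub.get("networkSecurityGroupName", "")
        if sname in RESERVED_SUBNETS:
            if snet.prefixlen > RESERVED_SUBNETS[sname]:
                problems.append(f"{name}/{sname}: needs /{RESERVED_SUBNETS[sname]} or larger, got /{snet.prefixlen}")
            if nsg:  # the post leaves these empty; GatewaySubnet/AzureFirewallSubnet reject an NSG outright
                problems.append(f"{name}/{sname}: reserved subnet should not name an NSG")
        elif not nsg:  # every workload subnet should sit behind an NSG
            problems.append(f"{name}/{sname}: workload subnet has no NSG")
    return problems


def vnet_array(doc: dict) -> list:
    """Accept the ARM layout (parameters.vNetArray.value) or a bare top-level vNetArray."""
    params = doc.get("parameters", {})
    if "vNetArray" in params:
        return params["vNetArray"].get("value", [])
    return doc.get("vNetArray", [])


def validate_parameters(doc: dict) -> List[str]:
    """Run every check over a parsed parameters file and collect the findings."""
    problems = [f"unfilled placeholder at {p}" for p in find_placeholders(doc)]
    for vnet in vnet_array(doc):
        problems.extend(check_vnet(vnet))
    return problems


def deployment_command(action: str, location: str, template: str = "main.bicep",
                       params: str = "main.parameters.json") -> List[str]:
    """argv for a subscription-scoped deployment (targetScope = 'subscription');
    run 'what-if' first to preview the changes, then 'create'."""
    if action not in ("what-if", "create"):
        raise ValueError(f"unsupported action {action!r}")
    return ["az", "deployment", "sub", action, "--location", location,
            "--template-file", template, "--parameters", params]


# Constructed sample: one placeholder left, Bastion too small, GatewaySubnet outside
# the VNet, and db-subnet overlapping app-subnet -> four findings.
SAMPLE_PARAMETERS = json.loads("""{"parameters": {"vNetArray": {"value": [{
  "vNetName": "lz-hub-vnet", "vNetAddressSpace": "10.10.0.0/16", "subnets": [
    {"subnetName": "app-subnet", "SubnetAddressSpace": "10.10.1.0/24", "networkSecurityGroupName": "app-nsg"},
    {"subnetName": "AzureBastionSubnet", "SubnetAddressSpace": "10.10.2.0/27", "networkSecurityGroupName": ""},
    {"subnetName": "AzureFirewallSubnet", "SubnetAddressSpace": "10.10.3.0/26", "networkSecurityGroupName": ""},
    {"subnetName": "GatewaySubnet", "SubnetAddressSpace": "10.20.0.0/27", "networkSecurityGroupName": ""},
    {"subnetName": "db-subnet", "SubnetAddressSpace": "10.10.1.128/25", "networkSecurityGroupName": "<Your Value here>"}
  ]}]}}}""")

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PARAMETERS
    findings = validate_parameters(doc)
    for finding in findings:
        print("FAIL:", finding)
    if findings:
        sys.exit(1)
    print("parameters look sane; preview with:", " ".join(deployment_command("what-if", "<location>")))
```

Run it as `python preflight.py main.parameters.json`; a non-zero exit blocks the deployment step in a pipeline, and the what-if command it prints lets you review the planned changes against the subscription before `create` touches anything.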
