Azure Landing Zone in Terraform-Complete CAF IaC Solution

What is an Azure Landing Zone ?

Azure landing zones are the output of a multisubscription Azure environment that accounts for scale, security governance, networking, and identity. Azure landing zones enable application migration, modernization, and innovation at enterprise-scale in Azure. These zones consider all platform resources that are required to support the customer’s application portfolio and don’t differentiate between infrastructure as a service or platform as a service.

Features of Azure Landing Zone

  1. Scalable
  1. Modular

Azure landing zone conceptual architecture

For many organizations, the Azure landing zone conceptual architecture below represents the destination in their cloud adoption journey. It’s a mature, scaled-out target architecture intended to help organizations operate successful cloud environments that drive their business while maintaining best practices for security and governance.

What is Cloud Adoption Framework ?

The Cloud Adoption Framework (CAF Framework) is a collection of documentation, implementation guidance, best practices, and tools that are proven guidance from Microsoft designed to accelerate your cloud adoption journey. There are six stages to the CAF framework, and each stage has been crafted to help you accelerate your cloud adoption journey. Think of the CAF framework as your guide to making the most of your Azure investment.

What are the six stages of the Cloud Adoption Framework?

  1. Strategy

Going through the Terraform code

The Terraform project is configured to work on the following principle

  • The main.tf creates all the Resource Groups, and calls the module from modules directory.
  • The landingzone.auto.tfvars contains values of all the variables. You need to exchange “” with your values.

Some code examples

The provider config for backend. You need to replace “” with your own values.

backend "azurerm" {
resource_group_name = "<Your Value here>"
storage_account_name = "<Your Value here>"
container_name = "<Your Value here>"
key = "<Your Value here>"
}
resource "azurerm_resource_group" "alz-rg" {
name = var.alz_rg_name
location = var.alz_rg_location
tags = var.tags
}
resource "azurerm_resource_group" "dev-rg" {
name = var.dev_rg_name
location = var.dev_rg_location
tags = var.tags
}
resource "azurerm_resource_group" "prod-rg" {
name = var.prod_rg_name
location = var.prod_rg_location
tags = var.tags
}
resource "azurerm_resource_group" "remote-rg" {
name = var.remote_rg_name
location = var.remote_rg_location
tags = var.tags
}
module "alz" {
source = "./modules/alz"
alz_vn_name = var.alz_vn_name
alz_vn_address = var.alz_vn_address
alz_rg_name = azurerm_resource_group.alz-rg.name
alz_rg_location = azurerm_resource_group.alz-rg.location
alz_vn_subnet_name = var.alz_vn_subnet_name
alz_vn_subnet_address = var.alz_vn_subnet_address
alz_firewall_subnet_address = var.alz_firewall_subnet_address
alz_vn_gateway_subnet_address = var.alz_vn_gateway_subnet_address
alz_vn_bastion_subnet_address = var.alz_vn_bastion_subnet_address
alz_prod_vn_peering_name = var.alz_prod_vn_peering_name
prod_vn_id = module.prod.prod-vn-id
alz_dev_vn_peering_name = var.alz_dev_vn_peering_name
dev_vn_id = module.dev.dev-vn-id
alz_sa_name = var.alz_sa_name
alz_sa_tier = var.alz_sa_tier
alz_sa_replication_type = var.alz_sa_replication_type
alz_sa_container_name = var.alz_sa_container_name
alz_sa_container_access_type = var.alz_sa_container_access_type
alz_firewall_pip_name = var.alz_firewall_pip_name
alz_firewall_name = var.alz_firewall_name
alz_firewall_deny_ssh_rule_name = var.alz_firewall_deny_ssh_rule_name
alz_vpn_pip_name = var.alz_vpn_pip_name
alz_vn_gateway_name = var.alz_vn_gateway_name
alz_remote_connection_name = var.alz_remote_connection_name
vn_gateway_shared_key = var.vn_gateway_shared_key
remote_vn_gateway_id = module.remote.remote-vn-gateway-id
alz_law_name = var.alz_law_name
alz_law_sku = var.alz_law_sku
alz_bastion_pip_name = var.alz_bastion_pip_name
alz_bastion_name = var.alz_bastion_name
tags = var.tags
}
// ALZ variable values
alz_vn_name = "alz-vn"
alz_vn_address = ["10.0.0.0/16"]
alz_vn_subnet_name = "alz-subnet"
alz_vn_subnet_address = ["10.0.1.0/24"]
alz_firewall_subnet_address = ["10.0.2.0/24"]
alz_vn_gateway_subnet_address = ["10.0.3.0/24"]
alz_vn_bastion_subnet_address = ["10.0.4.0/24"]
alz_sa_name = "<Your Value Here>"
alz_sa_tier = "Standard"
alz_sa_replication_type = "LRS"
alz_sa_container_name = "alz-container"
alz_sa_container_access_type = "private"
alz_prod_vn_peering_name = "alz-prod-vn-peering"
alz_dev_vn_peering_name = "alz-dev-vn-peering"
alz_firewall_pip_name = "alz-firewall-pip"
alz_firewall_name = "alz-firewall"
alz_firewall_deny_ssh_rule_name = "alz-firewall-deny-ssh-rule"
alz_vpn_pip_name = "alz-vpn-pip"
alz_vn_gateway_name = "alz-vn-gateway"
alz_remote_connection_name = "alz-remote-vpn"
alz_law_name = "prod-law"
alz_law_sku = "PerGB2018"
alz_bastion_pip_name = "alz-bastion-pip"
alz_bastion_name = "alz-bastion"

Resources that are created

The list of resources created by this Bicep Project are as follows : -

  1. General
  • Azure Policy to Allow only specific regions
  • Resource Group
  • Virtual Network, Subnets and Peering to Non-Prod Zone and Prod Zone
  • Azure Firewall with sample rules
  • Azure Bastian Host
  • Network Security Group with sample rules
  • Azure Storage Account
  • VPN Connection to Remote Site Zone
  • Resource Group
  • Virtual Network, Subnets and Peering to Landing Zone
  • Network Security Group with Sample rules
  • Azure Virtual Machine
  • Azure SQL Database
  • Azure Storage Account
  • Resource Group
  • Virtual Network, Subnets and Peering to Landing Zone
  • Network Security Group with Sample rules
  • Azure Virtual Machine
  • Azure SQL Database
  • Sample App Service
  • Log Analytics Workspace
  • Azure Storage Account
  • Resource Group
  • Virtual Network. Subnets
  • VPN Connection to Landing Zone

Diagram

Here’s a rough diagram of the resources it creates

Run the code

Authenticate Azure CLI

Hit the command az login from Comamnd Prompt or Terminal depending upon your OS. More details can be found here

Trigger Manually

Fire the below command to create the resources using Bicep script

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store