Azure Landing Zone in Terraform: Complete CAF IaC Solution

What is an Azure Landing Zone?

Features of Azure Landing Zone

  1. Scalable
  2. Modular

Azure landing zone conceptual architecture

What is the Cloud Adoption Framework?

What are the six stages of the Cloud Adoption Framework?

  1. Strategy

Going through the Terraform code

  • The creates all the Resource Groups, and calls the module from modules directory.
  • The contains values of all the variables. You need to exchange “” with your values.

Some code examples

# Remote state stored in an Azure Storage account
terraform {
  backend "azurerm" {
    resource_group_name  = "<Your Value here>"
    storage_account_name = "<Your Value here>"
    container_name       = "<Your Value here>"
    key                  = "<Your Value here>"
  }
}

# One resource group per zone
resource "azurerm_resource_group" "alz-rg" {
  name     = var.alz_rg_name
  location = var.alz_rg_location
  tags     = var.tags
}

resource "azurerm_resource_group" "dev-rg" {
  name     = var.dev_rg_name
  location = var.dev_rg_location
  tags     = var.tags
}

resource "azurerm_resource_group" "prod-rg" {
  name     = var.prod_rg_name
  location = var.prod_rg_location
  tags     = var.tags
}

resource "azurerm_resource_group" "remote-rg" {
  name     = var.remote_rg_name
  location = var.remote_rg_location
  tags     = var.tags
}

module "alz" {
  source = "./modules/alz"
  alz_vn_name = var.alz_vn_name
  alz_vn_address = var.alz_vn_address
  alz_rg_name =
  alz_rg_location = azurerm_resource_group.alz-rg.location
  alz_vn_subnet_name = var.alz_vn_subnet_name
  alz_vn_subnet_address = var.alz_vn_subnet_address
  alz_firewall_subnet_address = var.alz_firewall_subnet_address
  alz_vn_gateway_subnet_address = var.alz_vn_gateway_subnet_address
  alz_vn_bastion_subnet_address = var.alz_vn_bastion_subnet_address
  alz_prod_vn_peering_name = var.alz_prod_vn_peering_name
  prod_vn_id =
  alz_dev_vn_peering_name = var.alz_dev_vn_peering_name
  dev_vn_id =
  alz_sa_name = var.alz_sa_name
  alz_sa_tier = var.alz_sa_tier
  alz_sa_replication_type = var.alz_sa_replication_type
  alz_sa_container_name = var.alz_sa_container_name
  alz_sa_container_access_type = var.alz_sa_container_access_type
  alz_firewall_pip_name = var.alz_firewall_pip_name
  alz_firewall_name = var.alz_firewall_name
  alz_firewall_deny_ssh_rule_name = var.alz_firewall_deny_ssh_rule_name
  alz_vpn_pip_name = var.alz_vpn_pip_name
  alz_vn_gateway_name = var.alz_vn_gateway_name
  alz_remote_connection_name = var.alz_remote_connection_name
  vn_gateway_shared_key = var.vn_gateway_shared_key
  remote_vn_gateway_id = module.remote.remote-vn-gateway-id
  alz_law_name = var.alz_law_name
  alz_law_sku = var.alz_law_sku
  alz_bastion_pip_name = var.alz_bastion_pip_name
  alz_bastion_name = var.alz_bastion_name
  tags = var.tags
}

// ALZ variable values
alz_vn_name = "alz-vn"
alz_vn_address = [""]
alz_vn_subnet_name = "alz-subnet"
alz_vn_subnet_address = [""]
alz_firewall_subnet_address = [""]
alz_vn_gateway_subnet_address = [""]
alz_vn_bastion_subnet_address = [""]
alz_sa_name = "<Your Value Here>"
alz_sa_tier = "Standard"
alz_sa_replication_type = "LRS"
alz_sa_container_name = "alz-container"
alz_sa_container_access_type = "private"
alz_prod_vn_peering_name = "alz-prod-vn-peering"
alz_dev_vn_peering_name = "alz-dev-vn-peering"
alz_firewall_pip_name = "alz-firewall-pip"
alz_firewall_name = "alz-firewall"
alz_firewall_deny_ssh_rule_name = "alz-firewall-deny-ssh-rule"
alz_vpn_pip_name = "alz-vpn-pip"
alz_vn_gateway_name = "alz-vn-gateway"
alz_remote_connection_name = "alz-remote-vpn"
alz_law_name = "prod-law"
alz_law_sku = "PerGB2018"
alz_bastion_pip_name = "alz-bastion-pip"
alz_bastion_name = "alz-bastion"
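
The module call above passes a VPN pre-shared key (vn_gateway_shared_key) and a storage container access type through ordinary variables. The declarations below are an added example, not code from the original article or its repository, showing how those two inputs can be guarded. The variable types and the 32-character minimum are assumptions.

```hcl
# Added example: hardened declarations for two variables used by the "alz" module.
# Types and thresholds are assumptions, not taken from the article's repository.

variable "vn_gateway_shared_key" {
  description = "Pre-shared key for the site-to-site VPN connection."
  type        = string

  # Redacts the value in plan/apply output. It is still written in clear text
  # to the state file, so the azurerm backend container must stay private and
  # access to it must be restricted.
  sensitive = true

  validation {
    # Assumed minimum length; pick a value that matches your own key policy.
    condition     = length(var.vn_gateway_shared_key) >= 32
    error_message = "The VPN shared key must be at least 32 characters long."
  }
}

variable "alz_sa_container_access_type" {
  description = "Access level of the landing zone storage container."
  type        = string
  default     = "private"

  validation {
    # "blob" and "container" allow anonymous reads; reject both.
    condition     = var.alz_sa_container_access_type == "private"
    error_message = "The landing zone container must use the \"private\" access type."
  }
}
```

Keep the shared key out of the committed variable values file and supply it at run time, for example through the TF_VAR_vn_gateway_shared_key environment variable.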

Resources that are created

  1. General
  • Azure Policy to Allow only specific regions
  • Resource Group
  • Virtual Network, Subnets and Peering to Non-Prod Zone and Prod Zone
  • Azure Firewall with sample rules
  • Azure Bastion Host
  • Network Security Group with sample rules
  • Azure Storage Account
  • VPN Connection to Remote Site Zone
  • Resource Group
  • Virtual Network, Subnets and Peering to Landing Zone
  • Network Security Group with Sample rules
  • Azure Virtual Machine
  • Azure SQL Database
  • Azure Storage Account
  • Resource Group
  • Virtual Network, Subnets and Peering to Landing Zone
  • Network Security Group with Sample rules
  • Azure Virtual Machine
  • Azure SQL Database
  • Sample App Service
  • Log Analytics Workspace
  • Azure Storage Account
  • Resource Group
  • Virtual Network, Subnets
  • VPN Connection to Landing Zone


Run the code

Authenticate Azure CLI

Trigger Manually




Arlan Nugara
