
The Platform Engineer's Guide to Landing Zones

How to implement Azure Cloud Adoption Framework landing zones without a 12-month consulting engagement.

Microsoft's Cloud Adoption Framework documentation is excellent but overwhelming. Here's the practical playbook I used to implement a full CAF landing zone at a Fortune 500 company — without the Big 4 consulting price tag.

Start With Management Groups

The hierarchy is non-negotiable, and it is a tree of siblings, not a chain. Leave the tenant root group empty and create an intermediate root directly under it (your organisation's name), then four siblings below that: Platform (with Identity, Management and Connectivity children), Landing Zones (with Corp and Online children), Sandboxes and Decommissioned. Get this right first because policy assignments, RBAC and subscription placement all inherit down from it, and moving a subscription later means every inherited assignment is re-evaluated against it.

Policy Before Permissions

Azure Policy is your enforcement layer. Deploy policies at the management group level before anyone creates a subscription, so every subscription inherits them the moment it lands. Key policies: allowed regions, required tags, deny public endpoints, audit encryption, enforce diagnostic settings. The first three belong on Deny; the diagnostics one is a DeployIfNotExists effect, so the assignment needs a managed identity with rights to create the settings. Prove every Deny as Audit on the Sandboxes scope before flipping the effect, because an untested Deny at the root blocks real deployments across the whole tenant.
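The management group tree from the previous section plus the first two policy assignments, as Terraform. This is an added example, not the author's code: the "contoso" names, the region list and the costCenter tag name are placeholders, and the two built-in policy definitions are looked up by display name so no GUIDs are hard-coded.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
}

# Intermediate root directly under the tenant root group. The tenant root
# itself stays empty; "contoso" is a placeholder name.
resource "azurerm_management_group" "root" {
  name         = "contoso"
  display_name = "Contoso"
}

locals {
  # First level: siblings under the intermediate root, not a chain.
  level1 = {
    platform       = "Platform"
    landingzones   = "Landing Zones"
    sandboxes      = "Sandboxes"
    decommissioned = "Decommissioned"
  }
  # Second level: each entry names its level-1 parent.
  level2 = {
    identity     = { display = "Identity", parent = "platform" }
    management   = { display = "Management", parent = "platform" }
    connectivity = { display = "Connectivity", parent = "platform" }
    corp         = { display = "Corp", parent = "landingzones" }
    online       = { display = "Online", parent = "landingzones" }
  }
}

resource "azurerm_management_group" "level1" {
  for_each                   = local.level1
  name                       = "contoso-${each.key}"
  display_name               = each.value
  parent_management_group_id = azurerm_management_group.root.id
}

resource "azurerm_management_group" "level2" {
  for_each                   = local.level2
  name                       = "contoso-${each.key}"
  display_name               = each.value.display
  parent_management_group_id = azurerm_management_group.level1[each.value.parent].id
}

# Built-in definitions resolved by display name rather than hard-coded GUIDs.
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

data "azurerm_policy_definition" "require_tag" {
  display_name = "Require a tag on resources"
}

# Assigned at the intermediate root, so every subscription created anywhere
# below inherits it the moment it lands. Assignment names at management-group
# scope are limited to 24 characters.
resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations"
  management_group_id  = azurerm_management_group.root.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  parameters = jsonencode({
    listOfAllowedLocations = { value = ["westeurope", "northeurope"] }
  })
}

# Tag enforcement only on Landing Zones: Sandboxes are deliberately left out.
resource "azurerm_management_group_policy_assignment" "require_cost_center" {
  name                 = "require-tag-costcenter"
  management_group_id  = azurerm_management_group.level1["landingzones"].id
  policy_definition_id = data.azurerm_policy_definition.require_tag.id
  parameters = jsonencode({
    tagName = { value = "costCenter" }
  })
}
```

Both built-ins carry their effect (Deny) in the definition itself, which is why there is no effect parameter here; assignments of definitions that expose an effect parameter are where you start with Audit and switch to Deny later. Running this needs an identity with Management Group Contributor and Resource Policy Contributor at the tenant root, which is the one place a human should still hold those rights.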

Subscription Vending

Automate subscription creation via Terraform. Every new workload gets its own subscription, placed under the right management group, with pre-configured networking (a spoke vnet peered to the hub, from an address range you allocate centrally so spokes never overlap), diagnostic settings pointed at the central Log Analytics workspace, budget alerts, and RBAC assignments granted to Entra ID groups rather than to individual users. No portal clicking.
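A minimal vending configuration covering each of those pieces, added here as an illustration rather than the author's pipeline. It assumes an EA or MCA billing scope the pipeline identity may create subscriptions against, a hub vnet and Log Analytics workspace that already exist, an Entra ID group for the workload team, and a pipeline identity holding Owner at the Landing Zones management group; every variable and name is a placeholder.

```hcl
variable "workload"                   { type = string } # short name, e.g. "payments"
variable "billing_scope_id"           { type = string } # EA enrollment account or MCA invoice section
variable "subscription_id"            { type = string } # GUID emitted by stage 1 (see note below)
variable "corp_management_group_id"   { type = string }
variable "address_space"              { type = string } # from the central IPAM plan, e.g. "10.42.0.0/22"
variable "hub_vnet_id"                { type = string } # lives in the connectivity subscription
variable "log_analytics_workspace_id" { type = string } # lives in the management subscription
variable "workload_owners_group_id"   { type = string } # Entra ID group object ID, never a user

# Default provider runs as the platform pipeline identity, which owns the hub side.
provider "azurerm" {
  features {}
}

# Second provider targets the freshly vended subscription.
provider "azurerm" {
  alias           = "workload"
  subscription_id = var.subscription_id
  features {}
}

# Stage 1: create the subscription and park it under the Corp landing zone.
resource "azurerm_subscription" "workload" {
  subscription_name = "sub-${var.workload}"
  alias             = "sub-${var.workload}"
  billing_scope_id  = var.billing_scope_id
}

resource "azurerm_management_group_subscription_association" "workload" {
  management_group_id = var.corp_management_group_id
  subscription_id     = "/subscriptions/${azurerm_subscription.workload.subscription_id}"
}

# Stage 2: spoke network, peered in both directions with the hub.
resource "azurerm_resource_group" "network" {
  provider = azurerm.workload
  name     = "rg-${var.workload}-network"
  location = "westeurope"
}

resource "azurerm_virtual_network" "spoke" {
  provider            = azurerm.workload
  name                = "vnet-${var.workload}-spoke"
  location            = azurerm_resource_group.network.location
  resource_group_name = azurerm_resource_group.network.name
  address_space       = [var.address_space]
}

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  provider                  = azurerm.workload
  name                      = "peer-${var.workload}-to-hub"
  resource_group_name       = azurerm_resource_group.network.name
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = var.hub_vnet_id
  allow_forwarded_traffic   = true # traffic arriving via the hub firewall
  use_remote_gateways       = true # reach on-premises through the hub ExpressRoute gateway
}

# Hub side of the peering; resource group and vnet name are parsed out of the hub vnet ID.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                      = "peer-hub-to-${var.workload}"
  resource_group_name       = split("/", var.hub_vnet_id)[4]
  virtual_network_name      = split("/", var.hub_vnet_id)[8]
  remote_virtual_network_id = azurerm_virtual_network.spoke.id
  allow_forwarded_traffic   = true
  allow_gateway_transit     = true
}

# Diagnostics flow to the central workspace the workload team cannot edit.
resource "azurerm_monitor_diagnostic_setting" "spoke_vnet" {
  provider                   = azurerm.workload
  name                       = "diag-central"
  target_resource_id         = azurerm_virtual_network.spoke.id
  log_analytics_workspace_id = var.log_analytics_workspace_id
  metric { category = "AllMetrics" }
}

# Budget alert at 80% of a monthly cap; start_date must be the first of a month.
resource "azurerm_consumption_budget_subscription" "monthly" {
  provider        = azurerm.workload
  name            = "budget-${var.workload}"
  subscription_id = "/subscriptions/${var.subscription_id}"
  amount          = 5000
  time_grain      = "Monthly"
  time_period { start_date = "2025-01-01T00:00:00Z" }
  notification {
    threshold      = 80
    operator       = "GreaterThan"
    contact_emails = ["platform-team@example.com"]
  }
}

# Contributor scoped to this one subscription, granted to a group, not a person.
resource "azurerm_role_assignment" "workload_owners" {
  scope                = "/subscriptions/${var.subscription_id}"
  role_definition_name = "Contributor"
  principal_id         = var.workload_owners_group_id
}
```

The two stages exist because a provider block can only reference values known before the apply, so the aliased provider cannot take its subscription_id from the azurerm_subscription resource created in the same run. Apply stage 1 with -target on the subscription and association resources, read the new subscription_id from state, then apply the whole configuration with that value. Both peerings must exist before traffic flows, and the hub side is created by the pipeline identity, which is why the workload team never needs rights in the connectivity subscription.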

Network Topology

Hub-spoke with Azure Firewall or an NVA (I used Fortinet, managed entirely via Terraform). Peering on its own only joins address spaces; each spoke subnet also needs a route table sending 0.0.0.0/0 to the firewall's private IP, or egress quietly bypasses it. Private DNS zones live in the hub (connectivity subscription) and are attached to each spoke with a virtual network link, so spokes resolve private endpoints but cannot edit the zones. ExpressRoute for on-premises connectivity, with the gateway in the hub and spokes reaching it through gateway transit on the peering.
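The hub side of that topology, added as an example and not the author's configuration. It uses Azure Firewall rather than the Fortinet NVA, takes the spoke's subscription, vnet and subnet IDs as inputs, and uses placeholder names and address ranges throughout; the ExpressRoute gateway and its circuit are left out, but the route table is written on the assumption that one exists in the hub.

```hcl
variable "spoke_subscription_id" { type = string } # vended workload subscription
variable "spoke_vnet_id"         { type = string }
variable "spoke_subnet_id"       { type = string } # workload subnet inside the spoke

provider "azurerm" { features {} } # connectivity subscription

provider "azurerm" {
  alias           = "spoke"
  subscription_id = var.spoke_subscription_id
  features {}
}

resource "azurerm_resource_group" "hub" {
  name     = "rg-hub-network"
  location = "westeurope"
}

resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  address_space       = ["10.0.0.0/22"]
}

# Azure Firewall only deploys into a subnet with this exact name.
resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.hub.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.0.0/26"]
}

resource "azurerm_public_ip" "firewall" {
  name                = "pip-fw-hub"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_firewall" "hub" {
  name                = "fw-hub"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"
  ip_configuration {
    name                 = "fw-ipconfig"
    subnet_id            = azurerm_subnet.firewall.id
    public_ip_address_id = azurerm_public_ip.firewall.id
  }
}

# Peering alone does not push spoke egress through the firewall. The route table
# lives in the spoke subscription (route tables cannot be attached across
# subscriptions) and sends 0.0.0.0/0 to the firewall's private IP. BGP propagation
# is off so on-premises prefixes learned over ExpressRoute cannot bypass the firewall.
resource "azurerm_route_table" "spoke_egress" {
  provider                      = azurerm.spoke
  name                          = "rt-spoke-egress"
  location                      = azurerm_resource_group.hub.location
  resource_group_name           = split("/", var.spoke_vnet_id)[4]
  disable_bgp_route_propagation = true
  route {
    name                   = "default-via-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = azurerm_firewall.hub.ip_configuration[0].private_ip_address
  }
}

resource "azurerm_subnet_route_table_association" "spoke_egress" {
  provider       = azurerm.spoke
  subnet_id      = var.spoke_subnet_id
  route_table_id = azurerm_route_table.spoke_egress.id
}

# Private DNS zone owned by the hub; the spoke gets resolution through a
# virtual network link, which works across subscriptions, but cannot edit records.
resource "azurerm_private_dns_zone" "blob" {
  name                = "privatelink.blob.core.windows.net"
  resource_group_name = azurerm_resource_group.hub.name
}

resource "azurerm_private_dns_zone_virtual_network_link" "hub" {
  name                  = "link-hub"
  resource_group_name   = azurerm_resource_group.hub.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = azurerm_virtual_network.hub.id
}

resource "azurerm_private_dns_zone_virtual_network_link" "spoke" {
  name                  = "link-${split("/", var.spoke_vnet_id)[8]}"
  resource_group_name   = azurerm_resource_group.hub.name
  private_dns_zone_name = azurerm_private_dns_zone.blob.name
  virtual_network_id    = var.spoke_vnet_id
}
```

With BGP propagation disabled on the spoke, return traffic from on-premises needs its own route table on the hub's GatewaySubnet pointing the spoke prefixes at the firewall, otherwise the reply path is asymmetric and the firewall drops it; that table is not shown here. One privatelink zone is shown; in practice there is one per service you expose over Private Endpoint, all owned by the hub and linked the same way.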

The Political Challenge

The hardest part isn't technical — it's convincing leadership that shared subscriptions with contributor access for everyone is a liability. Frame it as risk reduction and audit readiness, not "we're taking away access."