Hello and welcome, and thank you for your interest in learning more about Microsoft Azure. In this video, we'll discuss the design areas and considerations for your landing zone in Azure. My name is Charles Pluta, and I'm a senior engineer in FastTrack for Azure, on a team that focuses on helping software vendors and technology partners deploy their applications. Let's get started on Azure landing zones!

First, what exactly is a landing zone? There are some other names or jargon that you might hear, like green zone or green field. It can be helpful to think of Azure landing zones as being like city plans. The architectures of workloads deployed into a landing zone are like plans for buildings in a city. A city's water, gas, electricity, and transport systems all must be in place before buildings can be constructed. Similarly, an Azure landing zone's components, including management groups, policies, subscriptions, and role-based access control (RBAC), all must be in place before any production workloads can be deployed.

To get started, let's look at the guiding design principles of a landing zone.

The Azure landing zones are aspirational concepts that should be considered before deploying your application. These principles, and the design areas that we will discuss, achieve an optimal design to help you benefit from what the cloud offers today, and in the future as your organization grows and scales.

The first design principle is subscription democratization. Individual subscriptions are not like physical servers or datacenter footprints, where they require a lot of work to get started. Subscriptions can be aligned with applications, business owners, or departments within your organization. This means that, in addition to core support subscriptions, each application or business owner can create and manage their own subscriptions. Large enterprises might have hundreds or even thousands of individual subscriptions, and that's OK. With management groups and policy-driven governance, the cloud enables and can manage this level of scale.

Speaking of policy-driven governance, that is the second design principle. Azure Policy allows you to create guardrails and can ensure compliance with your business or regulatory needs for the resources that are deployed. This allows the subscription owners in your organization to deploy and manage resources knowing that they already comply with the standards that the business has set.

The next design area is the single control and management plane that Azure provides. This reduces overall complexity and avoids dependency or abstraction layers, such as custom portals or tooling.

Finally, there is the application-centric service model. Design choices should not be between old or new apps, or IaaS vs. PaaS. Design a secure environment and tailor the services that are needed specifically for the application.

Adhering to these design principles will help you achieve success with your deployment or migration, and give you the foundation for successful scale.

Now that we have covered the guiding principles, let's take a look at the specific design areas that a landing zone includes.

As we look at the design areas that are included in a landing zone, it can be a little intimidating to think of the number of considerations across these different areas. It can be tempting to just start deploying resources in a subscription to get your application up and running. And while that might be OK for a development environment, you should be more methodical for your production resources. Let's take a closer look at each of these areas.

The Azure billing and your Active Directory tenant are two of the most critical design areas when planning out your environment. On the billing side, there are a variety of subscription types that meet different customer needs. If you are a large enterprise that needs a single contract across the Microsoft cloud, then an Enterprise Agreement fits best. For a scalable billing foundation directly with Azure, there is the Microsoft Customer Agreement. If you plan to resell Azure services and be the point of contact for your customers, you can become a Cloud Solution Provider. Finally, the most generic is a simple pay-as-you-go subscription, which bills to a credit card.

Most software vendors and technology partners would benefit from using a Microsoft Customer Agreement. These agreements can be managed in the Azure Portal and enable you to create billing profiles and invoice sections.

One of the reasons that the subscriptions and Active Directory tenant are important is because a subscription gets associated with one specific tenant. This tenant is then the foundation for identity and access management across both the tenant itself and the subscriptions that get associated with it. The cloud-native version is Azure Active Directory, but services and features can be extended by using either self-managed or platform-managed Active Directory Domain Services.

The identity and access management design area is the foundation of authentication and authorization, role-based access control, and using managed identities in your environment. Having a centralized identity solution that allows you to authenticate user accounts and applications, then assign appropriate access to those resources, gives you the foundation that you need to build a zero trust environment.

You can start by implementing role-based access control to provide separation of duties. There are dozens of built-in role definitions to start with, and they can be fine-tuned using custom roles. Another component in this area is managed identities, which allow you to register resources and applications within the same Azure Active Directory environment and establish secure authentication between applications and to your Azure resources.

The network topology and connectivity models that you design are critical components of how your resources and services will communicate in the cloud, as well as in hybrid and multi-cloud environments. At the network topology level, you have the option to go with more traditional models, like hub and spoke. Or, for large-scale environments, choose to centralize the network management with Azure Virtual WAN. Regardless of which model you choose, you need to plan well in advance for IP address management to avoid overlaps between Azure virtual networks and on-premises locations.

You then build on the network topology and implement the required connectivity for your resources. Consider using Private Link and private endpoints to help with security and compliance goals. In addition to your cloud connectivity, there might be requirements for hybrid connections to on-premises with VPNs or ExpressRoute, or to other cloud providers. Finally, when implementing both the topology and the desired connectivity models, consider the resources available to perform packet inspection and network filtering from Layer 3 up to Layer 7.

Aim to achieve a zero trust network implementation by segmenting the network, and ensuring all communication between resources and services is encrypted.

Resource organization might be one of the simpler design areas, but it can have a significant impact over time on the administrative overhead in managing your resources as you scale. On the individual resource side, consider implementing naming conventions, using tagging to report on and identify resources, and using resource locks to protect them from changes and accidental deletion.

The subscription level should be considered for application and billing segmentation. In addition, individual subscriptions have service limits and quotas that you should be aware of, which might limit the resources in the future as you scale. Then, above subscriptions, are management groups to organize and provide a hierarchy for your subscriptions. This allows you to aggregate Azure Policies and apply role-based access control across multiple subscriptions.

Security is a core consideration for an environment, to protect applications, data, and the trust of your customers.

The Azure Security Benchmark can be used to measure your environment against a list of best practices for resource configuration and security controls. It can provide recommendations based on your environment and how to remediate resources it finds unhealthy. This can give you customized guidance for the services that you have configured.

Managing the operational security is another important aspect, which includes having a procedure for managing logs and alerts, performing vulnerability assessments for your resources, and ensuring that your encryption keys and other keys that might be used are secured in a service like Azure Key Vault.

Last, but certainly not least in security, is to implement a zero trust approach to identity. Limit the number of accounts that have high-privilege roles, like Global Administrator, and require access approvals, justification, and access reviews when using those roles. This also includes having a notification system for when these roles are activated and performing an audit of the access history.

The management area defines how you are going to manage your day-to-day resources to ensure a stable cloud environment. You should have the tools and services in place to identify and inventory your resources and have visibility into them, from initial deployment to ongoing monitoring and logging of the resources. You will also have to determine how long to retain the information that is being collected.

Those day-to-day operations include how to ensure your resources meet the baseline that you established when you deployed them. How should changes in configuration be made going forward to avoid configuration drift, but still ensure that you are right-sizing those resources, and managing any required updates or patches? Then, we must protect and be able to recover these resources from backups or perform disaster recovery. Consider the recovery time and recovery point objectives that might be required for your application.

The governance design area is meant to provide reviews for the decision-making process for many of the resources we've discussed so far. That includes the cost management tools that provide reporting on what resources cost what amount, budgets to help alert you if you go over your baseline, and Azure Reservations to lower the cost of long-term planned resources. Combine that with resource consistency to help reduce administrative overhead from learning, securing, and managing various resource types, and provide a common set of resources for configuration and access management.

Platform automation and DevOps are the core of what helps us modernize our applications, and helps us provide scale, agility, and flexibility in the cloud. Whether it is with CI/CD pipelines and other integration components, this automation reduces error and provides a consistent and repeatable deployment. These operations aren't just limited to development code, either. We can automate the infrastructure, platform, security, and more.

As a summary, these design areas encourage organizations to have a conceptual architecture to strive for with their Azure environment. These design areas represent the common needs of an architecture regardless of industry, region, or organization size.

Keeping these areas in mind, and planning for them before deploying an application, will help you set yourself up for success when deploying new or scaling existing applications.

Thank you for taking the time to learn about Azure landing zones. For more information on the landing zone templates that are available, sign up for notifications for when the next video is published.