Our organization is planning a massive transition from on-premise data centers to the cloud. I am looking for advice on setting up an Azure Landing Zone that follows the Cloud Adoption Framework (CAF). How do we ensure that our subscription democratization and policy-driven governance are robust enough to handle over 500+ workloads without becoming a management nightmare?
3 answers
For a migration of this scale, you should strictly follow the Enterprise-Scale architecture. Start by defining your management group hierarchy to allow for global policies. You need to automate the environment using Infrastructure as Code (IaC), preferably Terraform or Bicep, to ensure consistency across regions like West US and North Europe. Focus on "Subscription Democratization" to give application teams autonomy while maintaining guardrails through Azure Policy. This prevents "shadow IT" while ensuring that networking and security standards are inherited automatically.
Are you planning to use a Hub-and-Spoke network topology for this, and how are you handling centralized logging across all those subscriptions?
Automation is your best friend here. If you don't use CI/CD pipelines for your landing zone deployment, you'll struggle with configuration drift very quickly
I totally agree. Sarah, using Azure DevOps or GitHub Actions to deploy your ARM templates or Terraform modules is the only way to keep 500+ workloads in sync.
Most enterprises use Azure Virtual WAN for the hub to simplify large-scale connectivity. For logging, you must route all diagnostic data to a centralized Log Analytics Workspace. This allows your security team to monitor the entire footprint from a single pane of glass using Microsoft Sentinel, which is vital for compliance.