Azure Landing Zone Equivalent
Landing Zone like Blueprint in Azure
Is there such a thing as a multi-account landing zone structure in Azure? Something like the AWS landing zone (Control Tower)?
This provides a best practices ‘blueprint’ in Azure for upcoming workload migrations, and consists of:
- Deploy an Azure VNET providing an isolated network and subnets for your virtual machines.
- Create an Azure Key Vault instance to hold the certificates, keys, and secrets used by the shared services environment.
- Deploy Log Analytics so that all actions and services log to a central location from the moment you start your migration.
- Deploy Azure Security Center (Standard tier), which provides threat protection for your migrated workloads.
Azure Best Practices VNET
A VNET is spun up in a production / pre-production subscription, following these best practices:
- Non-overlapping address spaces. VNet address space (CIDR block) should not overlap with your organization’s existing network ranges.
- Subnets should not cover the entire address space of the VNet. Plan ahead and reserve some address space for the future.
- Secure the VNet using Network Security Groups (NSGs).
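As an added example (not part of the original post, and not Azure's own tooling), the following Python check applies the VNet planning rules above to a proposed address plan before anything is deployed. All CIDR values are constructed sample input, and the 50% headroom threshold is an assumed policy, not an Azure limit.

```python
from ipaddress import IPv4Network

# Azure reserves five addresses in every subnet (network address, three for
# the platform, broadcast) and does not allow IPv4 subnets smaller than /29.
AZURE_RESERVED_PER_SUBNET = 5
AZURE_MIN_SUBNET_PREFIX = 29


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses actually assignable to VMs after Azure's reservations."""
    return max(0, IPv4Network(subnet_cidr).num_addresses - AZURE_RESERVED_PER_SUBNET)


def plan_vnet(vnet_cidr, subnet_cidrs, existing_ranges, max_subnet_share=0.5):
    """Check a proposed VNet plan against the best practices above.

    Returns a list of findings; an empty list means the plan passes.
    max_subnet_share caps how much of the VNet the subnets may consume so
    that address space stays reserved for future subnets (assumed policy).
    """
    vnet = IPv4Network(vnet_cidr)
    subnets = [IPv4Network(c) for c in subnet_cidrs]
    findings = []

    # 1. The VNet must not overlap any existing organisation range.
    for rng in (IPv4Network(c) for c in existing_ranges):
        if vnet.overlaps(rng):
            findings.append(f"VNet {vnet} overlaps existing range {rng}")

    # 2. Subnets must sit inside the VNet, not overlap each other, and be
    #    large enough for Azure to accept them.
    for i, sub in enumerate(subnets):
        if not sub.subnet_of(vnet):
            findings.append(f"subnet {sub} is outside VNet {vnet}")
        if sub.prefixlen > AZURE_MIN_SUBNET_PREFIX:
            findings.append(f"subnet {sub} is smaller than Azure's /29 minimum")
        for other in subnets[i + 1:]:
            if sub.overlaps(other):
                findings.append(f"subnets {sub} and {other} overlap")

    # 3. Subnets must not cover the whole VNet: keep headroom for the future.
    used = sum(sub.num_addresses for sub in subnets)
    if used > max_subnet_share * vnet.num_addresses:
        findings.append(f"subnets consume {used}/{vnet.num_addresses} addresses "
                        f"of {vnet}; reserve space for future subnets")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: a new /16 checked against two existing on-prem ranges.
    for finding in plan_vnet("10.20.0.0/16", ["10.20.0.0/24", "10.20.1.0/24"],
                             ["10.0.0.0/16", "192.168.0.0/16"]):
        print("FINDING:", finding)
```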
Azure Monitor and Log Analytics
Azure Monitor can collect data from a variety of sources. You can think of monitoring data for your applications in tiers ranging from your application, any operating system and services it relies on, down to the platform itself. Azure Monitor collects data from each of the following tiers:
- Application monitoring data: Data about the performance and functionality of the code you have written, regardless of its platform.
- Guest OS monitoring data: Data about the operating system on which your application is running. This could be running in Azure, another cloud, or on-premises.
- Azure resource monitoring data: Data about the operation of an Azure resource.
- Azure subscription monitoring data: Data about the operation and management of an Azure subscription, as well as data about the health and operation of Azure itself.
- Azure tenant monitoring data: Data about the operation of tenant-level Azure services, such as Azure Active Directory.
As soon as you create an Azure subscription and start adding resources such as virtual machines and web apps, Azure Monitor starts collecting data. Activity Logs record when resources are created or modified. Metrics tell you how the resource is performing and the resources that it’s consuming.
Azure Key Vault
Azure Key Vault helps solve the following problems:
- Secret management: Securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
- Key management: Create and control encryption keys that encrypt your data.
- Certificate management: Provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and your internal connected resources.
- Store secrets backed by HSMs: Use either software or FIPS 140-2 Level 2 validated HSMs to help protect secrets and keys.
Azure Security Center
Azure Security Center enables you to strengthen your security posture. This means it helps you identify and perform the hardening tasks recommended as security best practices and implement them across your machines, data services, and apps. This includes managing and enforcing your security policies, and making sure your Azure virtual machines, non-Azure servers, and Azure PaaS services are compliant. Security Center provides you with the tools you need to have a bird’s eye view on your workloads, with focused visibility on your network security estate.
This provides a best practices ‘blueprint’ in Azure, similar to AWS governance-based landing zones.