DeploymentFlow
This document outlines the prerequisites, dependencies and flow to help orchestrate an end-to-end Azure Landing Zone deployment. The orchestration templates provided with this reference implementation have been pre-configured to follow the dependencies described in this document.
- Azure Active Directory Tenant.
- Minimum 1 subscription. Subscription(s) are required when configuring
Log Analytics Workspace&Hub Networkingservices. Each can be deployed in the same subscription or separate subscriptions based on deployment requirements. - Deployment Identity with
Ownerpermission to the/root management group. Owner permission is required to allow the Service Principal Account to create role-based access control assignments. See configuration instructions below.
*To use with the network topology of your choice. See network topology deployment instructions below.
Modules in this reference implementation must be deployed in the following order to ensure consistency across the environment:
| Order | Module | Description | Prerequisites | Module Documentation |
|---|---|---|---|---|
| 1 | Management Groups | Configures the management group hierarchy to support Azure Landing Zone reference implementation. | Owner role assignment at / root management group. |
infra-as-code/bicep/modules/managementGroups |
| 2 | Custom Policy Definitions | Configures Custom Policy Definitions at the organization management group. |
Management Groups. | infra-as-code/bicep/modules/policy/definitions |
| 3 | Custom Role Definitions | Configures custom roles based on Cloud Adoption Framework's recommendations at the organization management group. |
Management Groups. | infra-as-code/bicep/modules/customRoleDefinitions |
| 4 | Logging & Sentinel | Configures a centrally managed Log Analytics Workspace, Automation Account and Sentinel in the Logging subscription. |
Management Groups & Subscription for Log Analytics and Sentinel. | infra-as-code/bicep/modules/logging |
| 5 | Hub Networking | Azure supports two types of hub-and-spoke design, VNet hub and Virtual WAN hub. Creates resources in the Connectivity subscription. |
Management Groups, Subscription for Hub Networking. | See network topology deployment below |
| 6 | Role Assignments | Creates role assignments using built-in and custom role definitions. | Management Groups & Subscriptions. | infra-as-code/bicep/modules/roleAssignments |
| 7 | Subscription Placement | Moves one or more subscriptions to the target management group. | Management Groups & Subscriptions. | infra-as-code/bicep/modules/subscriptionPlacement |
| 8 | Built-In and Custom Policy Assignments | Creates policy assignments to provide governance at scale. | Management Groups, Log Analytics Workspace & Custom Policy Definitions | infra-as-code/bicep/modules/policy/assignments/alzDefaults |
| 9 | Corp Connected Spoke Network | Creates Spoke networking infrastructure with Virtual Network Peering to support Hub & Spoke network topology. Spoke subscriptions are used for deploying construction sets and workloads. | Management Groups, Hub Networking & Subscription for spoke networking | See network topology deployment below |
You can decide which network topology to implement that meets your requirements. Please review the network topologies here. The following lists examples of network topology deployment based on the recommended enterprise-scale architecture:
- Traditional VNet Hub and Spoke - Supports communication, shared resources and centralized security policy.
- Virtual WAN - Supports large-scale branch-to-branch and branch-to-Azure communications.
When first working with Management Groups, the Azure AD Global Administrator must assign the User Access Administrator role to themselves at the
/scope first before being able to further delegate. See Elevate access to manage all Azure subscriptions and management groups documentation for further information.
A service principal account is required to automate through Azure DevOps or GitHub Workflows. This can be created through the Portal, Azure PowerShell or Azure CLI.
-
Service Principal Name: any name (i.e.
spn-azure-platform-ops) -
RBAC Assignment
- Scope:
/(Root Management Group) - Role Assignment:
Owner
- Scope:
See step-by-step instructions on Azure Docs to configure the role assignment at
/root management group.
-
Azure DevOps: Setup Service Connection
-
GitHub: Connect GitHub Actions to Azure
The ALZ-Bicep modules can be consumed and used in a manner of different ways. For more information see the Consumer Guide