Azure Landing Zone Kit
Azure Bicep/ARM templates for enterprise landing zones with governance, networking, and identity management.
📄 Product Preview
Try the interactive reader and demo tools below, or get the full product with all content unlocked.
📖 Interactive Reader (Free Preview) ⚙ Try Demo Tools 📦 Download Free Sample📁 File Structure 24 files
📖 Documentation Preview README excerpt
Azure Landing Zone Kit
Enterprise-grade Bicep templates for Azure Landing Zone deployment — governance, networking, identity, and platform services following the Cloud Adoption Framework.
Built by Cloud Architecture Pro — premium reference architectures for senior cloud engineers.
Overview
This kit provides a complete set of Bicep templates to deploy an Azure enterprise landing zone aligned with the Microsoft Cloud Adoption Framework (CAF). Instead of spending weeks translating CAF documentation into IaC, deploy a production-ready landing zone with governance guardrails, hub-spoke networking, identity integration, and centralized logging in hours.
Every template is modular — deploy the full kit or pick individual components for existing environments.
What's Included
Bicep Templates (7 templates)
| Template | Purpose |
|---|---|
bicep/main-landing-zone.bicep | Orchestrator that deploys the full landing zone |
bicep/management-groups.bicep | Management group hierarchy for governance |
bicep/hub-network.bicep | Hub VNet with Azure Firewall, Bastion, and VPN Gateway |
bicep/spoke-network.bicep | Spoke VNet with peering to hub and NSG rules |
bicep/policy-assignments.bicep | Azure Policy for compliance enforcement |
bicep/log-analytics-workspace.bicep | Centralized monitoring and diagnostics |
bicep/identity-baseline.bicep | RBAC role assignments and managed identities |
Documentation
| Document | Description |
|---|---|
docs/architecture.md | Reference architecture diagram and component breakdown |
docs/governance-guide.md | Azure Policy strategy and management group design |
docs/networking-guide.md | Hub-spoke topology, firewall rules, and DNS design |
docs/security-considerations.md | Security baseline, RBAC, and compliance mapping |
docs/deployment-guide.md | Step-by-step deployment with az CLI |
Scripts & Examples
| File | Description |
|---|---|
scripts/landing_zone_validator.py | Validate deployment readiness and prerequisites |
scripts/policy_compliance_report.py | Generate policy compliance summary from JSON export |
examples/params-enterprise.json | Enterprise deployment parameters |
examples/params-sandbox.json | Sandbox/dev deployment parameters |
Prerequisites
- Azure CLI 2.50+ (
az --version) - Bicep CLI 0.22+ (
az bicep version) - Azure subscription with Owner role (or User Access Administrator + Contributor)
- Azure AD tenant with Global Administrator (for management groups)
- For management groups: Tenant Root Group access enabled
Quick Start
# 1. Login and set subscription
az login
*... continues with setup instructions, usage examples, and more.*