Using landing zones when migrating to the cloud

03 May 2022

If you are considering a migration to Azure, the Cloud Adoption Framework (CAF) is one of the paved roads you could follow. The CAF helps you define and implement a cloud strategy. It contains documentation, tools, and best practices, and it describes a cloud adoption lifecycle of eight phases. One of them is the ‘Ready’ phase: the phase in which the cloud environment is prepared for the planned implementation. One way to do this is to implement a Landing Zone.

Imagine a company called FreeBirds. They have been running their software in a datacenter in the Netherlands for over ten years. Their business is growing rapidly, both in the number of customers and in where those customers are: it has been a long time since all of them came from the Netherlands. FreeBirds decided to move their applications to the Azure cloud. One reason for this decision is reducing costs by fully leveraging the elasticity of the cloud. Another is being able to run their applications across the globe, thereby improving application performance as well as resiliency and scalability. Building a Landing Zone on Azure using a Hub and Spoke architecture is ideal for this type of scenario.

Ready-made foundation

When explaining the concepts of the Azure Landing Zone it is useful to use the analogy of building a home. If you want to build a new home you could choose to do everything yourself: dig the foundations, lay the bricks and do all the plumbing. The same goes for the Azure cloud. You could start to build the infrastructure manually yourself. As with the house, you might find that this is very time-consuming and that there is a risk of making a lot of mistakes. It would be much easier to use ready-made foundations and a blueprint that shows you exactly how to do things and implements best practices. You could still customize the structure to your own needs, but the building would be architecturally sound, safe, and faster to build. An Azure Landing Zone is exactly like that. It covers network architecture, security, identity, and governance, allowing DevOps teams to start building right away on a properly laid out foundation.

Architecture

Landing Zones are often implemented using a Hub and Spoke architecture. In this type of architecture, you have a central hub. The network in the hub acts as a central point of connectivity to on-premises resources for many spoke virtual networks, as shown in the image below. You often find other resources in the hub that are shared among spokes, such as Azure Firewall or a Log Analytics workspace for central log management.

Hub and spoke architecture

The middle part of the image above shows the hub virtual network. It contains the resources needed to provide connectivity to the on-premises network on the left. That connection is often established using a VPN Gateway or Azure ExpressRoute. The connection in the hub network can then be used by multiple spokes, as shown on the right. Each spoke virtual network holds one workload, and the spokes allow you to isolate your workloads from those of other teams. For example, you can use spokes to run Virtual Machines (VMs), Azure Web Apps, or databases.
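As an added example that is not part of the original article, the Bicep template below onboards one spoke virtual network to an existing hub: it peers the spoke to the hub, lets the spoke use the hub's VPN/ExpressRoute gateway, and attaches a route table that sends all internet-bound traffic to the Azure Firewall in the hub. The resource names, address ranges, the hub VNet resource ID and the firewall's private IP are assumptions; the hub side of the peering (with gateway transit allowed) is assumed to be deployed by the platform team.

```bicep
// Added example, not from the original article: one spoke joining an existing hub.
// Deploy at resource-group scope in the spoke's resource group.
param location string = resourceGroup().location
param spokeName string = 'vnet-spoke-orders'            // assumed name
param spokeAddressPrefix string = '10.1.0.0/16'         // assumed, must not overlap the hub
param workloadSubnetPrefix string = '10.1.0.0/24'       // assumed
param hubVnetId string                                  // resource ID of the existing hub VNet (assumed to exist)
param hubFirewallPrivateIp string = '10.0.1.4'          // private IP of the hub Azure Firewall (assumed)

// Route table for the workload subnet: 0.0.0.0/0 goes to the hub firewall, so no
// workload can reach the internet without passing the central inspection point.
resource spokeRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-${spokeName}'
  location: location
  properties: {
    // Do not let routes learned via the hub gateway override the default route.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-hub-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: hubFirewallPrivateIp
        }
      }
    ]
  }
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: spokeName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [ spokeAddressPrefix ]
    }
    subnets: [
      {
        name: 'snet-workload'
        properties: {
          addressPrefix: workloadSubnetPrefix
          routeTable: { id: spokeRouteTable.id }
        }
      }
    ]
  }
}

// Spoke -> hub peering. The matching hub -> spoke peering (with
// allowGatewayTransit: true) is created by the platform team on the hub side.
resource spokeToHub 'Microsoft.Network/virtualNetworks/virtualNetworkPeerings@2023-04-01' = {
  parent: spokeVnet
  name: 'peer-to-hub'
  properties: {
    remoteVirtualNetwork: { id: hubVnetId }
    allowVirtualNetworkAccess: true
    // Required so that traffic forwarded by the hub firewall is accepted in the spoke.
    allowForwardedTraffic: true
    // Reach on-premises through the hub's VPN/ExpressRoute gateway instead of a local one.
    useRemoteGateways: true
  }
}

output spokeVnetId string = spokeVnet.id
output workloadSubnetId string = spokeVnet.properties.subnets[0].id
```

The two settings worth checking in a review are the default route to the firewall and `allowForwardedTraffic`: without the first, workloads bypass central inspection; without the second, return traffic from the firewall is dropped at the spoke. A spoke-to-spoke flow also passes the firewall only if the spokes' route tables send each other's prefixes to it, since peering is not transitive.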

In the scenario of FreeBirds, this would be a perfect fit. A central team, often called a platform team or something similar, can build and manage this Hub with all the central services. Each DevOps team that builds and delivers applications end-to-end gets one or more spokes. The central team can ensure a safe adoption of the cloud, for example by forcing all traffic to the internet to go through a firewall. They can also use Azure Policy to set guardrails for the DevOps teams, ensuring that they cannot deploy, for example, a database in an insecure way, or enforcing a daily backup. It is essential that these central teams do not become a bottleneck for the DevOps teams. This means that the platform team must go all in on delivering their services in a self-service and automated manner as much as possible.
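As an added example that is not part of the original article, the subscription-scoped Bicep template below defines and assigns one such guardrail: a custom Azure Policy that denies Azure SQL logical servers whose public network access is not disabled, so a DevOps team cannot expose a database directly to the internet from its spoke. The policy and assignment names are assumptions; the policy alias `Microsoft.Sql/servers/publicNetworkAccess` is the one used by the built-in policy "Public network access on Azure SQL Database should be disabled".

```bicep
// Added example, not from the original article: a landing-zone guardrail in Azure Policy.
// Deploy at subscription scope (or move to a management group to cover all landing zones).
targetScope = 'subscription'

resource denyPublicSql 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'deny-sql-public-network-access'   // assumed name
  properties: {
    displayName: 'Deny Azure SQL servers with public network access enabled'
    description: 'Landing zone guardrail: Azure SQL logical servers must only be reachable via private endpoints.'
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: {
      effect: {
        type: 'String'
        defaultValue: 'Deny'
        allowedValues: [ 'Audit', 'Deny', 'Disabled' ]
        metadata: {
          displayName: 'Effect'
          description: 'Audit first when rolling out to existing spokes, then switch to Deny.'
        }
      }
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Sql/servers'
          }
          {
            // Any value other than Disabled (including a missing value) is rejected.
            field: 'Microsoft.Sql/servers/publicNetworkAccess'
            notEquals: 'Disabled'
          }
        ]
      }
      then: {
        // Bicep emits the leading '[' escaped, so the policy engine, not ARM, evaluates this.
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

// Assign the definition to the whole subscription so every spoke inherits it.
resource assignDenyPublicSql 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'deny-sql-public-network-access'   // assumed name
  properties: {
    displayName: 'Landing zone guardrail: no public Azure SQL endpoints'
    policyDefinitionId: denyPublicSql.id
    parameters: {
      effect: { value: 'Deny' }
    }
    enforcementMode: 'Default'
  }
}

output assignmentId string = assignDenyPublicSql.id
```

Rolling the assignment out with `Audit` first shows which existing spokes would be blocked; switching to `Deny` afterwards makes the guardrail enforce at deployment time, so a non-compliant template fails before the resource exists rather than being flagged later.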

Valuable scenario

A Landing Zone is not only useful in a scenario like that of FreeBirds, i.e. a company moving away from its on-premises datacenter. It also fits hybrid scenarios and even fully cloud-native environments without any on-premises connectivity. All the benefits, such as easy onboarding on the cloud, security, identity, and governance, remain. The Hub is also often used to provide central services to all teams that would otherwise be too expensive or complex. A good example of such an expensive and complex offering is API Management, a service to expose APIs to the outside world. When run in a production-ready way, it easily costs over 3000 euros a month. This is too much for each DevOps team to run on their own, and thus it is often managed centrally. Kubernetes, offered on Azure as AKS, is another service that is often managed centrally. Besides being expensive, it is also a complex service to operate. Bringing it to a central team allows the other DevOps teams to focus on their business value instead of having to operate their infrastructure.