Search
  • Nathan

Azure Cloud Adoption Framework, Landing Zones, and the Well-Architected Framework

Getting started in Azure can be quite a daunting task. Building an Azure environment from scratch requires you to make many different decisions that have long-term effects on your future architecture. Doing a Google search for Azure architecture best practices will result in a huge amount of results. How do you sift through all of that to find the best information in order to begin your cloud adoption? Well, hopefully this article will help. This is a very large subject. So, as usual for most of my articles, I will try my best to summarize at a high level and to provide relevant links and info so that you can continue the deeper research on your own.


Any search on this subject is bound to return a lot of results around 3 common areas/technologies: the Azure Cloud Adoption Framework (CAF), Azure Landing Zones, and the Azure Well-Architected Framework. Those are the 3 things I will be focusing on in this article.

Azure Cloud Adoption Framework

The CAF is a set of tools, documentation, and best practices that you can use at every stage of your cloud adoption journey. These best practices come from the combined knowledge of Microsoft employees, partners, and customers.


The CAF is a full-lifecycle framework, with multiple phases / methodologies, as outlined in the following diagram. For each methodology, CAF provides tools such as trackers, templates, assessments, checklists, etc.

You should use the CAF from the very start of your journey, and continue to use the CAF throughout your entire journey.


CAF is a massive subject. My recommendation would be to start digging through the documentation and videos that Microsoft has created. Also, here's a helpful link where you can find all of the tools and templates from all of the methodologies in one helpful location.

Azure Landing Zones

As you may have noticed in the picture above, Landing Zones are actually a part of the Cloud Adoption Framework, specifically the Ready methodology.


Landing Zones allow you to easily build new cloud environments from scratch. There are multiple different options for Landing Zones, and they fall under two main categories: small scale and enterprise scale. There are also scenario-specific enterprise scale Landing Zones, such as AKS, SAP, Virtual Desktop, etc.


Depending on which option you pick, Landing Zones will be easily provisioned using either ARM Templates or Azure Blueprints. Once the Landing Zone is ready you can then begin to put your cloud workloads on top of them.


Here is an example Enterprise Scale Landing Zone that uses Hub and Spoke networking:


Design Principles

Enterprise-scale Landing Zones are built upon 5 core Design Principles:

  1. Subscription Democratization: Subscriptions should be used as a unit of management and scale. Subscriptions should be aligned with business needs and priorities.

  2. Policy Driven Governance: Azure Policy should be used to provide guardrails and ensure continued compliance with your organization's platform.

  3. Single Control and Management Plane: Provide a consistent experience for both AppOps (centrally managed operation teams) and DevOps (dedicated application operation teams).

  4. Application Centric and Archetype-Neutral: Focus on migrations specific to your applications, as opposed to lift-and-shift migrations. Your architecture shouldn't differentiate between old and new apps, IaaS or PaaS. It should provide a safe and secure foundation for all types of apps to be deployed onto your Azure platform.

  5. Azure Native Design and Platform Roadmap Alignment: Advocate using Azure-native platform services whenever possible.

Design Areas

You must also pay attention to the 8 key Design Areas of Landing Zones. These Design Areas should be considered prior to deploying a Landing Zone. As you go through each one of these, also make sure to keep in mind the 5 core Design Principles above.

  1. Enterprise Agreement enrollment and AzureAD tenants: Proper tenant creation, enrollment, and billing setup are important early steps.

  2. Identity and Access Management (IAM): IAM is a primary security boundary in the public cloud. It's the foundation for any secure and fully compliant architecture.

  3. Management Groups and Subscriptions: Considerations for Subscription design and Management Group hierarchy have an impact on governance, operations management, and adoption patterns.

  4. Network Topology and Connectivity: Networking and connectivity decisions are an equally important foundational aspect of any cloud architecture.

  5. Management and Monitoring: For stable, ongoing operations in the cloud, a management baseline is required to provide visibility, operations compliance, and protect and recover capabilities.

  6. Business Continuity and Disaster Recovery: You must architect around each application's specific Recovery Time Objective (RTO), Recovery Point Objective (RPO), and Disaster Recovery (DR) requirements.

  7. Security, Governance, and Compliance: This is a big area that covers encryption, key management, governance, security monitoring, audit policies, and platform security.

  8. Platform Automation and DevOps: You should use a DevOps approach for both application and central teams.

You can implement these Design Areas over time, or you can start with an opinionated, defined position on each area.

Azure Well-Architected Framework

The Well-Architected Framework is a set of 5 guiding pillars that can be used to improve the quality of your existing workload. The key word here being existing.


The 5 Pillars of the Well-Architected Framework

  1. Cost Optimization: Managing costs to maximize the value delivered.

  2. Operational Excellence: Operations processes that keep a system running in production.

  3. Performance Efficiency: The ability of a system to adapt to changes in load.

  4. Reliability: The ability of a system to recover from failures and continue to function.

  5. Security: Protecting applications and data from threats.

There are also a few tools provided by Microsoft that will help you:

  • Well-Architected Review: This is a self-guided review where you must answer multiple questions about your current workloads in Azure. The questions are broken up into categories based on the 5 Pillars. At the end you are given a rating (critical, moderate, excellent) and you are also given recommended actions, documentation, and videos to help you improve your score.

  • Azure Advisor: Advisor is a tool native to Azure. It will scan your environment and give you best practices recommendations based on each of the 5 Pillars. Advisor also gives you an Advisor Score, which is an overall score for your environment. However, you can further break down that score into individual scores for each of the 5 Pillars.

As usual, Microsoft has great documentation and videos on this subject, the Well-Architected Framework.

To summarize:

  • Cloud Adoption Framework is a set of tools, documentation, and best practices. The CAF helps you make sure that your Azure environment is configured properly and securely from the very start. The CAF should be referenced throughout your entire cloud adoption journey.

  • Landing Zones are pre-packaged artifacts (ARM Templates or Azure Blueprints) that can be used to easily stand up new environments in Azure. They come in two main flavors, either small scale or enterprise scale. They adhere to 5 Design Principles, and they take into consideration 8 key Design Areas.

  • Well-Architected Framework is a set of 5 Pillars that can be used to help optimize your Azure environment. A few different tools exist to guide you in comparing your existing environment to the ideal baselines across all 5 Pillars.

102 views