ondfisk/AzureLandingZonesDemo

Azure Landing Zones Demo

Demonstration of various infrastructure as code and pipeline components to deploy Azure Landing Zones.

The rationale behind this is described in the post "A simplified Azure Landing Zones alternative".

[Figure: Azure landing zone conceptual architecture]

The conceptual architecture is greatly simplified compared to the official one, as we empower DevOps teams to build and run their own thing.

We do not want to manage networking centrally. All applications will be deployed as islands with no inter-network connectivity.

We adopt a Zero Trust approach in which identity and encryption trump, and often replace, network security.

We do not require nor encourage the use of Azure Private Link.

We allow most services to have Public Network Access: Enabled because we rely on enforcing Entra ID authentication and TLS encryption.

Online Landing Zones

These are the most important landing zones - all newer applications should be deployed here - even if data resides on-premises.

Connections to on-premises resources should be managed using zero-trust approaches, with resources like:

Corp Landing Zones

Corp landing zones should be used exclusively for lift-and-shift scenarios (and avoided altogether if possible). They are reserved for applications that do not support modern authentication and rely on Kerberos (Windows Active Directory).

Policy-driven Governance

The primary focus is on Policy-driven governance.
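As an added example of this governance model (not code from the repository), the Bicep below defines and assigns a custom policy at management-group scope that enforces the principle stated above: storage accounts may stay publicly reachable, but shared-key access is denied and TLS 1.2 is required. Resource names and API versions are assumptions.

```bicep
// Added example (not from the repository): a custom policy definition and its
// assignment, deployed at management-group scope. Names and API versions are assumptions.
targetScope = 'managementGroup'

resource storageIdentityTls 'Microsoft.Authorization/policyDefinitions@2023-04-01' = {
  name: 'deny-storage-without-entra-and-tls' // assumed name
  properties: {
    displayName: 'Storage accounts must use Entra ID authentication and TLS 1.2'
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: ['Audit', 'Deny']
        defaultValue: 'Deny'
      }
    }
    policyRule: {
      if: {
        allOf: [
          { field: 'type', equals: 'Microsoft.Storage/storageAccounts' }
          {
            anyOf: [
              // allowSharedKeyAccess defaults to true when omitted, so "notEquals false"
              // catches both an explicit true and a missing property.
              { field: 'Microsoft.Storage/storageAccounts/allowSharedKeyAccess', notEquals: false }
              // Anything below TLS 1.2 (or an unset value) is rejected.
              { field: 'Microsoft.Storage/storageAccounts/minimumTlsVersion', notEquals: 'TLS1_2' }
            ]
          }
        ]
      }
      then: {
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

// Assign the definition to the management group the template is deployed to,
// so every subscription below it inherits the rule.
resource storageIdentityTlsAssignment 'Microsoft.Authorization/policyAssignments@2023-04-01' = {
  name: 'deny-storage-entra-tls' // assumed name (MG-scope assignment names are capped at 24 chars)
  properties: {
    policyDefinitionId: storageIdentityTls.id
    enforcementMode: 'Default'
  }
}
```

Start with the effect parameter set to Audit to see which existing accounts would be blocked before switching to Deny.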

Code

.
├───.github
│   ├───linters
│   └───workflows
├───docs
├───environments                    # Parameters and variables
│   ├───canary
│   └───prod
└───modules
    ├───management                  # Deploy management subscription resources
    ├───management-groups           # Deploy management group structure
    ├───policies                    # Deploy policies
    │   ├───assignments
    │   ├───initiatives
    │   ├───policies
    │   └───scripts
    └───shared                      # Shared bicep modules

Continuous Deployment

Landing zones are deployed using GitHub Actions.

Notes

  1. To lint the repository locally (from WSL), run:

    docker run \
    -e DEFAULT_BRANCH=main \
    -e RUN_LOCAL=true \
    -e VALIDATE_BIOME_FORMAT=true \
    -e VALIDATE_BIOME_LINT=true \
    -e VALIDATE_CHECKOV=true \
    -e VALIDATE_GITHUB_ACTIONS=true \
    -e VALIDATE_GITHUB_ACTIONS_ZIZMOR=true \
    -e VALIDATE_MARKDOWN_PRETTIER=true \
    -e VALIDATE_MARKDOWN=true \
    -e VALIDATE_NATURAL_LANGUAGE=true \
    -e VALIDATE_POWERSHELL=true \
    -e VALIDATE_SHELL_SHFMT=true \
    -e VALIDATE_YAML=true \
    -e VALIDATE_YAML_PRETTIER=true \
    -e FIX_BIOME_FORMAT=true \
    -e FIX_BIOME_LINT=true \
    -e FIX_GITHUB_ACTIONS_ZIZMOR=true \
    -e FIX_MARKDOWN_PRETTIER=true \
    -e FIX_MARKDOWN=true \
    -e FIX_NATURAL_LANGUAGE=true \
    -e FIX_POWERSHELL=true \
    -e FIX_SHELL_SHFMT=true \
    -e FIX_YAML_PRETTIER=true \
    -v .:/tmp/lint \
    --rm ghcr.io/super-linter/super-linter:latest
  2. The installed Azure Policy extension for Visual Studio Code references the deprecated Azure Account extension. Ignore for now.
