What is Landing Zone in Azure? How to implement it via Terraform

March 16, 2023 Architecture, Architectures, Azure, Azure Kubernetes Service(AKS), Azure Solution Architect Expert, Best Practices, Cloud Computing, Emerging Technologies, Kubernetes, Microsoft, Software/System Design, Terraform No comments

In Azure, a landing zone is a pre-configured environment that provides a baseline for hosting workloads. It helps organizations establish a secure, scalable, and well-managed environment for their applications and services. A landing zone typically includes a set of Azure resources such as networks, storage accounts, virtual machines, and security controls.

Implementing a landing zone in Azure can be a complex task, but it can be simplified by using Infrastructure as Code (IaC) tools like Terraform. Terraform allows you to define and manage infrastructure as code, making it easier to create, modify, and maintain your landing zone.

Here are the steps to implement a landing zone in Azure using Terraform:

  1. Define your landing zone architecture: Decide on the resources you need to include in your landing zone, such as virtual networks, storage accounts, and virtual machines. Create a Terraform module for each resource, and define the parameters and variables for each module.
  2. Create a Terraform configuration file: Create a file and define the Terraform modules you want to use. Use the Azure provider to specify your subscription and authentication details.
  3. Initialize your Terraform environment: Run the ‘terraform init’ command to initialize your Terraform environment and download any necessary plugins.
  4. Plan your deployment: Run the ‘terraform plan’ command to see a preview of the changes that will be made to your Azure environment.
  5. Apply your Terraform configuration: Run the ‘terraform apply’ command to deploy your landing zone resources to Azure.

By implementing a landing zone in Azure using Terraform, you can ensure that your environment is consistent, repeatable, and secure. Terraform makes it easier to manage your infrastructure as code, so you can focus on developing and deploying your applications and services.

Once the landing zone architecture is defined, it can be implemented using various automation tools such as Azure Resource Manager (ARM) templates, Azure Blueprints, or Terraform. In this blog, we will focus on implementing a landing zone using Terraform.

Terraform is a widely used infrastructure-as-code tool that allows us to define and manage our infrastructure as code. It provides a declarative language that allows us to define our desired state, and then it takes care of creating and managing resources to meet that state.

To implement a landing zone using Terraform, we can follow these steps:

  1. Define the landing zone architecture: As discussed earlier, we need to define the architecture for our landing zone. This includes defining the network topology, security controls, governance policies, and management tools.
  2. Create a Terraform project: Once the landing zone architecture is defined, we can create a Terraform project to manage the infrastructure. This involves creating Terraform configuration files that define the resources to be provisioned.
  3. Define the Terraform modules: We can define Terraform modules to create reusable components of infrastructure. These modules can be used across multiple projects to ensure consistency and standardization.
  4. Configure Terraform backend: We need to configure the Terraform backend to store the state of our infrastructure. Terraform uses this state to understand the current state of our infrastructure and to make necessary changes to achieve the desired state.
  5. Initialize and apply Terraform configuration: We can initialize the Terraform configuration by running the terraform init command. This command downloads the necessary provider plugins and sets up the backend. Once initialized, we can apply the Terraform configuration using the terraform apply command. This command creates or updates the resources to match the desired state.

By implementing a landing zone using Terraform, we can ensure that our infrastructure is consistent, compliant, and repeatable. We can easily provision new environments, applications, or services using the same architecture and governance policies. This can reduce the time and effort required to manage infrastructure and improve the reliability and security of our applications.

Implementing Azure Landing Zone using Terraform and Reference Architecture

Below I provide general guidance on the steps involved in implementing an Azure Landing Zone using Terraform and the Azure Reference Architecture.

Here are the general steps:

  1. Create an Azure Active Directory (AD) tenant and register an application in the tenant.
  2. Create a Terraform module for the initial deployment of the Azure Landing Zone. This module should include the following:
    • A virtual network with subnets and network security groups.
    • A jumpbox virtual machine for accessing the Azure environment.
    • A storage account for storing Terraform state files.
    • An Azure Key Vault for storing secrets.
    • A set of Resource Groups that organize resources for management, data, networking, and security.
    • An Azure Policy that enforces resource compliance with standards.
  3. Implement the Reference Architecture for Azure Landing Zone using Terraform modules.
  4. Create a Terraform workspace for each environment (dev, test, prod) and deploy the Landing Zone.
  5. Set up and configure additional services in the environment using Terraform modules, such as Azure Kubernetes Service (AKS), Azure SQL Database, and Azure App Service.


Implementing an Azure Landing Zone using Terraform can be a powerful way to manage your cloud infrastructure. By automating the deployment of foundational resources and configuring policies and governance, you can ensure consistency, security, repeatable, and compliance across all of your Azure resources. Terraform’s infrastructure as code approach also makes it easy to maintain and update your Landing Zone as your needs evolve. This can help us reduce the time and effort required to manage our infrastructure and improve the reliability and security of our applications.

Whether you’re just getting started with Azure or looking to improve your existing cloud infrastructure, implementing an Azure Landing Zone with Terraform is definitely worth considering. With the right planning, tooling, and expertise, you can create a secure, scalable, and resilient cloud environment that meets your business needs.


Example Code

  1. Implementing Azure Landing Zone using Terraform :

Here’s an example Terraform code snippet that creates an Azure Landing Zone with a virtual network, subnets, and a network security group:

  • Define the subscription and resource group using Terraform:
#hcl coderesource "azurerm_resource_group" "landing_zone_rg" {
  name     = "landing-zone-rg"
  location = var.location

resource "azurerm_virtual_network" "landing_zone_vnet" {
  name                = "landing-zone-vnet"
  address_space       = [""]
  location            = var.location
  resource_group_name =

  subnet {
    name           = "web-subnet"
    address_prefix = ""

  subnet {
    name           = "db-subnet"
    address_prefix = ""
resource "azurerm_network_security_group" "landing_zone_nsg" {
  name                = "landing-zone-nsg"
  location            = var.location
  resource_group_name =

  security_rule {
    name                       = "http"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"

  security_rule {
    name                       = "ssh"
    priority                   = 200
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
resource "azurerm_network_security_group" "nsg-web" {
  name                = "nsg-web-dev"
  location            = azurerm_resource_group.resource_group.location
  resource_group_name =

resource "azurerm_network_security_group" "nsg-db" {
  name                = "nsg-db-dev"
  location            = azurerm_resource_group.resource_group.location
  resource_group_name =

resource "azurerm_subnet_network_security_group_association" "web-nsg" {
  subnet_id                 =
  network_security_group_id =

resource "azurerm_subnet_network_security_group_association" "db-nsg" {
  subnet_id                 =
  network_security_group_id =

This Terraform code creates a resource group, a virtual network, a subnet, and two additional subnet for web-frontend, db-backend , associated network security groups, and associates the subnet with the network security group. The network security group allows inbound traffic on port 22 (SSH) and port 80 (HTTP). This is just an example, and the security rules can be customized as per the organization’s security policies.

  • Create an Azure Kubernetes Service (AKS) cluster:
#hcl code
resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-dev"
  location            = azurerm_resource_group.resource_group.location
  resource_group_name =
  dns_prefix          = "aks-dev"

  default_node_pool {
    name            = "default"
    node_count      = 1
    vm_size         = "Standard_D2s_v3"
    os_disk_size_gb = 30

2. Implementing Azure Landing Zone using Terraform and Cloud Adoption Framework:

Cloud Adoption Framework for Azure provides a set of recommended practices for building and managing cloud-based applications. You can use Terraform to implement these best practices in your Azure environment.

Here’s an example of implementing a landing zone for a development environment using Terraform and the Cloud Adoption Framework modules:

security groups using the Azure Cloud Adoption Framework (CAF) Terraform modules:

#hcl code
provider "azurerm" {
  features {}

module "caf" {
  source  = "aztfmod/caf/azurerm"
  version = "5.3.0"

  naming_prefix               = "myproject"
  naming_suffix               = "dev"
  resource_group_location     = "eastus"
  resource_group_name         = "rg-networking-dev"
  diagnostics_log_analytics   = false
  diagnostics_event_hub       = false
  diagnostics_storage_account = false

  custom_tags = {
    Environment = "Dev"

  # Define the virtual network
  virtual_networks = {
    my_vnet = {
      address_space = [""]
      dns_servers   = ["", ""]

      subnets = {
        frontend = {
          cidr           = ""
          enforce_public = true
        backend = {
          cidr = ""

      nsgs = {
        frontend = {
          rules = [
              name                       = "HTTP"
              priority                   = 100
              direction                  = "Inbound"
              access                     = "Allow"
              protocol                   = "Tcp"
              source_port_range          = "*"
              destination_port_range     = "80"
              source_address_prefix      = "*"
              destination_address_prefix = "*"

In this example, the aztfmod/caf/azurerm module is used to create a virtual network with two subnets (frontend and backend) and a network security group (NSG) applied to the frontend subnet. The NSG has an inbound rule allowing HTTP traffic on port 80.

Note that the naming_prefix and naming_suffix variables are used to generate names for the resources created by the module. The custom_tags variable is used to apply custom tags to the resources.

This is just one example of how the Azure Cloud Adoption Framework Terraform modules can be used to create a landing zone. There are many other modules available for creating other types of resources, such as virtual machines, storage accounts, and more.

Due to the complexity and length of the example code for implementing Azure Landing Zone using Terraform and Reference Architecture, it is not possible to provide it within a blog article.

However, here are the high-level steps and an overview of the code structure:

  1. Define the variables and providers for Azure and Terraform.
  2. Create the Resource Group for the Landing Zone and networking resources.
  3. Create the Virtual Network and Subnets with the appropriate address spaces.
  4. Create the Network Security Groups and associate them with the appropriate Subnets.
  5. Create the Bastion Host for remote access to the Virtual Machines.
  6. Create the Azure Firewall to protect the Landing Zone resources.
  7. Create the Storage Account for Terraform state files.
  8. Create the Key Vault for storing secrets and keys.
  9. Create the Log Analytics Workspace for monitoring and logging.
  10. Create the Azure Policy Definitions and Assignments for enforcing governance.

The code structure follows the Cloud Adoption Framework (CAF) for Azure landing zones and is organized into the following directories:

  • variables: Contains the variables used by the Terraform code.
  • providers: Contains the provider configuration for Azure and Terraform.
  • resource-groups: Contains the code for creating the Resource Group and networking resources.
  • virtual-networks: Contains the code for creating the Virtual Network and Subnets.
  • network-security-groups: Contains the code for creating the Network Security Groups and associating them with the Subnets.
  • bastion: Contains the code for creating the Bastion Host.
  • firewall: Contains the code for creating the Azure Firewall.
  • storage-account: Contains the code for creating the Storage Account for Terraform state files.
  • key-vault: Contains the code for creating the Key Vault for secrets and keys.
  • log-analytics: Contains the code for creating the Log Analytics Workspace.
  • policy: Contains the code for creating the Azure Policy Definitions and Assignments.

Each directory contains a file with the Terraform code, as well as any necessary supporting files such as variables and modules.

Overall, implementing an Azure Landing Zone using Terraform and Reference Architecture requires a significant amount of planning and configuration. However, the end result is a well-architected, secure, and scalable environment that can serve as a foundation for your cloud-based workloads.

It’s important to note that the specific code required for this process will depend on your organization’s specific needs and requirements. Additionally, implementing an Azure Landing Zone can be a complex process and may require assistance from experienced Azure and Terraform professionals.

Enterprise Architecture

August 12, 2018 Architectures, Software/System Design, TOGAF No comments

What is an Enterprise Architecture?

In this modern world there is lots of confusion about enterprise architecture, in that sense I would write a short scribble about enterprise architecture or called as EA in short.

I will start with a definition by Architecture and Governance Magazine, Issue 9-4, November (2013) :

Enterprise architecture (EA) is “a well-defined practice for conducting enterprise analysis, design, planning, and implementation, using a comprehensive approach at all times, for the successful development and execution of strategy.

Enterprise architecture applies architecture principles and practices to guide organizations through the business, information, process, and technology changes necessary to execute their strategies.

These practices utilize the various aspects of an enterprise to identify, motivate, and achieve these changes.”

Now that sums up as EA is putting together a practice for translating business goals and strategy into practical enterprise to  Business Process + Information Systems (Data and Applications)  and Technologies within an “Enterprise”.  This also conclude a desired state of the enterprise and facilitate towards its change.

How do you achieve that? Answer is short, through Architecture Governance through a selection of desired Architecture Framework. That makes EA an essential practice that at any organizational level to have all the systems functioning as desired.

Goals of enterprise architecture are:

  1. Effectiveness
  2. Efficiency
  3. Agility
  4. Durability.

Subsets/Layers of enterprise architecture or Architecture domain:

There are four kinds of “architecture” that are commonly accepted as subsets of a well defined Enterprise Architecture system:

  1. Business Architecture:
  2. Data Architecture:
  3. Application Architecture:
  4. Technology Architecture:


NIST Enterprise Architecture Model initiated in 1989, one of the earliest frameworks for enterprise architecture. (Courtesy: Wikipedia.)

What is an Enterprise Architecture Framework?

An enterprise architecture framework (EA framework) defines how to create and use an enterprise architecture.

As per Wikipedia there are countless EA frameworks and some of them are categorized as below: (Courtesy: Wikipedia.)

Consortia-developed frameworks:
  • ARCON – A Reference Architecture for Collaborative Networks – not focused on a single enterprise but rather on networks of enterprises.
  • Generalised Enterprise Reference Architecture and Methodology (GERAM)
  • RM-ODP – the Reference Model of Open Distributed Processing (ITU-T Rec. X.901-X.904 | ISO/IEC 10746) defines an enterprise architecture framework for structuring the specifications of open distributed systems.
  • IDEAS Group – a four-nation effort to develop a common ontology for architecture interoperability
  • ISO 19439 Framework for enterprise modelling
  • TOGAF – The Open Group Architecture Framework – a widely used framework including an architectural Development Method and standards for describing various types of architecture.

Defence industry frameworks:

  • AGATE – the France DGA Architecture Framework
  • DNDAF – the DND/CF Architecture Framework (CAN)
  • DoDAF – the US Department of Defense Architecture Framework
  • MODAF – the UK Ministry of Defence Architecture Framework
  • NAF – the NATO Architecture Framework

Government frameworks:

  • European Space Agency Architectural Framework (ESAAF) – a framework for European space-based Systems of Systems
  • Government Enterprise Architecture (GEA) – a common framework legislated for use by departments of the Queensland Government
  • FDIC Enterprise Architecture Framework
  • Federal Enterprise Architecture Framework (FEAF) – a framework produced in 1999 by the US Federal CIO Council for use within the US Government (not to be confused with the 2002 Federal Enterprise Architecture (FEA) guidance on categorizing and grouping IT investments, issued by the US Federal Office of Management and Budget)
  • Nederlandse Overheid Referential Architecture (NORA) – a reference framework from the Dutch Government E-overhead NORA
  • NIST Enterprise Architecture Model
  • Treasury Enterprise Architecture Framework (TEAF) – a framework for treasury, published by the US Department of the Treasury in July 2000.

Open-source frameworks:

Enterprise architecture frameworks that are released as open source:

  • MEGAF is an infrastructure for realizing architecture frameworks that conform to the definition of architecture framework provided in ISO/IEC/IEEE 42010.
  • Praxeme, an open enterprise methodology, contains an enterprise architecture framework called the Enterprise System Topology (EST)
  • TRAK – a general systems-oriented framework based on MODAF 1.2 and released under GPL/GFDL.
  • SABSA is an open framework and methodology for Enterprise Security Architecture and Service Management, that is risk based and focuses on integrating security into business and IT management.

Proprietary frameworks:

  • ASSIMPLER Framework – an architecture framework, based on the work of Mandar Vanarse at Wipro in 2002
  • Avancier Methods (AM) Processes and documentation advice for enterprise and solution architects, supported by training and certification.
  • BRM (Build-Run-Manage) Framework – an architecture framework created by Sanjeev “Sunny” Mishra during his early days at IBM in 2000.
  • Capgemini Integrated Architecture Framework (IAF) – from Capgemini company in 1993
  • Dragon1 – An open Visual Enterprise Architecture Method recently recognized by The Open Group as Architecture Framework
  • DYA framework developed by Sogeti since 2004.
  • Dynamic Enterprise Enterprise architecture concept based on Web 2.0 technology
  • Extended Enterprise Architecture Framework – from Institute For Enterprise Architecture Developments in 2003
  • EACOE Framework  – an Enterprise Architecture framework, as an elaboration of the work of John Zachman
  • IBM Information FrameWork (IFW) – conceived by Roger Evernden in 1996
  • Pragmatic Enterprise Architecture Framework (PEAF) – part of Pragmatic Family of Frameworks developed by Kevin Lee Smith, Pragmatic EA, from 2008
  • Purdue Enterprise Reference Architecture developed by Theodore J. Williams at the Purdue University early 1990s.
  • SAP Enterprise Architecture Framework
  • Service-oriented modeling framework (SOMF), based on the work of Michael Bell
  • Solution Architecting Mechanism (SAM) – A coherent architecture framework consisting of a set of integral modules.
  • Zachman Framework – an architecture framework, based on the work of John Zachman at IBM in the 1980s

Hope that covers the initial concepts of Enterprise Architecture. Later sessions I would write more on an interesting and widely used Enterprise Architecture framework called TOGAF – The Open Group Architecture Framework. 

Read about my previous article in the mean time: TOGAF 9.1 Certified


TOGAF 9.1 Certified

January 26, 2015 Announcements, Certification, TOGAF 1 comment

My passion is technology and living with it, and my ultimate goal is to become an Enterprise Architect, as a major step to continue with the path I should be following,  I am TOGAF 9.2 certified as on today.

It was a long due one, finally I am able to accomplish it.  Great experience preparing for this certification examination.










Little summary, for those who haven’t heard about TOGAF:


The Open Group Architecture Framework (TOGAF) is a framework for enterprise architecture which provides an approach for designing, planning, implementing, and governing an enterprise information technology architecture.

To make it  simple:  The Open Group Architecture Framework (TOGAF) is a framework – a detailed method and a set of supporting tools – for developing an enterprise architecture.

TOGAF® is the de facto global standard for Enterprise Architecture. The Open Group Architecture Forum, comprised of more than 200 enterprises, develops and maintains the TOGAF standard and publishes successive versions at regular intervals.

TOGAF is a high level approach to design. It is typically modeled at four levels: Business, Application, Data, and Technology. It relies heavily on modularization, standardization, and already existing, proven technologies and products.

TOGAF ADM [ Image Courtesy @ Wikipedia ]

The TOGAF framework enables organizations to effectively address critical business needs by:

  • Ensuring that everyone speaks the same language.
  • Avoiding lock-in to proprietary solutions by standardizing on open methods for Enterprise Architecture.
  • Saving time and money, and utilize resources more effectively.
  • Achieving demonstrable ROI.

To know more about TOGAF – 

Enterprise Solution Patterns Using Microsoft .NET – Version 2.0

January 9, 2012 .NET, .NET Framework, All, Architectures, ASP.NET, Books I Like, Design Patterns, Enterprise Library, KnowledgeBase, Microsoft, Patterns&Practices, Recommends No comments

This is a little old document. But very useful for people who would like to learn more about “Enterprise Solution Patterns using Microsoft.NET” , by Microsoft Patterns & Practices

This document is very good for referencing for common solution patterns and provides little more focus on ASP.NET based Solution Pattterns.

Nice reference though!!.