A while back, someone pointed me to the Azure Landing Zones concept as an excellent way to organize an Enterprise Cloud environment in Azure.
Classic enterprise networks
In a classic enterprise network, you will find network segments like a DMZ for the front-end applications, another segment for back-end systems, and so on. Your enterprise network might look somewhat different, but you get the idea.
The segments also tend to be relatively static (i.e., don’t change much over time). Giving access to third parties outside the company is often a big no-no. And if it can be done, it is often complicated to set up.
We need a new way for the cloud
However, in the cloud, you often want to quickly integrate third-party SaaS solutions. You also need to give restricted (but convenient) access to parts of your cloud infrastructure so that third parties can develop and deploy applications. "Restricted" is the keyword here: you don't want the third-party developer to change anything about your firewalls, routing tables, or any other security-sensitive component. Still, you may want them to be able to spin up virtual machines or deploy containers.
Subscriptions, lots of subscriptions
That's where the Landing Zone comes in. You organize your applications and resources by grouping them into subscriptions, and you regulate access to them with role assignments scoped to a subscription (or to the management group above it), so a user only reaches the subscriptions they have been granted. The picture below is a blueprint for such a setup. At the bottom-right, you'll see a box for "Sandbox Subscriptions." Those can be opened to third parties to develop innovative applications within the confines of your cloud. Since they have no role assignment on, say, the Connectivity subscription, they cannot modify the firewall configuration that lives there. Azure Policy assigned at the sandbox management group can additionally limit what they may create inside their own sandbox (peering into the hub network, for instance), which keeps the "restricted" part of restricted access enforceable even with a Contributor role.
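To make the scoping concrete, here is an added example (my own, not from the original post and not Azure's authorization engine) that models how Azure RBAC role assignments and an Azure Policy deny compose along a management-group and subscription hierarchy. The management-group names, subscription names, principals and the list of denied resource types are all hypothetical; the Contributor role's Actions and NotActions are an abridged copy of the built-in role, which is why a Contributor on a sandbox subscription can create virtual machines there but cannot grant access or touch a subscription it has no assignment on.

```python
# Added example: toy model of Azure RBAC + Azure Policy scope inheritance.
# This is a simplified illustration, not Azure's real authorization engine.
from fnmatch import fnmatchcase

# Constructed hierarchy with hypothetical names, mirroring the landing-zone layout:
#   root -> platform     -> conn-sub            (Connectivity subscription)
#   root -> landingzones -> sandbox -> sbx-sub  (a Sandbox subscription)
MG_PARENT = {"platform": "root", "landingzones": "root", "sandbox": "landingzones"}
SUBSCRIPTION_MG = {"conn-sub": "platform", "sbx-sub": "sandbox"}


def mg_scope(name):
    """Resource-ID form of a management-group scope."""
    return f"/providers/Microsoft.Management/managementGroups/{name}"


def scope_chain(subscription):
    """Scopes that govern a subscription, from the subscription itself up to the root."""
    chain = [f"/subscriptions/{subscription}"]
    mg = SUBSCRIPTION_MG[subscription]
    while mg is not None:
        chain.append(mg_scope(mg))
        mg = MG_PARENT.get(mg)  # root has no parent, so the loop stops after it
    return chain


# Abridged copy of the built-in Contributor role: (Actions, NotActions).
# It can do almost everything EXCEPT change access, which is why it suits third parties.
ROLES = {
    "Contributor": (
        ["*"],
        ["Microsoft.Authorization/*/Delete",
         "Microsoft.Authorization/*/Write",
         "Microsoft.Authorization/elevateAccess/Action"],
    ),
}

# Constructed role assignments: (principal, role, scope).
ROLE_ASSIGNMENTS = [
    ("platform-team", "Contributor", mg_scope("platform")),   # inherited by conn-sub
    ("partner-devs", "Contributor", "/subscriptions/sbx-sub"),  # sandbox only
]

# Guardrail modeled on a "not allowed resource types" deny policy, assigned at the
# sandbox management group. The chosen types are a hypothetical sandbox policy.
POLICY_ASSIGNMENTS = [
    (mg_scope("sandbox"), ["Microsoft.Network/virtualNetworks/virtualNetworkPeerings",
                           "Microsoft.Network/azureFirewalls"]),
]


def _matches(action, pattern):
    """Azure action strings are case-insensitive; '*' spans '/' just as in fnmatch."""
    return fnmatchcase(action.lower(), pattern.lower())


def rbac_allows(principal, action, subscription):
    """True if some assignment in the subscription's scope chain grants the action."""
    chain = scope_chain(subscription)
    for who, role, scope in ROLE_ASSIGNMENTS:
        if who != principal or scope not in chain:
            continue  # someone else's assignment, or a different branch of the tree
        actions, not_actions = ROLES[role]
        if any(_matches(action, a) for a in actions) and \
                not any(_matches(action, n) for n in not_actions):
            return True
    return False


def policy_denies(action, subscription):
    """True if a deny policy in the scope chain blocks this resource type on write."""
    if not action.lower().endswith("/write"):
        return False  # deny effects only evaluate create/update requests
    resource_type = action.rsplit("/", 1)[0].lower()
    chain = scope_chain(subscription)
    return any(scope in chain and resource_type in (t.lower() for t in denied)
               for scope, denied in POLICY_ASSIGNMENTS)


def authorize(principal, action, subscription):
    """Return (allowed, reason). RBAC is evaluated first, then Azure Policy."""
    if not rbac_allows(principal, action, subscription):
        return False, "no role assignment grants this action at this scope"
    if policy_denies(action, subscription):
        return False, "Azure Policy denies this resource type at this scope"
    return True, "allowed"


if __name__ == "__main__":
    requests = [
        ("partner-devs", "Microsoft.Compute/virtualMachines/write", "sbx-sub"),
        ("partner-devs", "Microsoft.Network/azureFirewalls/write", "conn-sub"),
        ("partner-devs", "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write", "sbx-sub"),
        ("partner-devs", "Microsoft.Authorization/roleAssignments/write", "sbx-sub"),
        ("platform-team", "Microsoft.Network/azureFirewalls/write", "conn-sub"),
    ]
    for who, act, sub in requests:
        ok, why = authorize(who, act, sub)
        print(f"{who:14} {act:62} {sub:9} -> {'ALLOW' if ok else 'DENY'} ({why})")
```

Run it and you get the behaviour the blueprint promises: the partner team can create VMs in its sandbox, is refused on the Connectivity subscription because nothing in that subscription's scope chain names them, is refused a VNet peering in its own sandbox by the policy even though Contributor would otherwise allow it, and cannot hand out role assignments at all. The platform team's single assignment at the Platform management group is inherited by every subscription beneath it.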
Make sure to set up your enterprise's cloud using the concept of Landing Zones right from the start. Implementing it afterward is always possible, but you'll have some migrations on your hands.