Azure Landing Zone is the Microsoft reference architecture for a production Azure tenant — the subscription structure, identity and access foundations, networking, governance guardrails, and operational baseline that workload teams land on top of. The terminology causes confusion because Microsoft uses 'Landing Zone' to mean both the reference architecture and the specific subscription a workload runs in. For practical purposes, the Landing Zone work in an Australian mid-market tenant is a 10-16 week project to put the platform foundations in place before workload teams build on Azure. The cost of not doing it is usually visible 12 months in, when an unplanned tenant has accumulated workload subscriptions, shared-service rat's nests and security debt.
What the reference architecture includes
- Management group hierarchy — typically Tenant Root → Platform / Landing Zones / Decommissioned / Sandbox, with policy inheritance.
- Platform subscriptions — Identity (Entra Domain Services if needed), Management (Azure Monitor, Log Analytics, Sentinel), Connectivity (hub virtual network, firewall, ExpressRoute or VPN gateway).
- Landing Zone subscriptions — workload-aligned, typically one or two per business line; spoke vnets peered to the hub.
- Azure Policy assignments — guardrails (deny public IPs without exception, require encryption at rest, require tagging) and audit policies (Defender for Cloud, log diagnostics).
- Defender for Cloud — at the management group level for the cloud security posture baseline.
AU mid-market scope decisions
1. Hub-and-spoke vs Virtual WAN — for fewer than 10 spoke vnets and a single Australian region, hub-and-spoke is fine. Above that, Virtual WAN reduces operational overhead.
2. Azure Firewall Standard vs Premium — Premium adds TLS inspection, IDPS and URL filtering. AU mid-market typically lands on Standard for cost reasons, with TLS inspection deferred unless a specific control requires it.
3. ExpressRoute vs Site-to-Site VPN — ExpressRoute is the right answer for any production workload above 100 Mbps sustained; for smaller footprints, S2S VPN over the internet is the pragmatic start.
4. Region pair — Australia East (Sydney) primary, Australia Southeast (Melbourne) DR; or the Australia Central pair (Canberra) for ASD-aligned workloads. PROTECTED-classified scenarios push to Australia Central.
5. Defender for Cloud plan mix — Foundational CSPM (free) baseline, paid Defender for Servers, Defender for Storage if file-share PII is in scope.
The 12-week pragmatic rollout
1. Weeks 1-2 — Design workshop, management group hierarchy, naming and tagging standards, subscription splits.
2. Weeks 3-4 — Identity foundations (Entra hybrid topology if applicable, Conditional Access baseline for the Azure portal), platform subscription provisioning.
3. Weeks 5-6 — Connectivity (hub vnet, Azure Firewall Standard or third-party NVA, vnet peering pattern, DNS).
4. Weeks 7-8 — Management (Log Analytics workspace, Azure Monitor baseline, Sentinel onboarding, Defender for Cloud baseline).
5. Weeks 9-10 — Policy guardrails (the AU mid-market Azure Policy set: encryption-at-rest, no public IPs, tag enforcement, allowed regions).
6. Weeks 11-12 — Workload migration of the first spoke (a representative dev/test workload), runbook validation, handover to the platform team.
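As an added illustration of the week 9-10 guardrail set (not code from the page, nor Microsoft's): three of the four guardrails written in the real Azure Policy `policyRule` shape, evaluated by a small offline evaluator that is a hypothetical stand-in for Azure's policy engine, run over constructed resource records shaped like an Azure Resource Graph query result. The policy names, the subscription id and the resource records are all made up for the example.

```python
# Guardrails from the rollout plan, written as Azure Policy policyRule bodies (names are ours).
GUARDRAILS = {
    "allowed-regions": {"if": {"not": {"field": "location", "in": ["australiaeast", "australiasoutheast"]}}, "then": {"effect": "deny"}},
    "no-public-ip": {"if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"}, "then": {"effect": "deny"}},
    "require-owner-tag": {"if": {"field": "tags['owner']", "exists": "false"}, "then": {"effect": "deny"}},
}

def _norm(value):
    return value.lower() if isinstance(value, str) else value  # Azure Policy string compares are case-insensitive

def _field(name, resource):
    """Resolve a policyRule field: a top-level property, or the tags['key'] alias form."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)

def matches(cond, resource):
    """True when the resource satisfies the condition tree (subset of Azure Policy operators)."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "not" in cond:
        return not matches(cond["not"], resource)
    value = _norm(_field(cond["field"], resource))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "exists" in cond:  # Azure accepts "true"/"false" as strings or booleans
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(resources, policies=GUARDRAILS):
    """Map resource id -> names of deny-effect policies that would block it; compliant resources are omitted."""
    findings = {}
    for res in resources:
        denied = [name for name, rule in policies.items()
                  if rule["then"]["effect"] == "deny" and matches(rule["if"], res)]
        if denied:
            findings[res["id"]] = denied
    return findings

SAMPLE = [  # constructed records in the shape of an Azure Resource Graph 'resources' result
    {"id": "/subscriptions/sub-placeholder/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/vm-web-01",
     "type": "Microsoft.Compute/virtualMachines", "location": "australiaeast", "tags": {"owner": "platform"}},
    {"id": "/subscriptions/sub-placeholder/resourceGroups/rg-web/providers/Microsoft.Network/publicIPAddresses/pip-web-01",
     "type": "Microsoft.Network/publicIPAddresses", "location": "australiaeast", "tags": {"owner": "platform"}},
    {"id": "/subscriptions/sub-placeholder/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata01",
     "type": "Microsoft.Storage/storageAccounts", "location": "southeastasia", "tags": {}},
]
```

Running `evaluate(SAMPLE)` flags the public IP under no-public-ip and the out-of-region, untagged storage account under both allowed-regions and require-owner-tag, while the VM passes.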
Common AU mid-market pitfalls
- Trying to retrofit Landing Zones after 12 months of unplanned workloads — usually a harder project than greenfield. Plan for a 6-month gradual migration.
- Buying Azure Firewall Premium because the slideware promised TLS inspection, then never enabling TLS inspection because the operational overhead is significant. Start with Standard.
- Treating the Landing Zone as a one-off project rather than a platform team responsibility — the reference architecture evolves, and the team that owns guardrails ages with it.
- Underestimating identity. Most Landing Zone projects underestimate the time required for Entra Connect cleanup, group governance, and Conditional Access baselining.
Azure Landing Zone Maturity Checker
Score your Azure estate against the Microsoft Cloud Adoption Framework reference landing zone. Pick the option closest to your current state.
Domain 1: Identity & access management
Entra ID integration, management group hierarchy, RBAC at scale, and privileged identity management for Azure roles.
- How are management groups structured? Source: Microsoft Learn: Management group hierarchy — Azure Landing Zone design.
- How is RBAC applied? Source: Microsoft Learn: Azure RBAC best practices; CAF identity guidance.
- Is PIM used for privileged Azure roles? Source: Microsoft Learn: Privileged Identity Management for Azure resources.
Domain 2: Network topology & connectivity
Hub-and-spoke or Virtual WAN, Azure Firewall vs NVA, private endpoints, DNS, and ExpressRoute or VPN connectivity.
- What's the network topology? Source: Microsoft Learn: Hub-spoke network topology — Azure Landing Zone.
- Are Azure PaaS services accessed via private endpoints? Source: Microsoft Learn: Azure Private Link; CAF network security.
- How is DNS resolution handled across VNets? Source: Microsoft Learn: Private DNS in hub-spoke topologies.
Domain 3: Governance, policy & cost
Azure Policy assignments, tag taxonomy, naming convention, Cost Management budgets, and FinOps cadence.
- How is Azure Policy used? Source: Microsoft Learn: Azure Policy — design guidance for landing zones.
- Is there a tagging taxonomy applied consistently? Source: Microsoft Learn: Resource naming and tagging — CAF.
- How is cost managed? Source: Microsoft Learn: Azure Cost Management; FinOps Foundation framework.
Domain 4: Security baseline & operations
Defender for Cloud plans, Sentinel coverage, Azure Monitor + Log Analytics, security baselines, and incident response.
- What Defender for Cloud plans are enabled? Source: Microsoft Learn: Defender for Cloud — landing zone configuration.
- How is Microsoft Sentinel deployed? Source: Microsoft Learn: Microsoft Sentinel deployment best practices.
- How is the landing zone deployed and maintained? Source: Microsoft Learn: Azure Landing Zones Bicep / Terraform accelerator.
Indicative self-assessment only. For a verified result Frontrow Technology runs an in-tenant Azure Landing Zone audit using Azure Resource Graph, Azure Policy compliance reports, and architecture review against the CAF reference.