
Deploying an Azure Landing Zone Using Terraform: A Real-World Enterprise Deployment Guide
Organizations adopting Microsoft Azure often begin with small deployments that grow organically over time. While this approach may work temporarily, it eventually leads to inconsistent governance, security gaps, and operational complexity. To address this challenge, enterprises implement Azure Landing Zones, which provide a standardized, scalable, and secure cloud foundation.
In real-world enterprise environments, Infrastructure as Code (IaC) has become the preferred method for deploying landing zones. Terraform, developed by HashiCorp, is widely used for this purpose due to its platform independence, declarative syntax, and strong Azure integration.
This article explains how to deploy an Azure Landing Zone using Terraform in a real-world enterprise environment, including architecture design, governance structure, deployment workflow, and practical implementation strategies used by large organizations.
1.) Understanding Azure Landing Zones
An Azure Landing Zone is a preconfigured environment that follows the Microsoft Cloud Adoption Framework and Enterprise-Scale architecture guidelines. It provides the foundational building blocks needed to host workloads securely and consistently in Azure.
A typical landing zone includes identity management, network topology, governance policies, logging, security controls, and subscription organization.
Key objectives of a landing zone include:
Establishing centralized governance
Enforcing security and compliance policies
Providing standardized networking architecture
Enabling scalable workload deployment
Supporting DevOps and Infrastructure as Code
Landing zones are not designed for a single application. Instead, they provide a platform where multiple workloads can be deployed in a controlled and governed environment.
2.) Real-World Enterprise Architecture
In production environments, Azure Landing Zones are implemented using a hierarchical structure of Management Groups and subscriptions.
Typical enterprise structure:
Tenant Root Group
  Platform Management Group
    Identity Subscription
    Management Subscription
    Connectivity Subscription
  Landing Zones Management Group
    Production Subscriptions
    Non-Production Subscriptions
  Sandbox Management Group
    Developer Subscriptions
Identity Subscription
This subscription hosts identity services such as Microsoft Entra Domain Services or domain controllers when hybrid identity is required.
Management Subscription
This subscription hosts centralized services including:
Azure Monitor
Log Analytics
Azure Automation
Microsoft Defender for Cloud
Azure Sentinel (Microsoft Sentinel)
Connectivity Subscription
This subscription hosts networking infrastructure such as:
Hub Virtual Network
Azure Firewall
VPN Gateway
ExpressRoute Gateway
DNS services
Landing Zone Subscriptions
These subscriptions host application workloads and follow standardized policies and security configurations inherited from management groups.
3.) Why Terraform for Landing Zones
Terraform is commonly used in enterprise landing zone deployments because it offers several advantages:
Declarative Infrastructure
Infrastructure is described in code rather than executed through manual scripts.
Idempotent Deployments
Terraform ensures infrastructure reaches the desired state even after repeated executions.
Version Control
All infrastructure definitions can be stored in Git repositories for traceability.
Modular Architecture
Reusable modules allow standardized deployment across multiple environments.
Multi-Environment Support
The same Terraform codebase can deploy development, testing, and production environments.
4.) Terraform Architecture for Landing Zones
In real-world implementations, Terraform code is structured into modules that represent major Azure components.
Typical Terraform module layout:
terraform-azure-landing-zone
  modules
    management-groups
    policy
    networking
    monitoring
    identity
    security
    subscriptions
  environments
    production
    nonproduction
    sandbox
Each module encapsulates a specific capability such as networking, policy enforcement, or monitoring configuration.
The environment folder contains environment-specific variables and configuration.
5.) Prerequisites
Before deploying a landing zone using Terraform, several prerequisites must be prepared.
Azure prerequisites:
Azure tenant with Owner permissions
Azure subscriptions
Service Principal or Managed Identity for Terraform
Azure CLI installed
Terraform prerequisites:
Terraform version 1.5 or later
Backend storage for Terraform state (Azure Storage Account)
Git repository for source control
6.) Configuring Terraform Backend
Enterprise deployments store Terraform state remotely to enable collaboration and avoid conflicts.
Example backend configuration:
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-tfstate-prod"
    storage_account_name = "tfstatelandingzone"
    container_name       = "terraform"
    key                  = "landingzone.tfstate"
  }
}
The storage account must have versioning and soft delete enabled to protect the state file.
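The following is an added example, not code from the article, showing the state storage account with the versioning and soft delete described above, plus the access hardening a practitioner would expect around a file that routinely contains resource IDs and secrets. The resource group name, region, replication type and retention periods are assumed values; the storage account and container names are the ones used in the backend block above.

```hcl
# Added example (not from the article): storage account for the remote state,
# hardened as described above. Names, region and replication are assumed.
resource "azurerm_resource_group" "tfstate" {
  name     = "rg-tfstate-prod"
  location = "westeurope"   # assumed region
}

resource "azurerm_storage_account" "tfstate" {
  name                     = "tfstatelandingzone"   # must be globally unique
  resource_group_name      = azurerm_resource_group.tfstate.name
  location                 = azurerm_resource_group.tfstate.location
  account_tier             = "Standard"
  account_replication_type = "GRS"

  # State files hold resource IDs and frequently secrets: no anonymous blob
  # access, TLS 1.2 only, and storage keys disabled so that only Entra ID
  # identities holding an RBAC data-plane role can read or write state.
  allow_nested_items_to_be_public = false
  min_tls_version                 = "TLS1_2"
  shared_access_key_enabled       = false

  blob_properties {
    # Versioning plus soft delete: an overwritten or deleted state file can
    # be restored instead of being reconstructed by hand.
    versioning_enabled = true
    delete_retention_policy {
      days = 30
    }
    container_delete_retention_policy {
      days = 30
    }
  }
}

# With shared keys disabled, the provider must be configured with
# storage_use_azuread = true for it to manage this container.
resource "azurerm_storage_container" "tfstate" {
  name                  = "terraform"
  storage_account_name  = azurerm_storage_account.tfstate.name
  container_access_type = "private"
}

# The backend block from above, with Entra ID authentication turned on to
# match shared_access_key_enabled = false. The identity running Terraform
# then needs the "Storage Blob Data Contributor" role on the container.
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-tfstate-prod"
    storage_account_name = "tfstatelandingzone"
    container_name       = "terraform"
    key                  = "landingzone.tfstate"
    use_azuread_auth     = true
  }
}
```

The account that stores the state cannot be created by a configuration that already points its backend at it, so in practice the storage resources are applied first with local state (or from a separate bootstrap configuration), the backend block is then added, and `terraform init -migrate-state` moves the local state into the container. State locking needs no extra configuration with this backend: the azurerm backend takes a lease on the state blob for the duration of each operation.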
7.) Provider Configuration
Terraform must authenticate to Azure using the AzureRM provider.
provider "azurerm" {
  features {}
}
Authentication is typically handled using a service principal.
Example login:
az login
or
az login --service-principal \
-u <appId> \
-p <password> \
--tenant <tenantId>
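The `az login --service-principal -p <password>` form works, but it places the secret on the command line and therefore in shell history and process listings. In pipelines the AzureRM provider is normally given its credentials through environment variables or workload identity federation instead. The block below is an added example, not part of the article, showing a pinned Terraform and provider version together with a provider configuration that takes credentials from the environment and turns on the provider's safety features for Key Vault and resource group deletion. The provider version constraint is an assumption; adjust it to the version you test against.

```hcl
# Added example (not from the article). Pins versions and authenticates
# without a secret on the command line.
terraform {
  required_version = ">= 1.5.0"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.100"   # assumed pin; adjust to the version you test against
    }
  }
}

provider "azurerm" {
  # Credentials come from the environment, never from .tf files:
  #   ARM_CLIENT_ID, ARM_TENANT_ID, ARM_SUBSCRIPTION_ID, and either
  #   ARM_CLIENT_SECRET (service principal secret) or, preferably, a
  #   federated credential issued by the CI platform (OIDC), in which case
  #   no long-lived secret exists at all. Remove use_oidc when using a secret.
  use_oidc = true

  # Use Entra ID rather than storage account keys for storage data-plane
  # calls, including the state storage account.
  storage_use_azuread = true

  features {
    key_vault {
      # Never purge a vault on destroy; recovery must stay possible.
      purge_soft_delete_on_destroy    = false
      recover_soft_deleted_key_vaults = true
    }
    resource_group {
      # Refuse to delete a resource group that still contains resources,
      # which is the usual sign of drift from manual changes.
      prevent_deletion_if_contains_resources = true
    }
  }
}
```

For interactive use, a plain `az login` still works: with no `ARM_*` credentials set and `use_oidc` removed, the provider falls back to the Azure CLI session.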
8.) Deploying Management Groups
Management groups form the governance hierarchy.
Example Terraform configuration:
resource "azurerm_management_group" "platform" {
  display_name = "Platform"
}

resource "azurerm_management_group" "landingzones" {
  display_name = "LandingZones"
}
These groups will later host policy assignments and subscription associations.
9.) Subscription Placement
Subscriptions are assigned to management groups.
Example:
resource "azurerm_management_group_subscription_association" "prod_sub" {
  management_group_id = azurerm_management_group.landingzones.id
  subscription_id     = var.production_subscription
}
This ensures policies and governance automatically apply to workloads.
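As an added example that is not part of the article, the block below builds the hierarchy from section 2 (Platform, Landing Zones and Sandbox under the Tenant Root Group) and places the platform and production subscriptions, so sections 8 and 9 are shown end to end. Management group names and the subscription ID values are assumed; the GUIDs are constructed placeholders. Note that the association resource expects the subscription's full resource ID, not the bare GUID.

```hcl
# Added example (not from the article): the section 2 hierarchy with
# subscription placement. Names and subscription IDs are assumed values.
data "azurerm_client_config" "current" {}

# The Tenant Root Group already exists; its name is the tenant ID.
data "azurerm_management_group" "root" {
  name = data.azurerm_client_config.current.tenant_id
}

resource "azurerm_management_group" "platform" {
  name                       = "mg-platform"
  display_name               = "Platform"
  parent_management_group_id = data.azurerm_management_group.root.id
}

resource "azurerm_management_group" "landingzones" {
  name                       = "mg-landingzones"
  display_name               = "LandingZones"
  parent_management_group_id = data.azurerm_management_group.root.id
}

resource "azurerm_management_group" "sandbox" {
  name                       = "mg-sandbox"
  display_name               = "Sandbox"
  parent_management_group_id = data.azurerm_management_group.root.id
}

variable "platform_subscriptions" {
  description = "Platform subscription IDs (GUIDs) keyed by function"
  type        = map(string)
  # Constructed placeholders; replace with the real subscription IDs.
  default = {
    identity     = "00000000-0000-0000-0000-000000000001"
    management   = "00000000-0000-0000-0000-000000000002"
    connectivity = "00000000-0000-0000-0000-000000000003"
  }
}

variable "production_subscription" {
  description = "Subscription ID (GUID) of the production landing zone"
  type        = string
  default     = "00000000-0000-0000-0000-000000000010"   # constructed placeholder
}

# One association per platform subscription, driven by the map so that adding
# a subscription is a data change rather than a new resource block.
resource "azurerm_management_group_subscription_association" "platform" {
  for_each            = var.platform_subscriptions
  management_group_id = azurerm_management_group.platform.id
  subscription_id     = "/subscriptions/${each.value}"
}

# Everything assigned at LandingZones (policies, RBAC) is inherited by this
# subscription the moment it is placed here.
resource "azurerm_management_group_subscription_association" "prod_sub" {
  management_group_id = azurerm_management_group.landingzones.id
  subscription_id     = "/subscriptions/${var.production_subscription}"
}
```

Creating management groups requires the identity running Terraform to hold a role at the Tenant Root Group scope, which is why the article lists tenant-level Owner permissions among the prerequisites; in day-to-day operation a narrower custom role that covers only `Microsoft.Management/*` is preferable once the hierarchy exists.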
10.) Deploying Hub Networking
A hub-and-spoke network architecture is standard in enterprise environments.
Hub VNet example:
resource "azurerm_virtual_network" "hub_vnet" {
  name                = "hub-vnet"
  location            = var.location
  resource_group_name = azurerm_resource_group.network_rg.name
  address_space       = ["10.0.0.0/16"]
}
Subnets typically include:
AzureFirewallSubnet
GatewaySubnet
ManagementSubnet
Spoke VNets are deployed for application workloads.
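The block below is an added example, not the article's code, that carries the hub VNet above through to a working hub-and-spoke layout: the three subnets listed, one spoke VNet peered in both directions, and a route table that sends all spoke egress to the Azure Firewall so nothing leaves a workload subnet uninspected. The firewall itself is assumed to be deployed separately; `var.firewall_private_ip`, the region, the address ranges and all resource names are assumed values.

```hcl
# Added example (not from the article): hub subnets, a peered spoke, and a
# default route through the firewall. Firewall is assumed to exist.
variable "location" {
  type    = string
  default = "westeurope"   # assumed region
}

variable "firewall_private_ip" {
  type    = string
  default = "10.0.1.4"     # constructed placeholder: first usable IP in AzureFirewallSubnet
}

resource "azurerm_resource_group" "network_rg" {
  name     = "rg-connectivity-hub"
  location = var.location
}

resource "azurerm_virtual_network" "hub_vnet" {
  name                = "hub-vnet"
  location            = var.location
  resource_group_name = azurerm_resource_group.network_rg.name
  address_space       = ["10.0.0.0/16"]
}

# AzureFirewallSubnet and GatewaySubnet are reserved names that Azure requires.
locals {
  hub_subnets = {
    AzureFirewallSubnet = "10.0.1.0/26"
    GatewaySubnet       = "10.0.2.0/27"
    ManagementSubnet    = "10.0.3.0/24"
  }
}

resource "azurerm_subnet" "hub" {
  for_each             = local.hub_subnets
  name                 = each.key
  resource_group_name  = azurerm_resource_group.network_rg.name
  virtual_network_name = azurerm_virtual_network.hub_vnet.name
  address_prefixes     = [each.value]
}

# Spoke kept in the same resource group for brevity; in a real landing zone it
# lives in the workload subscription and is peered by full resource ID.
resource "azurerm_virtual_network" "spoke_vnet" {
  name                = "spoke-app1-vnet"
  location            = var.location
  resource_group_name = azurerm_resource_group.network_rg.name
  address_space       = ["10.1.0.0/16"]
}

resource "azurerm_subnet" "spoke_workload" {
  name                 = "snet-workload"
  resource_group_name  = azurerm_resource_group.network_rg.name
  virtual_network_name = azurerm_virtual_network.spoke_vnet.name
  address_prefixes     = ["10.1.1.0/24"]
}

# Peering is directional: both halves are needed.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                      = "peer-hub-to-spoke-app1"
  resource_group_name       = azurerm_resource_group.network_rg.name
  virtual_network_name      = azurerm_virtual_network.hub_vnet.name
  remote_virtual_network_id = azurerm_virtual_network.spoke_vnet.id
  allow_forwarded_traffic   = true
  allow_gateway_transit     = true
}

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "peer-spoke-app1-to-hub"
  resource_group_name       = azurerm_resource_group.network_rg.name
  virtual_network_name      = azurerm_virtual_network.spoke_vnet.name
  remote_virtual_network_id = azurerm_virtual_network.hub_vnet.id
  allow_forwarded_traffic   = true
  use_remote_gateways       = false   # set true once a gateway exists in GatewaySubnet
}

# 0.0.0.0/0 to the firewall: workload subnets get no direct internet path, so
# every egress flow is inspected and logged centrally.
resource "azurerm_route_table" "spoke_egress" {
  name                = "rt-spoke-app1"
  location            = var.location
  resource_group_name = azurerm_resource_group.network_rg.name

  route {
    name                   = "default-via-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = var.firewall_private_ip
  }
}

resource "azurerm_subnet_route_table_association" "spoke_workload" {
  subnet_id      = azurerm_subnet.spoke_workload.id
  route_table_id = azurerm_route_table.spoke_egress.id
}
```

Spoke-to-spoke traffic also traverses the firewall with this design, because peering is not transitive and the only route out of a spoke is the default route; that is the intended behaviour for centralized inspection, and the firewall rules, not the peering, decide which spokes may talk to each other.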
11.) Implementing Governance with Azure Policy
Policies enforce compliance across all subscriptions.
Example policy assignment:
# azurerm_policy_assignment was removed in AzureRM provider 3.0; assignments
# at management group scope now use azurerm_management_group_policy_assignment.
resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations"
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  management_group_id  = azurerm_management_group.platform.id
  # The built-in "Allowed locations" definition has a required parameter.
  parameters = jsonencode({
    listOfAllowedLocations = { value = var.allowed_locations }
  })
}
Common landing zone policies include:
Allowed regions
Mandatory tagging
Enforced encryption
Restricted public IP usage
Approved VM sizes
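As an added example that is not from the article, the block below implements two of the policies listed above at the Landing Zones management group: mandatory tagging through the built-in "Require a tag on resources" definition, and restricted public IP usage through a custom definition whose effect is parameterised so it can be rolled out in Audit mode before being switched to Deny. The management group reference, tag name and the decision to assign at Landing Zones rather than Platform are assumptions.

```hcl
# Added example (not from the article): mandatory tag and public IP
# restriction, assigned at the LandingZones management group. Tag name and
# management group reference are assumed values.
locals {
  required_tag = "CostCenter"
}

# Built-in definition, resolved by its display name.
data "azurerm_policy_definition" "require_tag" {
  display_name = "Require a tag on resources"
}

resource "azurerm_management_group_policy_assignment" "require_tag" {
  name                 = "require-costcenter-tag"
  management_group_id  = azurerm_management_group.landingzones.id
  policy_definition_id = data.azurerm_policy_definition.require_tag.id
  parameters = jsonencode({
    tagName = { value = local.required_tag }
  })
}

# Custom definition: deny (or audit) creation of public IP addresses.
# Defining it at the management group makes it assignable to every child.
resource "azurerm_policy_definition" "deny_public_ip" {
  name                = "deny-public-ip"
  policy_type         = "Custom"
  mode                = "All"
  display_name        = "Deny public IP addresses"
  management_group_id = azurerm_management_group.landingzones.id

  policy_rule = jsonencode({
    if = {
      field  = "type"
      equals = "Microsoft.Network/publicIPAddresses"
    }
    then = {
      effect = "[parameters('effect')]"
    }
  })

  # Parameterising the effect lets the same definition be assigned as Audit
  # first, to measure existing non-compliance, and as Deny once understood.
  parameters = jsonencode({
    effect = {
      type          = "String"
      allowedValues = ["Audit", "Deny"]
      defaultValue  = "Audit"
    }
  })
}

resource "azurerm_management_group_policy_assignment" "deny_public_ip" {
  name                 = "deny-public-ip"
  management_group_id  = azurerm_management_group.landingzones.id
  policy_definition_id = azurerm_policy_definition.deny_public_ip.id
  parameters = jsonencode({
    effect = { value = "Deny" }
  })
}
```

A Deny assignment only blocks new and updated resources; existing public IPs stay in place and show up as non-compliant in the policy compliance view, which is why running the same definition in Audit mode first gives a realistic picture of the clean-up needed. Assignment names at management group scope are limited to 24 characters, a constraint that is easy to hit with descriptive names.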
12.) Monitoring and Logging
Centralized monitoring is critical for operational visibility.
Typical components include:
Log Analytics Workspace
Azure Monitor
Diagnostic settings
Activity logs
Example Log Analytics deployment:
resource "azurerm_log_analytics_workspace" "monitoring" {
  name                = "log-landingzone"
  location            = var.location
  resource_group_name = "rg-monitoring"
  sku                 = "PerGB2018"
}
Diagnostic settings are applied to resources and subscriptions.
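The following is an added example, not the article's code, that extends the workspace above with an explicit retention period and attaches a subscription-level diagnostic setting so the Activity Log (the audit trail of every control-plane action in that subscription) lands in the workspace. The region, retention period and subscription ID are assumed; the GUID is a constructed placeholder.

```hcl
# Added example (not from the article): workspace with retention, and the
# Activity Log of one subscription forwarded to it. Values are assumed.
variable "location" {
  type    = string
  default = "westeurope"   # assumed region
}

variable "platform_subscription_id" {
  description = "Subscription whose Activity Log is collected"
  type        = string
  default     = "00000000-0000-0000-0000-000000000002"   # constructed placeholder
}

resource "azurerm_resource_group" "monitoring" {
  name     = "rg-monitoring"
  location = var.location
}

resource "azurerm_log_analytics_workspace" "monitoring" {
  name                = "log-landingzone"
  location            = var.location
  resource_group_name = azurerm_resource_group.monitoring.name
  sku                 = "PerGB2018"
  # Retention is a security decision: incident investigations routinely need
  # to look back further than the 30-day default.
  retention_in_days   = 365
}

# Activity Log categories. Each enabled_log block switches one on; a category
# that is not listed is simply not collected.
locals {
  activity_log_categories = [
    "Administrative", "Security", "ServiceHealth", "Alert",
    "Recommendation", "Policy", "Autoscale", "ResourceHealth",
  ]
}

resource "azurerm_monitor_diagnostic_setting" "activity_log" {
  name                       = "diag-activity-to-law"
  target_resource_id         = "/subscriptions/${var.platform_subscription_id}"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.monitoring.id

  dynamic "enabled_log" {
    for_each = toset(local.activity_log_categories)
    content {
      category = enabled_log.value
    }
  }
}
```

One such setting is needed per subscription. Rather than adding a resource block for every new landing zone subscription, enterprises usually assign a DeployIfNotExists policy at the Landing Zones management group that creates the diagnostic setting automatically, which keeps the "policy-first" practice from section 15 and closes the gap where a freshly created subscription produces no audit trail.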
13.) Security Integration
Enterprise landing zones integrate multiple security services.
Typical components include:
Microsoft Defender for Cloud
Microsoft Sentinel
Azure Key Vault
Private Endpoints
Managed identities
Terraform example enabling Defender:
resource "azurerm_security_center_subscription_pricing" "defender_vm" {
  tier          = "Standard"
  resource_type = "VirtualMachines"
}
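As an added example that is not part of the article, the block below widens the Defender configuration above to several resource types, adds the security contact without which alerts go unseen, and deploys a Key Vault that is reachable only through a private endpoint, covering three of the components listed in this section. The plan list, contact address, vault name, region and the subnet used for the private endpoint are assumed values.

```hcl
# Added example (not from the article): Defender plans, a security contact,
# and a private-endpoint-only Key Vault. Names and references are assumed.
variable "location" {
  type    = string
  default = "westeurope"   # assumed region
}

variable "private_endpoint_subnet_id" {
  description = "Subnet for private endpoints (assumed to exist in a hub or spoke)"
  type        = string
}

locals {
  defender_plans = [
    "VirtualMachines", "StorageAccounts", "KeyVaults",
    "SqlServers", "Containers", "Arm",
  ]
}

resource "azurerm_security_center_subscription_pricing" "defender" {
  for_each      = toset(local.defender_plans)
  tier          = "Standard"
  resource_type = each.key
}

# Defender produces alerts regardless, but without a contact nobody is told.
resource "azurerm_security_center_contact" "soc" {
  name                = "default"
  email               = "soc@example.invalid"   # constructed placeholder
  alert_notifications = true
  alerts_to_admins    = true
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "security" {
  name     = "rg-security-platform"
  location = var.location
}

resource "azurerm_key_vault" "platform" {
  name                = "kv-landingzone-plat"   # assumed; must be globally unique
  location            = var.location
  resource_group_name = azurerm_resource_group.security.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  # Soft delete plus purge protection: deleted secrets stay recoverable, and
  # nobody, even an Owner, can permanently purge the vault before retention
  # expires. Purge protection cannot be turned off once enabled.
  soft_delete_retention_days = 90
  purge_protection_enabled   = true

  # Close the public endpoint; the vault is reached only via the private
  # endpoint below and the hub/spoke network.
  public_network_access_enabled = false
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

resource "azurerm_private_endpoint" "kv" {
  name                = "pe-kv-landingzone-plat"
  location            = var.location
  resource_group_name = azurerm_resource_group.security.name
  subnet_id           = var.private_endpoint_subnet_id

  private_service_connection {
    name                           = "psc-kv"
    private_connection_resource_id = azurerm_key_vault.platform.id
    is_manual_connection           = false
    subresource_names              = ["vault"]
  }
}
```

Once public network access is off, Terraform itself can only manage the vault's contents (secrets, keys, certificates) from a runner that has a network path to the private endpoint, which in practice means self-hosted pipeline agents inside the hub or a connected spoke; the data-plane calls also depend on a private DNS zone for `privatelink.vaultcore.azure.net` so the vault's name resolves to the private address.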
14.) CI/CD Deployment Pipeline
In real-world environments, Terraform deployments are executed through CI/CD pipelines rather than manual execution.
Common pipeline platforms include:
GitHub Actions
Azure DevOps
GitLab CI
Typical pipeline workflow:
Developer commits Terraform code
Pull request triggers validation
Terraform plan is executed
Security scanning occurs
Terraform apply deploys infrastructure
Example pipeline stages:
Initialize
Validate
Plan
Approval
Apply
15.) Operational Best Practices
Large organizations follow strict operational guidelines when deploying landing zones.
State Management
Always store Terraform state remotely and enable locking.
Module Versioning
Version Terraform modules to ensure consistent deployments.
Policy-First Approach
Apply governance policies before workloads are deployed.
Network Segmentation
Use hub-and-spoke architecture with centralized security inspection.
Least Privilege Access
Use role-based access control with minimal required permissions.
Automation
All infrastructure deployments should occur through CI/CD pipelines.
16.) Common Deployment Pitfalls
Many organizations encounter similar challenges when deploying landing zones.
Overly Complex Design
Starting with an overly complicated architecture slows adoption.
Manual Resource Creation
Manual deployments create drift between Terraform and Azure.
Poor State Management
State file corruption can break deployments.
Lack of Policy Governance
Without policies, workloads can violate security standards.
17.) Real-World Deployment Example
A typical enterprise rollout may follow these phases.
Phase 1 Foundation
Deploy management groups
Deploy platform subscriptions
Deploy hub networking
Phase 2 Governance
Deploy Azure policies
Deploy role-based access control
Configure monitoring
Phase 3 Security
Enable Defender for Cloud
Deploy Key Vault infrastructure
Configure private networking
Phase 4 Workload Onboarding
Deploy application landing zones
Deploy spoke networks
Connect to hub network
18.) Benefits of Terraform-Based Landing Zones
Organizations that implement landing zones using Terraform gain several benefits.
Consistency
Every environment follows identical standards.
Repeatability
Infrastructure can be recreated quickly.
Auditability
Infrastructure changes are tracked in Git.
Scalability
New subscriptions and workloads can be deployed rapidly.
Security
Policies and governance are enforced automatically.
Conclusion
Deploying an Azure Landing Zone using Terraform provides enterprises with a scalable, secure, and automated cloud foundation. By combining Azure governance capabilities with Infrastructure as Code practices, organizations can ensure consistent deployments, reduce operational risk, and accelerate cloud adoption.
A well-designed landing zone not only simplifies infrastructure management but also enables teams to focus on delivering business value rather than managing cloud complexity.
As Azure environments grow, Terraform-based landing zones become a critical component of enterprise cloud strategy, ensuring that governance, security, networking, and operational practices are implemented consistently across the entire cloud platform.

If you would like to explore this topic in greater depth, see my book Mastering Azure Landing Zone Framework Enterprise Architecture, where the subject is covered in much greater detail. The guide expands on the concepts discussed in this article with deeper architectural explanations, service capabilities, and step-by-step implementation using Azure Portal, Azure CLI, Terraform, and Bicep. It also includes real-world deployment, configuration, and troubleshooting scenarios designed for IT professionals, administrators, and cloud architects. All of my books include detailed architectural diagrams and practical deployment examples using PowerShell, Azure CLI, Terraform, and Bicep.