Azure landing zones – Bicep modules design considerations

This article discusses the design considerations of the modularized Azure Landing Zones (ALZ) – Bicep solution you can use to deploy and manage the core platform capabilities of the Azure landing zone conceptual architecture as detailed in the Cloud Adoption Framework (CAF).

Bicep is a domain-specific language (DSL) that uses declarative syntax to deploy Azure resources. It has concise syntax, reliable type safety, and support for code reuse.

An implementation of this architecture is available on GitHub: Azure Landing Zones (ALZ) – Bicep Implementation. You can use it as a starting point and configure it as per your needs.

Design

The architecture takes advantage of the modular nature of Azure Bicep and is composed of number of modules. Each module encapsulates a core capability of the Azure Landing Zones conceptual architecture. The modules can be deployed individually, but there are dependencies to be aware of.

The architecture proposes the inclusion of orchestrator modules to simplify the deployment experience. The orchestrator modules could be used to automate the deployment of the modules and to encapsulate differing deployment topologies.

Modules

A core concept in Bicep is the use of modules. Modules enable you to organize deployments into logical groupings. With modules, you improve the readability of your Bicep files by encapsulating complex details of your deployment. You can also easily reuse modules for different deployments.

The ability to re-use modules offers a real benefit when defining and deploying landing zones. It enables repeatable, consistent environments in code while reducing the effort required to deploy at scale.

Layers and staging

In addition to modules, the Bicep landing zone architecture is structured using a concept of layers. Layers are groups of Bicep modules that are intended to be deployed together. Those groups form logical stages of the implementation.

A benefit of this layered approach is the ability to add to your environment incrementally over time. For example, you can start with a small number of the layers. You can add the remaining layers at a subsequent stage when you’re ready.

Module descriptions

This section provides a high-level overview of the core modules in this architecture.

Layer	Module	Description	Useful Links
Core	Management Groups	Management groups are the highest level resources in an Azure tenant. Management groups allow you to more easily manage your resources. You can apply policy at the management group level and lower level resources will inherit that policy. Specifically, you can apply the following items at the management group level that will be inherited by subscriptions under the management group: Azure Policies Azure Role Based Access Controls (RBAC) role assignments Cost controls This module deploys the management group hierarchy as defined in the Azure landing zone conceptual architecture.
Core	Custom Policy Definitions	DeployIfNotExists (DINE) or Modify policies help ensure the subscriptions and resources that make up landing zones are compliant. The policies also ease the burden of management of landing zones. This module deploys custom policy definitions to management groups. Not all customers are able to use DINE or Modify policies. If that is the case for you, CAF guidance on custom policies provides guidance.
Core	Custom Role Definitions	Role-based access control (RBAC) simplifies the management of user rights within a system. Instead of managing the rights of individuals, you determine the rights required for different roles in your system. Azure RBAC has several built-in roles. Custom role definitions allow you to create custom roles for your environment. SaleBestseller No. 1 HP Elite Desktop PC Computer Intel Core i5 3.1-GHz, 8 gb Ram, 1 TB Hard Drive, DVDRW, 19 Inch LCD Monitor, Keyboard, Mouse, Wireless WiFi, Windows 10 (Renewed) This Certified Refurbished product is tested and... HP Elite 6200 Small Form Factor Desktop PC, Intel... Includes: USB Keyboard & Mouse, WiFi Adapter,... Ports: USB 2.0, DisplayPort, VGA, PS/2 keyboard,... Operating System: Windows 10 64 Bit –... $122.00 Buy on Amazon Last update on 2024-04-25 SaleBestseller No. 2 HP 2022 Newest All-in-One Desktop, 21.5" FHD Display, Intel Celeron J4025 Processor, 16GB RAM, 512GB PCIe SSD, Webcam, HDMI, RJ-45, Wired Keyboard&Mouse, WiFi, Windows 11 Home, White 【High Speed RAM And Enormous Space】16GB DDR4... 【Processor】Intel Celeron J4025 processor (2... 【Display】21.5" diagonal FHD VA ZBD anti-glare... 【Tech Specs】2 x SuperSpeed USB Type-A 5Gbps... 【Authorized KKE Mousepad】Include KKE Mousepad $440.00 Buy on Amazon Last update on 2024-04-25 This module deploys custom role definitions. The module should follow CAF guidance on Azure role-based access control.
Management	Logging, Automation & Sentinel	Azure Monitor, Azure Automation and Microsoft Sentinel allow you monitor and manage your infrastructure and workloads. Azure Monitor is a solution that allows you to collect, analyze and act on telemetry from your environment. Microsoft Sentinel is a cloud-native security information and event management (SIEM). It allows you to: Collect – Collect data across your entire infrastructure Detect – Detect threats that were previously undetected Respond – Respond to legitimate threats with built-in orchestration Investigate – Investigate threats with artificial intelligence Azure Automation is a cloud-based automation system. It includes: Configuration management – Inventory and track changes for Linux and Windows virtual machines and manage desired state configuration Update management – Assess Windows and Linux system compliance and create scheduled deployments to meet compliance Process automation – Automate management tasks This module deploys the tools necessary to monitor, manage and access threats to your environment. These tools should include Azure Monitor, Azure Automation and Microsoft Sentinel.
Connectivity	Networking	Network topology is a key consideration in Azure landing zone deployments. CAF focuses on 2 core networking approaches: Topologies based on Azure Virtual WAN Traditional topologies These modules deploy the network topology that you choose.
Identity	Role Assignments	Identity and access management (IAM) is the key security boundary in cloud computing. Azure RBAC allows you to perform role assignments of built-in roles or custom role definitions to security principals. This module deploys role assignments to Service Principals, Managed Identities or security groups across management groups and subscriptions. The module should follow CAF guidance on Azure identity and access management.
Core	Subscription Placement	Subscriptions that are assigned to a management group inherit: Azure Policies Azure Role Based Access Controls (RBAC) role assignments Cost controls This module moves subscriptions under the appropriate management group.
Core	Built-In and Custom Policy Assignments	This module deploys the default Azure landing zone Azure Policy assignments to management groups. It also creates role assignments for system-assigned Managed Identities created by policies.
Management	Orchestrator Modules	Orchestrator modules can greatly improve the deployment experience. These modules encapsulate the deployment of multiple modules in a single module. This hides the complexity from the end user.

Customizing the Bicep implementation

The Azure landing zone implementations provided as part of the Cloud Adoption Framework suit a wide variety of requirements and use cases. However, there are often scenarios where customization is required to meet specific business needs.

The Bicep Azure landing zone implementation can be used as the basis of your customized deployment. It provides you a way to accelerate your implementation by removing the need to start from scratch because of a specific required change that rules a ready-made option out.

Information on customizing the modules is available in the GitHub repo wiki GitHub: Azure Landing Zones (ALZ) Bicep – Wiki- Consumer Guide. You can use it as a starting point and configure it as per your needs.