EnterpriseScale-Deploy-landing-zones.md
Create Landing Zone(s)

It is now time to turn the lights ON 💡

At this point you have the necessary platform set up and configured to support one or many Landing Zone(s), with the required definitions (Roles, Policies and PolicySet) and assignments (Roles and Policies).

Provisioning Landing Zone(s) means either creating a new subscription or moving an existing subscription to the desired management group; the platform will do the rest. In large environments with tens or hundreds of Landing Zones, the platform team can also delegate Landing Zone(s) to the respective business units and/or application portfolio owners while remaining confident of security, compliance and monitoring. Furthermore, the platform team may delegate the necessary access permissions, 1) IAM roles to create new subscriptions and 2) permission to place subscriptions in the appropriate management groups, so that business units and/or application portfolio owners get self-service access to create their own Landing Zone(s).

Create or move a Subscription under the Landing Zone Management Group

Depending on the reference implementation deployed, navigate to the appropriate management group under the "Landing Zones" management group and create a new subscription or move an existing one. This can be done via the Azure Portal or PowerShell/CLI.

Business units and/or application portfolio owners can use their preferred tool chain - ARM, PowerShell, Terraform, Portal, CLI etc. for subsequent resource deployments within their Landing Zone(s).

Create new subscriptions into the Landing zones > Corp or Online management group

  1. In the Azure portal, navigate to Subscriptions.
  2. Click 'Add', and complete the required steps to create a new subscription.
  3. When the subscription has been created, go to Management Groups and move the subscription into the Landing zones > Corp or Online management group.
  4. Assign RBAC permissions for the application team/user(s) who will be deploying resources to the newly created subscription.

Move existing subscriptions into the Landing zones > Corp or Online management group

  1. In the Azure portal, navigate to Management Groups.
  2. Locate the subscription you want to move, and move it to the Landing zones > Corp or Online management group.
  3. Assign RBAC permissions for the application team/user(s) who will be deploying resources to the subscription.
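
The move and RBAC steps from both procedures above, done with Az PowerShell instead of the portal. This is an added example, not part of the Enterprise-Scale repository. The parameter names, the default `Contributor` role and the use of a security group for the application team are assumptions; the page does not name a role. It also lists privileged role assignments made directly on the subscription, which is worth reviewing when an existing subscription is moved in.

```powershell
# Added example (not from the Enterprise-Scale repository).
# Requires the Az.Resources module and an authenticated session (Connect-AzAccount).
param(
    [Parameter(Mandatory)] [guid]   $SubscriptionId,
    # Assumption: the ID of your "Corp" or "Online" management group.
    [Parameter(Mandatory)] [string] $ManagementGroupName,
    # Assumption: object ID of a security group that holds the application team.
    [Parameter(Mandatory)] [string] $AppTeamGroupObjectId,
    # Assumption: the page does not name a role; use the least privileged one that fits.
    [string] $RoleName = 'Contributor'
)
$ErrorActionPreference = 'Stop'
$scope = "/subscriptions/$SubscriptionId"

# Move the subscription under the landing zone management group.
New-AzManagementGroupSubscription -GroupName $ManagementGroupName -SubscriptionId $SubscriptionId

# Confirm the placement before granting access; the move can take a short time to appear.
$mg = Get-AzManagementGroup -GroupName $ManagementGroupName -Expand
if (-not ($mg.Children | Where-Object { $_.Name -eq "$SubscriptionId" })) {
    throw "Subscription $SubscriptionId is not listed under '$ManagementGroupName'."
}

# Assign the role at subscription scope, skipping the call if it already exists.
$existing = Get-AzRoleAssignment -ObjectId $AppTeamGroupObjectId -Scope $scope |
    Where-Object { $_.Scope -eq $scope -and $_.RoleDefinitionName -eq $RoleName }
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $AppTeamGroupObjectId `
        -RoleDefinitionName $RoleName -Scope $scope | Out-Null
}

# Review privileged assignments made directly on the subscription (not inherited
# from a management group). A moved subscription keeps the ones it arrived with.
$privileged = 'Owner', 'User Access Administrator'
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.Scope -eq $scope -and $_.RoleDefinitionName -in $privileged } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName
```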

[Preview] Create Enterprise-Scale landing zones using Azure Portal

The following deployment experiences can be leveraged to create multiple landing zones (subscriptions) and target individual management groups (e.g., 'online', 'corp' etc.).

This document outlines the requirements depending on the agreement type you have, and the RBAC permissions needed.

To deploy the ARM templates below to create new subscriptions, you must have Management Group Contributor or Owner permission on the Management Group where you will invoke the deployment and the targeted Management Groups for the new subscriptions.

| Agreement types | ARM Template |
| --- | --- |
| Enterprise Agreement (EA) | Deploy To Azure |
| Microsoft Customer Agreement | Coming soon |