This post was co-authored by Sarah Lean, Senior Content Engineer at Azure

In the last few blog posts we followed Tailwind Traders¹ on their cloud journey and saw how the IT team wants to introduce Azure as part of their IT strategy. After researching what it takes to get their workloads running on Azure, they started using the Microsoft Cloud Adoption Framework for Azure and Azure landing zones. This blog post explains how the Tailwind Traders IT team uses the enterprise-scale reference implementations to build the cloud environment they designed.

The enterprise-scale landing zone architecture provides a strategic design path and a technical target state for your Azure environment, covering enterprise enrollment, identity, network topology, resource organization, governance, operations, business continuity and disaster recovery (BCDR), and deployment options. These landing zones follow the design principles of the critical design areas for a company's Azure environment and are aligned with the Azure platform roadmap, so that new functionality can be incorporated as it becomes available.

Tailwind Traders uses the prescriptive guidance and best practices for the Azure control plane that the enterprise-scale architecture provides.

Enterprise-scale Cloud Adoption Framework landing zone architecture

The enterprise-scale landing zone architecture has a modular structure that not only simplifies the deployment of existing and new applications, but also lets Tailwind Traders start with a simple implementation and scale the deployment as their business needs grow.

This architecture takes several critical design areas into account.

To make implementing the landing zone architecture at enterprise scale straightforward, Enterprise-Scale offers reference implementations. They are deployed as infrastructure as code (IaC), either through the Azure portal or with Azure Resource Manager templates or Terraform, to set up and configure your environment. This allows automation to be used for the deployment and ongoing management of an enterprise-scale implementation.

Enterprise-Scale currently offers three different reference implementations, all of which can be scaled without refactoring as requirements change over time.

Enterprise-scale foundation

The enterprise-scale foundation reference architecture enables organizations to get started with Azure landing zones. Companies like Tailwind Traders can start on demand and scale up later based on business needs. This reference implementation is well suited to companies that want to start with landing zones in Azure and don't need hybrid connectivity to their on-premises infrastructure to get started. Because of the modular structure of enterprise-scale, the customer can add hybrid connectivity at a later date as business needs change, without redesigning the Azure environment.

Figure 1: Enterprise-scale foundation architecture

This architecture includes and implements:

  • A scalable management group hierarchy that is aligned with the core capabilities of the platform and lets you operate at scale with centrally managed Azure role-based access control (RBAC) and Azure Policy, with a clear separation between platform and workloads.
  • Azure policies that give the platform and the landing zones their autonomy.
  • An Azure subscription for management that enables core platform capabilities at scale, deployed through Azure Policy, such as a Log Analytics workspace, an Automation account, Azure Security Center, and Azure Sentinel.
  • A landing zone subscription for Azure-native applications and resources with internet access, governed by workload-specific Azure policies.
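The management group hierarchy and the split between platform and workload policies described above can be expressed as infrastructure as code. The following Terraform configuration is an added example written for this post; it is not code from the enterprise-scale reference implementation. The `tt-` management group names, the two subscription ID variables, the allowed regions and the custom storage policy are assumptions made for the example.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed inputs: the two subscriptions created for the foundation.
variable "management_subscription_id" { type = string }
variable "landing_zone_subscription_id" { type = string }

# Top of the customer hierarchy, directly beneath the tenant root group.
resource "azurerm_management_group" "root" {
  name         = "tt-root"
  display_name = "Tailwind Traders"
}

# Platform branch, owned by the central IT team.
resource "azurerm_management_group" "platform" {
  name                       = "tt-platform"
  display_name               = "Platform"
  parent_management_group_id = azurerm_management_group.root.id
}

# The management subscription lives under Platform.
resource "azurerm_management_group" "management" {
  name                       = "tt-management"
  display_name               = "Management"
  parent_management_group_id = azurerm_management_group.platform.id
  subscription_ids           = [var.management_subscription_id]
}

# Landing zones branch, owned by the application teams.
resource "azurerm_management_group" "landing_zones" {
  name                       = "tt-landingzones"
  display_name               = "Landing Zones"
  parent_management_group_id = azurerm_management_group.root.id
  subscription_ids           = [var.landing_zone_subscription_id]
}

# Built-in policy looked up by display name, so no definition GUID is hard-coded.
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

# Assigned at the root of the hierarchy: applies to platform and workloads alike.
resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations"
  management_group_id  = azurerm_management_group.root.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  parameters = jsonencode({
    listOfAllowedLocations = { value = ["westeurope", "northeurope"] }
  })
}

# Custom workload policy (assumed for the example): deny storage accounts
# that still accept unencrypted HTTP traffic.
resource "azurerm_policy_definition" "deny_http_storage" {
  name                = "deny-http-storage"
  policy_type         = "Custom"
  mode                = "Indexed"
  display_name        = "Deny storage accounts without secure transfer"
  management_group_id = azurerm_management_group.root.id
  policy_rule = jsonencode({
    "if" = {
      allOf = [
        { field = "type", equals = "Microsoft.Storage/storageAccounts" },
        { field = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", notEquals = "true" }
      ]
    }
    "then" = { effect = "deny" }
  })
}

# Assigned only to the Landing Zones branch, so platform subscriptions are unaffected.
resource "azurerm_management_group_policy_assignment" "deny_http_storage" {
  name                 = "deny-http-storage"
  management_group_id  = azurerm_management_group.landing_zones.id
  policy_definition_id = azurerm_policy_definition.deny_http_storage.id
}
```

The important design choice is the assignment scope: the location restriction sits at the root, where nobody below can escape it, while the workload-specific deny policy is attached to the Landing Zones branch only, so platform components keep their autonomy. Moving a subscription between management groups changes which assignments apply to it, which is why the hierarchy itself should be managed as code and reviewed like any other change.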

Enterprise-scale hub and spoke

The enterprise-scale hub and spoke reference architecture builds on the enterprise-scale foundation and adds hybrid connectivity with Azure ExpressRoute or a virtual private network (VPN), together with a network architecture based on the traditional hub and spoke topology. This lets Tailwind Traders take advantage of the foundation landing zone and connect on-premises data centers and branch offices using a traditional hub-and-spoke network architecture.

Figure 2: Enterprise scale with hub and spoke architecture

This architecture encompasses the enterprise-scale foundation and also provides:

  • An Azure subscription for connectivity that hosts the central Azure network resources, such as a hub virtual network, an Azure Firewall (optional), an Azure ExpressRoute gateway (optional), a VPN gateway (optional), and private Domain Name System (DNS) zones for Azure Private Link.
  • An Azure subscription for identity, in case your organization needs to run Azure Active Directory domain controllers in a dedicated subscription (optional).
  • A landing zone management group for corp-connected applications that require connectivity to on-premises, to other landing zones, or to the internet through the shared services provided in the hub virtual network.
  • A landing zone management group for online, internet-facing applications, where a virtual network is optional and hybrid connectivity is not required.
  • Landing zone subscriptions for Azure-native, internet-connected online applications and resources.
  • Landing zone subscriptions for corp-connected applications and resources, including a virtual network that connects to the hub using VNet peering.
  • Azure policies for online and corp-connected landing zones.
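The last two bullets describe a corp-connected landing zone subscription whose virtual network peers with the hub in the connectivity subscription. The Terraform configuration below is an added example for this post, not code from the reference implementation; it assumes that the connectivity team has already deployed a hub virtual network named `vnet-hub` and an Azure Firewall named `fw-hub` in resource group `rg-connectivity-hub`, and that the two subscription IDs, the address ranges and the resource names are supplied by the reader.

```hcl
# Assumed inputs: the connectivity subscription and the corp landing zone subscription.
variable "connectivity_subscription_id" { type = string }
variable "corp_subscription_id" { type = string }

# One provider alias per subscription: hub-side resources are created in
# connectivity, spoke-side resources in the corp-connected landing zone.
provider "azurerm" {
  alias           = "connectivity"
  subscription_id = var.connectivity_subscription_id
  features {}
}

provider "azurerm" {
  alias           = "corp"
  subscription_id = var.corp_subscription_id
  features {}
}

# Existing hub resources (assumed names), owned by the connectivity subscription.
data "azurerm_virtual_network" "hub" {
  provider            = azurerm.connectivity
  name                = "vnet-hub"
  resource_group_name = "rg-connectivity-hub"
}

data "azurerm_firewall" "hub" {
  provider            = azurerm.connectivity
  name                = "fw-hub"
  resource_group_name = "rg-connectivity-hub"
}

resource "azurerm_resource_group" "spoke" {
  provider = azurerm.corp
  name     = "rg-corp-app1"
  location = "westeurope"
}

resource "azurerm_virtual_network" "spoke" {
  provider            = azurerm.corp
  name                = "vnet-corp-app1"
  location            = azurerm_resource_group.spoke.location
  resource_group_name = azurerm_resource_group.spoke.name
  address_space       = ["10.1.0.0/16"]
}

resource "azurerm_subnet" "workload" {
  provider             = azurerm.corp
  name                 = "snet-workload"
  resource_group_name  = azurerm_resource_group.spoke.name
  virtual_network_name = azurerm_virtual_network.spoke.name
  address_prefixes     = ["10.1.0.0/24"]
}

# Peering is two one-way links, one created in each subscription.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  provider                  = azurerm.connectivity
  name                      = "hub-to-corp-app1"
  resource_group_name       = data.azurerm_virtual_network.hub.resource_group_name
  virtual_network_name      = data.azurerm_virtual_network.hub.name
  remote_virtual_network_id = azurerm_virtual_network.spoke.id
  allow_forwarded_traffic   = true
  allow_gateway_transit     = true # the spoke may use a hub VPN/ExpressRoute gateway
}

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  provider                  = azurerm.corp
  name                      = "corp-app1-to-hub"
  resource_group_name       = azurerm_resource_group.spoke.name
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = data.azurerm_virtual_network.hub.id
  allow_forwarded_traffic   = true
  use_remote_gateways       = false # switch to true once a gateway exists in the hub
}

# Peering alone does not change routing: without this route the spoke would
# reach the internet directly. Send all egress through the hub firewall.
resource "azurerm_route_table" "spoke" {
  provider                      = azurerm.corp
  name                          = "rt-corp-app1"
  location                      = azurerm_resource_group.spoke.location
  resource_group_name           = azurerm_resource_group.spoke.name
  disable_bgp_route_propagation = true

  route {
    name                   = "default-via-firewall"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = data.azurerm_firewall.hub.ip_configuration[0].private_ip_address
  }
}

resource "azurerm_subnet_route_table_association" "workload" {
  provider       = azurerm.corp
  subnet_id      = azurerm_subnet.workload.id
  route_table_id = azurerm_route_table.spoke.id
}
```

Two points matter for a defender reviewing such a configuration. First, VNet peering is not transitive and does not alter the system routes, so the user-defined route with `0.0.0.0/0` pointing at the firewall's private IP is what actually forces spoke traffic through the shared inspection point; a spoke subnet without that route table association bypasses the firewall. Second, the two peering halves are created with different provider aliases, which mirrors the separation of duties the architecture intends: the landing zone team cannot modify the hub, and the connectivity team does not own workload subnets.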

Enterprise-scale virtual WAN

The enterprise-scale virtual wide area network (WAN) reference implementation includes the foundation as well as Azure Virtual WAN, Azure ExpressRoute and VPN. With it, Tailwind Traders and other organizations can add hybrid connectivity to their on-premises data center, branch offices, factories, retail stores or other edge locations and benefit from a global transit network.

Figure 3: Enterprise-scale virtual WAN architecture

This architecture encompasses the enterprise-scale foundation and also provides:

  • An Azure subscription for connectivity that provides the core network resources, such as Azure Virtual WAN and Azure Firewall, along with their policies.
  • An Azure subscription for identity, where customers can provision the Azure Active Directory domain controllers their environment requires.
  • A landing zone management group for corp-connected applications that require hybrid connectivity. This is where you create the subscriptions that host your corp-connected workloads.
  • A landing zone management group for online applications that are connected to the internet and do not require hybrid connectivity. This is where you create the subscriptions that host your online workloads.
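The connectivity subscription in the Virtual WAN variant replaces the self-managed hub virtual network with a Microsoft-managed virtual hub. The Terraform configuration below is an added example for this post, not code from the reference implementation; it shows a virtual WAN with one secured virtual hub, a site-to-site VPN gateway, an ExpressRoute gateway, an Azure Firewall in the hub, and one spoke connection. The connectivity subscription ID, the spoke virtual network ID, the region, the address prefix and all resource names are assumptions.

```hcl
# Assumed inputs: the connectivity subscription and a spoke VNet created by a
# corp-connected landing zone.
variable "connectivity_subscription_id" { type = string }
variable "corp_spoke_vnet_id" { type = string }

provider "azurerm" {
  subscription_id = var.connectivity_subscription_id
  features {}
}

resource "azurerm_resource_group" "vwan" {
  name     = "rg-connectivity-vwan"
  location = "westeurope"
}

# Standard SKU is required for ExpressRoute, hub-to-hub and branch-to-branch transit.
resource "azurerm_virtual_wan" "tt" {
  name                           = "vwan-tt"
  resource_group_name            = azurerm_resource_group.vwan.name
  location                       = azurerm_resource_group.vwan.location
  type                           = "Standard"
  allow_branch_to_branch_traffic = true
}

# One virtual hub per region; more hubs join the same WAN for global transit.
resource "azurerm_virtual_hub" "weu" {
  name                = "vhub-weu"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
  virtual_wan_id      = azurerm_virtual_wan.tt.id
  address_prefix      = "10.100.0.0/23"
}

# Site-to-site VPN gateway inside the hub (branch offices, retail stores).
resource "azurerm_vpn_gateway" "weu" {
  name                = "vpngw-weu"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
  virtual_hub_id      = azurerm_virtual_hub.weu.id
}

# ExpressRoute gateway inside the hub (on-premises data center).
resource "azurerm_express_route_gateway" "weu" {
  name                = "ergw-weu"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
  virtual_hub_id      = azurerm_virtual_hub.weu.id
  scale_units         = 1
}

# Firewall rules are managed centrally in a policy and attached to the hub firewall.
resource "azurerm_firewall_policy" "vwan" {
  name                = "fwpol-vwan"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
}

# Azure Firewall deployed into the virtual hub, making it a secured virtual hub.
resource "azurerm_firewall" "weu" {
  name                = "fw-vhub-weu"
  resource_group_name = azurerm_resource_group.vwan.name
  location            = azurerm_resource_group.vwan.location
  sku_name            = "AZFW_Hub"
  sku_tier            = "Standard"
  firewall_policy_id  = azurerm_firewall_policy.vwan.id

  virtual_hub {
    virtual_hub_id  = azurerm_virtual_hub.weu.id
    public_ip_count = 1
  }
}

# Spoke connection. internet_security_enabled lets the hub propagate a default
# route (0.0.0.0/0) to the spoke, so internet-bound traffic can be steered
# through the hub firewall rather than leaving the spoke directly.
resource "azurerm_virtual_hub_connection" "corp_app2" {
  name                      = "conn-corp-app2"
  virtual_hub_id            = azurerm_virtual_hub.weu.id
  remote_virtual_network_id = var.corp_spoke_vnet_id
  internet_security_enabled = true
}
```

Compared with the classic hub and spoke, the landing zone team no longer maintains route tables for transit between spokes and branches; the virtual hub's router handles that. What remains the landing zone's responsibility is the connection itself, and in particular whether `internet_security_enabled` is set, since a connection created without it keeps direct internet egress from that spoke.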

Learn more

For more blog posts, check out our Tailwind Traders cloud adoption series, which is based on the Cloud Adoption Framework for Azure and Azure landing zones.

Thank you for joining us as we explored Tailwind Traders and their cloud adoption journey. To learn more about enterprise-scale landing zones, join Sarah Lean and me on LearnTV on April 7, 2021 at 8:00 a.m. (local time) or 3:00 p.m. (GMT), where we will answer questions and deploy an enterprise-scale landing zone live.

¹Tailwind Traders is a fictional company that we refer to in this blog post to illustrate how companies can leverage the Cloud Adoption Framework in real-world scenarios.

