
Azure Landing Zone

Small Enterprise Example


Deploy Enterprise Landing Zone
Enterprise-Scale/README.md at main · Azure/Enterprise-Scale (github.com)
Platform Management, Security & Governance
• Deploy Log Analytics workspace.
• Log Analytics Data Retention (days)
• Select which Azure Monitor solutions you will enable for your Log Analytics workspace
• Deploy Agent Health solution
• Deploy Change Tracking solution
• Deploy Update Management solution
• Deploy Activity Log solution
• Deploy VM Insights solution
• Deploy Antimalware solution
• Deploy Service Map solution
• Deploy SQL Assessment solution
• Select which Azure Security solutions you will enable.
• Deploy Azure Security Center and enable security monitoring for your platform and resources
• Azure Security Center Email Contact
• Deploy Azure Sentinel
Network Topology and connectivity
• Requirements for the Hub/Spoke
• Address Space for the Virtual Hub (/20, for example)
• Region for the Virtual Hub
• DDoS Protection Standard
• Private DNS Zones for Azure PaaS
• Deploy VPN Gateway
• VPN Type: Route/Policy
• Subnet for the Gateways (/29)
• Deploy ExpressRoute Gateway
• Deploy Azure Firewall
Landing Zone Configuration
• Which policies will be enabled:
• Prevent usage of Public Endpoints for PaaS services in the corp connected landing zones
• Ensure encryption in transit is enabled for PaaS services
• Ensure Azure VMs (Windows & Linux) are being monitored
• Ensure Azure VMs (Windows & Linux) are enabled for Azure Backup
• Prevent inbound RDP from internet
• Ensure subnets are associated with NSG
• Prevent IP forwarding
• Ensure Azure SQL is enabled with transparent data encryption
• Ensure auditing is enabled on Azure SQL
• Ensure secure connections (HTTPS) to storage accounts
