
This Visio file contains multiple Azure landing zone architectures; please use the page selector to choose which architecture you'd like to view.

If you don't know which one, we suggest you start with either "ALZ Hub & Spoke" or "ALZ VWAN".
[Diagram: hub-and-spoke landing zone architecture (Hub VNet, Region 1). Recoverable panels and labels: Enterprise enrollment (Enrollment, Department, Account, Subscription); Identity and access management (Privileged Identity Management: approval workflow, notifications, MFA, access reviews, audit reports; Azure Active Directory: app/DevOps, service principal(s), security group(s), subscription manager, users, other custom roles; on-premises Active Directory); Management group and subscription organization (Tenant root group; Contoso; Platform: Identity, Management, Connectivity; Landing zones: SAP, Corp, Online; Decommissioned; Sandbox); Platform DevOps team (Git repository, Boards, deployment pipeline(s), Wiki; subscription provisioning, role definitions, role provisioning, PolicySet and policy definitions, policy deployment, platform deployment, role assignments, policy assignments, resource templates); Identity subscription (Key Vault, DC1, DC2, Recovery Services vault); Management subscription (Azure Monitor; Automation account(s) with change tracking, inventory management and update management; Log Analytics workspace with dashboards, queries and alerting; Dashboards (Azure portal)); Connectivity subscription (Hub VNet Region 1, DDoS Standard, Azure DNS, Azure Firewall, ExpressRoute, VPN (P2S/S2S)); Landing zone subscriptions A1 and A2 (VNet peering, applications, UDR(s), NSG/ASG(s), Key Vault, file share, resource group(s), Recovery Services vault(s), shared services); Sandbox subscriptions 1 and 2; every subscription carries Cost management, Role assignment, Policy assignment, Network Watcher and Defender for Cloud; On-premises systems; Compliant VM templates (VM SKU(s), access credentials, in-guest policies/DSC, backup policy, extensions, tagging).]

[Diagram: Virtual WAN landing zone architecture (VWAN Hub, Region 1). Same panels as the hub-and-spoke diagram, with the Connectivity subscription built around a Virtual WAN hub (DDoS Standard, Azure DNS, Azure Firewall, ExpressRoute, VPN (P2S/S2S), Virtual WAN) instead of a hub VNet.]

[Diagram: hub-and-spoke network detail for the Adventure Works tenant. Panels: Azure Active Directory (service principal(s), security group(s), users) synchronised through Azure AD Connect with on-premises Active Directory; Management group and subscription organization (Tenant root group; Adventure Works; Platform: Identity, Management, Connectivity; Landing zones: SAP, Corp, Online; Decommissioned; Sandbox); Connectivity subscription (Hub VNet Region 1 with GatewaySubnet and AzureFirewallSubnet, ExpressRoute Gateway and ExpressRoute Circuit, VPN Gateway (S2S & P2S), Azure Firewall, Azure DNS, DDoS Standard; Internet and remote P2S VPN users); Identity subscription (Identity VNet with ADDS subnet, DC1, DC2, Key Vault, Azure Monitor, Recovery Services Vault); Landing Zone subscriptions A1 and A2 (Landing Zone VNet with App subnet and DB subnet, UDRs, Load Balancer, Key Vault, Azure Monitor, Recovery Services Vault, application resource group(s)), joined to the hub by VNet peering; every subscription carries Role assignment, Policy assignment, Network Watcher and Defender for Cloud.]

[Diagram: the same network detail with a Traffic Flows Key (Spoke <> Internet, Spoke <> Spoke, Spoke <> On-Premises, Remote Users <> Spoke); the colour of each flow line is not recoverable from the text.]

[Diagram: Azure AD Tenant – Production (contoso.onmicrosoft.com) with two hierarchies under the Tenant Root Group: Management Groups - Production (Contoso: Platform with Identity, Management, Connectivity; Landing Zones with SAP, Corp, Online; Decommissioned; Sandbox) and a parallel Management Groups - Canary hierarchy (Contoso Canary, Platform Canary, Landing Zones Canary, Decommissioned Canary, Sandbox Canary, with Identity, Management, Connectivity, SAP, Corp and Online Canary children). Each hierarchy has its own subscriptions, Subscriptions - Production and Subscriptions - Canary (Identity, Management, Connectivity, Landing Zone A1 and A2, Decommissioned, Sandbox).]

[Diagram: Azure AD Tenant – Production (contoso.onmicrosoft.com) with only the Management Groups - Production hierarchy and Subscriptions - Production.]

[Diagram: a single Azure Active Directory / Microsoft 365 tenant (Tenant 1, contoso.onmicrosoft.com): Tenant root group; Contoso management groups (Platform: Identity, Management, Connectivity; Landing zones: Corp, Online; Decommissioned; Sandbox) and their subscriptions (Identity, Management, Connectivity, Landing zone A1 and A2, Decommissioned, Sandbox 1 and 2).]

[Diagram: Contoso Corporation's Azure AD Tenants. Tenant 1 (contoso.onmicrosoft.com, Contoso), Tenant 2 (fabirkam.onmicrosoft.com, Fabrikam) and Tenant 3 (tailwind.onmicrosoft.com, Tailwind) each carry the full management group hierarchy and subscriptions of the single-tenant diagram; Tenant 4 (contoso365test.onmicrosoft.com) is labelled Microsoft 365 only. A second copy of this diagram places a Managed Identity label alongside the Microsoft 365 label.]

[Diagram: Contoso Corporation's Platform Automation Tooling: Azure Active Directory Tenants 1 to 4, each with its own Automation Tooling.]

[Diagram: Contoso Corporation's Azure AD Tenants with platform automation: the four tenants above, with an Enterprise Application in each tenant, an App Registration in Tenant 1 (contoso.onmicrosoft.com), and a Platform Team Automation Tooling box labelled Contoso Corporation's Platform Automation Tooling.]

[Diagram: Contoso Corporation's Azure AD Tenants with Azure Lighthouse Delegation: the Tenant 1 (contoso.onmicrosoft.com, Contoso) and Tenant 2 (fabirkam.onmicrosoft.com, Fabrikam) hierarchies; a Connectivity subscription (Hub VNet Region 1, Azure DNS, Azure Firewall, ExpressRoute, VPN (P2S/S2S), DDoS Network Protection Plan) and Landing zone subscriptions (Virtual Network, Application, Private Endpoint, Private DNS Zone Group, Application Template, Dashboards (Azure portal), Recovery Services vault(s), Shared services) delegated through an Azure Lighthouse Offer/Definition; each subscription carries Role assignment, Policy assignment, Network Watcher and Defender for Cloud.]