Azure Citadel
  • Blogs
  • ARM
  • Azure Arc
    • Overview
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure Landing Zones
    • Prereqs
    • Day 1
      • Azure Baristas
      • Day 1 Challenge
    • Day 2
      • Example
      • Day 2 Challenge
    • Day 3
      • Day 3 Challenge
    • Useful Links
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Azure Stack HCI
    • Overview
    • Useful Links
    • Updates from Microsoft Ignite 2022
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
    • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner
    • Lighthouse and Partner Admin Link
      • Microsoft Cloud Partner Program
      • Combining Lighthouse and PAL
      • Minimal Lighthouse definition
      • Using service principals
      • Privileged Identity Management
    • Useful Links
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Working Environments for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Azure Landing Zones
  3. Day 2
  4. Example

Table of Contents

  • Introduction
  • EA enrolment and AAD tenants
  • Identity and access management
  • Management Group Structure
  • Network topology
  • Management and monitoring
  • Business continuity and disaster recovery
  • Security, governance and compliance
  • Platform automation and DevOps

Example

There is no 100% right answer to the scenario, but here is an example solution.

Introduction

There are a number of requirements in the Azure Barista’s scenario that force you to deviate a little from the default management group structure, as defined by Azure Landing Zones. You will also need to create some additional custom policies to meet the customer’s specific needs. This is a very common thing to do after you have run through a design workshop.

On this page we will run through an example structure and explain the reasons why these decisions have been made.

EA enrolment and AAD tenants

The EA Structure should look similar to the below:

Azure Baristas EA Structure

Identity and access management

  • The existing Azure AD Tenant of: azurebaristas.onmicrosoft.com will be used as:
    • Already synced with the On-Premise Active Directory Domain: azbaristas.local via Azure AD Connect with Password Hash Sync & SSO configured
    • Used already for Office/Microsoft 365 services across the organisation
  • A single Azure AD Tenant is recommended as part of Azure Landing Zones & CAF Security best practices
  • Relevant RBAC role/custom roles defined and applied as per RBAC requirements on the Day 2 Challenge Page & Day 1 Azure Baristas Intro

Management Group Structure

The Management Group structure should look similar to the below example:

Azure Baristas Management Group Structure

Network topology

  • Azure Virtual WAN should have been chosen as the networking technology
    • Due to the desire for moving towards SD-WAN
      • Also Citrix skills within the networking team and Citrix being an Azure Virtual WAN partner
  • Also due to a lot of branch sites (Coffee Shops) required and the flexibility and speed Azure Virtual WAN will give Azure Baristas
  • A Azure Virtual WAN Hub per Azure Region to be deployed in the Connectivity Subscription in a single Resource Group:
    • UK South
    • South East Asia
    • Germany West Central
    • UAE North
    • East US

Azure Baristas' Virtual WAN diagram

Management and monitoring

  • All logs will be sent to a single Log Analytics Workspace deployed in the Management Subscription

Business continuity and disaster recovery

  • Azure Policies (whether built-in, custom, or imported from Azure Landing Zone) in place as per backup requirements listed on the Day 2 Challenge Page & Day 1 Azure Baristas Intro

Security, governance and compliance

  • Azure Policies (whether built-in, custom, or imported from Azure Landing Zone) in place as per all other requirements listed on the Day 2 Challenge Page & Day 1 Azure Baristas Intro

Platform automation and DevOps

Not currently in scope for the Azure Baristas scenario.

Previous Example Day 2 Challenge