freundcloud

Landing Zones in Public Clouds

A Landing Zone is a pre-configured, secure, and scalable cloud environment that provides a baseline for deploying workloads. It includes essential resources, policies, and guardrails to ensure compliance, security, and operational efficiency from day one.

Why Use Landing Zones?

  • Accelerate cloud adoption with ready-to-use environments
  • Enforce security, compliance, and governance standards
  • Standardize networking, identity, and resource organization
  • Enable multi-account/subscription management

Landing Zone Definitions by Cloud Provider

Azure: Azure Landing Zone

  • Definition: A set of guidelines, reference architectures, and automation (often via Azure Blueprints, ARM/Bicep, or Terraform) to deploy a secure, governed Azure environment.
  • Key Features:
    • Management groups and subscriptions
    • Azure Policy for compliance
    • Role-Based Access Control (RBAC)
    • Hub-and-spoke networking
    • Integration with Azure Security Center
  • Reference: Azure Landing Zones Documentation

AWS: AWS Landing Zone / Control Tower

  • Definition: An automated solution (AWS Control Tower or custom IaC) to set up a secure, multi-account AWS environment with best practices for identity, logging, and networking.
  • Key Features:
    • Multi-account structure (using AWS Organizations)
    • Centralized logging (CloudTrail, S3)
    • Service Control Policies (SCPs)
    • VPC baseline networking
    • Guardrails for compliance
  • Reference: AWS Landing Zone Solution AWS Control Tower

GCP: Google Cloud Landing Zone (Foundation)

  • Definition: A set of Terraform modules and best practices to create a secure, scalable GCP environment, often called the “foundation” or “landing zone”.
  • Key Features:
    • Hierarchical resource organization (folders, projects)
    • Identity and Access Management (IAM)
    • Shared VPC and networking
    • Audit logging
    • Security Command Center integration
  • Reference: GCP Landing Zone Foundation

Key Differences Between Cloud Landing Zones

Feature Azure AWS GCP
Resource Hierarchy Management Groups, Subs Organizations, Accounts Folders, Projects
Automation Tools Blueprints, ARM, Bicep, TF Control Tower, CloudFormation, TF Terraform, Deployment Manager
Policy/Guardrails Azure Policy, RBAC SCPs, IAM, Guardrails IAM, Org Policy
Networking Hub-Spoke, VNet VPC, Subnets Shared VPC
Logging & Auditing Azure Monitor, Log Analytics CloudTrail, CloudWatch Cloud Audit Logs
Security Integration Security Center, Defender Security Hub, GuardDuty Security Command Center

Best Practices

  • Use Infrastructure as Code (Terraform, Bicep, CloudFormation) for repeatability
  • Start with the official landing zone reference architectures
  • Customize guardrails and policies for your organization
  • Automate account/subscription/project creation
  • Integrate with CI/CD for continuous compliance

Landing Zone Joke

Why did the cloud architect refuse to land in an unprepared environment?

Because there was no landing zone—he didn’t want to crash the deployment!

For more details, always refer to the official documentation and cloud adoption frameworks for each provider.