Architecture Diagrams

Visual diagrams of the landing zone architecture

Landing Zone Overview

Entra ID Tenant
  mg-yourcompany (policies applied, budget alerts)
    sub-nonprod
      rg-<co>-nonprod-monitoring
      rg-<co>-nonprod-networking
        vnet-<co>-nonprod 10.1.0.0/16
          snet-aks /20, snet-app /22, snet-data /22, snet-shared /24
    sub-prod
      rg-<co>-prod-monitoring
      rg-<co>-prod-networking
        vnet-<co>-prod 10.0.0.0/16
          snet-aks /20, snet-app /22, snet-data /22, snet-shared /24

Azure Policies: MCSB (audit) + Tags + Locations
Budget Alerts: 50% / 80% / 100% thresholds
Monitoring: Log Analytics + Defender for Cloud

Graduation Path

Starter: 1 MG, 2 Subs, no Hub
  1. MG Hierarchy: multi-level management groups
  2. Hub + Firewall: centralized egress
  3. Management Sub: dedicated ops subscription
  4. Policy Hardening: deny-mode policies
  5. Identity Hardening: PIM, Access Reviews
Full ALZ: enterprise-ready

Trigger for moving along the path: 50+ engineers, multi-region, or regulatory compliance requirements

Networking Architecture

Internet -> HTTPS (443) -> vnet-<co>-prod 10.0.0.0/16

NSG: snet-aks   Deny all inbound (default); Allow AzureLoadBalancer; Allow VNet internal
NSG: snet-app   Deny all inbound (default)
NSG: snet-data  Deny all inbound (default); Allow snet-aks and snet-app only

Subnet       Range          Usable IPs  Workloads
snet-aks     10.0.0.0/20    4,091       AKS nodes + pods (Azure CNI assigns pod IPs here)
snet-app     10.0.16.0/22   1,019       App Services, Container Apps (VNet-integrated)
snet-data    10.0.20.0/22   1,019       SQL, Cosmos, Redis, Storage, Key Vault
snet-shared  10.0.24.0/24   251         Azure Bastion, VPN Gateway (if needed)

Private Endpoints connect snet-aks and snet-app to the data services in snet-data.

Note: All subnets have a default deny-all-inbound NSG rule. The /20 AKS subnet is intentionally large because Azure CNI allocates one IP per pod.
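The address plan and the snet-data NSG above can be checked mechanically before anything is deployed. The following is an added example (not code from the landing zone itself) that encodes the prod subnet plan as drawn, verifies the subnets sit inside the VNet without overlapping, derives the usable-IP counts (Azure reserves 5 addresses per subnet), and evaluates a simplified inbound rule set for snet-data in priority order; the rule priorities are assumed values.

```python
import ipaddress

# Prod address plan as drawn on the page (vnet-<co>-prod).
VNET = "10.0.0.0/16"
SUBNETS = {
    "snet-aks":    "10.0.0.0/20",
    "snet-app":    "10.0.16.0/22",
    "snet-data":   "10.0.20.0/22",
    "snet-shared": "10.0.24.0/24",
}
AZURE_RESERVED = 5  # Azure reserves the first four and the last address of each subnet


def usable_ips(cidr):
    """Addresses a workload can actually consume in an Azure subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AZURE_RESERVED


def check_plan(vnet_cidr, subnets):
    """Return a list of problems: subnets outside the VNet or overlapping each other."""
    vnet = ipaddress.ip_network(vnet_cidr)
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} not inside {vnet}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


# Simplified inbound NSG for snet-data: (priority, action, source CIDR).
# Priorities are assumed; the 4096 entry stands in for Azure's default DenyAllInBound.
NSG_SNET_DATA = [
    (100, "Allow", SUBNETS["snet-aks"]),
    (110, "Allow", SUBNETS["snet-app"]),
    (4096, "Deny", "0.0.0.0/0"),
]


def inbound_decision(nsg_rules, source_ip):
    """First matching rule by ascending priority decides, as an NSG does."""
    src = ipaddress.ip_address(source_ip)
    for _, action, cidr in sorted(nsg_rules, key=lambda rule: rule[0]):
        if src in ipaddress.ip_network(cidr):
            return action
    return "Deny"
```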

Security Model

Identity
  Global Admin: break-glass account, MFA enforced, no PIM, emergency use only
  sg-azure-admins: Owner on mg-yourcompany
  sg-azure-developers: Contributor on sub-nonprod, Reader on sub-prod

Security Tooling (Defender for Cloud plans)
  CSPM: Free (always)
  Servers: P2 (prod) / Free
  Databases: On (prod)
  Containers: On (if AKS)
  Key Vault: On
  ARM: On (always)

Governance
  MCSB Baseline: audit mode
  Required Tags: environment, team
  Allowed Locations: eastus2, centralus

Access Control
  Managed Identities: App -> Key Vault Secrets User; AKS -> AcrPull; no passwords
  Key Vault: RBAC authorization, no access policies