Cloud Landing Zone Design: Enterprise Blueprint

A landing zone is the foundational architecture that every workload in your cloud sits on top of. Get it wrong and you’ll spend years patching security holes, fighting network conflicts, and untangling account sprawl. Get it right and every new project deploys into a secure, compliant, well-governed environment from Day 1.

The biggest mistake: treating the landing zone as a one-time project. It’s a living platform that evolves with your organization. Plan for change from the start, or you’ll rewrite it within 18 months.

---

Core Components

Landing Zone
├── Account/Subscription Structure (isolation)
├── Identity & Access Management (who can do what)
├── Network Architecture (connectivity & segmentation)
├── Security Guardrails (preventive & detective controls)
├── Logging & Monitoring (centralized observability)
├── Cost Management (budgets, tagging, alerts)
└── CI/CD & Automation (self-service provisioning)

---

Account Structure

AWS (Organization + Accounts)

Management Account (billing, org policies)
├── Security OU
│   ├── Log Archive Account (centralized CloudTrail, VPC Flow Logs)
│   └── Security Tooling Account (GuardDuty, Security Hub)
├── Infrastructure OU
│   ├── Network Hub Account (Transit Gateway, DNS)
│   └── Shared Services Account (CI/CD, artifact registry)
├── Workloads OU
│   ├── Production OU
│   │   ├── App-A Prod Account
│   │   └── App-B Prod Account
│   └── Non-Production OU
│       ├── App-A Dev Account
│       └── App-B Staging Account
└── Sandbox OU
    └── Developer Sandbox Accounts (auto-nuke after 30 days)

Azure (Management Groups + Subscriptions)

Tenant Root Group
├── Platform
│   ├── Identity (Entra ID, Privileged Identity Management)
│   ├── Management (Log Analytics, Azure Monitor)
│   └── Connectivity (Hub VNet, ExpressRoute, Firewall)
├── Landing Zones
│   ├── Production
│   │   ├── App-A Subscription
│   │   └── App-B Subscription
│   └── Non-Production
│       ├── Dev Subscription
│       └── Staging Subscription
├── Sandbox
│   └── Developer Sandboxes (budget-capped)
└── Decommissioned

Account Isolation Decision Framework

Question	Yes →	No →
Does the workload have different compliance requirements?	Separate account/subscription	Same account, different VPC/RG
Do teams need independent billing?	Separate account	Same account, cost allocation tags
Could a blast radius impact other workloads?	Separate account	Same account, network segmentation
Does the workload need production-level SLA?	Production OU/MG	Non-production OU/MG

---

Network Architecture

Hub-and-Spoke (Most Common)

                    Internet
                       │
                  ┌────┴────┐
                  │ Firewall │
                  └────┬────┘
                       │
              ┌────────┴────────┐
              │    Hub VNet     │
              │  10.0.0.0/16   │
              │ (DNS, NVA, VPN)│
              └──┬───┬───┬───┬─┘
                 │   │   │   │
    ┌────────┐ ┌─┴──┐ ┌┴───┐ ┌──┴───┐
    │Dev Spoke│ │Stg │ │Prod│ │Shared│
    │10.1/16 │ │10.2│ │10.3│ │10.4  │
    └────────┘ └────┘ └────┘ └──────┘

IP Addressing Plan

Environment	CIDR	Usable IPs	Notes
Hub	10.0.0.0/16	65,534	Firewall, DNS, VPN gateways
Production	10.1.0.0/16	65,534	Production workloads
Staging	10.2.0.0/16	65,534	Pre-production testing
Development	10.3.0.0/16	65,534	Developer environments
Shared Services	10.4.0.0/16	65,534	CI/CD, monitoring, tooling
On-premises	172.16.0.0/12	Reserved	Corporate network (no overlap!)

Critical: Plan for 10x your current needs. Re-IPing is painful. A /16 per environment gives you room to grow.

Network Connectivity Options

Connectivity Type	AWS Service	Azure Service	Use Case
Site-to-site VPN	Site-to-Site VPN	VPN Gateway	Quick connectivity, backup link
Dedicated connection	Direct Connect	ExpressRoute	Production workloads, low latency
Spoke-to-spoke	Transit Gateway	VNet Peering + Hub	Cross-environment communication
Internet egress	NAT Gateway	NAT Gateway / Azure Firewall	Outbound internet for private subnets
DNS resolution	Route 53 Resolver	Azure Private DNS	Hybrid name resolution

Subnet Strategy (Per Spoke)

Spoke VNet: 10.1.0.0/16
├── /24: Web tier (public-facing, behind LB)
├── /24: App tier (private, no direct internet)
├── /24: Data tier (private, no internet)
├── /24: Management (bastion, monitoring agents)
└── /28: Reserved (gateway subnet, firewall subnet)

---

Security Guardrails

Preventive Controls (SCPs / Azure Policy)

// AWS SCP: Deny all actions outside approved regions
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {
        "aws:RequestedRegion": ["us-east-1", "us-west-2", "eu-west-1"]
      }
    }
  }]
}

// Azure Policy: Require encryption on all storage accounts
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Storage/storageAccounts" },
      { "field": "Microsoft.Storage/storageAccounts/encryption.services.blob.enabled", "notEquals": true }
    ]
  },
  "then": { "effect": "deny" }
}

Essential Guardrails Checklist

Control	Type	AWS Mechanism	Azure Mechanism
Restrict regions	Preventive	SCP	Azure Policy (allowed locations)
Require encryption at rest	Preventive	SCP + AWS Config	Azure Policy (deny unencrypted)
Block public S3/Blob	Preventive	SCP (s3:PutBucketPolicy)	Azure Policy (deny public access)
Require MFA for root/admin	Preventive	IAM policy	Conditional Access
Tag enforcement	Preventive	SCP (deny untagged)	Azure Policy (require tags)
Detect unencrypted resources	Detective	AWS Config Rules	Azure Policy (audit mode)
Detect unused resources	Detective	Trusted Advisor	Azure Advisor
Anomaly detection	Detective	GuardDuty	Microsoft Defender

Detective Controls

Control	AWS Service	Azure Service
Threat detection	GuardDuty	Microsoft Defender
Config compliance	AWS Config	Azure Policy (audit)
Vulnerability scanning	Inspector	Defender for Cloud
Centralized logging	CloudTrail → S3	Activity Log → Log Analytics
Secret scanning	Secrets Manager audit	Key Vault diagnostics

---

Identity & Access Management

Break-Glass Access

Normal Operations:
  Engineers → SSO → Role-based access → Least privilege

Emergency (break-glass):
  On-call engineer → MFA → Break-glass account → Full admin
  └── Automatically logged
  └── Notification to security team
  └── Post-incident review within 24 hours

Break-Glass Rule	Implementation
Separate MFA device	Hardware token stored in secure location
Notification on use	CloudTrail alarm → SNS → PagerDuty
Time-limited	Session expires in 1 hour
Post-incident review	Mandatory writeup within 24 hours
Quarterly testing	Test break-glass process works

---

Logging Architecture

All Accounts/Subscriptions
    │
    ├── CloudTrail / Activity Logs ──→ Central Log Archive
    ├── VPC Flow Logs ──────────────→ Central Log Archive
    ├── Application Logs ───────────→ Central Log Analytics
    ├── DNS Query Logs ─────────────→ Central Log Archive
    └── GuardDuty / Defender ───────→ Security Account + SIEM

Retention Policy

Log Type	Hot Storage	Warm Storage	Archive	Compliance Driver
CloudTrail / Activity	90 days	1 year	7 years	SOC 2, SOX
VPC Flow Logs	30 days	6 months	3 years	PCI DSS
Application logs	30 days	6 months	1 year	Debugging
Security alerts	90 days	1 year	7 years	SOC 2, HIPAA
DNS Query Logs	30 days	6 months	1 year	Threat hunting

---

Tagging Strategy

Every resource must be tagged. Non-negotiable for cost allocation.

Tag Key	Required	Example	Enforcement
Environment	Yes	prod, staging, dev	SCP/Policy: deny untagged
Application	Yes	order-service	SCP/Policy: deny untagged
Owner	Yes	platform-team	SCP/Policy: deny untagged
CostCenter	Yes	CC-1234	SCP/Policy: deny untagged
DataClassification	Yes	confidential, internal, public	SCP/Policy: deny untagged
ManagedBy	Yes	terraform, manual	Advisory (audit mode)
Backup	Conditional	daily, weekly, none	Based on environment

---

Cost Management

Control	Implementation	Alert Threshold
Per-account budget	AWS Budgets / Azure Cost Management	80% of monthly target
Anomaly detection	AWS Cost Anomaly Detection / Azure Anomaly Alerts	> 20% spike vs baseline
Sandbox auto-cleanup	Lambda/Function to delete resources > 30 days	Auto-terminate
Reserved capacity tracking	Monthly utilization report	< 80% utilization
Tag compliance report	Weekly untagged resource report	> 5% untagged

---

Reference Implementations

Cloud	Framework	What It Deploys
AWS	Control Tower	Multi-account, guardrails, SSO
AWS	Landing Zone Accelerator	Networking, security, logging
Azure	Cloud Adoption Framework	Management groups, policies, connectivity
Azure	Enterprise-Scale (ALZ)	Full landing zone via Bicep/Terraform
GCP	Cloud Foundation Toolkit	Org structure, VPC, IAM

---

Checklist

• Account/subscription structure designed with isolation boundaries
• Hub-and-spoke networking deployed with non-overlapping CIDRs
• IP addressing plan reserves 10x current needs
• Subnet strategy defined (web/app/data/management tiers)
• Hybrid connectivity established (VPN or Direct Connect/ExpressRoute)
• Preventive guardrails (SCPs/Policies) blocking dangerous actions
• Detective controls enabled (GuardDuty/Defender, Config/Policy audit)
• Centralized logging flowing to security account
• Log retention policies aligned with compliance requirements
• Tagging strategy enforced via policy (deny untagged resources)
• Break-glass access procedure documented and tested quarterly
• Cost budgets and alerts configured per account
• Sandbox accounts available with automatic cleanup
• DNS architecture designed (split-horizon if needed)
• Terraform/IaC modules created for workload provisioning

---

:::note[Source] This guide is derived from operational intelligence at Garnet Grid Consulting. For cloud foundation consulting, visit garnetgrid.com. :::