By: Maurice Kok

What is a Landing Zone and Why do I need one?

When a customer of Digital Survival Company wants to start their cloud journey or run one of their business applications in Microsoft Azure or Amazon Web Services (AWS), we always advise starting with a Landing Zone.

What is a Landing Zone?

According to the documentation, Microsoft defines a Landing Zone as:

The output of a multi-subscription environment that accounts for scale, security governance, networking, and identity.


Within Digital Survival Company, we would define a Landing Zone as:

All the choices you need to make and subjects you need to think about before starting your cloud journey.

In our opinion, it is a framework within your organization to start the journey efficiently and in a controlled manner. We combine the technical implementation of a Landing Zone with the Cloud Adoption Frameworks of the different cloud vendors. We bring years of experience working with enterprise cloud environments to guide you around the known pitfalls and do it right the first time.

The Landing Zone is a set of building blocks and will evolve with your needs. We will start by making choices (supported with rationales) on the higher-level topics like identity framework, governance, networking, and security. Once these are set, we can continue with the lower-level decisions, like naming convention, subscription design, resource groups, and management group segregation. This gives you the basics to host your workload or solution.

When designing the Landing Zone, you need to think about the deployment of policy, monitoring, and cost control. The same applies to the workloads that will land on the Landing Zone:

Determine a set of pre-approved cloud services for the production workload.

Reduce failures while balancing resiliency and costs.

Let the development of a workload be driven not only by functionality and features, but also by stability, security, scalability, manageability, continuity, and all those other beautiful ‘ities’.

Please don’t become the internal cloud provider of your organization; instead, provide the guardrails for your organization to leverage the cloud as they wish.

The Well-Architected Framework and its available reviews will guide you through these topics when developing your workload for the cloud.

Why do I need a Landing Zone?

You don’t need much to start wrong in the public cloud. You only need a credit card and perhaps an identity provider, but that is enough. Resources and workloads can be created manually via the portal. It’s my personal observation that creating resources from the Microsoft Azure portal is more accessible than from the AWS Portal. However, being more accessible comes with a price. It forces the creator of the resources (technical or non-technical) to make decisions based on their knowledge, and they will only have the progress of the solution in mind. As time passes, the number of services spun up grows, with more dependencies relying on those services. There is no longer an overview of the services or resources that are needed or are already deprecated.

Having a Landing Zone in place enables your organization, IT department, or DevSecOps teams to use the public cloud within your predefined terms and guardrails. It will support you and your organization in networking, security, and monitoring. This will give you control of your cloud consumption costs, improve the overview of your services, and reduce the network attack surface.

How can we help?

We are there to guide you through this process. We will always start with workshops. The number and depth depend on the size and complexity of your organization. Together with you, we will define the first guardrails, who can use the Landing Zone, and how, when, and where the Landing Zone will be leveraged.

We know the common blockers and pitfalls. We have seen organizations acting too soon by applying current-state requirements to a future-state environment as an early-stage gate. We have also seen organizations that do not let the Landing Zone grow with the demands of the business or workload, or that wait for total alignment on the environment before starting. These situations can delay the first workload by weeks, months, or even years.

On the other hand, acting too late can have significant long-term consequences on the success of the cloud adoption effort. We suggest an iterative approach based on a well-structured cloud adoption plan to avoid these common blockers, maximizing learning opportunities and minimizing time to business success.

If you are considering a migration to the cloud or are interested in our approach to cloud adoption, Digital Survival Company can advise you on your journey to ensure your success when running your workloads on Azure or AWS.