Azure Landing Zones Networking

Brewing the Latest Azure Landing Zone – Networking the Modern Enterprise

Aligning new connectivity models with the ALZ and SLZ reference architectures.

If the network is the “espresso shot” of your landing zone, then the connectivity model is your barista — it decides how everything gets blended together. Over the last year, Azure networking patterns have had a serious refill. Between Virtual WAN, private endpoints, and platform-owned connectivity, the modern Landing Zone (LZ) and Secure Landing Zone (SLZ) are paving a clearer path for scalable, secure, and consistent enterprise networking.

This post breaks down what’s changed in the Azure Landing Zone (ALZ) reference design, how it integrates with SLZ guidance, and where sovereign deployment models fit in.

Let’s stir it up.

☁️ What Is “Networking the Modern Enterprise”?

In Microsoft’s Cloud Adoption Framework (CAF), network topology and connectivity is one of the eight core design areas for a Landing Zone. It defines how workloads, users, and services communicate — and how governance and security controls flow through that design.

Historically, enterprises built “Connected Landing Zones” where each domain owned its own virtual network. The Platform team provided connectivity through hub-and-spoke topologies. As governance matured and services like Azure Virtual WAN evolved, Microsoft shifted to the Platform-Owned Connectivity model — a cleaner, scalable, and more secure approach that supports hybrid, multicloud, and sovereign environments.

The latest addition: Sovereign Landing Zone (SLZ) concepts now extend this model for compliant, isolated environments (e.g., financial services, critical infrastructure, or government workloads).

🔌 How It Works

At a high level, modern Azure connectivity now aligns with three design layers:

  1. Platform Connectivity (Core):
    A centralised layer that hosts Virtual WAN, route tables, and connectivity policies managed by the platform team.

  2. Landing Zone Networks:
    Workload vNets or vWAN hubs connected via private endpoints or secured peering. These zones inherit policies and connectivity from the Platform layer, not peer-to-peer connections.

  3. Secure Landing Zone (SLZ):
    Overlays Zero Trust and Defender for Cloud integration on top of the baseline ALZ network model. In many cases, it introduces automated security rulesets and DDoS/Firewall as Code patterns.

In practical terms, traffic flows are now mediated by Virtual WAN hubs, Azure Firewall Premium, and Private Link instead of traditional NVA (Network Virtual Appliance) choke points.

🗺️ Example Architecture

flowchart TD A[On-premises WAN/ExpressRoute] --> B[Virtual WAN Hub] B --> C[Azure Firewall / Security Services] C --> D[Landing Zone vNet 1] C --> E[Landing Zone vNet 2] D --> F[Private Endpoints / PaaS Services] E --> F F --> G[Microsoft Backbone Services]

This structure supports scale-out networking, consistent routing policy enforcement, and integrates neatly with Azure Policy, Defender for Cloud, and Azure Monitor.

🌍 Real‑World Impact

Scenario 1: Hybrid Enterprise with Global Workloads
A financial services customer migrating multiple regional workloads to Azure replaces numerous virtual network peerings with Virtual WAN hubs per geography. Each hub standardises route propagation and central internet egress, cutting operational overhead by 60%.

Scenario 2: Secure Landing Zone for Gov Customers
A government department implementing a Sovereign Landing Zone uses restricted Azure regions and enforces data residency via Virtual WAN secure hubs with isolated Network Security Groups (NSGs). This model passes audit checks for Information Security Manual (ISM) compliance while allowing standardised DevOps pipelines.

🧱 Implementation Examples

Azure Portal – High‑Level Setup Steps

  1. Create a Virtual WAN resource in your platform region.
  2. Add Virtual Hubs for each geography (e.g., AU‑East, SE‑Asia).
  3. Connect VPN/ExpressRoute gateways or on-premises edge routers.
  4. Add hub-to-spoke connections for each Landing Zone vNet.
  5. Configure Azure Firewall Premium, NSGs, and route tables.
  6. Deploy Private Endpoints for platform services (e.g., Storage, SQL).

🧩 Bicep Example – Platform-Owned Connectivity 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45

param location string = resourceGroup().location
param vwanName string = 'corp-vwan'
param vhubName string = 'au-east-hub'
param firewallName string = 'corp-fw'

resource vwan 'Microsoft.Network/virtualWans@2023-09-01' = {
  name: vwanName
  location: location
  properties: {
    allowBranchToBranchTraffic: true
  }
}

resource vhub 'Microsoft.Network/virtualHubs@2023-09-01' = {
  name: vhubName
  location: location
  properties: {
    addressPrefix: '10.50.0.0/23'
    virtualWan: {
      id: vwan.id
    }
  }
}

resource azfw 'Microsoft.Network/azureFirewalls@2023-09-01' = {
  name: firewallName
  location: location
  properties: {
    sku: {
      name: 'AZFW_VNet'
      tier: 'Premium'
    }
    threatIntelMode: 'Alert'
    ipConfigurations: [
      {
        name: 'fwConfig'
        properties: {
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', vhubName, 'AzureFirewallSubnet')
          }
        }
      }
    ]
  }
}

Key Notes

  • Use Azure Firewall Manager for routing and policy orchestration.
  • Avoid direct peering between Landing Zones; all traffic should traverse the platform hub.
  • In SLZ contexts, enforce outbound web traffic inspection and certificate validation.

⚠️ Gotchas & Edge Cases

  • Private Endpoint Sprawl: Too many PE connections across vNets can cause DNS complexity — consider Private DNS Zones managed centrally.
  • Cross-region failover: Virtual WAN hubs aren’t automatically resilient across geographies; plan hub failover manually or automate via Bicep.
  • NVAs in a new world: With Azure Firewall Premium and IDPS features maturing, NVAs should be limited to specific use cases (e.g., vendor-standard inspection or multicloud transit).
  • Sovereign Regions: SLZ deployments may have resource provider restrictions; confirm service availability before adopting standard ALZ templates.

✅ Best Practices

  • Adopt Platform-owned Connectivity as the default pattern for enterprise landing zones.
  • Consolidate policy and tagging strategy across all vNets for traceability and governance alignment.
  • Use Azure Policy to control where Private DNS Zones can be created — ensuring they reside within the Connectivity (Platform) Zone, not inside workload subscriptions. This keeps name resolution consistent, auditable, and centrally managed.
  • Deploy Virtual WAN secure hubs with Azure Firewall Premium tier for central egress and Zero Trust enforcement.
  • Prefer Private Link over service endpoint exposure; eliminate public endpoints altogether.
  • Manage DNS centrally in the platform layer and link zones to the appropriate spokes via Private DNS zone virtual network links.
  • Automate hub and spoke deployment using Bicep or Terraform, and avoid ad-hoc peering.
  • In Sovereign Landing Zones, maintain strict separation between management, workload, and monitoring planes to meet regulatory assurance.
🍺
Brewed Insight: The shift from connected landing zones to platform-owned connectivity mirrors how enterprises are modernising their cloud governance: centralised guardrails, decentralised innovation.
Think of the network as the “brew method” — the beans (your workloads) won’t taste right without the right pressure, filter, and flow.

🔗 Learn More