Azure Arc Landing Zone
As organisations venture into a hybrid or multi-cloud environment, managing resources across on-premises, other clouds, and Azure can become complex. An Azure Arc Landing Zone provides a standardised foundation to streamline this process. The Azure Arc Landing Zone establishes a secure, well-governed environment specifically designed for managing Azure Arc-enabled resources.
Within this landing zone, organisations benefit from centralised governance policies, consistent resource organisation, and automated monitoring. This translates to simplified deployments, enhanced security, and improved operational efficiency for your entire hybrid and multi-cloud estate.
The landing zone leverages Azure Arc, a technology that extends Azure management services to Azure and non-Azure environments, including on-premises infrastructure (such as Azure Stack HCI, which is Azure Arc-enabled by default), other cloud providers, and the edge.
Azure Arc Landing Zone Critical Design Areas
An Azure Arc Landing Zone encompasses several of the critical design areas described in a previous blog post (https://community.hpe.com/t5/alliances/introduction-to-azure-landing-zones/ba-p/7196277), which are essential for the successful implementation and management of an Azure Arc-enabled platform. These areas include the following:
- Management Group and Subscription Organisation
  - Management Groups: Utilise them to logically group resources based on business units, environments (e.g., Dev, Test, Prod), or compliance requirements.
  - Subscriptions: Define a strategy, based on your specific requirements and priorities, for whether to allocate a separate Azure subscription for Azure Arc and Azure Stack HCI.
  - Resource Hierarchy: Define a clear structure for resource placement within management groups, considering factors like resource types, access control, and scalability.
- Network Topology and Connectivity
  - Network Topology and Connectivity: Design your network architecture to enable secure and efficient communication between resources across different environments.
  - Hybrid and Multi-cloud Connectivity: Utilise technologies like ExpressRoute or VPN Gateways to establish secure and reliable connections between Azure and your on-premises or other cloud environments.
- Identity and Access Management
  - Microsoft Entra ID: Establish Entra ID as the central identity authority for all resources, ensuring consistent access control and RBAC (Role-Based Access Control) across your hybrid environment.
  - Conditional Access: Leverage conditional access policies to enforce additional security measures, such as multi-factor authentication or device compliance, for accessing resources.
  - Service Principals: Use service principals for machine identities and grant them least privilege access based on their specific needs.
- Security, Governance and Compliance
  - Azure Policy: Enforce security best practices by defining and assigning policies that govern resource configurations, deployments, and access control.
  - Azure Monitor: Continuously monitor for security threats and vulnerabilities across your environments, leveraging Log Analytics and Azure Sentinel for centralised logging and security information and event management (SIEM).
  - Azure Defender for Cloud: Consider subscribing to Azure Defender for Cloud for enhanced threat detection, vulnerability scanning, and automated remediation across your hybrid workloads.
  - Azure Cost Management: Track and optimise costs across your entire environment, identifying and addressing potential overspending.
  - Azure Tagging: Implement consistent tagging strategies to categorise resources for cost allocation, compliance reporting, and resource management.
  - Naming Conventions: Implement consistent naming conventions for resources across environments to simplify identification and management.
- Management and Monitoring
  - Monitoring and Logging: Implement centralised monitoring and logging solutions to gain visibility into the health and performance of your entire landing zone.
- Platform DevOps and Automation
  - Infrastructure as Code (IaC): Use tools like Ansible, Terraform or Bicep to automate infrastructure provisioning, configuration, and management for consistency and reduced manual effort.
  - CI/CD Pipelines: Implement continuous integration and continuous delivery (CI/CD) pipelines to streamline deployments and updates across your hybrid and multi-cloud resources.
  - GitOps: Consider GitOps approaches for managing resource configurations in a version-controlled repository, ensuring traceability and collaboration.
A well-designed Azure Arc Landing Zone addresses these critical areas to create a robust and secure foundation for cloud operations.
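As an added example (not part of the original post and not HPE's or Microsoft's own code), the Azure Policy and Azure Tagging items above can be combined in a custom policy definition that flags Arc-enabled servers and Azure Stack HCI clusters missing governance tags. The tag names `Environment` and `CostCenter` are assumptions chosen for illustration; replace them with your own tagging standard.

```json
{
  "properties": {
    "displayName": "Example: require governance tags on Azure Arc and Azure Stack HCI resources",
    "description": "Constructed example. Flags Arc-enabled servers and Azure Stack HCI clusters that lack the tags used for cost allocation and compliance reporting.",
    "mode": "Indexed",
    "parameters": {
      "environmentTag": {
        "type": "String",
        "defaultValue": "Environment",
        "metadata": { "displayName": "Environment tag name (assumed)" }
      },
      "costCenterTag": {
        "type": "String",
        "defaultValue": "CostCenter",
        "metadata": { "displayName": "Cost allocation tag name (assumed)" }
      },
      "effect": {
        "type": "String",
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "in": [
              "Microsoft.HybridCompute/machines",
              "Microsoft.AzureStackHCI/clusters"
            ]
          },
          {
            "anyOf": [
              { "field": "[concat('tags[', parameters('environmentTag'), ']')]", "exists": "false" },
              { "field": "[concat('tags[', parameters('costCenterTag'), ']')]", "exists": "false" }
            ]
          }
        ]
      },
      "then": { "effect": "[parameters('effect')]" }
    }
  }
}
```

Assigned at the management group that holds the Azure Arc subscription, the `Audit` default reports untagged resources without blocking onboarding. Switch the effect to `Deny` only once your onboarding scripts set both tags, since `Deny` rejects resources that arrive without them.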
Arguments for a Separate Azure Subscription
Whether Azure Arc and Azure Stack HCI need their own Azure subscription depends on your specific usage scenario and requirements.
Arguments for a separate Azure subscription:
- Cost segregation: You can track and manage costs specifically for your Azure Arc and Azure Stack HCI deployment, separate from other Azure resources. This helps with budgeting and cost optimisation.
- Resource isolation: Your Azure Arc and Azure Stack HCI resources are protected from accidental deletion or modification from other Azure subscriptions. This enhances security and control.
- Compliance requirements: Specific regulations might require segregated resources, making a separate subscription necessary.
- Hybrid benefit discounts: You might be eligible for additional discounts on Windows Server and SQL Server licenses by leveraging Hybrid Benefit for Azure Stack HCI with a separate subscription.
Arguments against a separate Azure subscription:
- Complexity: Managing multiple subscriptions adds complexity and administrative overhead.
- Cost overhead: Separate subscriptions incur a small monthly management fee, even if unused.
- Resource management limitations: You might have limitations on managing resources across subscriptions, requiring additional tools or permissions.
- Billing integration: Separate subscriptions necessitate separate billing and invoices, leading to additional management effort.
Conclusion
The Azure Arc Landing Zone offers a pre-defined blueprint for creating a secure and centralised foundation for managing resources in a hybrid or multi-cloud environment. This includes on-premises infrastructure, other cloud providers, and of course, Azure itself.
Azure Stack HCI is a hyper-converged infrastructure (HCI) solution that brings together compute, storage, and networking resources into a single, easy-to-manage system. Here's the key point: Azure Stack HCI is inherently Azure Arc-enabled. This means it integrates with the Azure Arc Landing Zone, allowing you to manage and govern your on-premises HCI infrastructure alongside your other cloud resources from a single pane of glass in the Azure portal.
For more information on the many ways we can help you, see https://www.hpe.com/uk/en/services/pointnext.html
Patrick Lownds
Hewlett Packard Enterprise