White Paper:

Azure Landing Zones

Part 3

Author: Eric MacDonald, VP of Cloud Transformation

Networking is the backbone of every landing zone.

Part 3 of the Azure Landing Zones series moves from identity and governance into the connective tissue of your cloud: the network. This installment breaks down the architecture, design patterns, and automation required to build a scalable, secure, CAF-aligned network foundation across your Azure environment.

From choosing the right topology (Hub-Spoke, Virtual WAN, or Hybrid) to implementing segmentation, routing, hybrid connectivity, cross-region architecture, and Network-as-Code automation, this guide gives you the blueprint for a predictable, governed, and fully instrumented landing zone network.

If identity is the control plane, networking is the highway system — and getting it wrong creates long-term technical debt fast. This paper shows you how to design it right the first time.

Azure Landing Zones: Networking & Connectivity (Part 3)

Modern cloud operations rely on a well-architected network. Part 3 of the ALZ series provides a deep dive into how traffic flows, how hybrid connectivity scales, and how governance and security stay enforceable across every subscription.

Expanding on Microsoft’s Cloud Adoption Framework (CAF), this paper provides practical guidance for:

  • Building the Connectivity layer and the Platform Subscription

  • Selecting and implementing enterprise-grade network topologies

  • Designing segmentation and IP address strategies that scale

  • Enforcing Zero Trust with centralized egress filtering, firewalls, and NSGs

  • Deploying hybrid connections with VPN and ExpressRoute

  • Automating network provisioning and guardrails using Bicep/Terraform and Azure Virtual Network Manager

  • Operating and monitoring networks with Azure-native tools

Part 1 covers some foundational considerations, and Part 2 addresses design, automation and identity access best practices. 
