Landing Zones in Public Clouds

A Landing Zone is a pre-configured, secure, and scalable cloud environment that provides a baseline for deploying workloads. It includes essential resources, policies, and guardrails to ensure compliance, security, and operational efficiency from day one.

Why Use Landing Zones?

  • Accelerate cloud adoption with ready-to-use environments

  • Enforce security, compliance, and governance standards

  • Standardize networking, identity, and resource organization

  • Enable multi-account/subscription management

Landing Zone Definitions by Cloud Provider

Azure: Azure Landing Zone

  • Definition: A set of guidelines, reference architectures, and automation (often via Azure Blueprints, ARM/Bicep, or Terraform) to deploy a secure, governed Azure environment.

  • Key Features:

    • Management groups and subscriptions

    • Azure Policy for compliance

    • Role-Based Access Control (RBAC)

    • Hub-and-spoke networking

    • Integration with Azure Security Center

  • Reference: Azure Landing Zones Documentation

AWS: AWS Landing Zone / Control Tower

  • Definition: An automated solution (AWS Control Tower or custom IaC) to set up a secure, multi-account AWS environment with best practices for identity, logging, and networking.

  • Key Features:

    • Multi-account structure (using AWS Organizations)

    • Centralized logging (CloudTrail, S3)

    • Service Control Policies (SCPs)

    • VPC baseline networking

    • Guardrails for compliance

  • Reference: AWS Landing Zone Solution | AWS Control Tower

GCP: Google Cloud Landing Zone (Foundation)

  • Definition: A set of Terraform modules and best practices to create a secure, scalable GCP environment, often called the "foundation" or "landing zone".

  • Key Features:

    • Hierarchical resource organization (folders, projects)

    • Identity and Access Management (IAM)

    • Shared VPC and networking

    • Audit logging

    • Security Command Center integration

  • Reference: GCP Landing Zone Foundation

Key Differences Between Cloud Landing Zones

Feature
Azure
AWS
GCP

Resource Hierarchy

Management Groups, Subs

Organizations, Accounts

Folders, Projects

Automation Tools

Blueprints, ARM, Bicep, TF

Control Tower, CloudFormation, TF

Terraform, Deployment Manager

Policy/Guardrails

Azure Policy, RBAC

SCPs, IAM, Guardrails

IAM, Org Policy

Networking

Hub-Spoke, VNet

VPC, Subnets

Shared VPC

Logging & Auditing

Azure Monitor, Log Analytics

CloudTrail, CloudWatch

Cloud Audit Logs

Security Integration

Security Center, Defender

Security Hub, GuardDuty

Security Command Center

Best Practices

  • Use Infrastructure as Code (Terraform, Bicep, CloudFormation) for repeatability

  • Start with the official landing zone reference architectures

  • Customize guardrails and policies for your organization

  • Automate account/subscription/project creation

  • Integrate with CI/CD for continuous compliance

Landing Zone Joke

Why did the cloud architect refuse to land in an unprepared environment?

Because there was no landing zone—he didn’t want to crash the deployment!

For more details, always refer to the official documentation and cloud adoption frameworks for each provider.

PreviousGCP to AWSNextAWS Landing Zone

Last updated