After the SLZ has been deployed, organizations can begin using it to host workloads. Workloads need their own landing zones; for more details about the types of landing zones, review the What is a landing zone documentation.
In short, the landing zone as deployed by the SLZ provides the governance framework and controls that simplify onboarding workload landing zones within its management group structure. This means workload landing zones don't need to recreate common infrastructure such as a hub network, as they can use the one that already exists, nor do they need to manage policy assignments, as they inherit the ones already assigned.
Workload landing zones require creating a subscription and placing it within the management group structure. While you may customize the management groups available, the following exist by default:
- Connectivity - Used to host platform workloads that provide core networking capabilities
- Identity - Used to host platform workloads that provide identity management, access, and syncing capabilities
- Management - Used to host platform workloads that provide core monitoring and alerting capabilities
- Corp - Used to host application workloads that do not need to be accessed from the public internet
- Confidential Corp - Used to host application workloads that do not need to be accessed from the public internet but require use of confidential computing
- Online - Used to host application workloads that do need to be accessed from the public internet
- Confidential Online - Used to host application workloads that do need to be accessed from the public internet but require use of confidential computing
- Sandbox - Used to host isolated environments for testing workloads and capabilities
- Decommissioned - Used to host workloads or capabilities that are retired, but still need to be retained
Subscription vending provides a platform mechanism for programmatically issuing subscriptions to application teams that need to deploy workloads. This allows an organization's governance and security teams to build controls and a process around subscription creation; application teams can then request a new subscription for their workload on demand after making a few choices.
Landing zone vending is a GitHub repository that provides the automation to deploy landing zones for workloads within the SLZ. It is recommended that an organization's governance and security teams review the parameters available in this module and enforce fixed values for some, while leaving the others for the requesting team to fill out. Once all values are provided, a pipeline running with a highly privileged account creates the landing zone and grants reduced permissions to the development team to deploy their workload within it.
It is recommended not to allow a development team to set the following values:
- subscriptionBillingScope
- subscriptionTenantId
- virtualNetworkDdosPlanId
- virtualNetworkLocation
- hubNetworkResourceId
It is recommended to allow a development team to set the following values:
- subscriptionDisplayName
- subscriptionAliasName
- subscriptionWorkload
- subscriptionManagementGroupId
However, organizations may customize these lists further and provide certain allowed values that a development team can request.
To support usage of the landing zone vending module and running individual deployment steps, every execution of the SLZ logs key resources to a CSV file. These log files are stored in /orchestration/scripts/outputs and are timestamped, with the deployment name in the file title.
The CSV file has the following columns:
- Resource Name - The human readable resource name
- Resource Type - The resource type useful for filtering the CSV
- Resource Id - The unique identifier for the resource that's commonly needed as a parameter
- Deployment Module - The deployment module where this resource is created
- Comments - A human readable comment about where this value is commonly used
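As an added example (not code from the SLZ repository or the landing zone vending module), the following Python script ties the two recommendations above together: it reads a deployment output CSV with the columns just listed to collect the platform-owned values, and validates a development team's request against the split between locked and team-settable parameters before merging the two into one parameter set for the vending pipeline. The CSV rows, the management group ids, the allowed workload values and the billing scope, tenant id and region placeholders are all constructed for the example.

```python
import csv
import io

# Parameters the governance team fixes for every landing zone; a request that
# tries to set one of them is rejected rather than silently overridden.
LOCKED_PARAMETERS = {
    "subscriptionBillingScope",
    "subscriptionTenantId",
    "virtualNetworkDdosPlanId",
    "virtualNetworkLocation",
    "hubNetworkResourceId",
}

# Parameters the requesting team may set. A set restricts the value to an
# allowlist; None means any string is accepted. The allowlists are constructed.
TEAM_PARAMETERS = {
    "subscriptionDisplayName": None,
    "subscriptionAliasName": None,
    "subscriptionWorkload": {"Production", "DevTest"},
    "subscriptionManagementGroupId": {"corp", "online", "sandbox"},
}

# Constructed sample of the CSV the SLZ orchestration writes. The column names
# follow the documented layout; the rows are placeholders, not real output.
SAMPLE_CSV = """Resource Name,Resource Type,Resource Id,Deployment Module,Comments
hub-vnet,Microsoft.Network/virtualNetworks,/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub/providers/Microsoft.Network/virtualNetworks/hub-vnet,connectivity,Hub network for workload peering
ddos-plan,Microsoft.Network/ddosProtectionPlans,/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-hub/providers/Microsoft.Network/ddosProtectionPlans/ddos-plan,connectivity,DDoS plan attached to workload virtual networks
"""

# Locked values that come from the platform team's own configuration rather
# than from the CSV; placeholder values here.
PLATFORM_CONFIG = {
    "subscriptionBillingScope": "/providers/Microsoft.Billing/billingAccounts/<billing-account>/enrollmentAccounts/<enrollment-account>",
    "subscriptionTenantId": "00000000-0000-0000-0000-000000000000",
    "virtualNetworkLocation": "<region>",
}


def load_resource_ids(csv_text):
    """Index the SLZ output CSV as 'Resource Type' -> 'Resource Id'."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Resource Type"]: row["Resource Id"] for row in reader}


def platform_values(csv_text, config=PLATFORM_CONFIG):
    """Assemble every locked parameter from the CSV plus the platform config."""
    ids = load_resource_ids(csv_text)
    values = dict(config)
    values["hubNetworkResourceId"] = ids["Microsoft.Network/virtualNetworks"]
    values["virtualNetworkDdosPlanId"] = ids["Microsoft.Network/ddosProtectionPlans"]
    missing = LOCKED_PARAMETERS - set(values)
    if missing:
        raise KeyError(f"platform values missing for: {sorted(missing)}")
    return values


def build_vending_parameters(request, locked):
    """Validate a team's request and merge it with the locked platform values."""
    attempted = LOCKED_PARAMETERS.intersection(request)
    if attempted:
        raise ValueError(f"request may not set locked parameters: {sorted(attempted)}")
    unknown = set(request) - set(TEAM_PARAMETERS)
    if unknown:
        raise ValueError(f"unknown parameters: {sorted(unknown)}")
    missing = set(TEAM_PARAMETERS) - set(request)
    if missing:
        raise ValueError(f"request is missing: {sorted(missing)}")
    for name, allowed in TEAM_PARAMETERS.items():
        if allowed is not None and request[name] not in allowed:
            raise ValueError(f"{name}={request[name]!r} is not in {sorted(allowed)}")
    # Locked values are placed first and the validated request cannot collide
    # with them, so the merge order does not matter; it is written this way
    # to make the precedence explicit.
    return {**locked, **request}


if __name__ == "__main__":
    request = {
        "subscriptionDisplayName": "Payments",
        "subscriptionAliasName": "sub-payments",
        "subscriptionWorkload": "Production",
        "subscriptionManagementGroupId": "corp",
    }
    for key, value in build_vending_parameters(request, platform_values(SAMPLE_CSV)).items():
        print(f"{key} = {value}")
```

In a real pipeline the locked values would be read from the most recent timestamped CSV in /orchestration/scripts/outputs and from the governance team's configuration, and the merged dictionary would be passed to the vending module; the request itself is the only input the development team controls.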
Microsoft Cloud for Sovereignty has published a variety of workload templates, including a sample application, that are designed to be deployed within the SLZ. These are useful resources to reference during the workload migration process.