Jeremy Winter - Partner Director, Azure Management | Microsoft
As businesses look to the cloud to ensure business resiliency and to spur innovation, we continue to see customer migrations to Azure accelerate. Increasingly, we’ve heard from business leaders preparing to migrate that they could learn from our best practices and want general help thinking about migration.
IT and business leaders often ask us about how they can both enable their teams to innovate with agility in Azure and remain compliant within organizational governance, security, and efficiency guardrails. Getting this balance right is critical to cloud migration success. One of the most important questions to getting it right is how to set up destination Azure environments we call landing zones.
At Microsoft, we believe that cloud agility isn’t at odds with setting up the right foundation for migration initiatives—in fact, taking time to do the latter sets organizations up for a faster path to success. Our customers and partners have been using Azure landing zones—a set of architecture guidelines, reference implementations, and code samples based on proven practices—to prepare cloud environments.
“With everybody’s limited budget, especially during the pandemic, the support from both a financial perspective and with FastTrack for Azure backing. I very quickly realized that we could deliver in a quicker timeframe than initially planned. The landing zone was a great initiative because that focused everybody in terms of what are the deliverables? What are we looking to achieve? What technologies are we going to use to do that? Microsoft linked in seamlessly with SoftwareOne and as a customer of both of these companies, it was reassuring for us.”
Gavin Scott, Head of IT, Actavo
What are the key decisions to be made in setting up your cloud destination?
At the onset of migration initiatives, we see customers and partners focus on the key considerations below to define their ideal operating environment in Azure. These considerations are abstracted as operating models, with “central operations” and “enterprise operations” as two options at different ends of the spectrum.
- Old roles versus new opportunities: Migrating to the cloud can modernize many workloads as well as how IT operates. Azure can reduce the volume of repetitive maintenance tasks, unlocking opportunities to apply IT staff expertise in new ways. At the same time, Azure does offer options to preserve practices, controls, and structures that are proven to work. A key decision for leaders is where to land on this spectrum.
- Change management versus democratized actions: With greater access to self-service deployment and flexibility for decisions, change management and change control can look different in the cloud. While workload teams typically prefer the agility to quickly make changes to workloads and environments, cloud centers of excellence seek to ensure changes are safe, compliant, and operationally efficient. The key decision for leaders here is how much of cloud governance requirements should be automated.
- Standardized versus specialized operations: Creating multiple and connected levels of operational controls in Azure to accommodate specialized needs of various workloads is absolutely possible. Central IT, for instance, can ensure basic operational standards for all workloads, while empowering workload teams to set additional guardrails. The key question for leaders is which day-to-day operations will be performed by central IT teams and which by workload teams.
- Architecture; as-is versus re-imagined: The first inclination for most teams might be to simply replicate on-premises design and architectures, “as-is” in Azure. When a low complexity and narrowly scoped estate is moving to cloud, that might be the optimal approach. In time, as migration scopes grow—spanning more applications, databases, and infrastructure components—achieving higher efficiency in Azure becomes even more attractive. A key decision for leaders is which path to take during iterative migration initiatives.
Azure landing zones appropriately guide customers and partners in setting up the desired operating model in Azure. Landing zones ensure that roles, change management, governance, and operations are all considered at the beginning of the journey to achieve the desired balance of agility and governance.
Why are Azure landing zones valuable in implementing your design decisions in the cloud?
Examples from two of our customers on each end of the operating model spectrum illustrate how landing zones guide destination decisions, as well as the implementation path.
The first example is a US-based large manufacturing and distribution company, with operations spanning four continents. This customer aimed to establish “central operations” while retiring a series of data centers that would have otherwise required expensive hardware upgrades. One of the complicating (though not uncommon) factors was each regional subsidiary had distinct governance, security, and operations requirements.
To accelerate this complex migration, with the help of our partners, we started by migrating a single subsidiary, enabling the customer to learn and iterate towards the desired centralized operating model. During the first four weeks, the customer migrated hundreds of low-risk VMs to an Azure landing zone. Within eight weeks, the customer established the final operating model, migrating mission-critical and sensitive data workloads for their first subsidiary. Other subsidiaries then built on this initial operating model to meet their specific needs. The customer now uses Azure Blueprints and Azure Policy to deploy self-service landing zones to comply with global and local standards. Azure landing zones enabled the customer to successfully mitigate complexity and mold the cloud platform architecture to fit the centralized operating model they were looking for.
The second example comes from one of our customers in Germany preparing to move thousands of servers to Azure. Most of those servers hosted low-complexity, steady-state workloads governed by central operations on-premises. As part of the migration effort, the customer needed to transform and modernize IT operations, including adherence to high security and compliance requirements that were to take effect. In eight weeks, this customer was able to start an Azure environment in alignment with the transformation vision while meeting the new security and compliance requirements. The enterprise-scale flavor of Azure landing zones provided implementation options needed for the destination to meet stringent requirements and enabled the enterprise transformation vision.
For an overview of landing zones and the considerations you should make when building your landing zone in Azure, view this Azure landing zones video.
How are Azure landing zones constructed?
To construct Azure landing zones, customers and partners first clarify how they prefer to deploy their landing zones. Next up are decisions on “design area” configuration options. Let’s take a look at a couple of the “design areas” to demonstrate how they contribute to the construction of landing zones.
- Deployment options: How to deploy Azure landing zones is an important early design decision. Each implementation option provides slightly different methods to match the skill level of your team and the operating model. User-interface-based options and scripting-based methods, as well as deployments directly from GitHub, are available.
- Identity: Best practice guidance and enabling capabilities such as Azure Active Directory, Azure role-based access control (RBAC), and Azure Policy help establish and preserve the right levels of identity and access across the cloud platform. The best practices, decision guides, and references in Azure landing zones help design the foundation with a secure and compliant approach.
- Resource organization: Sound governance starts with standards for organizing resources. Naming and tagging standards, subscription design (segmentation of resources), and management group hierarchy (consistent organization of segments) are needed to reflect operating model preferences. Landing zones provide the guidance to get started.
- Business continuity and disaster recovery (BCDR): Reliability and rapid recovery are essential for business continuity. Design areas within landing zones guide customers to set up destination environments with high degrees of protection and faster recovery options.
“The landing zone that serves as a foundation for customers’ identity, security, networking, operations and governance needs tends to be a lynchpin of success for future migrations. Claranet prides itself on getting this right in addition to helping build an excellent post-migration operational model. Our collaboration with the Azure Migration Program (AMP) team was tremendously helpful to our customers, bringing the best of what we have with Microsoft’s recommendations and focusing on landing zone to better prepare for their growing cloud portfolio.”
Mark Turner, Cloud Business Unit Director, Claranet
Getting started with Azure landing zones
To guide our customers and partners in getting cloud destination environments ready with Azure landing zones, the Ready section of the Cloud Adoption Framework (CAF) provides step-by-step, prescriptive guidance. We recommend that customers start with the following three steps within CAF to educate and activate their migration crews:
- Begin by determining which cloud operating model reflects the right balance for your agility and governance needs.
- Continue onto "design areas" for Azure landing zones for an overview of the configuration options available to achieve your operating model.
- Select an Azure landing zone implementation option to match your selected operating model, migration scope, and velocity. Once you’ve identified the best option, deployment instructions and supporting scripts can automatically deploy reference implementations of each Azure landing zone.
Customers truly realize the value of migrations once they have started operating from the cloud. Cloud destinations that enable innovation and agility while ensuring governance and security are key to accelerating that value realization. Azure landing zones are ready to guide customers and partners in setting up cloud destinations and, more importantly, in setting up post-migration success.