From df21658a0a87a2920ab23f0c7d5da7cef8a6b86f Mon Sep 17 00:00:00 2001 From: Luke Murray <24467442+lukemurraynz@users.noreply.github.com> Date: Sat, 24 Jun 2023 17:54:25 +1200 Subject: [PATCH 1/6] Update index.md - Increase readability Increase readability --- docs/ready/landing-zone/index.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/ready/landing-zone/index.md b/docs/ready/landing-zone/index.md index 6ddc5375fc..09d90cd3b1 100644 --- a/docs/ready/landing-zone/index.md +++ b/docs/ready/landing-zone/index.md 
@@ -16,16 +16,16 @@ An Azure landing zone is an environment that follows key design principles acros ## Azure landing zone architecture -An Azure landing zone architecture is scalable and modular to meet a range of deployment needs. A repeatable infrastructure allows you to consistently apply configurations and controls to every subscription. Modules make it easy to deploy and modify specific components of the Azure landing zone architecture as your requirements evolve. +An Azure landing zone architecture is scalable and modular to meet various deployment needs. A repeatable infrastructure allows you to apply configurations and controls to every subscription consistently. Modules make it easy to deploy and modify specific Azure landing zone architecture components as your requirements evolve. -The Azure landing zone conceptual architecture (*see figure 1*) represents an opinionated, target architecture for your Azure landing zone. You should use this conceptual architecture as a starting point and [tailor the architecture to meet your needs](./tailoring-alz.md). +The Azure landing zone conceptual architecture (*see figure 1*) represents an opinionated target architecture for your Azure landing zone. You should use this conceptual architecture as a starting point and [tailor the architecture to meet your needs](./tailoring-alz.md). :::image type="content" source="../enterprise-scale/media/ns-arch-cust-expanded.svg" alt-text="A conceptual architecture diagram of an Azure landing zone." lightbox="../enterprise-scale/media/ns-arch-cust-expanded.svg"::: *Figure 1: Azure landing zone conceptual architecture. Download a [Visio file](https://raw.githubusercontent.com/microsoft/CloudAdoptionFramework/master/ready/enterprise-scale-architecture.vsdx) of this architecture.* **Design areas:** The conceptual architecture illustrates the relationships between its eight design areas. 
These design areas are Azure billing and Azure Active Directory tenant (A), identity and access management (B), resource organization (C), network topology and connectivity (E), security (F), management (D, G, H), governance (C, D), and platform automation and DevOps (I). For more information on the design areas, see [the Azure Landing Zone environment design areas](./design-areas.md#environment-design-areas). -**Resource organization:** The conceptual architecture shows a sample management group hierarchy. It organizes subscriptions (yellow boxes) by management group. The subscriptions under the "Platform" management group represent the platform landing zones. The subscriptions under the "Landing zone" management group represent the application landing zones. The conceptual architecture shows five subscriptions in detail. You can see the resources in each subscription and the policies applied. +**Resource organization:** The conceptual architecture shows a sample management group hierarchy. It organizes subscriptions (yellow boxes) by the management group. The "Platform" management group subscriptions represent the platform landing zones. The subscriptions under the "Landing zone" management group represent the application landing zones. The conceptual architecture shows five subscriptions in detail. You can see the resources in each subscription and the policies applied. ### Platform landing zones vs. application landing zones 
@@ -33,23 +33,23 @@ An Azure landing zone consists of platform landing zones and application landing **Platform landing zone:** A platform landing zone is a subscription that provides shared services (identity, connectivity, management) to applications in application landing zones. Consolidating these shared services often improves operational efficiency. One or more central teams manage the platform landing zones. In the conceptual architecture (*see figure 1*), the "Identity subscription", "Management subscription", and "Connectivity subscription" represent three different platform landing zones. The conceptual architecture shows these three platform landing zones in detail. It depicts representative resources and policies applied to each platform landing zone. -**Application landing zone:** An application landing zone is a subscription for hosting an application. You pre-provision application landing zones through code, and use management groups to assign policy controls to them. In the conceptual architecture (*see figure 1*), the "Landing zone A1 subscription" and "Landing zone A2 subscription" represent two different application landing zones. The conceptual architecture shows only the "Landing zone A2 subscription" in detail. It depicts representative resources and policies applied to the application landing zone. +**Application landing zone:** An application landing zone is a subscription for hosting an application. You pre-provision application landing zones through code and use management groups to assign policy controls to them. In the conceptual architecture (*see figure 1*), the "Landing zone A1 subscription" and "Landing zone A2 subscription" represent two different application landing zones. The conceptual architecture shows only the "Landing zone A2 subscription" in detail. It depicts representative resources and policies applied to the application landing zone. -There are three main approaches to managing application landing zones. 
You should use a (1) central team, (2) application team, or (3) shared team management approach depending on your needs (*see table*). +There are three main approaches to managing application landing zones. You should use a (1) central team, (2) application team, or (3) shared team management approach, depending on your needs (*see table*). | Application landing zone management approach | Description | | --- | --- | -| Central team management | A central IT team fully operates the landing zone. The team applies controls and platform tools to both the platform landing zones and application landing zones. -| Application team management | A platform administration team delegates the entire application landing zone to an application team. The application team manages and supports the environment. The management group policies ensure that the platform team still governs the application landing zone. You can add other policies at the subscription scope and use alternative tooling for deploying, securing, or monitoring application landing zones.| -| Shared management | With technology platforms such as AKS or AVS, a central IT team manages the underlying service. The application teams are responsible for the applications running on top of the technology platforms. You need to use different controls or access permissions for this model. These controls and permissions differ from the ones you use to centrally manage application landing zones. +| Central team management | A central IT team fully operates the landing zone. The team applies controls and platform tools to the platform and application landing zones. +| Application team management | A platform administration team delegates the entire application landing zone to an application team. The application team manages and supports the environment. The management group policies ensure the platform team still governs the application landing zone. 
You can add other policies at the subscription scope and use alternative tooling for deploying, securing, or monitoring application landing zones.| +| Shared management | With technology platforms such as AKS or AVS, a central IT team manages the underlying service. The application teams are responsible for the applications running on top of the technology platforms. You need to use different controls or access permissions for this model. These controls and permissions differ from the ones you use to manage application landing zones centrally. ## Azure landing zone accelerators -Accelerators are infrastructure-as-code implementations that help you deploy an Azure landing zone the right way. We have a platform landing zone accelerator and several application landing zone accelerators that you can deploy. +Accelerators are infrastructure-as-code implementations that help you deploy an Azure landing zone correctly. We have a platform landing zone accelerator and several application landing zone accelerators you can deploy. ### Platform landing zone accelerator -There's a ready-made deployment experience called the **Azure landing zone portal accelerator**. The Azure landing zone portal accelerator deploys the conceptual architecture (*see figure 1*) and applies predetermined configurations to key components such as management groups and policies. It's suitable for organizations where the conceptual architecture aligns with the planned operating model and resource structure. +There's a ready-made deployment experience called the **Azure landing zone portal accelerator**. The Azure landing zone portal accelerator deploys the conceptual architecture (*see figure 1*) and applies predetermined configurations such as management groups and policies. It suits organizations whose conceptual architecture aligns with the planned operating model and resource structure. 
You should use the Azure landing zone portal accelerator if you plan to manage your environment with the Azure portal. If you want to use Bicep or Terraform, see the [Bicep and Terraform deployment options](/azure/architecture/landing-zones/landing-zone-deploy#platform). Deploying the Azure landing zone portal accelerator requires permissions to create resources at the tenant (`/`) scope. Follow the guidance in [Tenant deployments with ARM templates: Required access](/azure/azure-resource-manager/templates/deploy-to-tenant?tabs=azure-powershell#required-access) to grant these permissions. @@ -70,7 +70,7 @@ Application landing zone accelerators help you deploy application landing zones. ## Next steps -An Azure landing zone is an environment adheres to key design principles across eight design areas. You should familiarize yourself with these design principles to tailor them to your needs. +An Azure landing zone is an environment that adheres to crucial design principles across eight design areas. You should familiarize yourself with these design principles to tailor them to your needs. > [!div class="nextstepaction"] > [Design principles](./design-principles.md) From 2d2397cbc8b4e963442b024f3558363dacebc069 Mon Sep 17 00:00:00 2001 From: Bryan Lamos Date: Fri, 4 Aug 2023 11:51:13 -0700 Subject: [PATCH 2/6] Per Microsoft style guide --- docs/ready/landing-zone/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ready/landing-zone/index.md b/docs/ready/landing-zone/index.md index 09d90cd3b1..170b3f4f26 100644 --- a/docs/ready/landing-zone/index.md +++ b/docs/ready/landing-zone/index.md 
@@ -40,7 +40,7 @@ There are three main approaches to managing application landing zones. You shoul | Application landing zone management approach | Description | | --- | --- | | Central team management | A central IT team fully operates the landing zone. The team applies controls and platform tools to the platform and application landing zones. -| Application team management | A platform administration team delegates the entire application landing zone to an application team. The application team manages and supports the environment. The management group policies ensure the platform team still governs the application landing zone. You can add other policies at the subscription scope and use alternative tooling for deploying, securing, or monitoring application landing zones.| +| Application team management | A platform administration team delegates the entire application landing zone to an application team. The application team manages and supports the environment. The management group policies ensure that the platform team still governs the application landing zone. You can add other policies at the subscription scope and use alternative tooling for deploying, securing, or monitoring application landing zones.| | Shared management | With technology platforms such as AKS or AVS, a central IT team manages the underlying service. The application teams are responsible for the applications running on top of the technology platforms. You need to use different controls or access permissions for this model. These controls and permissions differ from the ones you use to manage application landing zones centrally. ## Azure landing zone accelerators From a7cc11da412cea5886aaa2707f1176f698cf26ca Mon Sep 17 00:00:00 2001 
From: Bryan Lamos Date: Fri, 4 Aug 2023 11:56:12 -0700 Subject: [PATCH 3/6] Revert to original text "under" is used in this paragraph a few times, in the literal sense of the subscriptions being under the management group in the diagram --- docs/ready/landing-zone/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ready/landing-zone/index.md b/docs/ready/landing-zone/index.md index 170b3f4f26..163d1c6989 100644 --- a/docs/ready/landing-zone/index.md +++ b/docs/ready/landing-zone/index.md 
@@ -25,7 +25,7 @@ The Azure landing zone conceptual architecture (*see figure 1*) represents an op **Design areas:** The conceptual architecture illustrates the relationships between its eight design areas. These design areas are Azure billing and Azure Active Directory tenant (A), identity and access management (B), resource organization (C), network topology and connectivity (E), security (F), management (D, G, H), governance (C, D), and platform automation and DevOps (I). For more information on the design areas, see [the Azure Landing Zone environment design areas](./design-areas.md#environment-design-areas). -**Resource organization:** The conceptual architecture shows a sample management group hierarchy. It organizes subscriptions (yellow boxes) by the management group. The "Platform" management group subscriptions represent the platform landing zones. The subscriptions under the "Landing zone" management group represent the application landing zones. The conceptual architecture shows five subscriptions in detail. You can see the resources in each subscription and the policies applied. +**Resource organization:** The conceptual architecture shows a sample management group hierarchy. It organizes subscriptions (yellow boxes) by the management group. The subscriptions under the "Platform" management group represent the platform landing zones. The subscriptions under the "Landing zone" management group represent the application landing zones. The conceptual architecture shows five subscriptions in detail. You can see the resources in each subscription and the policies applied. ### Platform landing zones vs. application landing zones From 916df7ddc6a013d64dbb28c4e2fcd14edc2fa3c2 Mon Sep 17 00:00:00 2001 
From: Bryan Lamos Date: Fri, 4 Aug 2023 11:58:11 -0700 Subject: [PATCH 4/6] Revert It's more obvious without "the" that a subscription aligns to one of several management groups --- docs/ready/landing-zone/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ready/landing-zone/index.md b/docs/ready/landing-zone/index.md index 163d1c6989..e6f8240426 100644 --- a/docs/ready/landing-zone/index.md +++ b/docs/ready/landing-zone/index.md 
@@ -25,7 +25,7 @@ The Azure landing zone conceptual architecture (*see figure 1*) represents an op **Design areas:** The conceptual architecture illustrates the relationships between its eight design areas. These design areas are Azure billing and Azure Active Directory tenant (A), identity and access management (B), resource organization (C), network topology and connectivity (E), security (F), management (D, G, H), governance (C, D), and platform automation and DevOps (I). For more information on the design areas, see [the Azure Landing Zone environment design areas](./design-areas.md#environment-design-areas). -**Resource organization:** The conceptual architecture shows a sample management group hierarchy. It organizes subscriptions (yellow boxes) by the management group. The subscriptions under the "Platform" management group represent the platform landing zones. The subscriptions under the "Landing zone" management group represent the application landing zones. The conceptual architecture shows five subscriptions in detail. You can see the resources in each subscription and the policies applied. +**Resource organization:** The conceptual architecture shows a sample management group hierarchy. It organizes subscriptions (yellow boxes) by management group. The subscriptions under the "Platform" management group represent the platform landing zones. The subscriptions under the "Landing zone" management group represent the application landing zones. The conceptual architecture shows five subscriptions in detail. You can see the resources in each subscription and the policies applied. ### Platform landing zones vs. application landing zones From 2a4101b92478bcd08d0e63883c56c76624fe725b Mon Sep 17 00:00:00 2001 From: Bryan Lamos Date: Fri, 4 Aug 2023 11:59:41 -0700 Subject: [PATCH 5/6] remove extra space --- docs/ready/landing-zone/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/ready/landing-zone/index.md b/docs/ready/landing-zone/index.md index e6f8240426..924d312d28 100644 --- a/docs/ready/landing-zone/index.md +++ b/docs/ready/landing-zone/index.md @@ -25,7 +25,7 @@ The Azure landing zone conceptual architecture (*see figure 1*) represents an op **Design areas:** The conceptual architecture illustrates the relationships between its eight design areas. These design areas are Azure billing and Azure Active Directory tenant (A), identity and access management (B), resource organization (C), network topology and connectivity (E), security (F), management (D, G, H), governance (C, D), and platform automation and DevOps (I). For more information on the design areas, see [the Azure Landing Zone environment design areas](./design-areas.md#environment-design-areas). -**Resource organization:** The conceptual architecture shows a sample management group hierarchy. It organizes subscriptions (yellow boxes) by management group. The subscriptions under the "Platform" management group represent the platform landing zones. The subscriptions under the "Landing zone" management group represent the application landing zones. The conceptual architecture shows five subscriptions in detail. You can see the resources in each subscription and the policies applied. +**Resource organization:** The conceptual architecture shows a sample management group hierarchy. It organizes subscriptions (yellow boxes) by management group. The subscriptions under the "Platform" management group represent the platform landing zones. The subscriptions under the "Landing zone" management group represent the application landing zones. The conceptual architecture shows five subscriptions in detail. You can see the resources in each subscription and the policies applied. ### Platform landing zones vs. application landing zones From 7b24e4dae01dc7df1fa8d7062c29c0878414ae8c Mon Sep 17 00:00:00 2001 
From: Bryan Lamos Date: Fri, 4 Aug 2023 12:08:25 -0700 Subject: [PATCH 6/6] revert The term "configurations" applies to the components themselves (management groups and policies). The components are not "configurations". --- docs/ready/landing-zone/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ready/landing-zone/index.md b/docs/ready/landing-zone/index.md index 924d312d28..7654f17688 100644 --- a/docs/ready/landing-zone/index.md +++ b/docs/ready/landing-zone/index.md 
@@ -49,7 +49,7 @@ Accelerators are infrastructure-as-code implementations that help you deploy an ### Platform landing zone accelerator -There's a ready-made deployment experience called the **Azure landing zone portal accelerator**. The Azure landing zone portal accelerator deploys the conceptual architecture (*see figure 1*) and applies predetermined configurations such as management groups and policies. It suits organizations whose conceptual architecture aligns with the planned operating model and resource structure. +There's a ready-made deployment experience called the **Azure landing zone portal accelerator**. The Azure landing zone portal accelerator deploys the conceptual architecture (*see figure 1*) and applies predetermined configurations to key components such as management groups and policies. It suits organizations whose conceptual architecture aligns with the planned operating model and resource structure. You should use the Azure landing zone portal accelerator if you plan to manage your environment with the Azure portal. If you want to use Bicep or Terraform, see the [Bicep and Terraform deployment options](/azure/architecture/landing-zones/landing-zone-deploy#platform). Deploying the Azure landing zone portal accelerator requires permissions to create resources at the tenant (`/`) scope. Follow the guidance in [Tenant deployments with ARM templates: Required access](/azure/azure-resource-manager/templates/deploy-to-tenant?tabs=azure-powershell#required-access) to grant these permissions.
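Review bot: In PATCH 1/6, hunk `@@ -16,16 +16,16 @@`, the Resource organization paragraph loses its parallel structure and its precision. "The "Platform" management group subscriptions" no longer matches the next sentence, "The subscriptions under the "Landing zone" management group", and "by the management group" reads as if the hierarchy had a single management group. PATCH 3/6 and 4/6 revert both wordings, and 5/6 fixes whitespace left by 4/6. Consider squashing those three into 1/6 so the history does not carry the intermediate regressions.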
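Review bot: In PATCH 1/6, hunk `@@ -33,23 +33,23 @@`, the rewritten "Central team management" and "Shared management" table rows still end without a closing `|`, while the "Application team management" row ends with "landing zones.|". Since the patch already replaces all three rows, close the first and third rows with a trailing pipe so the table source is consistent. PATCH 2/6 touches the same table and carries the unterminated rows through as context.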
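Review bot: In PATCH 1/6, hunk `@@ -70,7 +70,7 @@`, the Next steps sentence changes "key design principles" to "crucial design principles", which now disagrees with the page's opening sentence, visible in the first hunk header as "An Azure landing zone is an environment that follows key design principles". The added "that" is a real grammar fix and should stay. Suggest "an environment that adheres to key design principles across eight design areas" so the summary uses the same term as the introduction.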
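Review bot: In PATCH 6/6, hunk `@@ -49,7 +49,7 @@`, the revert restores "to key components" but the added line keeps "It suits organizations whose conceptual architecture aligns with the planned operating model and resource structure" from PATCH 1/6. That changes the meaning: the conceptual architecture is the Azure landing zone one shown in figure 1, not something the organization owns. The pre-series text was "It's suitable for organizations where the conceptual architecture aligns with the planned operating model and resource structure"; suggest restoring that sentence in the same commit.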