Azure Landing Zones: Beyond Enterprise
Building a personal cloud lab doesn’t mean compromising on architecture. The Lite-CAF approach brings enterprise-grade structure to personal projects without the overhead.
Why Landing Zones Matter
Even for a single subscription, a Landing Zone provides:
- Governance: Policies that prevent misconfigurations before they happen
- Security: RBAC and network isolation from day one
- Cost Control: Budget alerts and spending boundaries
- Scalability: When your side project becomes serious
The Lite-CAF Architecture
Management Group Hierarchy
A simplified management group tree that retains the CAF spirit:
- Root Management Group
- Platform (Hub networking, shared services)
- Workloads
- Sandbox (experiments, no policies)
- Corp (internal tools, moderate policies)
- Online (public-facing, strict policies)
Subscription Vending
Automated subscription provisioning with Terraform:
- Archetype-based configuration (Sandbox / Corp / Online)
- Automatic VNet peering to hub
- RBAC assignment based on workload type
- Budget alerts and cost tags
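A sketch of the archetype-driven vending step described above, added here as an illustration and not taken from the Lite-CAF code itself. It covers management group placement, RBAC and the budget alert only (hub peering and tags are left out); the management group names, role choices, budget amounts and variable names are assumptions.

```hcl
# Added example: all names, roles and amounts are illustrative assumptions.
variable "subscription_id" { type = string }       # GUID of an existing subscription
variable "workload_principal_id" { type = string } # object ID of the workload's managed identity
variable "alert_email" { type = string }
variable "budget_start" { type = string }          # first day of a month, RFC 3339
variable "archetype" {
  type = string
  validation {
    condition     = contains(["sandbox", "corp", "online"], var.archetype)
    error_message = "archetype must be one of: sandbox, corp, online."
  }
}

locals {
  # One row per archetype: target management group, role granted, monthly budget.
  archetypes = {
    sandbox = { mg = "mg-sandbox", role = "Contributor", budget = 20 }
    corp    = { mg = "mg-corp", role = "Contributor", budget = 50 }
    online  = { mg = "mg-online", role = "Reader", budget = 100 }
  }
  selected = local.archetypes[var.archetype]
  scope    = "/subscriptions/${var.subscription_id}"
}

data "azurerm_management_group" "target" {
  name = local.selected.mg
}

# Placing the subscription under the management group makes it inherit that group's policies.
resource "azurerm_management_group_subscription_association" "placement" {
  management_group_id = data.azurerm_management_group.target.id
  subscription_id     = local.scope
}

resource "azurerm_role_assignment" "workload" {
  scope                = local.scope
  role_definition_name = local.selected.role
  principal_id         = var.workload_principal_id
}

resource "azurerm_consumption_budget_subscription" "monthly" {
  name            = "budget-${var.archetype}"
  subscription_id = local.scope
  amount          = local.selected.budget
  time_grain      = "Monthly"
  time_period { start_date = var.budget_start }
  notification {
    enabled        = true
    threshold      = 80 # percent of the budget amount
    operator       = "GreaterThan"
    contact_emails = [var.alert_email]
  }
}
```

Because the archetype is validated and everything else is looked up from one map, a subscription cannot be vended with a role or budget that does not match its management group.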
Key Decisions
| Decision | Choice | Rationale |
|---|---|---|
| IaC Tool | Terraform | Multi-cloud flexibility |
| CI/CD | Azure DevOps | Native integration |
| Identity | Managed Identity | No secrets to manage |
| Networking | Hub-Spoke | Simple, proven pattern |
“The best landing zone is the one you actually deploy.”