Azure Landing Zone Implementation
Apr 03, 2023
This case study talks about, a health giant with a global presence, that wanted to implement an Azure landing zone to establish a secure and scalable cloud environment. This use case is aimed to improve security, governance, and control for all the existing and future subscriptions in the customer’s Azure account. The key security aspects that the Cloud Infrastructure team covered were security control policies, proactive remediation, identity and access management policies and roles, cloud security and configuration tooling, alerting, and monitoring, and iteratively evolving and improving overall governance and control.
To build a secure landing zone in Azure with proper organizational structure and security boundaries which can incorporate cloud-native services with appropriate privilege identity controls and provide management of cloud resources and ensure compliance with organizational standards and regulations with RBAC. Designing a solution that is ideal for several subscriptions, users, and segmented architecture with segregated environments was our ultimate objective.
After identifying the challenges faced by the customer, Intuitive.Cloud helped the customer with their multi-subscription strategy by setting up an Azure landing zone. Intuitive.Cloud worked closely with the customer to understand its requirements and goals and designed an Azure landing zone that met the organization's needs. An Azure landing zone is the output of a multi-subscription Azure environment that accounts for scale, security governance, networking, and identity. An Azure landing zone enables application migration, modernization, and innovation at an enterprise scale in Azure.
The Azure landing zone was built using terraform templates. The terraform templates were used to deploy foundational resources, such as virtual networks, subnets, network security groups, and storage accounts. As part of detective controls in Azure environment:
- Implemented Azure defender
- Implemented Azure Advance Threat Protection
- Implemented Azure Sentinel for SIEM solution
With centralized monitoring and logging, Azure AD logs, user activity, and Network flow logs are aggregated in log analytics workspace & dashboard is created in Azure monitor for better visibility. Logic apps are configured to be triggered from event hub based on the log analytics events, and resource utilization thresholds.
The Azure landing zone was designed to meet the organization's compliance requirements. The organization's data was classified based on its sensitivity, and appropriate security controls were implemented to protect the data. The Azure landing zone was also configured to meet the organization's compliance requirements, such as HIPAA. The organization's security and compliance teams were involved in the process to ensure that the Azure landing zone met their standards.
After assessing the customer’s environment and thoroughly understanding their requirements the Intuitive.Cloud Engineering team deployed the entire Landing Zone solution using Terraform.
- Created the Azure management group and account structure.
- Integrated Azure Active Directory with Customer’s on-premises AD.
- Centralized Terraform tooling to enable infrastructure provisioning across all the Azure Accounts.
- Enabled the Azure Security Center
- Custom Azure Policy implemented to strengthen the security posture
- Created centralized Azure Blob Storage for Azure Monitor Logs
- Connections using ExpressRoute and Azure WAN for the Azure Virtual Network (VNet) peering model
- Inspection VNets were deployed to inspect the ingress and egress traffic using Palo-Alto firewall
- Enrolled all the existing accounts in a controlled manner
- In the end, Intuitive.Cloud delivered a complete engineering design supporting runbooks, platform designs and configurations, and a comprehensive knowledge transfer plan to the customer’s business and technology teams
Results and Impact
After the successful deployment of the Landing Zone solution, the customer observed the following benefits:
- Data protection with appropriate security controls in place.
- A robust organizational structure with appropriate security boundaries and privilege identity and access controls.
- A HIPAA-compliant, secure, multi-subscription Azure environment.
- Azure Security Center and Azure Monitor Logs provided better visibility and control over their resources and their access.
- Realized cost savings using Azure Reserved Instances, Azure Hybrid Benefit, and other cost-saving measures.
- Achieved a highly scalable and available Azure environment
- Centralized toolchain for infrastructure provisioning using terraform
- Ability to iteratively evolve and improve their overall governance and control across all the Azure accounts
- Centralized security policies for their accounts
A Landing zone forms the baseline for any organization’s cloud adoption journey. It is extremely crucial for a Healthcare organization that its security, governance, and compliance requirements are never compromised. Therefore, by careful planning with Intuitive.Cloud’s Engineering team, the customer was able to build a strong, secure, and compliant foundation for beginning its cloud adoption journey. The organization also experienced cost reductions and improved efficiency. Moreover, with the right industry-standard best practices in place, they achieved a secure, scalable, and highly available Azure environment to accelerate their cloud adoption journey.