
Updating your Azure landing zones

Today we're discussing how to update your Azure landing zones, with host Thomas Maurer and guests Jan Faurskov and Paul Grimley from the Azure landing zone team.

Landing zones are a great way to build your Azure environment using best practices, giving you a platform on which to deploy apps and services. A question Paul and Jan get asked a lot is: "once you've deployed Azure landing zones, how do you keep them up to date?"


What are some of the challenges you face in keeping your Azure landing zone up-to-date?

Paul highlighted some of the challenges in keeping an Azure landing zone up to date. In his experience, maintaining Azure landing zones has varying levels of complexity depending on how they were deployed, whether through Bicep, the Azure portal or Terraform. Customers can subscribe to the Azure landing zone repo to follow changes, but the team develops Azure landing zones very actively, so subscribing produces a large volume of notifications and it is hard to pick out the information you actually need. For that reason Paul's team created the "What's new" section, which is updated with the guidance changes and updates that have occurred during the month. The recommendation is that customers review it every month, combing through the changes to see what is relevant to them and what is new.

The other thing Paul's team hears is that the cost of change is seen as greater than the cost of staying the same. This material is there to inform customers of the value of keeping up with the Azure landing zone changes that have occurred and why they should do so: new services and features keep arriving in the cloud, which is great, but your environment has to keep up to take advantage of them.


What does it take to update Azure landing zones?

When you deploy an Azure landing zone reference implementation, whether through the Azure portal, Bicep or Terraform, it takes a snapshot of the Azure landing zone guidance and code as they stand at that point in time. From then on a customer's environment can drift from the latest enhancements Microsoft has made to the guidance and the reference implementations. Azure Policy sits at the center of Azure landing zones, providing policy-driven governance and guardrails: alongside the built-in policies there is an Azure landing zone library of custom policies that are deployed and assigned as part of the reference implementations. Paul heard from customers that these policies were complex to update, that clear guidance was lacking, and that they struggled with the permutations that arose. For example, how do they deprecate Azure landing zone custom policies? How do they take on the updates Microsoft makes to custom policies, which the Azure landing zone team continues to maintain and evolve as part of each Azure landing zone update? Microsoft needed a clear process for keeping customers' investments in Azure landing zones in step with the evolution Paul's team makes.


What guidance is provided to assist customers in updating their Azure landing zones?

Jan and team have created an overview page in the Cloud Adoption Framework (CAF) documentation, which is the initial landing page for guidance on why you should keep your Azure landing zones updated.


There are several reasons to keep your Azure landing zones updated. The first is to maintain improved security: as new threats emerge, Azure landing zones evolve to meet them, and customer implementations should follow suit to maintain the recommended security posture.


The second reason is to avoid platform configuration drift. As things change, technical debt accumulates, so to keep it to a minimum the implementation should be reviewed regularly and updated where required.


Another reason is to optimize for Azure improvements. As the Azure platform evolves, new services become available that should be included in Azure landing zone reference implementations, while other services may be deprecated and should be reconsidered.


(Image: Keep your Azure landing zone up to date)


Lastly, get support. A landing zone, as a deployable reference implementation, is an open-source project, so support is limited to community engagement; the closer your implementation stays to the current Azure landing zone version, the more likely community support is.


At the bottom of the article there are links to two articles on how to go about it: Migrate landing zone custom policies to Azure built-in policies, and Update Azure landing zone custom policies to newer versions.


The Update Azure landing zone custom policies to newer versions guidance covers drift detection: comparing a customer's Azure tenant to the Azure landing zone baseline, where Azure Governance Visualizer provides a simple way to compare and list details on each policy in the customer's environment.


To accompany drift detection there is also a document in the Azure landing zone GitHub repo that lists deprecated ALZ components. Depending on the outcome of the drift detection, guidance is provided on how to migrate Azure landing zone policies to Azure built-in policies or how to update Azure landing zone custom policies.
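The drift check described across the last few paragraphs, as an added example that is not the page's or the ALZ project's own code (AzGovViz does this comparison with far more depth): it takes an ALZ baseline and a tenant export of custom policy definitions and assignments, and sorts each definition into the two remediation paths the guidance above distinguishes, update the custom policy to the newer version, or migrate to the built-in policy that supersedes it, while also flagging definitions that are missing, locally modified, or customer-specific. The metadata keys `version`, `deprecated` and `supersededBy` follow the convention the ALZ repo uses for its custom policies; every definition name, version, assignment and the placeholder built-in ID below are constructed for this example, and the `az` commands named in the docstring are how you would obtain real inputs.

```python
"""Offline drift check: a tenant's ALZ custom policy definitions vs the ALZ baseline.

Added example, not AzGovViz or ALZ project code. In practice the baseline is the
policy definition JSON from the ALZ repo and the tenant side comes from
`az policy definition list --management-group <mg>` and
`az policy assignment list --scope <mg-scope>`; here both are constructed inline
so the script runs offline.
"""
import json
from typing import Any, Dict, List, Tuple

# Stand-in for a built-in definition ID (real ones are GUIDs under this path).
PLACEHOLDER_BUILTIN = ("/providers/Microsoft.Authorization/policyDefinitions/"
                       "00000000-0000-0000-0000-000000000000")
# Custom definitions live under the management group they were deployed to.
MG_DEFS = ("/providers/Microsoft.Management/managementGroups/contoso"
           "/providers/Microsoft.Authorization/policyDefinitions/")

# Constructed baseline. metadata.version / deprecated / supersededBy follow the
# convention the ALZ repo uses for its custom policies; the entries are invented.
ALZ_BASELINE_JSON = """[
  {"name": "Deny-Public-IP",           "properties": {"metadata": {"version": "1.1.0"}}},
  {"name": "Deploy-Diag-LogAnalytics", "properties": {"metadata": {"version": "2.0.0"}}},
  {"name": "Append-KV-SoftDelete",     "properties": {"metadata": {"version": "1.0.0"}}},
  {"name": "Deny-Storage-HttpOnly",    "properties": {"metadata": {"version": "1.0.0",
      "deprecated": true, "supersededBy": "%s"}}}
]""" % PLACEHOLDER_BUILTIN

# Constructed tenant export: one definition behind, one deprecated one still
# present (and assigned), one missing, and one the customer wrote themselves.
TENANT_DEFS_JSON = """[
  {"name": "Deny-Public-IP",           "properties": {"metadata": {"version": "1.0.0"}}},
  {"name": "Deploy-Diag-LogAnalytics", "properties": {"metadata": {"version": "2.0.0"}}},
  {"name": "Deny-Storage-HttpOnly",    "properties": {"metadata": {"version": "1.0.0"}}},
  {"name": "Contoso-Deny-SKU",         "properties": {"metadata": {"version": "0.1.0"}}}
]"""
TENANT_ASSIGNMENTS_JSON = """[
  {"name": "deny-http-storage", "properties": {"policyDefinitionId": "%sDeny-Storage-HttpOnly"}},
  {"name": "deny-public-ip",    "properties": {"policyDefinitionId": "%sDeny-Public-IP"}}
]""" % (MG_DEFS, MG_DEFS)


def parse_version(text: Any) -> Tuple[int, ...]:
    """'1.2.0' -> (1, 2, 0); a missing or unparseable version sorts lowest."""
    try:
        return tuple(int(part) for part in text.split("."))
    except (AttributeError, ValueError):
        return (0,)


def metadata_by_name(definitions: List[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Map definition name -> its metadata block ({} when absent)."""
    return {d["name"]: (d.get("properties") or {}).get("metadata") or {} for d in definitions}


def detect_drift(baseline: List[Dict[str, Any]], tenant: List[Dict[str, Any]],
                 assignments: List[Dict[str, Any]]) -> Dict[str, list]:
    """Bucket every definition into the remediation path the ALZ guidance distinguishes."""
    base, ours = metadata_by_name(baseline), metadata_by_name(tenant)

    # Which definitions are actually assigned; the last path segment is the definition name.
    assigned: Dict[str, List[str]] = {}
    for a in assignments:
        def_name = a["properties"]["policyDefinitionId"].rsplit("/", 1)[-1]
        assigned.setdefault(def_name, []).append(a["name"])

    report: Dict[str, list] = {"missing": [], "outdated": [], "locally_modified": [],
                               "deprecated": [], "current": [], "custom": []}
    for name, meta in sorted(base.items()):
        if meta.get("deprecated"):
            # Migrate path: still deployed -> re-point assignments at supersededBy, then remove.
            if name in ours:
                report["deprecated"].append({"name": name,
                                             "superseded_by": meta.get("supersededBy"),
                                             "assignments": assigned.get(name, [])})
            continue  # a deprecated definition that is already gone is not drift
        if name not in ours:
            report["missing"].append(name)
            continue
        entry = {"name": name, "tenant": ours[name].get("version"),
                 "baseline": meta.get("version")}
        tenant_v, base_v = parse_version(entry["tenant"]), parse_version(entry["baseline"])
        if tenant_v < base_v:
            report["outdated"].append(entry)          # update path: take the newer ALZ version
        elif tenant_v > base_v:
            report["locally_modified"].append(entry)  # customer edited it; review before updating
        else:
            report["current"].append(name)

    # Customer-authored definitions are not ALZ drift but are listed so nothing is silently ignored.
    report["custom"] = sorted(n for n in ours if n not in base)
    return report


def run_sample() -> Dict[str, list]:
    return detect_drift(json.loads(ALZ_BASELINE_JSON), json.loads(TENANT_DEFS_JSON),
                        json.loads(TENANT_ASSIGNMENTS_JSON))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

Run as a script it prints the JSON report. The `deprecated` bucket is the one to handle first: a deprecated custom definition that still has assignments cannot simply be deleted, because the assignments have to be re-pointed at the superseding built-in before the definition is removed, which is exactly the sequence the migration guidance walks through. Definitions that land in `locally_modified` deserve a manual diff before you overwrite them with the newer ALZ version, since the customer's change will otherwise be lost.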


There is also an article, Use infrastructure as code to update Azure landing zones, and step-by-step guidance in the Azure landing zone repo that walks through the low-level process for both updating custom policies and transitioning to built-in policies.


Where should customers go to get started?

  • Familiarize yourself with the documentation at aka.ms/alz/update; the links there take you to the deeper instruction set.
  • To keep up with the latest updates to Enterprise-Scale/Azure landing zones, visit aka.ms/alz/whatsnew, which is updated monthly.
  • As Microsoft develops policies and services further, one or more Azure landing zone (ALZ) components may be superseded and need to be deprecated; you can find more information at aka.ms/alz/deprecated.
  • Anybody can join the free, quarterly community call; register at aka.ms/alz/communitycallregister. For previous updates Microsoft has made, there are deep dives and discussions in the archived community calls.
  • Highly recommended: check out Azure Governance Visualizer, also known as AzGovViz; there is a demo at aka.ms/AzGovViz/Demo. It complements the Cloud Adoption Framework guidance and automates drift detection by matching your Azure tenant against the latest releases of the policies.


There is plenty of documentation, and Paul would encourage customers to familiarize themselves with their own processes and how those align with the future updates they will need to make. If customers need to tweak their processes to incorporate this guidance, they should start looking at that now so they have time to plan before updates are released.


Recommended Next Steps:

If you'd like to learn more about the general principles prescribed by Microsoft, we recommend the Microsoft Cloud Adoption Framework for platform- and environment-level guidance and the Azure Well-Architected Framework. You can also register for an upcoming workshop led by Azure partners on cloud migration and adoption topics, which incorporates click-through labs to ensure effective, pragmatic training.


You can view the whole video below.


(Video: CAF Updating Landing Zones)

Learn more: Azure Architecture Blog articles