Scenarios
Scenarios are common use cases when deploying the Platform landing zone. The following section provide a description of the scenario and link to the pre-configured files for that scenario.
- Full Scenarios - Enterprise-scale deployments with full resource coverage
- SMB Scenarios - Cost-optimized deployments for smaller organizations
- Estimated Costs - Approximate monthly infrastructure cost comparison
- Multi-Region Hub and Spoke Virtual Network with Azure Firewall
- Multi-Region Virtual WAN with Azure Firewall
- Multi-Region Hub and Spoke Virtual Network with Network Virtual Appliance (NVA)
- Multi-Region Virtual WAN with Network Virtual Appliance (NVA)
- Management Groups, Policy and Management Resources Only
- Single-Region Hub and Spoke Virtual Network with Azure Firewall
- Single-Region Virtual WAN with Azure Firewall
- Single-Region Hub and Spoke Virtual Network with Network Virtual Appliance (NVA)
- Single-Region Virtual WAN with Network Virtual Appliance (NVA)
These scenarios are designed for small-medium businesses only (e.g. less than 10 workloads or less than 100/200 FTEs) that want to start with an Azure landing zone (ALZ) aligned platform landing zone but perhaps are not yet ready for the full scale of ALZ and the associated cost. However, they want to start on the right path and not pin themselves in to an architecture they cannot expand upon later. They are cost-optimized with reduced resource deployment, out of the box.
Identity and security subscriptions are recommended but optional in these scenarios also.
WarningThe SMB scenarios disable the DDoS Network Protection Plan to reduce costs. If you use these scenarios, you MUST consider and plan how to sufficiently protect your applications and workloads from DDoS attacks, like using DDoS IP Protection, or an alternative solution.
- SMB Single-Region Hub and Spoke Virtual Network with Azure Firewall
- SMB Single-Region Virtual WAN with Azure Firewall
The following table provides an approximate monthly cost comparison for the fixed infrastructure resources deployed by each scenario. Costs are based on the westus region in USD.
| Scenario | Estimated Monthly Cost (USD) |
|---|---|
| Multi-Region Hub & Spoke with Azure Firewall | 8,277.72 |
| Multi-Region Virtual WAN with Azure Firewall | 8,263.12 |
| Multi-Region Hub & Spoke with NVA | 5,515.42 * |
| Multi-Region Virtual WAN with NVA | 5,500.82 * |
| Management Only | 0.00 |
| Single-Region Hub & Spoke with Azure Firewall | 5,638.36 |
| Single-Region Virtual WAN with Azure Firewall | 5,631.06 |
| Single-Region Hub & Spoke with NVA | 4,257.21 * |
| Single-Region Virtual WAN with NVA | 4,249.91 * |
| SMB Single-Region Hub & Spoke | 689.85 |
| SMB Single-Region Virtual WAN | 689.85 |
* NVA scenarios do not include the cost of the Network Virtual Appliance itself, which varies by vendor and configuration.
NoteEstimated fixed infrastructure costs based on Azure Retail Prices for the westus region in USD as of 2026-04-02. Consumption-based costs (data processing, log ingestion, DNS queries, etc.) are not included and will vary based on usage. DDoS Protection Plan pricing is sourced from the Azure DDoS Protection pricing page. You can generate your own estimates for any region and currency using the Get-ScenarioCostEstimates.ps1 script.