This site is under development and subject to change. Please do not rely on the information contained here. Look out for some exciting updates to Azure Landing Zones coming in 2025!
Azure Landing Zones Documentation
Home GitHub Issue Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Toggle Dark/Light/Auto mode Back to homepage
  1. Azure Landing Zones Documentation
  2. /
  3. Accelerator
  4. /
  5. User guide
  6. /
  7. Advanced scenarios
Edit page

Advanced scenarios

Scenario 1 - Secure island for bootstrap resources

Depending on your security needs, you may wish to store the Azure resources deployed by the bootstrap in separate subscription and optionally a separate management group hierarchy to the Azure Landing Zone. This could be the case when you need to separate the concerns of deploying and maintaining the Azure Landing Zone from the day to day access of the Azure Landing Zone.

The resources deployed by the bootstrap vary depending on the options you choose, but they may include the following:

  • Storage account for state file
  • User assigned managed identities
  • [Optional] Self hosted agents
  • [Optional] Networking, DNS and Private End Point for storage account

In order to use the secure island approach, you can follow these steps:

Option 1 - Separate subscription under separate management group hierarchy

  1. Create a new management group under Tenant Root Group.
  2. Apply your desired policies and permissions to the new management group.
  3. Create a new subscription for the bootstrap resources and place it in the new management group. Take note of the subscription id.
  4. Grant owner rights to the account you are using to deploy the accelerator on the new subscription.
  5. Run the bootstrap as normal, following the instructions in the Quick Start guide.
  6. When you get to step for updating the input config file variables, enter the subscription id of the new subscription you created into the bootstrap_subscription_id field.
  7. Continue with the rest of the steps in the Quick Start guide.

This will result in the bootstrap resources being deployed in the new subscription and management group hierarchy, while the Azure Landing Zone is deployed into the defined management group hierarchy.

Option 2 - Separate subscription under Azure Landing Zones management group hierarchy

  1. Create a new subscription for the bootstrap resources. Take note of the subscription id.

  2. Grant owner rights to the account you are using to deploy the accelerator on the new subscription.

  3. Use the platform_landing_zone starter module to deploy the Azure Landing Zone.

  4. Update the tfvars file to include subscription placement for the new subscription using the management_group_settings.subscription_placement setting. For example:

    management_group_settings = {
  subscription_placement = {
    identity = {
      subscription_id       = "$${subscription_id_identity}"
      management_group_name = "identity"
    }
    connectivity = {
      subscription_id       = "$${subscription_id_connectivity}"
      management_group_name = "connectivity"
    }
    management = {
      subscription_id       = "$${subscription_id_management}"
      management_group_name = "management"
    }
    bootstrap = {
      subscription_id       = "<bootstrap-subscription-id>" # Add your bootstrap subscription id here
      management_group_name = "management"
    }
  }
}

  5. Run the bootstrap as normal, following the instructions in the Quick Start guide.

  6. When you get to step for updating the bootstrap configuration file variables, enter the subscription id of the new subscription you created into the bootstrap_subscription_id field.

  7. Continue with the rest of the steps in the Quick Start guide.

This will result in the bootstrap resources being deployed in the new subscription. When you then deploy the Azure Landing Zone your subscription will be moved under the management management group.

gdoc_arrow_left_alt Phase 3 - Run Starter modules gdoc_arrow_right_alt