Home / Use Cases / Landing Zone

How do we build an Azure Landing Zone for the Mittelstand?

We rebuild your organically grown Azure subscription into a comprehensible Landing Zone — sized for your company, not the Enterprise maximum.

Your Azure subscription has existed for a few years. At some point someone created the first subnet, then a VM for a test system was added, then a storage account for backups, then a second subscription because the tax adviser wanted it. Today nobody quite knows what runs where, what it costs, and why the resource “vm-test-final-2” is in production. We build a Landing Zone from this that matches your company in size — not the Microsoft Enterprise maximum that nobody understands anymore.

Does this sound familiar?

Why now — and not later

An unmanaged Azure environment costs you on three levels. It costs hard cash through unused resources, oversized VMs and forgotten test environments that have been running for months. It costs time, because every change starts with detective work. And it costs security, because without structure nobody notices when a resource is created outside policy.

Typical triggers that put this on the agenda:

What this would look like at your company

Step 1 — Assessment and as-is diagram

We start by building a complete picture: which subscriptions exist, which resource groups, which resources, which identities, which permissions. Reader access is all we need for that. At the end of step 1 you have a diagram and a table in which every running resource is mapped to a purpose — or marked as “unknown” if nobody remembers what it’s there for. This step alone often uncovers noticeable savings potential — test machines from 2023 that nobody needs anymore, for example.

Stack hints: Azure Resource Graph for inventory, Cost Management exports, Entra ID role evaluation.

Step 2 — Subscription and management-group structure

We design a structure with you that fits your company. For an 80-employee company, a flat setup with management groups for “Production”, “Test/Development” and possibly “Sandbox” — with two to four subscriptions underneath — is enough in most cases. That is deliberately less than what the Microsoft CAF documentation envisages for large corporations. If you don’t have four subsidiaries, you don’t need four subscriptions per workload. Deliverable: a structure an outsider can understand in 15 minutes.

Stack hints: Management Groups, subscription vending, Entra ID PIM for privileged roles.

Step 3 — Naming and tagging convention

We agree with you on a schema people can actually remember. Typical example: <workload>-<environment>-<type>-<region>-<no>, i.e. erp-prod-vm-weu-01. Plus mandatory tags such as costcenter, owner, workload, environment. Important: the convention is only worth something if it’s enforced via Azure Policy — otherwise untagged resources will be back within three months. Deliverable: a naming and tagging standard documented on a single page, plus policy definitions that block or flag non-compliant resources at creation.

Stack hints: Azure Policy (deny/audit), tag inheritance, initiative definitions.

Step 4 — Infrastructure-as-Code foundation

Instead of everyone continuing to click around the portal, we define the important resource types as code, once. Bicep for Microsoft-native setups, Terraform if you work with other clouds anyway — both work. Deliverable: a small repository with modules for the most common needs (VM, storage account, resource group with standard policies, Key Vault), plus a short guide on how to trigger a deployment. Deliberately no over-engineering: no 14-stage pipeline with approval gates on four levels, but something an IT generalist can learn in two days.

Stack hints: Bicep or Terraform, GitHub Actions or Azure DevOps Pipelines, service principals with restricted rights.

Step 5 — Cost Management and policy baseline

Budgets per subscription, alerts when thresholds are breached, a monthly cost report to management. Plus a policy baseline: no VMs in regions outside the EU, no storage accounts with a public endpoint, mandatory diagnostic settings. Deliverable: once a month you get an overview of what Azure cost per workload and per cost centre — and the assurance that nobody accidentally creates a VM in the wrong region.

Stack hints: Azure Cost Management Budgets, Action Groups, Azure Policy Initiatives, Microsoft Defender for Cloud Free Tier.

What to watch out for

What realistically changes afterwards

What you contribute

Risks and when it doesn’t fit

How the conversation starts

Book an initial conversation

Frequently asked questions

Do we really need management groups if we only have two subscriptions? No, not necessarily. With two subscriptions, a flat structure with policies applied directly at subscription level is often enough. Management groups start paying off from three to four subscriptions, or when policies should be inherited. In the initial conversation we clarify what makes sense at your size.

Bicep or Terraform — what do you recommend? Bicep if you work exclusively in Azure and with the Microsoft tool stack. Terraform if you use multiple clouds anyway or already know the tool. Both work. More important than the choice is using it consistently.

What happens to our existing resources — will they be re-deployed? No, usually not. We bring existing resources into the new schema by back-filling tags and, where needed, moving them between resource groups. Since most Azure resources can’t be renamed, the naming convention applies to newly created resources — the existing estate is mapped via tags. Re-deployment only where there is no technical alternative, or where the resource is due for renewal anyway.

How long does it typically take? Assessment and structure design take about 2 to 3 weeks, implementing the naming/tagging policy another 2 to 4 weeks, the IaC foundation and Cost Management another 2 to 3 weeks. In total, around 6 to 10 weeks for a mid-market environment. We’ll give you an honest range after the assessment.