This article is contributed. See the original author and article here.

I introduced Enterprise-Scale in my first blog, which is part of the Cloud Adoption Framework (CAF). In this second blog I want to answer the question about when Enterprise-Scale should be adopted, compared to alternative solutions; in my own words and from my own view.


Azure landing zone and implementation options

On the implementation options we have a few information documented related to the question above, as follows:

When business requirements necessitate a rich initial implementation of landing zones, with fully integrated governance, security, and operations from the start, Microsoft recommends the enterprise-scale approach.


However, I think this does not fully address the question about the when, as from my view the following must be take into account as well:

  • The culture of the organization (centrally IT-controlled vs DevOps empowered)
  • The cloud and DevOps maturity of application teams
  • The cloud maturity of the organization’s operating model

Should Enterprise-Scale be used?

If an organization is very much IT-controlled, and there is a mandatory layer to enable a centralized IT team to control the entire cloud adoption, including all networking aspects, identity, security, monitoring for all applications, etc., Enterprise-Scale might not be the best implementation options for Azure landing zones. This is due to the fact that such an IT-controlled approach would not align with the Enterprise-Scale design principles.

In contrast, if an organization embraces DevOps principles and methodologies, empowers application teams to implement a DevOps approach (they own an application end-to-end), Enterprise-Scale might be a very good fit. This is due to the fact that Enterprise-Scale considers a cloud-native way to build landing zones, which differs greatly from a traditional on-premises data center setup. One concrete example is the recommended approach to protect web applications and web APIs, which in an on-premises data center would be completely owned by the central IT team. In Enterprise-Scale, though, the service used to protect web applications and APIs is part of the landing zone, therefore setup in a decentralized way. But of course, configured Azure policies (guard-rails) ensure the required configuration of the protection service (Azure Application Gateway and Azure Web Application Firewall, to be precise).

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: