Unique Landing Zone
Overview
This page describes the Unique Landing Zone — a customized Azure Landing Zone designed to meet the specific security, compliance, and operational requirements of Unique deployments in Customer Managed Tenants. It covers the rationale for deviating from the standard Azure Landing Zone, the resource group structure, roles and access control, required Azure services, and supporting tooling.
Audience: Cloud Architects, DevOps Engineers, Security Engineers, IT Administrators, and client stakeholders involved in cloud environment design and operations.
Introduction to Azure Landing Zone
Azure (Application) Landing Zone is Microsoft’s framework for adopting Azure services with best practices for governance, security, scalability, and cost management. It provides blueprints for creating production-ready cloud environments with structured governance, automated deployments, resource organization, security baselines, and cost controls.
See Azure Landing Zone documentation.

Reasons for Deviation from Azure Landing Zone
While the Azure Landing Zone provides a solid foundation, certain client-specific requirements necessitate deviations. The Unique Landing Zone addresses these by:
Focused Risk Mitigation: Targeting specific risks — data exfiltration, Kubernetes data plane security, and cost management — critical for our client base.
Enhanced Automation: Prioritizing automation to improve security, reduce human error, and ensure consistent policy enforcement.
Customized Resource Segregation: Organizing resources to minimize risk exposure and tighten control over sensitive data.
Tailored Role Management: Implementing custom roles aligned with specific operational and security requirements.
Unique Landing Zone Architecture

The Unique Landing Zone is designed around three principles: a risk-based approach, automation-first operations, and strict resource segregation.
Risk-Based Approach
Data Exfiltration: Comprehensive measures to prevent unauthorized data extraction.
Kubernetes Data Plane: Security controls for data exfiltration through the Kubernetes data plane.
Privileged Roles: Secure use of privileged roles via Privileged Identity Management (PIM) or Just-in-Time (JIT) access.
Cloud Resource Misconfiguration: Prevention and detection of misconfigurations.
Cost Management: Strategies to prevent over-provisioning and manage costs effectively.
Third-party Security: Management of vulnerabilities in third-party applications.
Automation First
Automation is foundational to the Unique Landing Zone. It enhances change control, minimizes lateral movement risks, enforces least privilege, maintains comprehensive audit trails, and promotes modern collaboration practices. Automation also reduces the need for manual roles and permissions, positively impacting costs and timelines.
Automation and Source Control:
GitHub Repository (Client GitHub): Central repository where the client manages infrastructure as code (IaC).
CI/CD Pipeline (e.g., Azure DevOps): Pull requests are submitted, reviewed, merged, and trigger automation scripts for provisioning.
PIM RBAC Assignments: Privileged Identity Management assigns RBAC roles dynamically, granting JIT access.

Deployment Workflow
Code Delivery: Unique employees submit infrastructure changes via pull requests to the client’s GitHub repository. Changes are reviewed and approved by client administrators.
CI/CD Pipeline: On approval, the pipeline pulls the latest code and triggers automation scripts to provision or update resources.
Provisioning: Provisioners deploy resources into Main and Sensitive resource groups. Automation ensures sensitive data is handled securely with restricted access.
Access Control: Observers have read-only access to their respective groups. Client Control has full oversight for compliance and security adjustments.
Audit and Compliance: All operations are logged in the Audit Resource Group (write-only for Unique, fully accessible by client administrators). Regular reviews ensure policy compliance.
Resource Groups
Resources are segregated into groups based on risk management, following the principle of least privilege.
| Group | Content | Permissions |
|---|---|---|
| Main | Primary resources for core services — no customer data | Managed by the responsible party (Unique or client, per Responsibilities). Includes basic infrastructure and non-sensitive configurations. |
| Sensitive | All customer data: prompts, uploaded files, encryption keys | Least privilege via JIT. Automation highly recommended to minimize human intervention. |
| Audit | Centralized, tamper-proof audit logs | Write-only by Unique and their workloads. Modifications by client or automated processes only. |
| Vnet | Networking setup, including limited internet access for pulling necessary content | Typically client-managed due to security impact. Automation preferred. |
| Terraform | Terraform state files | Restricted to a few individuals or automation. State securely maintained with tracked modifications. |
Roles and Access Control
A robust RBAC framework enforces least privilege, segregates duties, and minimizes risk. Azure PIM and JIT access dynamically manage permissions.

| Role | Resource Group Main | Resource Group Sensitive | Key Responsibilities |
|---|---|---|---|
| Observer | Read | — | Monitor resources and access secrets in Main Key Vault. |
| Maintainer | Read, Write, Delete | — | Maintain and manage resources. Handle secrets in Main Key Vault. |
| Provisioner | Read, Write, Delete | Read, Write, Delete | Deploy and configure resources in both groups. Transfer config values from Main to Sensitive Key Vault (ensuring maintainers never access sensitive data directly). |
| Sensitive Data Observer | — | Read | View and monitor sensitive data and resources. Read-only. |
Secrets Management:
Main Key Vault: Stores secrets required for operations in the Main resource group.
Sensitive Key Vault: Stores sensitive keys and data with strict access controls. Provisioners handle transfers from Main to Sensitive Key Vault.
Configuration Workflow: Unique employees are assigned roles (Observer, Maintainer, Provisioner, Sensitive Data Observer) based on responsibilities. Provisioners place configuration values in the Main Key Vault and handle secure transfers — maintainers never see sensitive data.
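The resource-group and role tables above define an access matrix that can be checked mechanically against actual role assignments. The following is an added example (not Unique's own tooling): it encodes the Observer / Maintainer / Provisioner / Sensitive Data Observer matrix, flags any assignment that exceeds it, and flags standing (non-PIM) access to the Sensitive group, since that group is meant to be reachable only just-in-time. The record fields and the sample export are constructed for this illustration.

```python
# Least-privilege check for Unique Landing Zone role assignments (added example,
# not the project's own tooling). Records mimic a simplified export of Azure role
# assignments; the field names below are assumptions for this illustration.
from dataclasses import dataclass

# Allowed actions per landing-zone role and resource group, from the roles table.
# A resource group missing from a role's entry means: no access at all.
ALLOWED = {
    "Observer": {"Main": {"Read"}},
    "Maintainer": {"Main": {"Read", "Write", "Delete"}},
    "Provisioner": {"Main": {"Read", "Write", "Delete"},
                    "Sensitive": {"Read", "Write", "Delete"}},
    "Sensitive Data Observer": {"Sensitive": {"Read"}},
}

@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str            # landing-zone role, one of the ALLOWED keys
    resource_group: str  # "Main" or "Sensitive"
    actions: frozenset   # subset of {"Read", "Write", "Delete"}
    pim: bool            # True = PIM-eligible (JIT); False = standing assignment

def check_assignment(a: Assignment) -> list:
    """Return a list of violations for one assignment; empty means compliant."""
    problems = []
    allowed = ALLOWED[a.role].get(a.resource_group)
    if allowed is None:
        problems.append(f"{a.principal}: {a.role} must have no access to {a.resource_group}")
    elif a.actions - allowed:
        problems.append(f"{a.principal}: {sorted(a.actions - allowed)} exceeds "
                        f"{a.role} rights in {a.resource_group}")
    # Sensitive access is granted just-in-time through PIM, never as standing access.
    if a.resource_group == "Sensitive" and not a.pim:
        problems.append(f"{a.principal}: standing (non-PIM) access to Sensitive")
    return problems

def check_all(assignments) -> list:
    """Flatten violations across a whole export."""
    return [p for a in assignments for p in check_assignment(a)]

# Constructed sample export: the first two rows comply, the remaining three do not.
SAMPLE = [
    Assignment("alice@unique", "Observer", "Main", frozenset({"Read"}), False),
    Assignment("bob@unique", "Provisioner", "Sensitive", frozenset({"Read", "Write", "Delete"}), True),
    Assignment("carol@unique", "Maintainer", "Sensitive", frozenset({"Read"}), True),
    Assignment("dave@unique", "Observer", "Main", frozenset({"Read", "Write"}), False),
    Assignment("erin@unique", "Sensitive Data Observer", "Sensitive", frozenset({"Read"}), False),
]
```

Running `check_all(SAMPLE)` reports carol's Maintainer reach into Sensitive, dave's Write right as an Observer, and erin's standing Sensitive access; a real run would feed it the tenant's exported assignments instead of the constructed list.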
Required Services — "Chat" Use Case
Clients must provision the following Azure services to support the Chat application within the Unique Landing Zone.
| Service | Use Case | Best Practices |
|---|---|---|
| Container Orchestrator (AKS) | Host chat application services | Use AKS for scalability. Implement network policies and RBAC for secure access control. |
| Telemetry (Azure Monitor) | Monitor application performance | Use Azure Monitor and Log Analytics for telemetry. Set up alerts for real-time incident response. |
| Logging Solution | Retain application logs | Deploy Azure Log Analytics for centralized log management. Configure retention policies per data governance standards. |
| Secure Audit Log Storage | Retain audit logs | Use Azure Blob Storage with immutability policies. Encrypt at rest and in transit. |
| PostgreSQL | Persist application data | Use Azure Database for PostgreSQL. Enable automated backups and geo-replication. |
| Redis Cache | Session state, caching, Tyk API Gateway, frontend WebSockets | Use Azure Cache for Redis. Configure high availability and disaster recovery. |
| LLMs | Chat features, reporting features | Integrate Azure OpenAI Service. Ensure proper authentication and access control. |
| Compatible Storage (Blob/ADLS) | Chat logs, media, Knowledge features, SharePoint Connector | Use Azure Blob Storage or Data Lake Storage. Implement lifecycle management for cost optimization. |
| Azure AD App Registration | User authentication and authorization | Register in Azure AD for SSO. Implement Conditional Access policies. |
Supporting Tooling
Both Customer Managed Tenants and on-premises installations require the following tools for deployment management, security, and compliance.
| Tool | Use Case | Best Practices | Examples |
|---|---|---|---|
| Git / VCS | Versioned Unique artefacts, IaC, customization, automation, audits | Branch protection rules. PR-based reviews. Regular backups. | GitHub, GitHub Enterprise, Azure DevOps, GitLab Enterprise |
| CI/CD Automation | Apply code changes published by Unique | Pipeline as code. Automated testing and security scans. Rollback strategies. | GitHub Actions, Azure DevOps, GitLab CI, FluxCD, ArgoCD |
| Container Registry | Cache, scan, analyze container images from Unique releases | Vulnerability scanning. Signed images. RBAC. | Azure Container Registry, Harbor, DockerHub, GitHub Packages |
| Helm Chart Gallery | Cache, validate Helm charts from Unique releases | Regular updates. Staging validation before production. Access controls. | Azure Container Registry, Harbor, Chart Museum |