
Startup-Scale Landing Zone

A stripped-down, opinionated, production-ready Azure Landing Zone designed for startups and digital-native teams. Built for companies with 5–50 engineers that need to get Azure right from day one without enterprise complexity.

$ cat tldr.md
1. One management group, two subscriptions (Prod + Non-Prod) is all you need to start. Don't over-engineer your hierarchy.
2. Skip the hub network, Azure Firewall, and dedicated Connectivity subscription until you actually have hybrid/on-prem requirements or 10+ workloads.
3. Enable Defender for Cloud foundational CSPM (the free tier; paid Defender CSPM can wait) plus Defender for Servers Plan 2 on prod only. Send the Activity Log and resource diagnostic settings to a single Log Analytics workspace. That's your security baseline.
4. Set budget alerts at 50%, 80%, and 100% of your monthly burn. Tag everything with environment and team. No exceptions.
5. Deploy this in under 1 hour with Bicep or Terraform. Graduate to full ALZ when you hit ~50 engineers, multi-region, or regulatory compliance requirements.
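Items 4 above (budget alerts and mandatory tags) are small enough to show in full. The following subscription-scope Bicep is an added example, not a module from the sslz repo: it creates one monthly budget with Actual alerts at 50/80/100% plus a Forecasted 100% alert (an addition beyond the page), and one deny-effect policy definition and assignment per required tag. Resource names, parameter defaults and the choice of deny over audit are assumptions.

```bicep
// Added example: subscription-scope Bicep for the budget and tagging rules above.
// Resource names, the Forecasted_100 notification and the deny effect are assumptions,
// not settings taken from the sslz repo.
targetScope = 'subscription'

@description('Short company name used in resource names')
param companyName string

@minValue(1)
@description('Monthly budget in the billing currency')
param monthlyBudget int

@description('Recipients of budget alerts')
param alertEmails array

@description('First day of a month, YYYY-MM-DD; budgets must start on day 1 of a month')
param budgetStartDate string

@description('Tags every taggable resource must carry')
param requiredTags array = [
  'environment'
  'team'
]

// Shared notification shape; threshold is a percentage of `amount`.
var notifyBase = {
  enabled: true
  operator: 'GreaterThanOrEqualTo'
  contactEmails: alertEmails
}

resource budget 'Microsoft.Consumption/budgets@2021-10-01' = {
  name: 'budget-${companyName}-monthly'
  properties: {
    category: 'Cost'
    amount: monthlyBudget
    timeGrain: 'Monthly'
    timePeriod: {
      startDate: budgetStartDate
    }
    notifications: {
      Actual_50: union(notifyBase, { threshold: 50, thresholdType: 'Actual' })
      Actual_80: union(notifyBase, { threshold: 80, thresholdType: 'Actual' })
      Actual_100: union(notifyBase, { threshold: 100, thresholdType: 'Actual' })
      // Assumption beyond the page: warn before the money is gone, not after.
      Forecasted_100: union(notifyBase, { threshold: 100, thresholdType: 'Forecasted' })
    }
  }
}

// One custom definition + assignment per required tag. Mode 'Indexed' limits
// evaluation to resource types that support tags, so untaggable types are not blocked.
resource requireTag 'Microsoft.Authorization/policyDefinitions@2021-06-01' = [for tag in requiredTags: {
  name: 'require-tag-${tag}'
  properties: {
    policyType: 'Custom'
    mode: 'Indexed'
    displayName: 'Require a ${tag} tag on resources'
    policyRule: {
      if: {
        field: 'tags[\'${tag}\']'
        exists: 'false'
      }
      then: {
        effect: 'deny'
      }
    }
  }
}]

resource requireTagAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = [for (tag, i) in requiredTags: {
  name: 'require-tag-${tag}'
  properties: {
    displayName: 'Require a ${tag} tag on resources'
    policyDefinitionId: requireTag[i].id
    enforcementMode: 'Default'
  }
}]
```

Two caveats worth knowing before you deploy this. A deny effect only blocks new create/update requests; resources that already exist without the tag show up as non-compliant but keep running, so if you are retrofitting an existing subscription, set enforcementMode to 'DoNotEnforce' for the first week and read the compliance report before switching to 'Default'. And 'Indexed' mode does not evaluate resource groups; if you also want untagged resource groups rejected, add a second definition with mode 'All' and a type condition on Microsoft.Resources/subscriptions/resourceGroups.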

Why This Landing Zone

Enterprise-grade foundations without enterprise complexity.

1 Hour Deploy

From zero to production-ready Azure with Bicep or Terraform. No consultants required.

2 Subscriptions

One management group, prod + non-prod. Simple hierarchy that grows with you.


Security Built-in

Defender for Cloud, RBAC, NSG deny-all defaults, policy enforcement from day one.


Cost Aware

Budget alerts at 50/80/100%, tag enforcement, and reservation guidance built in.

How It Compares

ALZ (Enterprise Scale)

100+ modules, months to understand, built for 10k-seat enterprises

ALZ-Bicep

Still enterprise-scoped, overwhelming for a 10-person startup

CAF Terraform Module

Enterprise-scoped, in extended support (archived Aug 2026). Microsoft recommends migrating to Azure Verified Modules.

This Project

Deploys in 1 hour. Grows with you. Written for engineers, not consultants.

Architecture Overview

Simple, self-contained subscriptions. No hub network, no Azure Firewall — until you need them.

Management Hierarchy

Tenant Root Group
└─ mg-<yourcompany>             (policies are assigned here)
   ├─ sub-<yourcompany>-prod      Production workloads
   └─ sub-<yourcompany>-nonprod   Dev / Staging / QA

Network Layout

vnet-<co>-prod       10.0.0.0/16
  snet-aks           /20
  snet-app           /22
  snet-data          /22
  snet-shared        /24

vnet-<co>-nonprod    10.1.0.0/16
  snet-aks           /20
  snet-app           /22
  snet-data          /22
  snet-shared        /24

No VNet peering: each subscription is self-contained.
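Here is the layout above as a resource-group-scope Bicep file. It is an added example, not the sslz repo's networking module: one VNet, the four subnets, and a per-subnet NSG whose last rule is an explicit deny-all-inbound. The exact CIDR carve-up of the /16 (the page only fixes the prefix lengths), the resource names and the load-balancer probe allow rule are assumptions.

```bicep
// Added example (not the sslz repo's module): one VNet with the four subnets above,
// each behind an NSG whose last rule is an explicit deny-all-inbound. The CIDR
// carve-up, the names and the load-balancer allow rule are assumptions.
@description('Short company name used in resource names')
param companyName string

@allowed([
  'prod'
  'nonprod'
])
param environment string

param location string = resourceGroup().location

var vnetCidr = environment == 'prod' ? '10.0.0.0/16' : '10.1.0.0/16'

// cidrSubnet(network, prefixLength, index) returns the index-th block of that size,
// so the carve-up is derived from the /16 instead of being typed by hand.
var subnets = [
  { name: 'snet-aks', prefix: cidrSubnet(vnetCidr, 20, 0) }     // 10.x.0.0/20
  { name: 'snet-app', prefix: cidrSubnet(vnetCidr, 22, 4) }     // 10.x.16.0/22
  { name: 'snet-data', prefix: cidrSubnet(vnetCidr, 22, 5) }    // 10.x.20.0/22
  { name: 'snet-shared', prefix: cidrSubnet(vnetCidr, 24, 24) } // 10.x.24.0/24
]

// One NSG per subnet. 4096 is the lowest user-definable priority; an explicit Deny
// there also beats the platform defaults AllowVnetInBound (65000) and
// AllowAzureLoadBalancerInBound (65001), so every allow must be deliberate.
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = [for s in subnets: {
  name: 'nsg-${s.name}-${environment}'
  location: location
  properties: {
    securityRules: [
      {
        // Assumption: keep load-balancer health probes working. Drop this rule
        // on subnets that will never sit behind an Azure load balancer.
        name: 'AllowAzureLoadBalancerProbes'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Allow'
          protocol: '*'
          sourceAddressPrefix: 'AzureLoadBalancer'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
      {
        name: 'DenyAllInbound'
        properties: {
          priority: 4096
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}]

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-${companyName}-${environment}'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        vnetCidr
      ]
    }
    subnets: [for (s, i) in subnets: {
      name: s.name
      properties: {
        addressPrefix: s.prefix
        networkSecurityGroup: {
          id: nsg[i].id
        }
      }
    }]
  }
}

output vnetId string = vnet.id
```

The point of the explicit deny at 4096 is that it also drops intra-VNet traffic, which the platform default rules would otherwise allow. That is the right starting posture, but it means each workload needs its own allow rules at priorities 100 to 3999 (for example, snet-app to snet-data on 5432) before it will talk to anything; budget time for that when you deploy the first service, and expect AKS in particular to need the load-balancer probe rule kept.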

Quick Start

From zero to production-ready in under an hour.

1. Prerequisites (5 min)

Clone the repo, log in to Azure, and validate your environment. You'll need Azure CLI, two subscriptions (prod + nonprod), and Owner permissions.

Commands
git clone https://github.com/ricmmartins/sslz.git
cd sslz

az login
az account set --subscription <YOUR_PROD_SUBSCRIPTION_ID>

# Validates CLI tools, Azure auth, provider registrations, and permissions
./scripts/validate-prerequisites.sh
2. Management Groups (Optional, 5 min)

Create the management group hierarchy. This is a tenant-scope deployment, so it needs Owner on the Tenant Root Group (a Global Administrator can get there by elevating access and then assigning themselves Owner at scope '/'). Skip it if you don't have that access: the landing zone works without it, and subscriptions can be moved under the management group later.

Bicep command
az deployment tenant create \
  --location eastus2 \
  --template-file infra/bicep/modules/management-groups.bicep \
  --parameters \
    companyName='<yourcompany>' \
    prodSubscriptionId='<PROD_SUB_ID>' \
    nonprodSubscriptionId='<NONPROD_SUB_ID>'
Terraform command
cd infra/terraform/modules/management-groups
terraform init
terraform apply \
  -var='subscription_id=<ANY_SUB_ID>' \
  -var='company_name=<yourcompany>' \
  -var='prod_subscription_id=<PROD_SUB_ID>' \
  -var='nonprod_subscription_id=<NONPROD_SUB_ID>'
cd ../../../..
3. Deploy (20 min)

Deploy the landing zone — policies, networking, monitoring, Defender for Cloud, and budgets. Copy the parameter file, edit with your values, preview with what-if/plan, then deploy.

Bicep commands
cd infra/bicep

# Copy and edit parameters (companyName, emails, budget, etc.)
cp parameters/prod.bicepparam parameters/prod.local.bicepparam

# Preview changes (no resources created)
az deployment sub what-if \
  --location eastus2 \
  --template-file main.bicep \
  --parameters parameters/prod.local.bicepparam

# Deploy
az deployment sub create \
  --location eastus2 \
  --template-file main.bicep \
  --parameters parameters/prod.local.bicepparam \
  --name "lz-prod-$(date +%Y%m%d-%H%M%S)"
Terraform commands
cd infra/terraform

# Copy and edit variables (subscription_id, company_name, emails, etc.)
cp terraform.tfvars.example terraform.tfvars

terraform init
terraform plan -out=tfplan    # Preview changes
terraform apply tfplan        # Deploy
4. Verify (5 min)

Confirm resource groups, Log Analytics, policies, and Defender plans were created correctly.

Commands
# Check resource groups (replace yourcompany with the companyName you deployed with)
az group list \
  --query "[?contains(name, 'yourcompany')].name" -o tsv

# Check Log Analytics workspace
az monitor log-analytics workspace list \
  --query "[].name" -o tsv

# Check policy assignments
az policy assignment list \
  --query "[].displayName" -o tsv

# Check Defender plans
az security pricing list \
  --query "value[?pricingTier=='Standard'].{Name:name, Tier:pricingTier}" -o table

# Check security contact
az security contact show --name default \
  --query "{Email:emails, Roles:notificationsByRole.roles}" -o table

# Check budget
az consumption budget list \
  --query "[].{Name:name, Amount:amount, TimeGrain:timeGrain}" -o table

# Check NSG rules
az network nsg list --query "[].name" -o tsv
5. Post-Deploy (30 min)

Assign RBAC roles to your team, set up CI/CD with Workload Identity Federation, and enable cost anomaly alerts. See the Day-1 Checklist below.

Teardown commands (if needed)
# Destructive: deletes every landing zone resource in the named environment.
# Use the tool you deployed with (one of the two lines, not both) and run once per environment.
./scripts/teardown.sh --tool terraform --env nonprod --company yourcompany
./scripts/teardown.sh --tool bicep --env nonprod --company yourcompany
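The Workload Identity Federation step above is the one most teams get wrong by falling back to a client secret. The following resource-group-scope Bicep is an added example, not the sslz repo's CI/CD setup: it creates a user-assigned managed identity and a federated credential that trusts GitHub's OIDC issuer for exactly one repository and one GitHub Actions environment. Names and the default 'prod' environment binding are assumptions.

```bicep
// Added example (not from the sslz repo): a user-assigned identity that GitHub Actions
// can assume via OIDC, so the pipeline holds no client secret. Names and the
// 'prod' environment binding are assumptions.
@description('Short company name used in resource names')
param companyName string

@description('GitHub organisation or user that owns the repository')
param githubOrg string

@description('Repository name, without the org prefix')
param githubRepo string

@description('GitHub Actions environment whose jobs may use this identity')
param githubEnvironment string = 'prod'

param location string = resourceGroup().location

resource deployer 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-${companyName}-github-${githubEnvironment}'
  location: location
}

// The subject claim ties the trust to one repo and one environment. A token from
// any other branch, pull request or repository is rejected by Entra ID.
resource githubFederation 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = {
  parent: deployer
  name: 'github-${githubEnvironment}'
  properties: {
    issuer: 'https://token.actions.githubusercontent.com'
    subject: 'repo:${githubOrg}/${githubRepo}:environment:${githubEnvironment}'
    audiences: [
      'api://AzureADTokenExchange'
    ]
  }
}

// clientId goes into the workflow (azure/login client-id); principalId into the role assignment.
output clientId string = deployer.properties.clientId
output principalId string = deployer.properties.principalId
```

Deploy this into a resource group in the prod subscription, then grant the identity the rights the pipeline actually needs at subscription scope, for example `az role assignment create --assignee-object-id <principalId> --assignee-principal-type ServicePrincipal --role Contributor --scope /subscriptions/<PROD_SUB_ID>`. In the workflow, set `permissions: id-token: write` and call azure/login with client-id, tenant-id and subscription-id only; there is no secret to store or rotate. Because the subject is bound to the `prod` environment, protect that environment in GitHub with required reviewers, and give pull-request runs (subject `repo:<org>/<repo>:pull_request`) a separate identity with Reader only, which is enough for what-if and plan.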

Full Deployment Guide

Day-1 Checklist

90 minutes from zero to production-ready. Three phases, one afternoon.

Pre-Deployment     30 min
Deploy             30 min
Post-Deployment    30 min

What's Included

Management Groups

Single MG with two subscriptions underneath

Azure Policy

Microsoft Cloud Security Benchmark (audit), required tags, allowed locations

Networking

VNet + subnets per subscription, NSGs with deny-all-inbound default

Monitoring

Log Analytics workspace, Activity Log forwarding, diagnostic settings policy

Security

Defender for Cloud CSPM, Defender for Servers P2 (prod), MFA via Security Defaults

Cost Management

Budget alerts at 50/80/100%, tagging enforcement

CI/CD

GitHub Actions workflows for Bicep and Terraform
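The Monitoring and Security items above are the subscription-level settings the Verify step checks with `az security pricing list` and `az security contact show`. The following subscription-scope Bicep is an added example, not the sslz repo's module: it exports the Activity Log to the shared workspace, pins Defender for Cloud to foundational (free) CSPM, turns Defender for Servers Plan 2 on for prod only, and sets the security contact. The workspace is assumed to exist already and is passed in by ID; names, the category list and the High-severity alert threshold are assumptions.

```bicep
// Added example: subscription-scope security baseline (not the sslz repo's module).
// The workspace is created elsewhere and passed in; names, the category list and
// the High-severity alert threshold are assumptions.
targetScope = 'subscription'

@description('Resource ID of the shared Log Analytics workspace')
param logAnalyticsWorkspaceId string

@allowed([
  'prod'
  'nonprod'
])
param environment string

@description('Mailbox that receives Defender for Cloud alerts')
param securityContactEmail string

// Activity Log categories to keep; Security and Policy are the ones incident response asks for.
var activityLogCategories = [
  'Administrative'
  'Security'
  'ServiceHealth'
  'Alert'
  'Recommendation'
  'Policy'
  'Autoscale'
  'ResourceHealth'
]

// At subscription scope a diagnosticSettings resource with no parent configures
// the subscription's Activity Log export.
resource activityLog 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'activity-log-to-law'
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [for category in activityLogCategories: {
      category: category
      enabled: true
    }]
  }
}

// Foundational CSPM is the free tier of the CloudPosture plan; 'Standard' would
// switch on paid Defender CSPM, which this baseline deliberately does not.
resource cspm 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'CloudPosture'
  properties: {
    pricingTier: 'Free'
  }
}

// Defender for Servers Plan 2 on prod only; nonprod stays on the free tier.
resource servers 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'VirtualMachines'
  properties: environment == 'prod' ? {
    pricingTier: 'Standard'
    subPlan: 'P2'
  } : {
    pricingTier: 'Free'
  }
}

// Who gets alert mail. Subscription Owners are included so an alert never
// depends on one person's inbox.
resource contact 'Microsoft.Security/securityContacts@2020-01-01-preview' = {
  name: 'default'
  properties: {
    emails: securityContactEmail
    alertNotifications: {
      state: 'On'
      minimalSeverity: 'High'
    }
    notificationsByRole: {
      state: 'On'
      roles: [
        'Owner'
      ]
    }
  }
}
```

Deploy it once per subscription with `az deployment sub create`, passing `environment=prod` or `environment=nonprod`, and confirm with `az security pricing show --name VirtualMachines`. Defender pricing resources are subscription-wide, so prod and nonprod get different plans only because they are different subscriptions; that is one of the concrete reasons the TL;DR insists on two. Plan 2 bills per protected VM-hour, so keep nonprod on Free until you have a reason not to.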

What's NOT Included (By Design)

Enterprise components you should add later when needed.

Component                              Add when
Hub VNet + Azure Firewall              hybrid connectivity or centralized egress control is required
ExpressRoute / VPN Gateway             on-prem connectivity is needed
Multiple MG layers                     you have 5+ subscriptions with different policy needs
Private DNS Zones at scale             3+ PaaS services use Private Endpoints across VNets
Advanced Conditional Access            you have 30+ Azure users or regulated customer data
PIM (Privileged Identity Management)   you need just-in-time admin access (Series B+)

Graduation Guide

Starter Examples

Pre-built configurations for common startup archetypes.

Documentation

Practical guides written for engineers, not consultants.