  • Dec 4, 2025
  • 2 min read

I recently wrapped up a hands-on lab where I built an Azure Landing Zone using Terraform. The goal was to create a repeatable, scalable foundation for cloud workloads with baked-in governance and networking. Here’s what I tackled, how it works, and what I learned.


Scope: Deployed a modular landing zone covering core networking (hub-and-spoke), load balancing, identity hooks, and baseline policies. Everything is defined as code in *.tf plus terraform.tfvars for environment-specific values.


Networking: Set up a hub VNet with shared services and peered spokes for workloads. In the hub, I added an Azure Load Balancer to front services; in the spokes, subnets are pre-segmented for app tiers.


Security & Governance: Used Terraform to wire in role assignments and policy baselines to enforce tagging, restrict regions, and require encryption at rest. Centralized logging routes to a Log Analytics workspace for diagnostics across resources.
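The governance layer described above, as an added example rather than the lab's own module code. It assigns two built-in Azure Policy definitions at subscription scope (allowed regions and a required owner tag) and grants the platform team a scoped built-in role instead of Owner. The subscription ID, the group object ID, the region list, the tag name and all resource names are assumed placeholder values; the built-in definitions are looked up by display name so no policy GUIDs are hard-coded.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Assumed inputs: supply them in terraform.tfvars for your own subscription.
variable "subscription_id" {
  type = string
}

variable "platform_team_object_id" {
  description = "Entra ID group that operates the landing zone (assumed)"
  type        = string
}

variable "allowed_locations" {
  type    = list(string)
  default = ["westeurope", "northeurope"] # assumed region baseline
}

locals {
  subscription_scope = "/subscriptions/${var.subscription_id}"
}

# Resolve the built-in definitions by display name instead of hard-coding GUIDs.
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

data "azurerm_policy_definition" "require_tag" {
  display_name = "Require a tag on resources"
}

# Restrict regions: anything deployed outside the list is denied at creation.
resource "azurerm_subscription_policy_assignment" "allowed_locations" {
  name                 = "lz-allowed-locations"
  subscription_id      = local.subscription_scope
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  parameters = jsonencode({
    listOfAllowedLocations = { value = var.allowed_locations }
  })
}

# Enforce tagging: resources without an "owner" tag are denied.
resource "azurerm_subscription_policy_assignment" "require_owner_tag" {
  name                 = "lz-require-owner-tag"
  subscription_id      = local.subscription_scope
  policy_definition_id = data.azurerm_policy_definition.require_tag.id
  parameters = jsonencode({
    tagName = { value = "owner" }
  })
}

# Least privilege: the team that runs networking gets Network Contributor,
# scoped to this subscription, not Owner or Contributor.
resource "azurerm_role_assignment" "platform_network" {
  scope                = local.subscription_scope
  role_definition_name = "Network Contributor"
  principal_id         = var.platform_team_object_id
}
```

Because the assignments use the built-in definitions' default Deny effect, a `terraform plan` that later tries to create a resource in an unlisted region or without the tag fails at apply time with a policy error, which is the guardrail the post refers to.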


Automation: terraform init/plan/apply drives everything. Variables in terraform.tfvars let me swap environments (lab → staging) without code drift. State is remote-backed to keep collaboration safe.
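How the remote state and environment variables fit together, as an added example that is not the lab's own layout. The first part is a `backend "azurerm"` block that keeps state in a blob container protected by Azure RBAC rather than a storage account key (the azurerm backend also takes a blob lease as a state lock, so two people cannot apply at once); the second part declares the variables that terraform.tfvars is expected to fill, with a validation rule that rejects typos in the environment name. All storage account, container and CIDR values are assumed placeholders.

```hcl
# backend.tf (assumed names; create the storage account out of band first)
terraform {
  backend "azurerm" {
    resource_group_name  = "rg-tfstate"
    storage_account_name = "sttfstatelab"
    container_name       = "tfstate"
    key                  = "landing-zone.tfstate"
    use_azuread_auth     = true # RBAC on the container instead of a shared key
  }
}

# variables.tf: everything environment-specific is a variable, nothing is inlined
variable "environment" {
  type = string
  validation {
    condition     = contains(["lab", "staging"], var.environment)
    error_message = "environment must be one of: lab, staging."
  }
}

variable "location" {
  type = string
}

variable "hub_cidr" {
  type = string
  validation {
    condition     = can(cidrhost(var.hub_cidr, 0))
    error_message = "hub_cidr must be a valid CIDR block."
  }
}

variable "spoke_cidrs" {
  description = "Spoke name => address space"
  type        = map(string)
}

variable "tags" {
  type = map(string)
}

# terraform.tfvars (constructed sample for the lab environment)
# environment = "lab"
# location    = "westeurope"
# hub_cidr    = "10.0.0.0/16"
# spoke_cidrs = {
#   app  = "10.1.0.0/16"
#   data = "10.2.0.0/16"
# }
# tags = {
#   owner = "platform-team"
#   env   = "lab"
# }
```

Switching from lab to staging is then a different terraform.tfvars (or `-var-file=staging.tfvars`) and a different backend `key`, with no edits to the `.tf` files, which is what keeps the two environments from drifting apart.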


Resilience: Health probes and rules on the load balancer distribute traffic across backend pools, with diagnostics enabled for visibility. Network security groups guard subnets with least-privilege rules.
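The load balancer and NSG pattern from the Resilience section, written out as an added example (not the lab's own module). An internal Standard load balancer in the hub's shared-services subnet gets an HTTP health probe and a rule that spreads port 80 across a backend pool; the subnet's NSG allows only the spoke range to reach the backend port, keeps the Azure health-probe source open, and denies everything else inbound. Resource names, the region and the 10.0.0.0/16 and 10.1.0.0/16 address ranges are assumed.

```hcl
resource "azurerm_resource_group" "hub" {
  name     = "rg-hub-lab" # assumed
  location = "westeurope"
}

resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  address_space       = ["10.0.0.0/16"] # constructed hub range
}

resource "azurerm_subnet" "shared" {
  name                 = "snet-shared"
  resource_group_name  = azurerm_resource_group.hub.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.1.0/24"]
}

# Internal Standard LB fronting shared services in the hub.
resource "azurerm_lb" "hub" {
  name                = "lb-hub-internal"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  sku                 = "Standard"

  frontend_ip_configuration {
    name                          = "frontend"
    subnet_id                     = azurerm_subnet.shared.id
    private_ip_address_allocation = "Dynamic"
  }
}

resource "azurerm_lb_backend_address_pool" "web" {
  name            = "web-pool"
  loadbalancer_id = azurerm_lb.hub.id
}

# Unhealthy members are pulled from rotation after two failed probes.
resource "azurerm_lb_probe" "web_health" {
  name                = "http-health"
  loadbalancer_id     = azurerm_lb.hub.id
  protocol            = "Http"
  port                = 8080
  request_path        = "/healthz" # assumed health endpoint
  interval_in_seconds = 15
  number_of_probes    = 2
}

resource "azurerm_lb_rule" "web" {
  name                           = "http"
  loadbalancer_id                = azurerm_lb.hub.id
  protocol                       = "Tcp"
  frontend_port                  = 80
  backend_port                   = 8080
  frontend_ip_configuration_name = "frontend"
  probe_id                       = azurerm_lb_probe.web_health.id
  backend_address_pool_ids       = [azurerm_lb_backend_address_pool.web.id]
}

# Least-privilege NSG: only the spoke range reaches the backend port.
resource "azurerm_network_security_group" "shared" {
  name                = "nsg-shared"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name

  security_rule {
    name                       = "allow-http-from-spokes"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "8080"
    source_address_prefix      = "10.1.0.0/16" # constructed spoke range
    destination_address_prefix = "10.0.1.0/24"
  }

  # The explicit deny below outranks the default AllowAzureLoadBalancerInBound
  # rule (priority 65001), so probes must be allowed explicitly or every
  # backend goes unhealthy.
  security_rule {
    name                       = "allow-lb-probes"
    priority                   = 110
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "8080"
    source_address_prefix      = "AzureLoadBalancer"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "deny-all-inbound"
    priority                   = 4096
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "shared" {
  subnet_id                 = azurerm_subnet.shared.id
  network_security_group_id = azurerm_network_security_group.shared.id
}
```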


Observability: Enabled diagnostics for LB, VNets, and gateways, funneling logs/metrics to Log Analytics. This makes it easy to trace traffic flows and spot misconfigurations early.
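The hub-and-spoke peering from the Networking section and the diagnostics fan-out from this section, combined into one added example (not the lab's own code). Peering is declared in both directions, and instead of writing one diagnostic setting per resource type the example generalizes the post's approach: it keeps a map of resource IDs, asks Azure which log and metric categories each one supports, and enables all of them into a single Log Analytics workspace, so a load balancer or gateway added to the map later gets the same treatment without new code. Names, the region and the address ranges are assumed.

```hcl
resource "azurerm_resource_group" "network" {
  name     = "rg-network-lab" # assumed
  location = "westeurope"
}

resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub"
  location            = azurerm_resource_group.network.location
  resource_group_name = azurerm_resource_group.network.name
  address_space       = ["10.0.0.0/16"] # constructed, must not overlap spokes
}

resource "azurerm_virtual_network" "spoke_app" {
  name                = "vnet-spoke-app"
  location            = azurerm_resource_group.network.location
  resource_group_name = azurerm_resource_group.network.name
  address_space       = ["10.1.0.0/16"]
}

# Peering is directional, so each spoke needs a pair of resources.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                      = "hub-to-spoke-app"
  resource_group_name       = azurerm_resource_group.network.name
  virtual_network_name      = azurerm_virtual_network.hub.name
  remote_virtual_network_id = azurerm_virtual_network.spoke_app.id
  allow_forwarded_traffic   = true
  allow_gateway_transit     = true # the hub is where a gateway would live
}

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "spoke-app-to-hub"
  resource_group_name       = azurerm_resource_group.network.name
  virtual_network_name      = azurerm_virtual_network.spoke_app.name
  remote_virtual_network_id = azurerm_virtual_network.hub.id
  allow_forwarded_traffic   = true
  use_remote_gateways       = false # flip to true only after the hub gateway exists
}

resource "azurerm_log_analytics_workspace" "central" {
  name                = "law-lz-central" # assumed
  location            = azurerm_resource_group.network.location
  resource_group_name = azurerm_resource_group.network.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

locals {
  # Add any resource ID here (LB, NSG, gateway) and it gets diagnostics too.
  diagnostic_targets = {
    vnet_hub       = azurerm_virtual_network.hub.id
    vnet_spoke_app = azurerm_virtual_network.spoke_app.id
  }
}

# Ask Azure which categories each resource type supports rather than guessing.
data "azurerm_monitor_diagnostic_categories" "target" {
  for_each    = local.diagnostic_targets
  resource_id = each.value
}

resource "azurerm_monitor_diagnostic_setting" "target" {
  for_each                   = local.diagnostic_targets
  name                       = "diag-to-central-law"
  target_resource_id         = each.value
  log_analytics_workspace_id = azurerm_log_analytics_workspace.central.id

  dynamic "enabled_log" {
    for_each = data.azurerm_monitor_diagnostic_categories.target[each.key].log_category_types
    content {
      category = enabled_log.value
    }
  }

  dynamic "metric" {
    for_each = data.azurerm_monitor_diagnostic_categories.target[each.key].metrics
    content {
      category = metric.value
    }
  }
}
```

Because the map keys are static, `for_each` is resolvable at plan time even though the resource IDs themselves are only known after apply; the category lookup is deferred to apply, which is the expected behaviour when the target resources are created in the same run.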


Lessons learned:


Treat the landing zone as a product: version it, document it, and test changes with plan before apply.


Keep variables clean—terraform.tfvars should be the only place you swap environment-specific values.


Turn on diagnostics and logging from day one; it saves hours of troubleshooting.


Start with opinionated defaults (regions, tags, SKUs) and relax only when requirements demand it.


How to try it


Clone the repo and review terraform.tfvars for your subscription IDs, regions, and CIDR blocks.


Run terraform init, then terraform plan to validate changes.


Run terraform apply to stand up the landing zone, then validate the load balancer endpoints and VNet peering.


Why this matters


A solid landing zone reduces time-to-delivery for new workloads, enforces guardrails by default, and keeps operations observable. With everything in Terraform, it’s easy to iterate, review, and roll forward confidently.


Feel free to ask if you want the exact module layout, sample terraform.tfvars, or diagrams of the hub-and-spoke plus load balancer flow.

