Landing Zones & Cloud Foundations

The baseline of accounts, identities, networks, logging, and guardrails every workload lands into. Vendor-neutral guide to what a foundation is, the building blocks every one has, and how AWS, Azure, and GCP reference designs compare.

A modern server room featuring network equipment with blue illumination
Photo by panumas nikhomkhai on Pexels

· · Vendor-neutral · View source on GitHub

The 30-second version: A landing zone (a.k.a. cloud foundation) is the baseline of accounts, identities, networks, logging sinks, and guardrails that workloads land into when they're deployed. The point is that every workload - the second one, the fiftieth, the five-hundredth - starts from the same identity model, network segmentation, log aggregation, and policy-as-code guardrails, instead of whatever the team that built it decided in the moment.

Every cloud has a reference design: AWS Control Tower / Landing Zone Accelerator, Azure Cloud Adoption Framework landing zones, GCP Enterprise Foundations Blueprint. The shapes look different; the building blocks underneath are the same.

On this page

  1. What a landing zone actually is
  2. Why it exists - the problem it solves
  3. The eight building blocks every landing zone has
  4. AWS, Azure, and GCP side-by-side
  5. AWS - Control Tower & Landing Zone Accelerator
  6. Azure - Cloud Adoption Framework landing zones
  7. GCP - Enterprise Foundations Blueprint
  8. Maturity stages - day 1 vs day 500
  9. When you do not need a landing zone
  10. Bootstrapping path
  11. Common pitfalls
  12. Further reading
  13. FAQ

What a landing zone actually is

Strip the marketing off and a landing zone is six concrete things, deployed once and reused by every workload that follows:

  1. A resource hierarchy - folders or organizational units that group accounts/subscriptions/projects by environment and business unit.
  2. An identity baseline - your SSO provider federated to the cloud, group-based access, no long-lived root credentials.
  3. A shared network - central VPC/VNet topology (often hub-and-spoke), private connectivity to on-prem, no public egress by default.
  4. A logging spine - aggregated audit, flow, and resource logs flowing to a centralized security project for long-term retention.
  5. A policy spine - organization-level guardrails that pre-block risky configurations everywhere (no public buckets, no internet-routable SGs in prod, no unencrypted databases).
  6. A delivery pipeline - the IaC repository, review process, and deploy pipeline that's the only thing allowed to change foundation resources.

Everything else workloads bring themselves. The foundation gives them a defined surface to land on.

Why it exists - the problem it solves

Two organizations adopt cloud. Both end up with 200 workloads after three years.

Org A built their first workload by hand. Team-by-team, every subsequent workload made similar decisions independently - its own log destination, its own VPC, its own IAM role naming, its own MFA enforcement. Audit asks "where are all your CloudTrail logs going?" and the answer is "uh, depends on the team." Their blast radius is the whole org because a compromise in one workload's permissions can reach others' data.

Org B stood up a landing zone first. Their second workload landed on it, then their fiftieth, then their two-hundredth. All 200 dump logs into the same security project, use the same SSO groups for access, sit in the same Shared VPC with the same egress controls, and are pre-blocked by the same org policies from creating public buckets in prod. Audit asks the same question; the answer is "one project, here's the dashboard."

The landing zone is the difference between those two paths. It's not faster on day one - it's slower. It pays off on day 200, when the cost of fixing 199 different patterns is much higher than the cost of building one good pattern up front.

The same logic applies at smaller scale: any time you have more than one team deploying to more than one environment, the foundation eliminates a whole class of "where does this go?" decisions.

The eight building blocks every landing zone has

Every cloud's reference design organizes the same eight ideas. The names and tooling differ - the underlying capabilities don't.

1. Resource hierarchy

Accounts/subscriptions/projects organized in a folder tree by environment (prod, non-prod, sandbox) and business unit. Boundaries for billing, policy, and access.

2. Identity & SSO

Your IdP (Okta, Entra, Google Workspace) federated to the cloud. Group-based access, no long-lived root keys, MFA enforced everywhere.

3. Shared network

Hub-and-spoke or transit topology. Private connectivity to on-prem (Direct Connect/ExpressRoute/Interconnect). No public egress by default.

4. Centralized logging

Aggregated audit, flow, and resource logs sunk to a dedicated security account for long-term retention, analysis, and SIEM export.

5. Policy guardrails

Org-level policy-as-code (SCPs, Azure Policy, Org Policy) pre-blocking risky configs - no public buckets in prod, no IMDSv1, no unencrypted disks.

6. Encryption & secrets

Centrally managed KMS keys and a secrets-management project (Secret Manager / Key Vault / Secrets Manager) with audited access.

7. Account vending

A self-service way for teams to request a new account/subscription/project that arrives pre-wired into the foundation - IaM, network, logging, policies all attached.

8. Detective controls

Security Hub / Defender for Cloud / Security Command Center surfacing findings centrally, plus a feedback loop to remediation.

From above contemporary server cable trays in a modern data center
Photo by Brett Sayles on Pexels

AWS, Azure, and GCP side-by-side

Each cloud ships a reference landing-zone implementation. The names differ. The capabilities map nearly one-to-one:

Building block AWS Azure GCP
Hierarchy AWS Organizations, OUs, accounts Management groups, subscriptions Organization, folders, projects
Identity IAM Identity Center (SSO) + permission sets Entra ID + role assignments Cloud Identity + IAM allow policies
Network Transit Gateway, network account Hub VNet, Azure Firewall, Virtual WAN Shared VPC, host project
Logging Org-wide CloudTrail to log archive account Activity log + diagnostic settings to Log Analytics workspace Aggregated log sinks to security project
Policy Service Control Policies (SCPs) Azure Policy + initiatives Organization Policy constraints
Encryption KMS + Secrets Manager Key Vault Cloud KMS + Secret Manager
Account vending Control Tower Account Factory / AFT Subscription vending via Bicep / Terraform Project factory (Terraform)
Detection Security Hub, GuardDuty Defender for Cloud, Sentinel Security Command Center
Reference design Control Tower + Landing Zone Accelerator CAF Enterprise-Scale landing zones (ALZ) Enterprise Foundations Blueprint

Anyone who's built a landing zone on one cloud has 80% of the conceptual model needed to build one on another. The remaining 20% is the cloud-specific quirks of each service - and that's where the multi-day reading lives.

AWS - Control Tower & Landing Zone Accelerator

AWS ships two overlapping reference designs. Knowing which is which matters when someone tells you their "landing zone."

AWS Control Tower

An AWS-managed service that provisions and continuously governs a multi-account landing zone. Low-code, opinionated, with a console-driven experience and a built-in Account Factory for vending new accounts. Includes mandatory and elective guardrails (SCPs + AWS Config rules) and a managed Audit and Log Archive account out of the box. The right choice if you want AWS to own the wiring.

Landing Zone Accelerator (LZA)

An open-source AWS Solution (CloudFormation + CDK) that deploys a more comprehensive baseline - more security services, more customizable network architectures, support for regulated workloads. Can run on top of Control Tower. The right choice if you need more control than Control Tower's opinionations allow (custom regions, specific compliance frameworks like FedRAMP, ITAR).

The key AWS-specific decisions

Azure - Cloud Adoption Framework landing zones

Microsoft's reference is the CAF Enterprise-Scale landing zone (often abbreviated "ALZ" - Azure Landing Zone). Unlike AWS, Azure's reference is a documented architecture plus reference IaC (Bicep, Terraform, ARM) - there's no single managed service that is the landing zone.

The CAF design

A management-group tree (Tenant Root → Top-Level MG → Platform, Landing Zones, Decommissioned, Sandbox) with subscriptions hanging off the right MGs. Platform MG holds the Connectivity, Identity, and Management subscriptions; Landing Zones MG holds workload subscriptions for application teams.

The key Azure-specific decisions

Implementation choice: Enterprise-Scale (ESLZ) reference repo, ALZ-Bicep, Terraform module, or the portal-driven Azure landing zone accelerator. All deploy roughly the same architecture.

GCP - Enterprise Foundations Blueprint

Google's reference is the Enterprise Foundations Blueprint (formerly the Security Foundations Blueprint). Like Azure, it's a documented design + reference Terraform (terraform-example-foundation) - not a single managed service.

The blueprint design

One organization at the top. A folder hierarchy by environment (production, non-production, development) and by business unit. Projects under each folder, grouped by purpose (workload projects, host projects for Shared VPC, security projects for centralized services).

The key GCP-specific decisions

Reference repo: terraform-example-foundation on GitHub - every resource the blueprint describes, deployable.

Man analyzing business data and financial graphs on a laptop
Photo by Kaboompics on Pexels

Maturity stages - day 1 vs day 500

You don't deploy the full reference design on day one. Foundations grow with the org:

Stage 1 - Bootstrap (1 account)

One account, SSO from day one, MFA on root, billing alerts on, CloudTrail/Activity Log to a dedicated bucket, baseline guardrails. Do this in any account - it's just hygiene. Cost: an afternoon.

Stage 2 - Separation (3-5 accounts)

Split prod from non-prod from sandbox into separate accounts/subscriptions/projects. Add an OU/MG/folder per environment. Aggregate logs to one of them. Add a few SCPs/Policies on prod. The first real "landing zone."

Stage 3 - Scale (20-50 accounts)

Account vending via IaC. Shared network with hub-and-spoke. Centralized SIEM ingestion. Org-policy library covering 20+ guardrails. Detective controls (Security Hub / Defender / SCC) consolidated. The reference designs assume you're here.

Stage 4 - Enterprise (100+ accounts)

Multi-region failover for the foundation itself. Service perimeters / private-only data planes (VPC-SC, private endpoints). Automated remediation. Compliance frameworks (FedRAMP, PCI, HITRUST) layered as policy initiatives. A dedicated platform team owning the foundation as a product.

Skipping stages is expensive. A common failure mode is going from Stage 1 to Stage 4 because someone read the reference design and tried to deploy all of it at once - you end up with a complex foundation no one understands. Build incrementally; the reference designs are the destination, not the starting point.

When you do not need a landing zone

Foundations are overhead. The overhead pays off when you have multiple teams, environments, and workloads. If you don't, it's pure cost.

The rule of thumb: if your second workload is six months away, you don't need a landing zone yet. If your second workload is six weeks away, you needed one yesterday.

Bootstrapping path

For anyone standing up a foundation from scratch, a sane order of operations:

  1. Pick a reference - Control Tower + LZA on AWS; ALZ on Azure; the Enterprise Foundations Blueprint on GCP. Don't invent your own - every "we built our own landing zone" story I've seen ended in a rewrite within three years.
  2. Stand up identity first. SSO from your IdP, group-to-role mappings, MFA enforced, root accounts locked away. Nothing else matters if identity is broken.
  3. Stand up the log spine second. One destination per log type (audit, flow, data-access). Retention policies. Sink into your SIEM (or just into a bucket/storage account/dataset for now).
  4. Stand up the hierarchy third. Three top-level folders/OUs/MGs - prod, non-prod, sandbox - even if you have one workload. The hierarchy is cheap; restructuring later is expensive.
  5. Layer in the network. Shared VPC / hub VNet / TGW once you have more than one workload that needs to talk privately. Skip if you don't.
  6. Layer in guardrails as needed. Don't deploy 100 SCPs/Policies on day one - pick the highest-leverage 10 (no public buckets, deny outside approved regions, require encryption, deny disabling logs) and grow the library as patterns emerge.
  7. Wire deploy through CI/CD. Foundation changes go through a pipeline with code review; no console writes in prod. Same model as application deploys - see our cloud deployment page for the small-scale version of this idea.
  8. Vending last. Once you have a working foundation, automate the "new account" path so app teams can self-serve. Don't write account-factory code before you have a working foundation to put accounts into.

Realistic time investment for a small org doing this with a focused team: 2-3 months to a usable Stage 2; 6-12 months to a credible Stage 3. The reference designs are larger and assume larger teams; they're not deliverables-in-a-quarter.

Common pitfalls

Further reading

Reference designs

Frameworks & benchmarks

Related CSOH pages

FAQ

What is the difference between a "landing zone" and a "cloud foundation"?

In practice, none. "Cloud foundation" is the more vendor-neutral phrasing; "landing zone" originated in AWS terminology and spread to every cloud. Microsoft's docs use both terms; Google's blueprint title says "foundations"; AWS docs say "landing zone." Pick whichever your org uses.

Should I use the cloud vendor's reference or roll my own?

Use the reference. The "we built our own" path almost always reinvents the same patterns the reference already implements - but worse, and undocumented, and abandoned when the original engineer leaves. Customize on top of the reference; don't replace it.

How long does standing up a real landing zone take?

For a focused team using a vendor reference: 4-8 weeks to a credible Stage 2 (separation + logging + basic guardrails); 4-6 months to a credible Stage 3 (vending + shared network + meaningful policy library). The reference design fully deployed is more like a year of work plus an ongoing platform team - but most orgs don't need the full reference.

Does Cloud Adoption Framework work for AWS or just Azure?

"Cloud Adoption Framework" is Microsoft's term. AWS has its own equivalent (the Cloud Adoption Framework for AWS, plus the Well-Architected Framework). Google has the Cloud Architecture Framework. All three are general guidance documents; the landing-zone reference designs are the specific deployable artifacts within them.

Can I use Terraform / OpenTofu for any of these?

Yes - all three clouds publish Terraform reference implementations (LZA has CDK first but Terraform support exists; ALZ has an official Terraform module; the GCP blueprint is Terraform). Vendor IaC (CloudFormation, Bicep, Deployment Manager) is also supported on each respective cloud. Pick what your team operates today.

What about Kubernetes - does the landing zone include cluster baselines?

The classic landing-zone reference designs do not include opinionated Kubernetes baselines. The foundation provides the account / network / logging layer that K8s clusters land into; the cluster-level baseline (Pod Security Standards, network policies, admission controllers, RBAC) is a separate concern. Increasingly orgs deploy a "platform" layer on top of the foundation that includes cluster baselines - but that's an addition, not part of the standard landing-zone reference.

How does this relate to zero trust?

The landing zone is where zero-trust principles get operationalized. "Verify explicitly" means SSO + MFA at the foundation. "Least privilege" means SCP/Policy guardrails at the OU/MG/folder level. "Assume breach" means centralized logging + detective controls. Zero trust is the philosophy; the landing zone is the infrastructure that makes it actually work.

Where next