Azure Enterprise Scale Cheat Sheet

2020, Oct 07    

My Azure Enterprise Scale cheat sheet. It is not a replacement for the documentation, purely a quick reference.



Only key guidance, prescriptive or not, is summarised here.

Landing Zones

  1. Think of it as a network spoke, used for an application or similar group of applications.
  2. Governed, well-managed area for business units to build in.
  3. Cultural/organisational pre-requisites.
  4. Enterprise-scale landing zones provide guidance for architectural decisions.
  5. Landing Zone owners should have subnet creation rights on the vnet
  6. Primary place where AzPolicies are applied in the management group structure


  1. Business units should manage themselves
  2. Azure Policy provides guardrails; don’t insist on centralised control.
  3. Should be used as a unit of management/scale/cost
  4. Use Accounts to separate EA Dev/Test from Production workloads
  5. Clear guidance on when to have a new subscription (scale/management/policy/vnet design)
  6. Dedicated subs for AzMonitor and AzAutomation
  7. Dedicated sub for AD DCs
  8. Dedicated sub for vnet Hub/DNS/ExpressRoute

Management Groups

  1. Management group structures must be considered thoroughly when an organization plans Azure adoption at scale. This is a critical design area.
  2. Use to aggregate AzPolicies
  3. Keep hierarchy as flat as possible, no more than 3-4 levels of hierarchy
  4. Management groups replicate governance, not an OU structure - don’t merge the two
  5. Manage with a dedicated SPN to reduce users with elevated rights
  6. Avoid policies and subscriptions in the root group scope
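
The checks in points 3 and 6, as an added example that is not part of the original cheat sheet or of the Enterprise Scale code. The tree is constructed sample data whose shape is assumed to follow the output of `az account management-group show --expand --recurse`; the group names, the policy assignment pairs and the choice to count levels below the root group are assumptions.

```python
"""Added example: audit a management group tree against the guidance above."""
MG_TYPE = "Microsoft.Management/managementGroups"
SUB_TYPE = "/subscriptions"
MAX_LEVELS = 4  # "no more than 3-4 levels"; counted below the root group (assumption)

def mg(name, *children):
    return {"name": name, "type": MG_TYPE, "children": list(children)}

def sub(name):
    return {"name": name, "type": SUB_TYPE, "children": None}

# Constructed sample tree (hypothetical names), not taken from a real tenant.
SAMPLE_TREE = mg(
    "root-mg",
    sub("sub-legacy"),
    mg("platform", sub("sub-connectivity")),
    mg("landing-zones", mg("corp", mg("emea", mg("retail", mg("stores", sub("sub-stores-prod")))))),
)
# Constructed (policy assignment name, management group it is assigned at) pairs.
SAMPLE_ASSIGNMENTS = [("deny-public-ip", "landing-zones"), ("audit-tags", "root-mg")]

def audit(tree, assignments, max_levels=MAX_LEVELS):
    """Return (rule, detail) findings for hierarchy depth and root-scope usage."""
    root = tree["name"]
    findings = []

    def walk(node, level, path):
        for child in node.get("children") or []:
            if child["type"] == SUB_TYPE:
                if level == 0:  # subscription sits directly in the root group
                    findings.append(("subscription-in-root", child["name"]))
                continue
            child_path = path + [child["name"]]
            if level + 1 > max_levels:  # this group is deeper than the allowed levels
                findings.append(("too-deep", "/".join(child_path)))
            walk(child, level + 1, child_path)

    walk(tree, 0, [root])
    findings += [("policy-at-root", name) for name, scope in assignments if scope == root]
    return findings

if __name__ == "__main__":
    for rule, detail in audit(SAMPLE_TREE, SAMPLE_ASSIGNMENTS):
        print(f"{rule}: {detail}")
```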

Azure AD

  1. MFA/SSO/Conditional access/PIM
  2. Break glass accounts to avoid lockout
  3. Consider different tenants for Dev/Test if a STRONG requirement
  4. Integrate logs with Az Monitor
  5. Use MSI instead of SPs to mitigate credential theft


  1. Use custom roles (samples provided in EntScale)


  1. Use different ranges for different Azure regions (e.g. at the /16 level)
  2. Each AzRegion should have a network Hub (can be in the same sub)
  3. If using ER, use multiple circuits and redundant gateways
  4. Design: Hub and Spoke VS Azure Virtual WAN
  5. If you’re using AzFirewall, make use of Firewall Manager in Virtual WAN
  6. Use DDoS protection for vnets exposed to the internet


  1. Use a centralised Log Analytics workspace in most cases
  2. Leverage WORM AzStorage for long-term log retention
  3. Aim for centralised AzAutomation to provide consistency in automationOps

Other points

PaaS vs IaaS

The enterprise-scale architecture approach favors using Azure-native platform services and capabilities whenever possible.