Brownfield landing zone considerations
A brownfield deployment is an existing environment that requires modification to align to the Azure landing zone target architecture and best practices. When you need to resolve a brownfield deployment scenario, consider your existing Microsoft Azure environment as the place to start. This article summarizes guidance found elsewhere in the Cloud Adoption Framework Ready documentation. For more information, see Introduction to the Cloud Adoption Framework Ready methodology.
Resource organization
In a brownfield environment, you've already established your Azure environment. But it's never too late to apply proven resource organization principles now and moving forward. Consider implementing any of the following suggestions:
- If your current environment doesn't use management groups, consider them. Management groups are key to managing policies, access, and compliance across subscriptions at scale. Management groups help guide your implementation.
- If your current environment uses management groups, consider the guidance in management groups when evaluating your implementation.
- If you have existing subscriptions in your current environment, consider the guidance in subscriptions to see if you're using them effectively. Subscriptions act as policy and management boundaries and are scale units.
- If you have existing resources in your current environment, consider using the guidance in naming and tagging to influence your tagging strategy and your naming conventions going forward.
- Azure Policy is useful in establishing and enforcing consistency regarding taxonomic tags.
Security
Refining your existing Azure environment's security posture regarding authentication, authorization, and accounting is an ongoing, iterative process. Consider implementing the following recommendations:
- Make use of Microsoft's top 10 Azure security best practices. This guidance summarizes field-proven guidance from Microsoft cloud solution architects (CSAs) and Microsoft Partners.
- Deploy Microsoft Entra Connect cloud sync to provide your on-premises Active Directory Domain Services (AD DS) users with secure single sign-on (SSO) to your Microsoft Entra ID-backed applications. Another benefit of configuring hybrid identity is that you can enforce Microsoft Entra multifactor authentication (MFA) and Microsoft Entra Password Protection to further protect these identities.
- Provide secure authentication to your cloud apps and Azure resources by using Microsoft Entra Conditional Access.
- Implement Microsoft Entra Privileged Identity Management to ensure least-privilege access and deep reporting in your entire Azure environment. Teams should begin recurring access reviews to ensure the right people and service principals have current and correct authorization levels. Also, study the Cloud Adoption Framework access control guidance.
- Make use of the recommendations, alerting, and remediation capabilities of Microsoft Defender for Cloud. Your security team can also integrate Microsoft Defender for Cloud into Microsoft Sentinel if they need a more robust, centrally managed hybrid and multicloud Security Information Event Management (SIEM)/Security Orchestration and Response (SOAR) solution.
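The Conditional Access recommendation above can be expressed as a policy object in the shape the Microsoft Graph `conditionalAccess/policies` API accepts. This is an added example, not from this article or from Microsoft's guidance; the group ID is a placeholder for an existing break-glass group, and the policy is created in report-only state so that an established brownfield tenant can observe the impact before enforcement.

```json
{
  "displayName": "Require MFA for all users (constructed example)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["<break-glass-group-object-id-placeholder>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  }
}
```

Review the sign-in logs for report-only results, then switch `state` to `enabled` once the excluded emergency-access accounts are confirmed to work.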
Governance
Like Azure security, Azure governance isn't a "one and done" proposition. Rather, it's an ever-evolving process of standardization and compliance enforcement. Consider implementing the following controls:
- Review our guidance for establishing a management baseline for your hybrid or multicloud environment.
- Implement Microsoft Cost Management features like billing scopes, budgets, and alerts to ensure your Azure spend stays within prescribed bounds.
- Use Azure Policy to enforce governance guardrails on Azure deployments, and trigger remediation tasks to bring existing Azure resources into a compliant state.
- Consider Microsoft Entra entitlement management to automate Azure requests, access assignments, reviews, and expiration.
- Apply Azure Advisor recommendations to ensure cost optimization and operational excellence in Azure, both of which are core principles of the Microsoft Azure Well-Architected Framework.
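The tag-consistency point in the Resource organization section and the remediation-task point above can be combined in one custom Azure Policy definition. This is an added example, not from this article or the Cloud Adoption Framework: a `modify` policy that copies a taxonomic tag from the parent resource group onto any resource that lacks it, so that existing resources in a brownfield subscription can be brought into compliance by a remediation task rather than only blocking new ones. The tag name `costCenter` is an assumed default, and the role definition referenced is the built-in Contributor role that the remediation identity needs in order to write tags.

```json
{
  "properties": {
    "displayName": "Inherit a required tag from the resource group if missing",
    "description": "Constructed example: copies the tag from the parent resource group to resources that lack it.",
    "policyType": "Custom",
    "mode": "Indexed",
    "parameters": {
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag name",
          "description": "Taxonomic tag to enforce, for example costCenter"
        },
        "defaultValue": "costCenter"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "exists": "false"
          },
          {
            "value": "[resourceGroup().tags[parameters('tagName')]]",
            "notEquals": ""
          }
        ]
      },
      "then": {
        "effect": "modify",
        "details": {
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "operations": [
            {
              "operation": "add",
              "field": "[concat('tags[', parameters('tagName'), ']')]",
              "value": "[resourceGroup().tags[parameters('tagName')]]"
            }
          ]
        }
      }
    }
  }
}
```

Assign the definition at a management group scope with a managed identity, then create a remediation task for the assignment; new resources are tagged at creation and existing ones are tagged by the task.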
Networking
It's true that refactoring an already established Azure virtual network (VNet) infrastructure can be a heavy lift for many businesses. That said, consider incorporating the following guidance into your network design, implementation, and maintenance efforts:
- Review our best practices for planning, deploying, and maintaining Azure VNet hub and spoke topologies.
- Consider Azure Virtual Network Manager (Preview) to centralize network security group (NSG) security rules across multiple VNets.
- Azure Virtual WAN unifies networking, security, and routing to help businesses build hybrid cloud architectures more safely and quickly.
- Access Azure data services privately with Azure Private Link. The Private Link service ensures your users and applications communicate with key Azure services by using the Azure backbone network and private IP addresses instead of over the public Internet.
Next steps
Now that you have an overview of Azure brownfield environment considerations, here are some related resources to review: