the_order/docs/deployment/azure/SOVEREIGNTY_LANDING_ZONE_DEPLOYMENT.md
# Cloud for Sovereignty Landing Zone Deployment Guide
**Last Updated**: 2025-01-27

**Management Group**: SOVEREIGN-ORDER-OF-HOSPITALLERS

**Framework**: Azure Well-Architected Framework + Cloud for Sovereignty
## Overview
This guide walks through deploying a complete Cloud for Sovereignty landing zone across all non-US commercial Azure regions, using the Azure Well-Architected Framework principles.
## Prerequisites
1. **Azure Subscription** with access to the management group
2. **Management Group**: `SOVEREIGN-ORDER-OF-HOSPITALLERS` must exist
3. **Azure CLI** installed and authenticated
4. **Terraform** >= 1.5.0 installed
5. **Environment Variables** configured in `.env` file
## Architecture Overview
### Management Group Hierarchy
```
SOVEREIGN-ORDER-OF-HOSPITALLERS (Root)
├── Landing Zones
│   ├── Platform
│   ├── Sandbox
│   └── Workloads
├── Management
│   ├── Identity
│   ├── Security
│   └── Monitoring
└── Connectivity
    ├── Hub Networks
    └── Spoke Networks
```
### Regional Architecture
Each region (7 total) includes:
- Hub Virtual Network (gateway, firewall, management)
- Spoke Virtual Network (application, database, storage)
- Azure Firewall
- Key Vault with private endpoint
- Log Analytics Workspace
- Storage Account with private endpoint
## Deployment Steps
### Step 1: Validate Environment
```bash
# Load and validate environment variables
source infra/scripts/azure-load-env.sh
# Verify management group exists
az account management-group show --name SOVEREIGN-ORDER-OF-HOSPITALLERS
```
### Step 2: Deploy Management Group Hierarchy
```bash
cd infra/terraform/management-groups
# Initialize Terraform
terraform init
# Review plan
terraform plan -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS"
# Apply
terraform apply
```
This creates:
- Landing Zones management group
- Platform, Sandbox, and Workloads groups
- Management group (Identity, Security, Monitoring)
- Connectivity group (Hub Networks, Spoke Networks)
### Step 3: Deploy Sovereignty Policies
```bash
cd ../policies
# Initialize Terraform
terraform init
# Review plan
terraform plan -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS"
# Apply
terraform apply
```
This creates and assigns:
- Allowed locations policy (non-US regions only)
- Deny US regions policy
- Require data residency tags
- Require encryption at rest
- Require resource tags
- Policy initiative for sovereignty compliance
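As an added example (not part of this repository's Terraform), the following is a local dry run of two of the rules above, written in the `policyRule` if/then shape Azure Policy uses, so that a resource inventory can be checked before `terraform apply`. The tag name `DataResidency` and the literal region list (in place of a policy parameter) are assumptions.

```python
# Azure Policy rule bodies in the policyRule if/then shape Azure uses. Region list = the
# seven regions this guide deploys to; tag name and literal list (vs. parameter) are assumed.
ALLOWED_LOCATIONS = ["westeurope", "northeurope", "uksouth", "switzerlandnorth",
                     "norwayeast", "francecentral", "germanywestcentral"]
SOVEREIGNTY_POLICIES = {
    # Allowed locations: deny any resource whose location is not in the list.
    "allowed-locations": {
        "if": {"not": {"field": "location", "in": ALLOWED_LOCATIONS}},
        "then": {"effect": "deny"},
    },
    # Data residency tag: deny resources that do not carry the tag at all.
    "require-data-residency-tag": {
        "if": {"field": "tags['DataResidency']", "exists": "false"},
        "then": {"effect": "deny"},
    },
}


def _field(resource, name):
    """Resolve a policy field alias against a resource dict (location and tags['x'] only)."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[len("tags['"):-2])
    return resource.get(name)


def evaluate_condition(cond, resource):
    """Evaluate the condition subset used above: not, in, exists."""
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = _field(resource, cond["field"])
    if "in" in cond:
        return value in cond["in"]
    if "exists" in cond:  # Azure encodes the operand as the string "true"/"false"
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {cond}")


def check_resource(resource):
    """Return the names of policies whose deny effect would fire for this resource."""
    return [name for name, rule in SOVEREIGNTY_POLICIES.items()
            if rule["then"]["effect"] == "deny" and evaluate_condition(rule["if"], resource)]


if __name__ == "__main__":
    # Constructed samples shaped like `az resource list` output (name, location, tags).
    samples = [
        {"name": "kv-az-weu", "location": "westeurope", "tags": {"DataResidency": "westeurope"}},
        {"name": "kv-az-eus", "location": "eastus", "tags": {"DataResidency": "eastus"}},
        {"name": "st-az-neu", "location": "northeurope", "tags": {}},
    ]
    for r in samples:
        print(r["name"], "->", ", ".join(check_resource(r)) or "compliant")
```

Feeding it the JSON from `az resource list` for a region gives the same deny/allow verdict the management-group assignment would, without waiting for the compliance scan.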
### Step 4: Deploy Multi-Region Landing Zones
```bash
cd ../multi-region
# Initialize Terraform
terraform init
# Review plan (all regions)
terraform plan \
  -var="environment=dev" \
  -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS" \
  -var="deploy_all_regions=true"
# Apply
terraform apply
```
This deploys landing zones to:
1. West Europe (Netherlands) - Primary
2. North Europe (Ireland) - Secondary
3. UK South (London)
4. Switzerland North (Zurich)
5. Norway East (Oslo)
6. France Central (Paris)
7. Germany West Central (Frankfurt)
### Step 5: Verify Deployment
```bash
# Check resource groups
az group list --query "[?contains(name, 'az-')]" --output table
# Check Key Vaults
az keyvault list --query "[?contains(name, 'az-')]" --output table
# Check Virtual Networks
az network vnet list --query "[?contains(name, 'az-')]" --output table
# Check policy compliance
az policy state list --filter "complianceState eq 'NonCompliant'" --query "[].{Resource:resourceId, Policy:policyDefinitionName}" --output table
```
## Automated Deployment
Use the deployment script for automated deployment:
```bash
./infra/scripts/deploy-sovereignty-landing-zone.sh
```
This script:
1. Loads environment variables
2. Deploys management group hierarchy
3. Deploys sovereignty policies
4. Deploys multi-region landing zones
5. Provides deployment summary
## Regional Resources
### Per Region Resources
Each region deployment creates:
- **1 Resource Group**
- **2 Virtual Networks** (Hub + Spoke)
- **6 Subnets** (3 hub + 3 spoke)
- **1 Azure Firewall**
- **1 Public IP** (for firewall)
- **2 VNet Peerings** (hub ↔ spoke)
- **1 Key Vault** (with private endpoint)
- **1 Log Analytics Workspace**
- **1 Storage Account** (with private endpoint)
- **2 Private Endpoints** (Key Vault + Storage)
### Total Resources (7 regions)
- **7 Resource Groups**
- **14 Virtual Networks**
- **42 Subnets**
- **7 Azure Firewalls**
- **7 Public IPs**
- **14 VNet Peerings**
- **7 Key Vaults**
- **7 Log Analytics Workspaces**
- **7 Storage Accounts**
- **14 Private Endpoints**
## Network Architecture
### Hub Network
- **Gateway Subnet**: VPN/ExpressRoute connectivity
- **Azure Firewall Subnet**: Centralized security
- **Management Subnet**: Management and monitoring
### Spoke Network
- **Application Subnet**: Application workloads
- **Database Subnet**: Database servers (with delegation)
- **Storage Subnet**: Storage private endpoints
### Connectivity
- Hub and Spoke connected via VNet peering
- Hub allows gateway transit
- Spoke uses remote gateways
## Security Features
### Data Sovereignty
- **Private Endpoints**: All PaaS services use private endpoints
- **Customer-Managed Keys**: Encryption with Key Vault
- **Data Residency Tags**: All resources tagged with region
- **Network Isolation**: Hub-and-spoke architecture
### Compliance
- **Azure Policies**: Enforce location and encryption
- **Tagging**: Required tags for governance
- **Audit Logging**: Log Analytics for all regions
- **Access Control**: RBAC and management groups
## Cost Estimation
### Per Region (Monthly)
- Virtual Networks: ~$50
- Azure Firewall: ~$1,200 (Standard SKU)
- Key Vault: ~$15 (Premium SKU)
- Log Analytics: ~$200-500 (data ingestion)
- Storage Account: ~$50-200 (depending on usage)
- Private Endpoints: ~$35 (2 endpoints)
**Total per region**: ~$1,550-2,000/month
### Multi-Region (7 regions)
- **Development**: ~$10,850-14,000/month
- **Production**: ~$15,000-20,000/month (with higher usage)
## Monitoring
### Regional Monitoring
Each region has:
- Log Analytics Workspace
- Application Insights ready
- Azure Monitor metrics
- Network Watcher
### Centralized Monitoring
- Cross-region querying
- Centralized dashboards
- Alert rules per region
- Cost tracking per region
## Disaster Recovery
### Regional Failover
- Primary: West Europe
- Secondary: North Europe
- Backup regions: the other 5 regions
### RTO/RPO
- **RTO**: 4 hours
- **RPO**: 1 hour
### DR Strategy
1. Automated failover for critical services
2. Manual failover for non-critical services
3. Geo-replication for storage
4. Cross-region backup
## Next Steps
After deployment:
1. **Configure Application Workloads**
   - Deploy AKS clusters per region
   - Configure application networking
   - Set up application monitoring
2. **Set Up Monitoring**
   - Create Grafana dashboards
   - Configure alert rules
   - Set up cost alerts
3. **Implement Security**
   - Configure Azure Firewall rules
   - Set up Microsoft Defender for Cloud
   - Configure Azure Sentinel
4. **Optimize Costs**
   - Review resource usage
   - Implement reserved instances
   - Optimize storage tiers
## Troubleshooting
### Management Group Not Found
```bash
# Verify management group exists
az account management-group show --name SOVEREIGN-ORDER-OF-HOSPITALLERS
# Create if needed (requires appropriate permissions)
az account management-group create --name SOVEREIGN-ORDER-OF-HOSPITALLERS
```
### Policy Assignment Fails
```bash
# Check policy assignment
az policy assignment list --scope "/providers/Microsoft.Management/managementGroups/SOVEREIGN-ORDER-OF-HOSPITALLERS"
# Verify permissions
az role assignment list --assignee <your-user-id>
```
### Region Deployment Fails
```bash
# Check resource provider registration
az provider list --query "[?namespace=='Microsoft.Network']"
az provider register --namespace Microsoft.Network
# Check quotas
az vm list-usage --location westeurope --output table
```
## References
- [Azure Well-Architected Framework](https://docs.microsoft.com/azure/architecture/framework/)
- [Cloud for Sovereignty](https://azure.microsoft.com/solutions/sovereignty/)
- [Azure Landing Zones](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/)
- [Management Groups](https://docs.microsoft.com/azure/governance/management-groups/)