# Cloud for Sovereignty Landing Zone Deployment Guide

**Last Updated**: 2025-01-27

**Management Group**: SOVEREIGN-ORDER-OF-HOSPITALLERS

**Framework**: Azure Well-Architected Framework + Cloud for Sovereignty

## Overview

This guide walks through deploying a complete Cloud for Sovereignty landing zone across seven non-US commercial Azure regions (all of them in Europe), following Azure Well-Architected Framework principles.

## Prerequisites

1. **Azure Subscription** with access to the management group
2. **Management Group**: `SOVEREIGN-ORDER-OF-HOSPITALLERS` must exist
3. **Azure CLI** installed and authenticated
4. **Terraform** >= 1.5.0 installed
5. **Environment Variables** configured in a `.env` file (keep the file out of version control)

## Architecture Overview

### Management Group Hierarchy

```
SOVEREIGN-ORDER-OF-HOSPITALLERS (Root)
├── Landing Zones
│   ├── Platform
│   ├── Sandbox
│   └── Workloads
├── Management
│   ├── Identity
│   ├── Security
│   └── Monitoring
└── Connectivity
    ├── Hub Networks
    └── Spoke Networks
```

### Regional Architecture

Each region (7 total) includes:

- Hub Virtual Network (gateway, firewall, management)
- Spoke Virtual Network (application, database, storage)
- Azure Firewall
- Key Vault with private endpoint
- Log Analytics Workspace
- Storage Account with private endpoint

## Deployment Steps

### Step 1: Validate Environment

```bash
# Load and validate environment variables
source infra/scripts/azure-load-env.sh

# Verify management group exists
az account management-group show --name SOVEREIGN-ORDER-OF-HOSPITALLERS
```

### Step 2: Deploy Management Group Hierarchy

```bash
cd infra/terraform/management-groups

# Initialize Terraform
terraform init

# Review the plan and save it, so apply runs exactly what was reviewed
terraform plan -out=tfplan -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS"

# Apply the saved plan
terraform apply tfplan
```

This creates:

- Landing Zones management group
- Platform, Sandbox, and Workloads groups
- Management group (Identity, Security, Monitoring)
- Connectivity group (Hub Networks, Spoke Networks)

### Step 3: Deploy Sovereignty Policies

```bash
cd ../policies

# Initialize Terraform
terraform init

# Review the plan and save it
terraform plan -out=tfplan -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS"

# Apply the saved plan
terraform apply tfplan
```

This creates and assigns:

- Allowed locations policy (non-US regions only)
- Deny US regions policy
- Require data residency tags
- Require encryption at rest
- Require resource tags
- Policy initiative for sovereignty compliance

Two checks worth making before the assignments go live: the allowed-locations rule must also permit `global`, otherwise resources that have no region (DNS zones, Traffic Manager profiles) are denied, and resource groups are not evaluated by the resource-level rule, so they need the separate "Allowed locations for resource groups" policy. If the subscriptions under the management group already contain resources, assign with `enforcementMode` set to `DoNotEnforce` first and review the audit results before switching to deny.

### Step 4: Deploy Multi-Region Landing Zones

```bash
cd ../multi-region

# Initialize Terraform
terraform init

# Review the plan (all regions) and save it
terraform plan -out=tfplan \
  -var="environment=dev" \
  -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS" \
  -var="deploy_all_regions=true"

# Apply the saved plan
terraform apply tfplan
```

This deploys landing zones to:

1. West Europe (Netherlands) - Primary
2. North Europe (Ireland) - Secondary
3. UK South (London)
4. Switzerland North (Zurich)
5. Norway East (Oslo)
6. France Central (Paris)
7. Germany West Central (Frankfurt)

### Step 5: Verify Deployment

```bash
# Check resource groups
az group list --query "[?contains(name, 'az-')]" --output table

# Check Key Vaults
az keyvault list --query "[?contains(name, 'az-')]" --output table

# Check Virtual Networks
az network vnet list --query "[?contains(name, 'az-')]" --output table

# Policy evaluation runs on a schedule; trigger a scan so the compliance data
# covers the resources just created, then list anything non-compliant
az policy state trigger-scan
az policy state list --filter "complianceState eq 'NonCompliant'" \
  --query "[].{Resource:resourceId, Policy:policyDefinitionName}" --output table
```

The `contains(name, 'az-')` filters assume the `az-` naming prefix used by the Terraform modules; adjust them if the naming convention differs.

## Automated Deployment

Use the deployment script for automated deployment:

```bash
./infra/scripts/deploy-sovereignty-landing-zone.sh
```

This script:

1. Loads environment variables
2. Deploys management group hierarchy
3. Deploys sovereignty policies
4. Deploys multi-region landing zones
5. Provides deployment summary
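The policies assigned in Step 3 only report a violation after a resource exists (and, as Step 5 notes, after the next evaluation). The same rules can be enforced on the saved plan from Step 4 before `terraform apply`, so a resource headed for the wrong region never gets created. The gate below is an added example written for this guide, not the repository's own tooling; it reads the JSON that `terraform show -json tfplan` emits. The tag names (`data_residency`, `environment`, `owner`), the exemption of `global` and location-less resources, and the expectation that the modules set `public_network_access_enabled = false` on `azurerm_key_vault` and `azurerm_storage_account` are assumptions about the modules, not statements from this guide; the sample plan is constructed.

```python
"""Pre-apply sovereignty gate over `terraform show -json tfplan` output.

Added example, not part of the repository. It mirrors the Step 3 policies:
allowed (non-US) locations, an explicit US-region deny, required tags, and
private-only network access on Key Vault and Storage. Tag names and the
private-only resource types are assumptions documented below.
"""
import json
import re
import sys

# The seven regions Step 4 deploys to, in Azure's short-name form.
ALLOWED_LOCATIONS = {
    "westeurope", "northeurope", "uksouth", "switzerlandnorth",
    "norwayeast", "francecentral", "germanywestcentral",
}
# Assumed names for the "Require data residency tags" / "Require resource tags" policies.
REQUIRED_TAGS = ("data_residency", "environment", "owner")
# azurerm resource types whose public endpoint must be off (assumed module behaviour).
PRIVATE_ONLY_TYPES = {"azurerm_key_vault", "azurerm_storage_account"}
# eastus, westus2, southcentralus, eastus2euap, usgovvirginia ... but not australiaeast.
_US_REGION = re.compile(r"^(us.*|.*centralus\d*|.*(east|west|north|south)us\d*(euap)?)$")


def normalize_location(location):
    """'West Europe' -> 'westeurope' (Terraform accepts either spelling)."""
    return re.sub(r"\s+", "", location).lower()


def is_us_region(location):
    return bool(_US_REGION.match(normalize_location(location)))


def check_resource(change):
    """Violations for one entry of plan['resource_changes']; [] if compliant."""
    violations = []
    actions = change["change"]["actions"]
    if change.get("mode") == "data" or actions in (["delete"], ["no-op"]):
        return violations  # nothing new is being placed anywhere
    after = change["change"].get("after") or {}
    address = change["address"]

    location = after.get("location")
    if location is not None:  # peerings, role assignments etc. carry no location
        loc = normalize_location(location)
        if is_us_region(loc):
            violations.append(f"{address}: location {loc} is a US region (deny policy)")
        elif loc != "global" and loc not in ALLOWED_LOCATIONS:
            violations.append(f"{address}: location {loc} not in allowed locations")

        tags = after.get("tags") or {}
        for tag in REQUIRED_TAGS:
            if not tags.get(tag):
                violations.append(f"{address}: missing required tag '{tag}'")
        # A residency tag that disagrees with the real location would falsify the
        # inventory the tag exists to produce, so it is checked against the location.
        if tags.get("data_residency") and normalize_location(tags["data_residency"]) != loc:
            violations.append(f"{address}: data_residency tag '{tags['data_residency']}' != location {loc}")

    if change["type"] in PRIVATE_ONLY_TYPES and after.get("public_network_access_enabled") is not False:
        violations.append(f"{address}: public_network_access_enabled must be false (private endpoint only)")
    return violations


def check_plan(plan):
    """All violations in a plan document; an empty list means the plan may be applied."""
    violations = []
    for change in plan.get("resource_changes", []):
        violations.extend(check_resource(change))
    return violations


# Constructed plan fragment in the shape of `terraform show -json`: four
# resources, three of which break a rule.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "module.kv.azurerm_key_vault.this", "type": "azurerm_key_vault",
     "change": {"actions": ["create"], "after": {
         "location": "West Europe",
         "tags": {"data_residency": "westeurope", "environment": "dev", "owner": "platform"},
         "public_network_access_enabled": False}}},
    {"address": "module.st.azurerm_storage_account.this", "type": "azurerm_storage_account",
     "change": {"actions": ["create"], "after": {
         "location": "eastus",
         "tags": {"data_residency": "eastus", "environment": "dev", "owner": "platform"},
         "public_network_access_enabled": False}}},
    {"address": "module.net.azurerm_virtual_network.hub", "type": "azurerm_virtual_network",
     "change": {"actions": ["create"], "after": {
         "location": "northeurope",
         "tags": {"data_residency": "westeurope", "environment": "dev"}}}},
    {"address": "module.kv2.azurerm_key_vault.this", "type": "azurerm_key_vault",
     "change": {"actions": ["update"], "after": {
         "location": "uksouth",
         "tags": {"data_residency": "uksouth", "environment": "dev", "owner": "platform"},
         "public_network_access_enabled": True}}},
]}


def main(path=None):
    """Exit status 1 when the plan (file path, or the sample) has violations."""
    if path:
        with open(path) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    problems = check_plan(plan)
    for line in problems:
        print("DENY", line)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it between the plan and apply of Step 4 (`terraform show -json tfplan > plan.json && python3 sovereignty_gate.py plan.json`); a non-zero exit fails the pipeline before anything is created. The US-region check is kept separate from the allow-list on purpose, mirroring the two policies, so a later widening of the allow-list cannot silently admit a US region.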
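Step 4 creates 14 virtual networks, and the hub-to-spoke peering described under Network Architecture below is refused by Azure if the two address spaces overlap; if the regions are ever peered with each other, all 14 must be pairwise disjoint. Azure also rejects a gateway subnet not named `GatewaySubnet` or smaller than a /27, and a firewall subnet not named `AzureFirewallSubnet` or smaller than a /26. The script below, an added example and not part of the repository's Terraform, derives an address plan for the seven regions from one supernet and validates it against those rules before the plan is handed to Terraform. The 10.0.0.0/8 supernet, the per-region /16 slots and the names and sizes of the non-reserved subnets are assumptions; the broken plan is constructed to show the failure cases.

```python
"""Address plan for the seven hub/spoke pairs in Step 4, validated the way
Azure validates it at subnet-creation and VNet-peering time.

Added example for this guide, not the repository's Terraform. Assumptions: a
10.0.0.0/8 supernet with one /16 per VNet (10.<2i>.0.0/16 hub and
10.<2i+1>.0.0/16 spoke for region i) and the sizes of the non-reserved subnets.
The names GatewaySubnet / AzureFirewallSubnet and their minimum sizes are Azure's rules.
"""
import ipaddress
import json

REGIONS = ["westeurope", "northeurope", "uksouth", "switzerlandnorth",
           "norwayeast", "francecentral", "germanywestcentral"]

# Azure-reserved subnet names -> largest prefix length (smallest subnet) Azure accepts.
RESERVED_SUBNETS = {"GatewaySubnet": 27, "AzureFirewallSubnet": 26}


def plan_region(index, location):
    """Hub and spoke VNets for one region, each with its three subnets."""
    hub = ipaddress.ip_network(f"10.{2 * index}.0.0/16")
    spoke = ipaddress.ip_network(f"10.{2 * index + 1}.0.0/16")
    h, s = hub.network_address, spoke.network_address
    return {
        "location": location,
        "hub": {"address_space": hub, "subnets": {
            "GatewaySubnet": ipaddress.ip_network(f"{h}/27"),              # VPN/ExpressRoute
            "AzureFirewallSubnet": ipaddress.ip_network(f"{h + 256}/26"),  # Azure Firewall
            "snet-management": ipaddress.ip_network(f"{h + 512}/24"),
        }},
        "spoke": {"address_space": spoke, "subnets": {
            "snet-application": ipaddress.ip_network(f"{s}/22"),
            "snet-database": ipaddress.ip_network(f"{s + 1024}/24"),  # delegated subnet
            "snet-storage": ipaddress.ip_network(f"{s + 1280}/24"),   # private endpoints
        }},
    }


def build_plan(regions=REGIONS):
    return [plan_region(i, loc) for i, loc in enumerate(regions)]


def validate(plan):
    """Problems Azure would reject; an empty list means the plan is deployable."""
    problems = []
    vnets = []  # every VNet in the estate: peering needs all of them pairwise disjoint
    for region in plan:
        if "AzureFirewallSubnet" not in region["hub"]["subnets"]:
            problems.append(f"{region['location']}/hub: Azure Firewall needs a subnet named AzureFirewallSubnet")
        for role in ("hub", "spoke"):
            vnet, name = region[role], f"{region['location']}/{role}"
            space = vnet["address_space"]
            vnets.append((name, space))
            subnets = list(vnet["subnets"].items())
            for sname, snet in subnets:
                if not snet.subnet_of(space):
                    problems.append(f"{name}: subnet {sname} {snet} lies outside {space}")
                limit = RESERVED_SUBNETS.get(sname)
                if limit is not None and snet.prefixlen > limit:
                    problems.append(f"{name}: {sname} must be at least a /{limit}, got /{snet.prefixlen}")
            for i, (a_name, a) in enumerate(subnets):
                for b_name, b in subnets[i + 1:]:
                    if a.overlaps(b):
                        problems.append(f"{name}: subnets {a_name} and {b_name} overlap")
    for i, (a_name, a) in enumerate(vnets):
        for b_name, b in vnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"VNets {a_name} {a} and {b_name} {b} overlap; peering would be refused")
    return problems


def broken_plan():
    """Constructed failure case: region 2's spoke reuses region 1's spoke space,
    and region 1's GatewaySubnet is shrunk below the /27 minimum."""
    plan = build_plan(REGIONS[:2])
    plan[1]["spoke"] = plan_region(0, "dup")["spoke"]
    plan[0]["hub"]["subnets"]["GatewaySubnet"] = ipaddress.ip_network("10.0.0.0/28")
    return plan


def to_tfvars(plan):
    """Flatten the plan into the string CIDRs a Terraform variable file carries."""
    out = {}
    for region in plan:
        for role in ("hub", "spoke"):
            vnet = region[role]
            out[f"{region['location']}_{role}"] = {
                "address_space": str(vnet["address_space"]),
                "subnets": {n: str(s) for n, s in vnet["subnets"].items()},
            }
    return out


if __name__ == "__main__":
    plan = build_plan()
    problems = validate(plan)
    print("\n".join(problems) if problems else json.dumps(to_tfvars(plan), indent=2))
```

The generated JSON can be written to a `.tfvars.json` file and fed to `terraform plan -var-file=...`; keeping the allocation in one generated artifact, rather than typed per region, is what makes the overlap check meaningful.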
## Regional Resources

### Per Region Resources

Each region deployment creates:

- **1 Resource Group**
- **2 Virtual Networks** (Hub + Spoke)
- **6 Subnets** (3 hub + 3 spoke)
- **1 Azure Firewall**
- **1 Public IP** (for firewall)
- **2 VNet Peerings** (hub ↔ spoke)
- **1 Key Vault** (with private endpoint)
- **1 Log Analytics Workspace**
- **1 Storage Account** (with private endpoint)
- **2 Private Endpoints** (Key Vault + Storage)

### Total Resources (7 regions)

- **7 Resource Groups**
- **14 Virtual Networks**
- **42 Subnets**
- **7 Azure Firewalls**
- **7 Public IPs**
- **14 VNet Peerings**
- **7 Key Vaults**
- **7 Log Analytics Workspaces**
- **7 Storage Accounts**
- **14 Private Endpoints**

## Network Architecture

### Hub Network

- **Gateway Subnet**: VPN/ExpressRoute connectivity (Azure requires the name `GatewaySubnet` and at least a /27)
- **Azure Firewall Subnet**: Centralized security (Azure requires the name `AzureFirewallSubnet` and at least a /26)
- **Management Subnet**: Management and monitoring

### Spoke Network

- **Application Subnet**: Application workloads
- **Database Subnet**: Database servers (with delegation)
- **Storage Subnet**: Storage private endpoints

### Connectivity

- Hub and Spoke connected via VNet peering
- Hub allows gateway transit
- Spoke uses remote gateways (this peering setting is only accepted once a VPN or ExpressRoute gateway actually exists in the hub's `GatewaySubnet`; deploy the gateway first, or leave the flag off until it exists)

Peering is refused if the hub and spoke address spaces overlap, so the address plan must keep every VNet disjoint, across all 14 if the regions are ever connected to each other.

## Security Features

### Data Sovereignty

- **Private Endpoints**: All PaaS services use private endpoints (with public network access disabled on Key Vault and Storage; a private endpoint alone does not close the public endpoint)
- **Customer-Managed Keys**: Encryption with Key Vault
- **Data Residency Tags**: All resources tagged with region
- **Network Isolation**: Hub-and-spoke architecture

### Compliance

- **Azure Policies**: Enforce location and encryption
- **Tagging**: Required tags for governance
- **Audit Logging**: Log Analytics for all regions
- **Access Control**: RBAC and management groups

## Cost Estimation

### Per Region (Monthly)

- Virtual Networks: ~$50
- Azure Firewall: ~$1,200 (Standard SKU)
- Key Vault: ~$15 (Premium SKU)
- Log Analytics: ~$200-500 (data ingestion)
- Storage Account: ~$50-200 (depending on usage)
- Private Endpoints: ~$35 (2 endpoints)

**Total per region**: ~$1,550-2,000/month

### Multi-Region (7 regions)

- **Development**: ~$10,850-14,000/month
- **Production**: ~$15,000-20,000/month (with higher usage)

## Monitoring

### Regional Monitoring

Each region has:

- Log Analytics Workspace
- Application Insights ready
- Azure Monitor metrics
- Network Watcher

### Centralized Monitoring

- Cross-region querying
- Centralized dashboards
- Alert rules per region
- Cost tracking per region

## Disaster Recovery

### Regional Failover

- Primary: West Europe
- Secondary: North Europe
- Backup regions: Other 5 regions

### RTO/RPO

- **RTO**: 4 hours
- **RPO**: 1 hour

### DR Strategy

1. Automated failover for critical services
2. Manual failover for non-critical services
3. Geo-replication for storage
4. Cross-region backup

## Next Steps

After deployment:

1. **Configure Application Workloads**
   - Deploy AKS clusters per region
   - Configure application networking
   - Set up application monitoring
2. **Set Up Monitoring**
   - Create Grafana dashboards
   - Configure alert rules
   - Set up cost alerts
3. **Implement Security**
   - Configure Azure Firewall rules
   - Set up Microsoft Defender for Cloud
   - Configure Microsoft Sentinel (formerly Azure Sentinel)
4. **Optimize Costs**
   - Review resource usage
   - Implement reserved instances
   - Optimize storage tiers

## Troubleshooting

### Management Group Not Found

```bash
# Verify management group exists
az account management-group show --name SOVEREIGN-ORDER-OF-HOSPITALLERS

# Create if needed (requires permission to create management groups under the tenant root)
az account management-group create --name SOVEREIGN-ORDER-OF-HOSPITALLERS
```

### Policy Assignment Fails

```bash
# Check policy assignments at the management group
az policy assignment list --scope "/providers/Microsoft.Management/managementGroups/SOVEREIGN-ORDER-OF-HOSPITALLERS"

# Verify the deploying identity holds Resource Policy Contributor (or Owner) at that scope
az role assignment list \
  --assignee "$(az account show --query user.name --output tsv)" \
  --scope "/providers/Microsoft.Management/managementGroups/SOVEREIGN-ORDER-OF-HOSPITALLERS" \
  --include-inherited --output table
```

### Region Deployment Fails

```bash
# Check resource provider registration (must be "Registered")
az provider show --namespace Microsoft.Network --query registrationState --output tsv
az provider register --namespace Microsoft.Network

# Check compute and network quotas in the failing region
az vm list-usage --location westeurope --output table
az network list-usages --location westeurope --output table
```

## References

- [Azure Well-Architected Framework](https://docs.microsoft.com/azure/architecture/framework/)
- [Cloud for Sovereignty](https://azure.microsoft.com/solutions/sovereignty/)
- [Azure Landing Zones](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/landing-zone/)
- [Management Groups](https://docs.microsoft.com/azure/governance/management-groups/)