6a8582e54d
- Add Cloud for Sovereignty landing zone architecture and deployment - Implement complete legal document management system - Reorganize documentation with improved navigation - Add infrastructure improvements (Dockerfiles, K8s, monitoring) - Add operational improvements (graceful shutdown, rate limiting, caching) - Create comprehensive project structure documentation - Add Azure deployment automation scripts - Improve repository navigation and organization
8.2 KiB
8.2 KiB
Cloud for Sovereignty Landing Zone Deployment Guide
Last Updated: 2025-01-27
Management Group: SOVEREIGN-ORDER-OF-HOSPITALLERS
Framework: Azure Well-Architected Framework + Cloud for Sovereignty
Overview
This guide walks through deploying a complete Cloud for Sovereignty landing zone across all non-US commercial Azure regions, using the Azure Well-Architected Framework principles.
Prerequisites
- Azure Subscription with access to management group
- Management Group:
SOVEREIGN-ORDER-OF-HOSPITALLERSmust exist - Azure CLI installed and authenticated
- Terraform >= 1.5.0 installed
- Environment Variables configured in
.envfile
Architecture Overview
Management Group Hierarchy
SOVEREIGN-ORDER-OF-HOSPITALLERS (Root)
├── Landing Zones
│ ├── Platform
│ ├── Sandbox
│ └── Workloads
├── Management
│ ├── Identity
│ ├── Security
│ └── Monitoring
└── Connectivity
├── Hub Networks
└── Spoke Networks
Regional Architecture
Each region (7 total) includes:
- Hub Virtual Network (gateway, firewall, management)
- Spoke Virtual Network (application, database, storage)
- Azure Firewall
- Key Vault with private endpoint
- Log Analytics Workspace
- Storage Account with private endpoint
Deployment Steps
Step 1: Validate Environment
# Load and validate environment variables
source infra/scripts/azure-load-env.sh
# Verify management group exists
az account management-group show --name SOVEREIGN-ORDER-OF-HOSPITALLERS
Step 2: Deploy Management Group Hierarchy
cd infra/terraform/management-groups
# Initialize Terraform
terraform init
# Review plan
terraform plan -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS"
# Apply
terraform apply
This creates:
- Landing Zones management group
- Platform, Sandbox, and Workloads groups
- Management group (Identity, Security, Monitoring)
- Connectivity group (Hub Networks, Spoke Networks)
Step 3: Deploy Sovereignty Policies
cd ../policies
# Initialize Terraform
terraform init
# Review plan
terraform plan -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS"
# Apply
terraform apply
This creates and assigns:
- Allowed locations policy (non-US regions only)
- Deny US regions policy
- Require data residency tags
- Require encryption at rest
- Require resource tags
- Policy initiative for sovereignty compliance
Step 4: Deploy Multi-Region Landing Zones
cd ../multi-region
# Initialize Terraform
terraform init
# Review plan (all regions)
terraform plan \
-var="environment=dev" \
-var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS" \
-var="deploy_all_regions=true"
# Apply
terraform apply
This deploys landing zones to:
- West Europe (Netherlands) - Primary
- North Europe (Ireland) - Secondary
- UK South (London)
- Switzerland North (Zurich)
- Norway East (Oslo)
- France Central (Paris)
- Germany West Central (Frankfurt)
Step 5: Verify Deployment
# Check resource groups
az group list --query "[?contains(name, 'az-')]" --output table
# Check Key Vaults
az keyvault list --query "[?contains(name, 'az-')]" --output table
# Check Virtual Networks
az network vnet list --query "[?contains(name, 'az-')]" --output table
# Check policy compliance
az policy state list --filter "complianceState eq 'NonCompliant'" --query "[].{Resource:resourceId, Policy:policyDefinitionName}" --output table
Automated Deployment
Use the deployment script for automated deployment:
./infra/scripts/deploy-sovereignty-landing-zone.sh
This script:
- Loads environment variables
- Deploys management group hierarchy
- Deploys sovereignty policies
- Deploys multi-region landing zones
- Provides deployment summary
Regional Resources
Per Region Resources
Each region deployment creates:
- 1 Resource Group
- 2 Virtual Networks (Hub + Spoke)
- 6 Subnets (3 hub + 3 spoke)
- 1 Azure Firewall
- 1 Public IP (for firewall)
- 2 VNet Peerings (hub ↔ spoke)
- 1 Key Vault (with private endpoint)
- 1 Log Analytics Workspace
- 1 Storage Account (with private endpoint)
- 2 Private Endpoints (Key Vault + Storage)
Total Resources (7 regions)
- 7 Resource Groups
- 14 Virtual Networks
- 42 Subnets
- 7 Azure Firewalls
- 7 Public IPs
- 14 VNet Peerings
- 7 Key Vaults
- 7 Log Analytics Workspaces
- 7 Storage Accounts
- 14 Private Endpoints
Network Architecture
Hub Network
- Gateway Subnet: VPN/ExpressRoute connectivity
- Azure Firewall Subnet: Centralized security
- Management Subnet: Management and monitoring
Spoke Network
- Application Subnet: Application workloads
- Database Subnet: Database servers (with delegation)
- Storage Subnet: Storage private endpoints
Connectivity
- Hub and Spoke connected via VNet peering
- Hub allows gateway transit
- Spoke uses remote gateways
Security Features
Data Sovereignty
- Private Endpoints: All PaaS services use private endpoints
- Customer-Managed Keys: Encryption with Key Vault
- Data Residency Tags: All resources tagged with region
- Network Isolation: Hub-and-spoke architecture
Compliance
- Azure Policies: Enforce location and encryption
- Tagging: Required tags for governance
- Audit Logging: Log Analytics for all regions
- Access Control: RBAC and management groups
Cost Estimation
Per Region (Monthly)
- Virtual Networks: ~$50
- Azure Firewall: ~$1,200 (Standard SKU)
- Key Vault: ~$15 (Premium SKU)
- Log Analytics: ~$200-500 (data ingestion)
- Storage Account: ~$50-200 (depending on usage)
- Private Endpoints: ~$35 (2 endpoints)
Total per region: ~$1,550-2,000/month
Multi-Region (7 regions)
- Development: ~$10,850-14,000/month
- Production: ~$15,000-20,000/month (with higher usage)
Monitoring
Regional Monitoring
Each region has:
- Log Analytics Workspace
- Application Insights ready
- Azure Monitor metrics
- Network Watcher
Centralized Monitoring
- Cross-region querying
- Centralized dashboards
- Alert rules per region
- Cost tracking per region
Disaster Recovery
Regional Failover
- Primary: West Europe
- Secondary: North Europe
- Backup regions: Other 5 regions
RTO/RPO
- RTO: 4 hours
- RPO: 1 hour
DR Strategy
- Automated failover for critical services
- Manual failover for non-critical services
- Geo-replication for storage
- Cross-region backup
Next Steps
After deployment:
-
Configure Application Workloads
- Deploy AKS clusters per region
- Configure application networking
- Set up application monitoring
-
Set Up Monitoring
- Create Grafana dashboards
- Configure alert rules
- Set up cost alerts
-
Implement Security
- Configure Azure Firewall rules
- Set up Microsoft Defender for Cloud
- Configure Azure Sentinel
-
Optimize Costs
- Review resource usage
- Implement reserved instances
- Optimize storage tiers
Troubleshooting
Management Group Not Found
# Verify management group exists
az account management-group show --name SOVEREIGN-ORDER-OF-HOSPITALLERS
# Create if needed (requires appropriate permissions)
az account management-group create --name SOVEREIGN-ORDER-OF-HOSPITALLERS
Policy Assignment Fails
# Check policy assignment
az policy assignment list --scope "/providers/Microsoft.Management/managementGroups/SOVEREIGN-ORDER-OF-HOSPITALLERS"
# Verify permissions
az role assignment list --assignee <your-user-id>
Region Deployment Fails
# Check resource provider registration
az provider list --query "[?namespace=='Microsoft.Network']"
az provider register --namespace Microsoft.Network
# Check quotas
az vm list-usage --location westeurope --output table
References
Last Updated: 2025-01-27