Overview of the Sovereign Landing Zone

The Sovereign Landing Zone (SLZ) is a variant of the enterprise-scale Azure Landing Zone intended for organizations that need advanced sovereign controls. The SLZ helps these organizations meet their regulatory compliance requirements through Azure-native Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) capabilities. A configurable landing zone gives organizations the tools to address their sovereignty needs by enforcing that resources comply with policies defined in Azure Policy.

Why use the Sovereign Landing Zone?

Data can only remain sovereign when the owner has exclusive control over it. In Azure, exclusive control means:

  • Being the only entity that can grant the permissions necessary for users and workloads to access and process the data.

  • Approving the regions that workloads can be deployed into.

Technical controls to protect against unauthorized data access are necessary at all levels. Therefore, granting access to operators of cloud providers and managed services providers should also be explicit.

The SLZ provides an opinionated architecture that enables an organization to meet its sovereignty needs while being configured through a single configuration file and deployed entirely by a single script. These sovereignty needs are met by combining:

For more information on how to deploy and configure the SLZ, see the Sovereign Landing Zone documentation on GitHub.

When to use Sovereign Landing Zone instead of Azure Landing Zone?

The Sovereign Landing Zone (SLZ) is a variant of the Azure Landing Zone (ALZ) Bicep repository, meaning it includes additional Landing Zone Management Groups and Policy Assignments. For more information, see the guidance Tailor the Azure landing zone architecture to meet requirements.

The SLZ uses the same code base as ALZ Bicep and comes with:

  • Additional orchestration and deployment automation capabilities
  • An opinionated landing zone design for data sovereignty and confidential computing requirements
  • Additional Azure Policy Initiatives and Policy assignments to help meet sovereignty requirements for public sector customers, partners and ISVs

A common question related to SLZ is when an organization should use one landing zone over the other. Both the ALZ and SLZ teams recommend the following guidance:

Use ALZ when you prioritize:

  • Default option for most customers across various industries that can be built upon
  • Detailed configuration and customization options over the entire environment
  • Multiple deployment options including Portal, Bicep and Terraform

Use SLZ when you prioritize:

See also