Sovereign Landing Zone (SLZ) implementation options

The Sovereign Landing Zone (SLZ) is a variant of the Azure landing zone that helps organizations implement sovereign controls, such as data residency, customer-managed keys, externally managed encryption keys, encryption at rest, encryption in transit, confidential computing, and operational oversight. There's no single mandated deployment path. Organizations can adopt SLZ capabilities incrementally or as a full variant of an existing Azure landing zone.

Important

SLZ is an architectural variant. You don't need to replace your Azure landing zone implementation. Instead, layer sovereign design choices, controls, and policies. Start from your existing landing zone unless critical structural gaps exist.

Implementation options

To deploy and manage your Sovereign Landing Zone (SLZ), use any of the following implementation options.

Terraform

The Sovereign Landing Zone (SLZ) implementation is currently available only through the Terraform Azure Verified Modules for the platform landing zone. You can deploy these modules either manually or, as recommended, by using the Azure landing zone accelerator.

Azure landing zone accelerator high-level process overview

The best way to deploy Sovereign Platform Landing Zone (SLZ) is via the Azure landing zone accelerator. It provides a guided experience to help you set up a landing zone aligned to your organization's needs. The following list describes the high-level steps to follow.

Important

You must follow the steps in the user guide. The following steps are a high-level summary only.

  1. Choose Infrastructure-as-Code (IaC) tool - Terraform
  2. Choose Version Control System (VCS) - GitHub or Azure DevOps
  3. Choose a Scenario
  4. Choose Options to tweak your platform landing zone deployment
  5. Ensure prerequisites are met
  6. Deploy Bootstrap
  7. Run CD to deploy platform landing zone
  8. Iterate, customize, and extend your landing zone via your chosen VCS and CI/CD pipelines

Bicep

The Bicep implementation option is in development. It builds on the new Bicep Azure Verified Modules for a platform landing zone, described in the blog post "Update on Bicep Azure Verified Modules for platform landing zone".

Azure landing zone library

Both Terraform and Bicep implementations of SLZ use the Azure landing zone library, a collection of resources to help you build and manage governance on Azure.

The library includes Azure Policy assets, together with a series of constructs that result in a deployable architecture. It's extensible, customizable, and flexible. It supports many implementation approaches and scenarios.

You can find the SLZ library assets in the platform/slz directory of the Azure landing zone library.

Note

The SLZ library depends on the Azure landing zone library (platform/alz directory), as you can see in the dependencies section of the SLZ's alz_library_metadata.json file.

For more information, see the following sections in the Azure landing zone library documentation:
