the_order/docs/deployment/azure/SOVEREIGNTY_LANDING_ZONE_DEPLOYMENT.md

Cloud for Sovereignty Landing Zone Deployment Guide

Last Updated: 2025-01-27
Management Group: SOVEREIGN-ORDER-OF-HOSPITALLERS
Framework: Azure Well-Architected Framework + Cloud for Sovereignty

Overview

This guide walks through deploying a complete Cloud for Sovereignty landing zone across all non-US commercial Azure regions, using the Azure Well-Architected Framework principles.

Prerequisites

1. Azure Subscription with access to management group
2. Management Group: SOVEREIGN-ORDER-OF-HOSPITALLERS must exist
3. Azure CLI installed and authenticated
4. Terraform >= 1.5.0 installed
5. Environment Variables configured in .env file

Architecture Overview

Management Group Hierarchy

SOVEREIGN-ORDER-OF-HOSPITALLERS (Root)
├── Landing Zones
│   ├── Platform
│   ├── Sandbox
│   └── Workloads
├── Management
│   ├── Identity
│   ├── Security
│   └── Monitoring
└── Connectivity
    ├── Hub Networks
    └── Spoke Networks

Regional Architecture

Each region (7 total) includes:

• Hub Virtual Network (gateway, firewall, management)
• Spoke Virtual Network (application, database, storage)
• Azure Firewall
• Key Vault with private endpoint
• Log Analytics Workspace
• Storage Account with private endpoint

Deployment Steps

Step 1: Validate Environment

# Load and validate environment variables
source infra/scripts/azure-load-env.sh

# Verify management group exists
az account management-group show --name SOVEREIGN-ORDER-OF-HOSPITALLERS

Step 2: Deploy Management Group Hierarchy

cd infra/terraform/management-groups

# Initialize Terraform
terraform init

# Review plan
terraform plan -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS"

# Apply
terraform apply

This creates:

• Landing Zones management group
• Platform, Sandbox, and Workloads groups
• Management group (Identity, Security, Monitoring)
• Connectivity group (Hub Networks, Spoke Networks)

Step 3: Deploy Sovereignty Policies

cd ../policies

# Initialize Terraform
terraform init

# Review plan
terraform plan -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS"

# Apply
terraform apply

This creates and assigns:

• Allowed locations policy (non-US regions only)
• Deny US regions policy
• Require data residency tags
• Require encryption at rest
• Require resource tags
• Policy initiative for sovereignty compliance

Step 4: Deploy Multi-Region Landing Zones

cd ../multi-region

# Initialize Terraform
terraform init

# Review plan (all regions)
terraform plan \
  -var="environment=dev" \
  -var="management_group_id=SOVEREIGN-ORDER-OF-HOSPITALLERS" \
  -var="deploy_all_regions=true"

# Apply
terraform apply

This deploys landing zones to:

1. West Europe (Netherlands) - Primary
2. North Europe (Ireland) - Secondary
3. UK South (London)
4. Switzerland North (Zurich)
5. Norway East (Oslo)
6. France Central (Paris)
7. Germany West Central (Frankfurt)

Step 5: Verify Deployment

# Check resource groups
az group list --query "[?contains(name, 'az-')]" --output table

# Check Key Vaults
az keyvault list --query "[?contains(name, 'az-')]" --output table

# Check Virtual Networks
az network vnet list --query "[?contains(name, 'az-')]" --output table

# Check policy compliance
az policy state list --filter "complianceState eq 'NonCompliant'" --query "[].{Resource:resourceId, Policy:policyDefinitionName}" --output table

Automated Deployment

Use the deployment script for automated deployment:

./infra/scripts/deploy-sovereignty-landing-zone.sh

This script:

1. Loads environment variables
2. Deploys management group hierarchy
3. Deploys sovereignty policies
4. Deploys multi-region landing zones
5. Provides deployment summary

Regional Resources

Per Region Resources

Each region deployment creates:

• 1 Resource Group
• 2 Virtual Networks (Hub + Spoke)
• 6 Subnets (3 hub + 3 spoke)
• 1 Azure Firewall
• 1 Public IP (for firewall)
• 2 VNet Peerings (hub ↔ spoke)
• 1 Key Vault (with private endpoint)
• 1 Log Analytics Workspace
• 1 Storage Account (with private endpoint)
• 2 Private Endpoints (Key Vault + Storage)

Total Resources (7 regions)

• 7 Resource Groups
• 14 Virtual Networks
• 42 Subnets
• 7 Azure Firewalls
• 7 Public IPs
• 14 VNet Peerings
• 7 Key Vaults
• 7 Log Analytics Workspaces
• 7 Storage Accounts
• 14 Private Endpoints

Network Architecture

Hub Network

• Gateway Subnet: VPN/ExpressRoute connectivity
• Azure Firewall Subnet: Centralized security
• Management Subnet: Management and monitoring

Spoke Network

• Application Subnet: Application workloads
• Database Subnet: Database servers (with delegation)
• Storage Subnet: Storage private endpoints

Connectivity

• Hub and Spoke connected via VNet peering
• Hub allows gateway transit
• Spoke uses remote gateways

Security Features

Data Sovereignty

• Private Endpoints: All PaaS services use private endpoints
• Customer-Managed Keys: Encryption with Key Vault
• Data Residency Tags: All resources tagged with region
• Network Isolation: Hub-and-spoke architecture

Compliance

• Azure Policies: Enforce location and encryption
• Tagging: Required tags for governance
• Audit Logging: Log Analytics for all regions
• Access Control: RBAC and management groups

Cost Estimation

Per Region (Monthly)

• Virtual Networks: ~$50
• Azure Firewall: ~$1,200 (Standard SKU)
• Key Vault: ~$15 (Premium SKU)
• Log Analytics: ~$200-500 (data ingestion)
• Storage Account: ~$50-200 (depending on usage)
• Private Endpoints: ~$35 (2 endpoints)

Total per region: ~$1,550-2,000/month

Multi-Region (7 regions)

• Development: ~$10,850-14,000/month
• Production: ~$15,000-20,000/month (with higher usage)

Monitoring

Regional Monitoring

Each region has:

• Log Analytics Workspace
• Application Insights ready
• Azure Monitor metrics
• Network Watcher

Centralized Monitoring

• Cross-region querying
• Centralized dashboards
• Alert rules per region
• Cost tracking per region

Disaster Recovery

Regional Failover

• Primary: West Europe
• Secondary: North Europe
• Backup regions: Other 5 regions

RTO/RPO

• RTO: 4 hours
• RPO: 1 hour

DR Strategy

1. Automated failover for critical services
2. Manual failover for non-critical services
3. Geo-replication for storage
4. Cross-region backup

Next Steps

After deployment:

1. Configure Application Workloads

   • Deploy AKS clusters per region
   • Configure application networking
   • Set up application monitoring

2. Set Up Monitoring

   • Create Grafana dashboards
   • Configure alert rules
   • Set up cost alerts

3. Implement Security

   • Configure Azure Firewall rules
   • Set up Microsoft Defender for Cloud
   • Configure Azure Sentinel

4. Optimize Costs

   • Review resource usage
   • Implement reserved instances
   • Optimize storage tiers

Troubleshooting

Management Group Not Found

# Verify management group exists
az account management-group show --name SOVEREIGN-ORDER-OF-HOSPITALLERS

# Create if needed (requires appropriate permissions)
az account management-group create --name SOVEREIGN-ORDER-OF-HOSPITALLERS

Policy Assignment Fails

# Check policy assignment
az policy assignment list --scope "/providers/Microsoft.Management/managementGroups/SOVEREIGN-ORDER-OF-HOSPITALLERS"

# Verify permissions
az role assignment list --assignee <your-user-id>

Region Deployment Fails

# Check resource provider registration
az provider list --query "[?namespace=='Microsoft.Network']"
az provider register --namespace Microsoft.Network

# Check quotas
az vm list-usage --location westeurope --output table

References

• Azure Well-Architected Framework
• Cloud for Sovereignty
• Azure Landing Zones
• Management Groups

---

Last Updated: 2025-01-27