100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cloud

Landing Zone (Cloud)

AdvancedConcept10K learners

A cloud landing zone is a pre-configured, well-governed multi-account or multi-subscription environment that provides the baseline networking, identity, security, and policy controls a new workload can be deployed into.

Definition

A cloud landing zone is a pre-configured, well-governed multi-account or multi-subscription environment that provides the baseline networking, identity, security, and policy controls a new workload can be deployed into.

Overview

A landing zone is the answer to a question every organization eventually asks when adopting cloud at scale: instead of every team configuring its own account, networking, and security controls from scratch, what if there were a standardized, pre-built environment that already has identity federation, logging, network connectivity, and security guardrails in place, so new workloads simply "land" into a compliant environment from day one? That standardized environment is the landing zone. A typical landing zone separates concerns into a small set of foundational accounts or subscriptions — for identity, centralized logging, network hub connectivity, and security tooling — alongside a repeatable "account factory" or template that provisions new workload accounts pre-wired to those foundations with the correct guardrails already applied. On AWS this is commonly built using AWS Organizations together with AWS Control Tower; on Azure it is built using Management Groups following the Cloud Adoption Framework; and on Google Cloud it follows the enterprise foundations blueprint on top of Resource Manager folders. Regardless of cloud, the landing zone typically enforces things like mandatory tagging, centralized log aggregation, network segmentation, and preventive guardrails (via service control policies, Azure Policy, or organization policies) that block non-compliant configurations before they can be deployed. Landing zones matter because they turn governance from something bolted on after the fact into something built into the platform every workload runs on, which is far more reliable at scale than relying on every individual team to remember and correctly implement security best practices. They are also a prerequisite for many compliance certifications, since auditors want to see consistent, centrally enforced controls rather than ad hoc per-team configuration.

Key Concepts

  • Pre-configured baseline for identity, networking, logging, and security across an organization
  • Repeatable account or subscription provisioning ('account factory') with guardrails pre-applied
  • Preventive guardrails enforced through policy engines (SCPs, Azure Policy, organization policies)
  • Centralized logging and monitoring wired into every new workload automatically
  • Network hub-and-spoke or similar segmentation model connecting workloads to shared services
  • Alignment with cloud-provider frameworks such as AWS Control Tower or the Azure Cloud Adoption Framework
  • Designed to scale to hundreds of accounts or projects without reconfiguring governance each time

Use Cases

Standing up a governed multi-account foundation before onboarding application teams to the cloud
Meeting compliance requirements that demand consistent, centrally enforced security controls
Accelerating new project or account creation while guaranteeing baseline security posture
Separating platform/shared-services accounts from individual workload accounts
Reducing the risk of misconfigured networking or identity in newly created cloud environments
Providing a consistent foundation for multi-cloud or hybrid-cloud governance strategies

Frequently Asked Questions

From the Blog