---
title: "CTP Topic 34 Azure Landing Zone Architecture Overview"
type: source
tags:
- Azure
- Landing-Zone
- CTP
- Cloud-Transformation-Programme
date: 2026-04-14
last_updated: 2026-05-06
---

## Source File

- [[raw/Cloud & DevOps/Public-Cloud-Learning-Sessions/01_AWS-Landing-Zone/ctp-topic-34-azure-landing-zone-architecture-overview.md]]

## Summary (described in Chinese)

- Core topic: Micro Focus's internal Azure Landing Zone architecture plan, intended to simplify adoption of Azure by individual teams
- Problem domain: cross-team dependencies, manual deployment bottlenecks, enterprise-level onboarding to Azure, and compliance controls
- Method/mechanism: Azure Management Groups organise subscriptions hierarchically; four separated areas (platform, landing zones, decommission, sandbox); Terraform Cloud automates infrastructure provisioning; PIM enforces least-privilege access
- Conclusion/value: the Landing Zone is built around templating and provides four pillars (identity and access management, audit and compliance, security monitoring, networking); teams can deploy innovative workloads independently under automated guardrails, reducing cross-team dependencies

## Key Claims (described in Chinese)

- Kishore Garlopati (the presenter) onboarded the enterprise through Azure Enterprise Enrollment + Azure AD; the goal is for each team to deploy Azure workloads with minimal dependencies on other teams
- Azure management groups resemble Windows parent directories and are organised into four areas: platform (identity/connectivity), landing zones (templated projects), decommission (retired resources), and sandbox (isolated experimentation)
- The Connectivity subscription is the central hub for all inbound/outbound Azure traffic, integrating DDoS protection and a Checkpoint firewall
- Core design principles of the Landing Zone: Scalable, Modular, Fully Automated
- Terraform Cloud manages inter-subscription dependencies through Terraform State, enabling cross-subscription infrastructure orchestration
- Privileged Identity Management (PIM) and privileged access groups ensure users receive exactly the role permissions they need, no more
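
An added example (not code from the talk or from Micro Focus) showing the four-area management group layout described above, and how a landing-zone Terraform Cloud workspace consumes the Connectivity subscription's state outputs instead of holding credentials for it. The organisation name, workspace name, `hub_vnet_id` output, subscription ID and display names are placeholders.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

# Root of the hierarchy: policy and RBAC assigned here are inherited by every area below.
resource "azurerm_management_group" "root" {
  display_name = "Corp-Root" # placeholder name
}

# The four areas from the talk: platform, landing zones, decommission, sandbox.
locals {
  areas = toset(["platform", "landing-zones", "decommission", "sandbox"])
}

resource "azurerm_management_group" "area" {
  for_each                   = local.areas
  display_name               = each.key
  parent_management_group_id = azurerm_management_group.root.id
}

# The Connectivity subscription (hub for inbound/outbound traffic) sits under platform.
resource "azurerm_management_group_subscription_association" "connectivity" {
  management_group_id = azurerm_management_group.area["platform"].id
  subscription_id     = "/subscriptions/00000000-0000-0000-0000-000000000000" # placeholder
}

# Cross-subscription dependency via Terraform Cloud state: a landing-zone workspace
# reads the outputs the Connectivity workspace publishes rather than sharing credentials.
data "terraform_remote_state" "connectivity" {
  backend = "remote"
  config = {
    organization = "example-org"            # placeholder
    workspaces   = { name = "connectivity" } # placeholder workspace name
  }
}

output "hub_vnet_id" {
  # Assumes the Connectivity workspace declares an output named hub_vnet_id.
  value = data.terraform_remote_state.connectivity.outputs.hub_vnet_id
}
```

In Terraform Cloud the Connectivity workspace must explicitly allow remote-state sharing with the consuming workspace, so the hub outputs are exposed only to the landing zones that are granted access.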
## Key Quotes

> "The primary goal is to minimize cross-team dependencies through automation, granting teams greater independence in deploying innovative solutions within the Azure environment." — Kishore Garlopati, the core goal of the talk

> "The core reason of these individual or isolated subscriptions is you are basically containing a subscription for a specific purpose." — the design philosophy behind subscription isolation

> "This sandbox is an interesting one because these landings on subscriptions allows your workloads." — the flexibility value of the sandbox subscription

## Key Concepts

- [[Azure-Landing-Zone]]: Microsoft's recommended cloud adoption framework; provides a scalable, modular, automated base platform for Azure workloads through a management group and subscription hierarchy
- [[Management-Groups]]: high-level containers for Azure organisational entities, similar to Windows parent directories, used to manage policy and access permissions hierarchically
- [[Privileged-Identity-Management-PIM]]: an Azure AD feature that reduces standing administrator privileges through just-in-time privileged access, lowering the risk from stolen credentials
- [[Terraform-Cloud]]: HashiCorp's infrastructure-as-code platform, supporting cross-subscription dependency management via Terraform State
- [[Cloud-Transformation-Programme]]: Micro Focus's cloud transformation programme, covering multi-cloud Landing Zone construction on AWS/Azure

## Key Entities

- [[Kishore-Garlopati]]: Micro Focus cloud architect, presenter of the Azure Landing Zone proposal
- [[Micro-Focus]]: enterprise software company whose Cloud Transformation Programme (CTP) drives adoption of a multi-cloud Landing Zone architecture
- [[Azure-Enterprise-Enrollment]]: the Azure Enterprise Agreement onboarding point, a prerequisite for the organisation to use Azure
- [[Azure-Active-Directory]]: Azure's identity and access management service, used for user authentication and policy control

## Connections

- [[ctp-topic-35-aws-landing-zone-design-refresher-saas-labs]] ← comparable_to ← [[ctp-topic-34-azure-landing-zone-architecture-overview]]
- [[ctp-topic-1-gruntwork-landing-zone-architecture]] ← related_to ← [[ctp-topic-34-azure-landing-zone-architecture-overview]]
- [[ctp-topic-9-ci-cd-with-gruntwork]] ← extends ← [[ctp-topic-1-gruntwork-landing-zone-architecture]]
- [[ctp-topic-3-deploy-and-maintain-infrastructure]] ← related_to ← [[ctp-topic-34-azure-landing-zone-architecture-overview]]

## Contradictions

- Compared with [[ctp-topic-1-gruntwork-landing-zone-architecture]]:
  - Point of conflict: the AWS side builds its Landing Zone with Gruntwork infrastructure modules + Jenkins, while the Azure side uses Terraform Cloud + management groups
  - This note's view: the Azure Landing Zone manages inter-subscription state through Terraform Cloud, which fits Micro Focus's multi-cloud strategy
  - The other view: the AWS Gruntwork LZ uses Jenkins CI/CD pipelines and stresses that product services should carry business context (AWS Service Catalog)
  - Note: both are Landing Zone implementations under the CTP; the difference in technology stacks is driven by the multi-cloud strategy and is not a genuine contradiction