Full CAF/WAF Deployment Overview
DOCUMENT CATEGORY: Runbook
SCOPE: Full Azure Landing Zone deployment
PURPOSE: Deploy complete CAF/WAF Enterprise-Scale architecture
MASTER REFERENCE: Azure Landing Zones — Enterprise-Scale
Status: Active
The Full CAF/WAF Deployment model implements the Azure Landing Zone conceptual architecture — a comprehensive management group hierarchy with dedicated subscriptions per function, following Microsoft Cloud Adoption Framework (CAF) and Well-Architected Framework (WAF) Enterprise-Scale guidelines. This provides maximum governance, policy control, and RBAC isolation for your Azure Local environment.
This is the same architecture Microsoft recommends for production Azure environments. For Azure Local specifically, it ensures that platform services (identity, connectivity, monitoring) are cleanly separated from your landing zone workloads (Azure Local clusters, Arc-enabled servers).
Choose Full CAF/WAF Deployment when your organization:
- Deploys multiple Azure Local clusters across sites or environments
- Has strict compliance or regulatory requirements (healthcare, finance, government)
- Needs separation of duties between platform, identity, connectivity, and workload teams
- Plans to scale Azure Local alongside other Azure workloads
- Wants full alignment with the Azure Landing Zone design areas
Architecture Overview
The example below uses Infinite azurelocal Corp (IIC). Replace names with values from your variables.yml.
    Tenant Root Group
    └── cmp-iic-root                          # Organization Root MG
        ├── cmp-platform-iic                  # Platform Services
        │   ├── cmp-platform-identity-iic     # Identity (Entra ID Connect, etc.)
        │   ├── cmp-platform-management-iic   # Monitoring, logging, automation
        │   └── cmp-platform-connectivity-iic # Hub networking, ExpressRoute, VPN
        ├── cmp-landing-zones-iic             # Landing Zones
        │   ├── cmp-lz-corp-iic               # Corporate / Azure Local workloads
        │   └── cmp-lz-online-iic             # Internet-facing workloads
        ├── cmp-sandbox-iic                   # Non-production experimentation
        └── cmp-decommissioned-iic            # Resources pending deletion
This mirrors the CAF Enterprise-Scale reference architecture:
- Platform MGs host shared services (identity, monitoring, hub networking) that all landing zones consume
- Landing Zone MGs host workload subscriptions — your Azure Local clusters live here under cmp-lz-corp-iic
- Sandbox provides a safe space for experimentation without affecting production governance
- Decommissioned holds resources in a grace period before deletion
Subscriptions
Each leaf-level management group hosts one or more dedicated subscriptions:
| Management Group | Example Subscription | Purpose |
|---|---|---|
| cmp-platform-identity-iic | iic-platform-identity-001 | Entra ID Connect, identity services |
| cmp-platform-management-iic | iic-platform-management-001 | Azure Monitor, Log Analytics, Automation |
| cmp-platform-connectivity-iic | iic-platform-connectivity-001 | Hub VNet, VPN, ExpressRoute |
| cmp-lz-corp-iic | iic-lz-azurelocal-corp-001 | Azure Local clusters (production) |
| cmp-lz-online-iic | iic-lz-azurelocal-online-001 | Internet-facing workloads |
Resource Groups
Each subscription contains resource groups organized by function. Landing zone subscriptions use a per-cluster RG pattern:
| Subscription | Example Resource Group | Purpose |
|---|---|---|
| iic-platform-management-001 | rg-mgmt-monitoring-eus-01 | Azure Monitor, Log Analytics |
| iic-platform-connectivity-001 | rg-connectivity-hub-eus-01 | Hub VNet, Azure Firewall |
| iic-lz-azurelocal-corp-001 | rg-c01-azl-eus-01 | Azure Local cluster + Arc resources |
Key Characteristics
| Aspect | Implementation |
|---|---|
| Management Groups | 10+ (root, platform, landing zones, sandbox, decommissioned) |
| Subscriptions | 5+ (dedicated per platform function and landing zone) |
| Resource Groups | Multiple per subscription, organized by function |
| Policy Scope | Management group-level policy inheritance |
| RBAC Scope | Subscription-level access boundaries with MG inheritance |
| Cost Tracking | Subscription-based cost isolation |
Prerequisites
Before starting this deployment path:
- Entra ID tenant established — you are the tenant owner or have Global Administrator access
- Tenant root access — Owner or User Access Administrator at tenant root management group scope
- Billing access — EA enrollment account owner, MCA billing profile owner, or ability to create subscriptions via Azure portal
- variables.yml configured with management group, subscription, and resource group values
- Authenticated Azure session — see Authentication
Deployment Steps
| Task | Description |
|---|---|
| Task 01 | Configure Management Groups — deploy the full hierarchy |
| Task 02 | Create Subscriptions — provision and associate dedicated subscriptions |
| Task 03 | Create Resource Groups — create RGs in each subscription |
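Tasks 01 through 03 only deploy correctly when the hierarchy in variables.yml is consistent: every management group must chain up to a single root, and every subscription must be associated with a leaf management group, otherwise it inherits a broader policy scope than intended. The following Python check is an added example, not part of the Azure Local Toolkit; it embeds a constructed copy of the IIC hierarchy from this page in place of a parsed variables.yml, validates it, and emits the Azure CLI calls in dependency order.

```python
MGS = {  # management group -> parent (None = sits directly under the Tenant Root Group)
    "cmp-iic-root": None,
    "cmp-platform-iic": "cmp-iic-root",
    "cmp-platform-identity-iic": "cmp-platform-iic",
    "cmp-platform-management-iic": "cmp-platform-iic",
    "cmp-platform-connectivity-iic": "cmp-platform-iic",
    "cmp-landing-zones-iic": "cmp-iic-root",
    "cmp-lz-corp-iic": "cmp-landing-zones-iic",
    "cmp-lz-online-iic": "cmp-landing-zones-iic",
    "cmp-sandbox-iic": "cmp-iic-root",
    "cmp-decommissioned-iic": "cmp-iic-root",
}
SUBS = {  # subscription -> management group it is associated with (constructed sample values)
    "iic-platform-identity-001": "cmp-platform-identity-iic",
    "iic-platform-management-001": "cmp-platform-management-iic",
    "iic-platform-connectivity-001": "cmp-platform-connectivity-iic",
    "iic-lz-azurelocal-corp-001": "cmp-lz-corp-iic",
    "iic-lz-azurelocal-online-001": "cmp-lz-online-iic",
}

def validate(mgs, subs):
    """Return a list of problems; an empty list means the hierarchy is safe to deploy."""
    problems = []
    roots = [m for m, p in mgs.items() if p is None]
    if len(roots) != 1:
        problems.append(f"expected exactly one root MG, found {roots}")
    for m in mgs:  # every MG must chain up to the root with no missing parent and no cycle
        seen, cur = set(), m
        while cur is not None and cur in mgs and cur not in seen:
            seen.add(cur); cur = mgs[cur]
        if cur is not None:
            problems.append(f"{m}: " + ("cycle in parent chain" if cur in mgs else f"parent {cur} not defined"))
    parents = {p for p in mgs.values() if p is not None}
    for s, m in subs.items():  # a subscription on a non-leaf or unknown MG inherits the wrong policies
        if m not in mgs or m in parents:
            problems.append(f"{s}: {m} is not a defined leaf management group")
    return problems

def az_commands(mgs, subs):
    """CLI lines in dependency order (parent MGs first, then subscription moves); call only after validate() is empty."""
    order = []
    def visit(m):
        if m in order: return
        if mgs[m] is not None: visit(mgs[m])
        order.append(m)
    for m in mgs: visit(m)
    lines = [f"az account management-group create --name {m}" + (f" --parent {mgs[m]}" if mgs[m] else "")
             for m in order]
    lines += [f"az account management-group subscription add --name {m} --subscription {s}" for s, m in subs.items()]
    return lines
```

Run validate() against your own variables.yml values before Task 01; the root MG is created without --parent, which places it under the Tenant Root Group.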
Comparison with Single Subscription Deployment
| Feature | Full CAF/WAF | Single Subscription |
|---|---|---|
| Management Groups | 10+ | 2 (root + landing zone) |
| Subscriptions | 5+ | 1 |
| Resource Groups | Multiple per function | 1 per cluster |
| Setup Complexity | High | Low |
| Governance Flexibility | Maximum | Limited |
| Cost Tracking | Subscription-based | Tag-based |
| Best For | Multi-cluster, enterprise | Single cluster, PoC |
Considerations
- Higher initial complexity — more management groups, subscriptions, and resource groups to deploy and maintain
- Multiple subscriptions — requires EA/MCA billing access or multiple subscription provisioning capability
- Ongoing governance — more policy assignments and RBAC role assignments to manage
- Config schema — variables.yml must define the full hierarchy (management groups, subscriptions, resource groups per subscription)
- Growth-ready — this investment pays off when you add clusters, environments, or workloads
Deliverables
At the end of this deployment path, you will have:
- Complete management group hierarchy deployed (root, platform, landing zones, sandbox, decommissioned)
- Dedicated subscriptions provisioned per platform function and landing zone
- Subscriptions associated with the correct management groups
- Resource groups created in each subscription
- Governance structure ready for policy assignment and resource provider registration
Next Steps
Start with Task 01: Configure Management Groups
References
- Azure Landing Zones — Conceptual Architecture
- CAF Enterprise-Scale Architecture
- Azure Landing Zone Design Areas
- Management Groups Overview
- Azure Local Toolkit — Governance Module
Version Control
- Created: 2026-01-15 by Hybrid Cloud Solutions
- Last Updated: 2026-03-19 by Hybrid Cloud Solutions
- Version: 3.0.0