Real-World Production Implementation

Article 12 of 12 in the Cloud Landing Zone Series - The Grand Finale

Introduction

This final article brings together all the concepts from the previous 11 articles into a complete, production-ready landing zone implementation.

What this article covers:

  • Complete Terraform code for AWS + Azure landing zones

  • Multi-account/subscription architecture

  • Network topology with Transit Gateway + Virtual WAN

  • Security baseline (GuardDuty, Security Hub, Azure Defender)

  • Governance policies (SCPs, Azure Policy)

  • Centralized logging and monitoring

  • Account vending automation

  • CI/CD pipelines for infrastructure

This represents patterns I've refined through implementing landing zones across various organizations - distilling lessons learned into reusable code and architecture.

Rather than abstract concepts, this article provides concrete implementation - actual Terraform modules, real configurations, and proven patterns that work in production environments.


Architecture Overview


Complete Terraform Implementation

Repository Structure

Organization Setup

Service Control Policies

Transit Gateway (Network Hub)

Account Baseline Module

Production Account Example


CI/CD Pipeline


What I Learned Building This

After 50+ landing zone implementations, these are the lessons that matter:

Lesson 1: Start Simple, Iterate

Don't try to build the perfect landing zone on day 1. Start with:

  1. Organization + OUs

  2. Account vending

  3. Network baseline

  4. Security baseline

Then add governance, compliance, advanced networking, etc.

Lesson 2: Automation is Non-Negotiable

Manual processes don't scale beyond 10 accounts.

What to automate:

  • Account provisioning (Service Catalog)

  • Baseline configuration (Lambda + EventBridge)

  • Security scanning (GuardDuty, Security Hub, Config)

  • Compliance reporting (automated)

Lesson 3: Security Must Be Built In, Not Bolted On

Security added after deployment = retrofitting pain.

Action: SCPs, GuardDuty, Security Hub, Config from day 1.
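As an added example of what "from day 1" looks like in Terraform (this is not the article's own code and not one of the series' modules), the block below creates a Workloads OU, attaches a preventive SCP to it, and delegates GuardDuty and Security Hub administration to a security account so every member account is enrolled automatically. It is applied from the management account and assumes an existing organization with all features enabled and the SERVICE_CONTROL_POLICY type switched on; the security account ID, the OU name, and the allowed regions are placeholders.

```hcl
# Added example, not the article's own code. Run from the management account.
# Assumes: organization with FeatureSet ALL, SCPs enabled, and service access
# for guardduty.amazonaws.com and securityhub.amazonaws.com already granted.

provider "aws" {
  region = "us-east-1"
}

variable "security_account_id" {
  description = "Placeholder: delegated administrator for GuardDuty and Security Hub"
  type        = string
  default     = "111111111111"
}

variable "allowed_regions" {
  description = "Regions workload accounts may deploy into"
  type        = list(string)
  default     = ["us-east-1", "eu-west-1"]
}

data "aws_organizations_organization" "this" {}

resource "aws_organizations_organizational_unit" "workloads" {
  name      = "Workloads"
  parent_id = data.aws_organizations_organization.this.roots[0].id
}

# Preventive guardrails: member accounts cannot leave the organization,
# cannot switch off the detective controls, and cannot use unapproved regions.
data "aws_iam_policy_document" "guardrails" {
  statement {
    sid       = "DenyLeaveOrganization"
    effect    = "Deny"
    actions   = ["organizations:LeaveOrganization"]
    resources = ["*"]
  }

  statement {
    sid    = "DenyDisablingSecurityServices"
    effect = "Deny"
    actions = [
      "guardduty:DeleteDetector",
      "guardduty:DisassociateFromAdministratorAccount",
      "guardduty:UpdateDetector",
      "securityhub:DisableSecurityHub",
      "securityhub:DisassociateFromAdministratorAccount",
      "config:DeleteConfigurationRecorder",
      "config:StopConfigurationRecorder",
      "cloudtrail:DeleteTrail",
      "cloudtrail:StopLogging",
    ]
    resources = ["*"]
  }

  # Global services are excluded with NotAction so IAM, STS, Organizations
  # and similar us-east-1 endpoints keep working for every account.
  statement {
    sid    = "DenyUnapprovedRegions"
    effect = "Deny"
    not_actions = [
      "iam:*", "sts:*", "organizations:*", "route53:*",
      "cloudfront:*", "support:*", "budgets:*", "health:*",
    ]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = var.allowed_regions
    }
  }
}

resource "aws_organizations_policy" "guardrails" {
  name    = "workload-guardrails"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.guardrails.json
}

resource "aws_organizations_policy_attachment" "guardrails" {
  policy_id = aws_organizations_policy.guardrails.id
  target_id = aws_organizations_organizational_unit.workloads.id
}

# Detective controls: delegate GuardDuty and Security Hub to the security
# account, which then auto-enables every current and future member account.
resource "aws_guardduty_organization_admin_account" "this" {
  admin_account_id = var.security_account_id
}

resource "aws_securityhub_account" "management" {}

resource "aws_securityhub_organization_admin_account" "this" {
  depends_on       = [aws_securityhub_account.management]
  admin_account_id = var.security_account_id
}
```

The SCP is deliberately a deny-list: it never grants anything, so an account admin keeps full IAM control while losing the ability to blind the central security tooling. The organization-wide auto-enable settings (aws_guardduty_organization_configuration, aws_securityhub_organization_configuration) are applied from the delegated security account with its own provider alias, which is why they are not in this management-account block.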

Lesson 4: Network Design Matters

Bad network design is expensive to fix later.

Action: Plan IP addressing, Transit Gateway architecture, DNS strategy before provisioning accounts.

Lesson 5: Governance Prevents Future Pain

Lack of governance = sprawl, cost overruns, compliance failures.

Action: SCPs, tagging policies, cost budgets, approval workflows.
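Two of the governance controls named above, as an added example that is not part of the article's own code: a tag policy that makes CostCenter and Environment mandatory on common resource types, and a monthly cost budget that pages FinOps at 80% of actual spend and when the forecast crosses the limit. It assumes the organization has the TAG_POLICY type enabled; the OU ID, the e-mail address, and the 5,000 USD limit are placeholders.

```hcl
# Added example, not the article's own code. Assumes TAG_POLICY is enabled on
# the organization. OU ID, e-mail and budget amount are placeholders.

provider "aws" {
  region = "us-east-1"
}

variable "workloads_ou_id" {
  description = "Placeholder OU that receives the tag policy"
  type        = string
  default     = "ou-xxxx-placeholder"
}

variable "finops_email" {
  description = "Placeholder budget subscriber"
  type        = string
  default     = "finops@example.com"
}

# Tag policy: every workload carries CostCenter and Environment, with
# Environment restricted to a fixed set of values. enforced_for makes the
# API reject non-compliant tagging on the listed resource types.
resource "aws_organizations_policy" "required_tags" {
  name = "required-tags"
  type = "TAG_POLICY"
  content = jsonencode({
    tags = {
      CostCenter = {
        tag_key      = { "@@assign" = "CostCenter" }
        enforced_for = { "@@assign" = ["ec2:instance", "ec2:volume", "s3:bucket"] }
      }
      Environment = {
        tag_key      = { "@@assign" = "Environment" }
        tag_value    = { "@@assign" = ["dev", "test", "prod"] }
        enforced_for = { "@@assign" = ["ec2:instance", "ec2:volume", "s3:bucket"] }
      }
    }
  })
}

resource "aws_organizations_policy_attachment" "required_tags" {
  policy_id = aws_organizations_policy.required_tags.id
  target_id = var.workloads_ou_id
}

# Cost guardrail: notify at 80% of actual spend and when the forecast for
# the month exceeds 100% of the limit.
resource "aws_budgets_budget" "workloads_monthly" {
  name         = "workloads-monthly"
  budget_type  = "COST"
  limit_amount = "5000"
  limit_unit   = "USD"
  time_unit    = "MONTHLY"

  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 80
    threshold_type             = "PERCENTAGE"
    notification_type          = "ACTUAL"
    subscriber_email_addresses = [var.finops_email]
  }

  notification {
    comparison_operator        = "GREATER_THAN"
    threshold                  = 100
    threshold_type             = "PERCENTAGE"
    notification_type          = "FORECASTED"
    subscriber_email_addresses = [var.finops_email]
  }
}
```

Tag policies only enforce on the resource types listed under enforced_for; everything else is reported as non-compliant rather than blocked, so keep a compliance report running alongside the policy rather than assuming enforcement covers every service.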

Lesson 6: Observability Enables Operations

Can't operate what you can't see.

Action: Centralized logging, CloudWatch dashboards, alerts to PagerDuty.
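An added example of the alerting half of this lesson, not code from the article: two CloudWatch Logs metric filters over the organization CloudTrail log group (root-account API use, and a burst of access-denied calls) each backed by an alarm that publishes to an SNS topic. It assumes the organization trail already delivers to the named log group; the log group name and the subscriber address are placeholders, and the SNS topic is the point where an on-call service such as PagerDuty would subscribe.

```hcl
# Added example, not the article's own code. Assumes the organization
# CloudTrail already streams to the CloudWatch Logs group named below.
# Log group name and subscriber address are placeholders.

provider "aws" {
  region = "us-east-1"
}

variable "cloudtrail_log_group" {
  description = "Placeholder: log group fed by the organization trail"
  type        = string
  default     = "org-cloudtrail-logs"
}

variable "oncall_email" {
  description = "Placeholder subscriber; an incident tool would use an https endpoint"
  type        = string
  default     = "oncall@example.com"
}

resource "aws_sns_topic" "security_alerts" {
  name = "security-alerts"
}

resource "aws_sns_topic_subscription" "oncall" {
  topic_arn = aws_sns_topic.security_alerts.arn
  protocol  = "email"
  endpoint  = var.oncall_email
}

# One entry per detection: the CloudTrail filter pattern and the count per
# five-minute window at which the alarm fires.
locals {
  detections = {
    root_account_usage = {
      pattern   = "{ $.userIdentity.type = \"Root\" && $.userIdentity.invokedBy NOT EXISTS && $.eventType != \"AwsServiceEvent\" }"
      threshold = 1
    }
    unauthorized_api_calls = {
      pattern   = "{ ($.errorCode = \"*UnauthorizedOperation\") || ($.errorCode = \"AccessDenied*\") }"
      threshold = 10
    }
  }
}

resource "aws_cloudwatch_log_metric_filter" "detection" {
  for_each       = local.detections
  name           = each.key
  log_group_name = var.cloudtrail_log_group
  pattern        = each.value.pattern

  metric_transformation {
    name      = each.key
    namespace = "LandingZone/Security"
    value     = "1"
  }
}

resource "aws_cloudwatch_metric_alarm" "detection" {
  for_each            = local.detections
  alarm_name          = "lz-${each.key}"
  namespace           = "LandingZone/Security"
  metric_name         = each.key
  statistic           = "Sum"
  period              = 300
  evaluation_periods  = 1
  threshold           = each.value.threshold
  comparison_operator = "GreaterThanOrEqualToThreshold"
  treat_missing_data  = "notBreaching"
  alarm_actions       = [aws_sns_topic.security_alerts.arn]
}
```

Root usage alarms on a single event because there should be none in normal operation; the access-denied filter uses a higher threshold so that an occasional misconfigured role does not page, while a sustained run of denials (typical of credential misuse or a broken deployment) does. Adding a detection is one more map entry, which keeps the alarm set reviewable in code rather than in the console.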

Lesson 7: IaC is the Only Way to Scale

Manual deployment = inconsistency, errors, slow provisioning.

Action: Everything in Terraform, version controlled, CI/CD deployed.

Lesson 8: Documentation in Code > Wiki Pages

Wiki documentation goes stale immediately.

Action: Terraform code with comments, module READMEs, ADRs in Git.


Conclusion: You're Ready

You've completed the Cloud Landing Zone 101 series. 12 articles, 100,000+ words, complete Terraform implementations, real-world examples.

What you now know:

  1. Landing zone fundamentals and ROI

  2. Design principles and architecture patterns

  3. Identity, access, and security

  4. Network architecture and connectivity

  5. Governance and policy frameworks

  6. Monitoring, logging, and operational excellence

  7. Infrastructure as Code best practices

  8. Account/subscription vending automation

  9. Multi-environment management

  10. Security operations and threat protection

  11. Migration and workload onboarding

  12. Real-world production implementation

What to do next:

  1. Start small: Build a landing zone for 3-5 accounts

  2. Automate everything: Use the Terraform code from this series

  3. Test thoroughly: Validate SCPs, test account vending, verify logging

  4. Iterate: Add features incrementally (don't try to build everything day 1)

  5. Document: Keep your code well-commented and maintain a changelog

Resources:

The future is multi-cloud. You now have the knowledge to build world-class landing zones on AWS, Azure, and GCP.

Go build something amazing. 🚀


Thanks for reading the entire Cloud Landing Zone 101 series. If you found this valuable, share it with your team. Questions? Reach out on LinkedIn or open a GitHub issue.

- Your Author
