Overview of the Sovereign Landing Zone

The Sovereign Landing Zone (SLZ) is a variant of the enterprise-scale Azure Landing Zone intended for organizations that need advanced sovereign controls. The SLZ helps these organizations meet their regulatory compliance requirements through Azure-native Infrastructure-as-Code (IaC) and Policy-as-Code (PaC) capabilities. A configurable landing zone gives organizations the tools to address their sovereignty needs by requiring resources to comply with policies created in Azure Policy.

Why use the Sovereign Landing Zone?

Data sovereignty in Azure ensures that the data owner has exclusive control over their data, which includes:

  • Granting permissions for users and workloads to access and process the data.

  • Approving regions for workload deployments.

  • Implementing technical controls to protect against unauthorized data access, including explicit access for cloud and managed service provider operators.

The Sovereign Landing Zone is a variant of the Azure Landing Zone (ALZ), meaning it includes additional Landing Zone Management Groups and Policy Assignments, which help meet sovereignty requirements for public sector customers, partners, and independent software vendors (ISVs). The SLZ uses the same code base as ALZ and comes with additional orchestration and deployment automation capabilities.

The SLZ also provides an opinionated architecture that enables an organization to meet its sovereignty needs while being configured through a single configuration file and deployed entirely by a single script.

Your organization can meet the sovereignty needs by performing the following tasks:

For more information on how to deploy and configure the SLZ, see the Sovereign Landing Zone documentation on GitHub and Tailor the Azure landing zone architecture to meet requirements.

Should I deploy the Sovereign Landing Zone with Bicep or Terraform?

The Bicep-based deployment of the Sovereign Landing Zone (SLZ) is generally available and is a variant of the Azure Landing Zone (ALZ) Bicep repository. The Bicep implementation for the SLZ is available on GitHub.

The Terraform-based deployment of the SLZ is in Public Preview and is based on the Azure Verified Modules. The Terraform implementation for the SLZ is available on GitHub.

The Terraform-based deployment of the SLZ might not be as feature-complete as the Bicep-based version until it becomes generally available. However, organizations can use the deployment language that best suits their skill set.

When to use Sovereign Landing Zone instead of Azure Landing Zone?

A common question about the SLZ is when an organization should use one landing zone over the other. Both the ALZ and SLZ teams recommend the following guidance:

Use ALZ when you prioritize:

  • Default option for most customers across various industries that can be built upon.

  • Detailed configuration and customization options over the entire environment.

  • Multiple deployment options such as through the Portal.

Use SLZ when you prioritize:
