Azure Infrastructure | Last Updated: 1/25/2026

The RedDog Landing Zone

The definitive reference architecture for secure, scalable Azure environments.

The RedDog Landing Zone is our opinionated, battle-tested blueprint for Azure environments. It prioritizes Zero-Trust security, cost observability, and imitable scale.

Core Philosophy

Zero-Trust by Default

We assume breach. Every component must authenticate and authorize every request, even inside the perimeter.

  1. Identity First: Identity is the new perimeter. Rely on Entra ID (stats) for all access control.
  2. Policy Driven: Governance is code. Use Azure Policy to enforce compliance (e.g., "No Public IPs").
  3. Subscription Democratization: Treat subscriptions as units of management, not cost centers.

Architecture

The Landing Zone is composed of three core management groups:

  • Platform: Shared services (Identity, Connectivity, Management).
  • Landing Zones: Application workloads (Corp, Online, SAP).
  • Sandbox: Isolated playgrounds for R&D.
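
The following Terraform sketch is an added example, not code from the RedDog Modules library. It shows the three management groups above together with the "No Public IPs" policy from the Core Philosophy list, enforced as a deny rule. The root group name, the resource labels, and the choice to assign the policy at the Landing Zones group are assumptions made for illustration.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

# azurerm 4.x also needs subscription_id here or ARM_SUBSCRIPTION_ID set.
provider "azurerm" {
  features {}
}

# Assumed root group; the page names only the three groups beneath it.
resource "azurerm_management_group" "root" {
  display_name = "RedDog"
}

# Platform, Landing Zones and Sandbox as siblings under the root.
resource "azurerm_management_group" "child" {
  for_each                   = toset(["Platform", "Landing Zones", "Sandbox"])
  display_name               = each.key
  parent_management_group_id = azurerm_management_group.root.id
}

# Custom definition: refuse creation of any public IP address resource.
resource "azurerm_policy_definition" "deny_public_ip" {
  name                = "deny-public-ip"
  display_name        = "No Public IPs"
  policy_type         = "Custom"
  mode                = "All"
  management_group_id = azurerm_management_group.root.id

  policy_rule = jsonencode({
    if = {
      field  = "type"
      equals = "Microsoft.Network/publicIPAddresses"
    }
    then = { effect = "deny" }
  })
}

# Assumption: enforce on application workloads; every subscription placed
# under this group inherits the deny.
resource "azurerm_management_group_policy_assignment" "lz_deny_public_ip" {
  name                 = "deny-public-ip" # assignment names at this scope are limited to 24 chars
  management_group_id  = azurerm_management_group.child["Landing Zones"].id
  policy_definition_id = azurerm_policy_definition.deny_public_ip.id
}
```

Because the assignment is inherited, internet-facing workloads such as the Online landing zone would need a narrower assignment scope or an explicit policy exemption.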

Connectivity Strategy

We purposefully avoid Hub & Spoke for smaller organizations, preferring a Virtual WAN topology when scaling beyond 5 regions.

module "vwan" {
  source   = "Azure/avm-ptn-vwan/azurerm"
  version  = "0.1.0"
  location = "eastus"
}

Implementation

To deploy this standard, you need access to the RedDog Modules library.
