Landing Zone (Cloud)
A cloud landing zone is a pre-configured, well-governed multi-account or multi-subscription environment that provides the baseline networking, identity, security, and policy controls a new workload can be deployed into.
Definition
A cloud landing zone is a pre-configured, well-governed multi-account or multi-subscription environment that provides the baseline networking, identity, security, and policy controls a new workload can be deployed into.
Overview
A landing zone is the answer to a question every organization eventually asks when adopting cloud at scale: instead of every team configuring its own account, networking, and security controls from scratch, what if there were a standardized, pre-built environment that already has identity federation, logging, network connectivity, and security guardrails in place, so new workloads simply "land" into a compliant environment from day one? That standardized environment is the landing zone. A typical landing zone separates concerns into a small set of foundational accounts or subscriptions — for identity, centralized logging, network hub connectivity, and security tooling — alongside a repeatable "account factory" or template that provisions new workload accounts pre-wired to those foundations with the correct guardrails already applied. On AWS this is commonly built using AWS Organizations together with AWS Control Tower; on Azure it is built using Management Groups following the Cloud Adoption Framework; and on Google Cloud it follows the enterprise foundations blueprint on top of Resource Manager folders. Regardless of cloud, the landing zone typically enforces things like mandatory tagging, centralized log aggregation, network segmentation, and preventive guardrails (via service control policies, Azure Policy, or organization policies) that block non-compliant configurations before they can be deployed. Landing zones matter because they turn governance from something bolted on after the fact into something built into the platform every workload runs on, which is far more reliable at scale than relying on every individual team to remember and correctly implement security best practices. They are also a prerequisite for many compliance certifications, since auditors want to see consistent, centrally enforced controls rather than ad hoc per-team configuration.
Key Concepts
- Pre-configured baseline for identity, networking, logging, and security across an organization
- Repeatable account or subscription provisioning ('account factory') with guardrails pre-applied
- Preventive guardrails enforced through policy engines (SCPs, Azure Policy, organization policies)
- Centralized logging and monitoring wired into every new workload automatically
- Network hub-and-spoke or similar segmentation model connecting workloads to shared services
- Alignment with cloud-provider frameworks such as AWS Control Tower or the Azure Cloud Adoption Framework
- Designed to scale to hundreds of accounts or projects without reconfiguring governance each time
Use Cases
Frequently Asked Questions
From the Blog
Cloud Computing for Beginners: A Complete Guide
A comprehensive guide to cloud computing for beginners: a complete guide — written for learners at every level.
Read More Cloud & CybersecurityAWS vs Azure vs Google Cloud: Which to Learn?
A comprehensive guide to aws vs azure vs google cloud: which to learn? — written for learners at every level.
Read More Cloud & CybersecurityAWS for Beginners: Cloud Computing Fundamentals
Amazon Web Services is the world's most widely used cloud platform. This guide covers the core services every developer needs — EC2 (virtual servers), S3 (storage), IAM (access control), VPC (networking), and RDS (databases) — with practical setup instructions and free tier guidance.
Read More Cloud & CybersecurityInfrastructure as Code Explained: Terraform Basics
Clicking through cloud consoles doesn't scale. Infrastructure as Code (IaC) lets you define, version, and automate your cloud resources in code. This guide explains IaC concepts and walks you through Terraform — the most widely used IaC tool.
Read More