Build a brand-new Azure environment from zero using Cloud Adoption Framework best practices. Complete landing zone setup with management groups, networking, identity, governance, and AI-ready infrastructure — the "Zero to Hero" approach.
The Greenfield Azure Deployment pattern is for organizations starting fresh on Azure with no existing cloud infrastructure. Following the Microsoft Cloud Adoption Framework (CAF), this pattern establishes a complete enterprise landing zone from scratch — management group hierarchy, hub networking, centralized identity, policy governance, and AI-ready spoke workloads.
| Strategy | Define |
| Plan | Assess |
| Ready | Landing Zone |
| Adopt | Deploy |
| Govern | Policy |
| Manage | Operate |
| Hub VNet | 10.0.0.0/16 |
| Spoke VNet | 10.1.0.0/16 |
| Firewall | Standard |
| Bastion | Standard |
Quick start, minimal governance
Enterprise-ready with governance
Full-scale with advanced security
Define objectives, business outcomes, financial model
Digital estate assessment, skills readiness, adoption plan
Landing zone setup, management groups, hub networking
Deploy workloads, migrate or innovate
Policy baselines, cost management, security baseline
Monitor, optimize, protect, operate
graph TB
subgraph MG["Management Group Hierarchy"]
ROOT["Tenant Root Group"]
ORG["Organization MG"]
PLAT["Platform MG"]
LZ["Landing Zones MG"]
MGMT["Management Sub"]
CONN["Connectivity Sub"]
IDENT["Identity Sub"]
CORP["Corp LZ Sub"]
ONLINE["Online LZ Sub"]
end
subgraph Hub["Hub VNet (Connectivity Sub) 10.0.0.0/16"]
FW["Azure Firewall<br/>Standard"]
BASTION["Azure Bastion<br/>Secure Access"]
VGW["VPN Gateway<br/>or ExpressRoute"]
DNS["Private DNS Zones<br/>Centralized"]
end
subgraph Spoke["Spoke VNet (Corp LZ) 10.1.0.0/16"]
subgraph AppSubnet["Application Subnet /24"]
APP["App Service<br/>or Container Apps"]
end
subgraph AISubnet["AI Subnet /24"]
AOAI["Azure OpenAI<br/>GPT-4o"]
SEARCH["AI Search<br/>Standard S1"]
end
subgraph DataSubnet["Data Subnet /24"]
SQL["Azure SQL<br/>Managed Instance"]
STOR["Storage Account<br/>ADLS Gen2"]
end
subgraph PESubnet["Private Endpoint Subnet /24"]
PE["Private Endpoints<br/>All PaaS Services"]
end
end
subgraph SharedSvc["Shared Services (Management Sub)"]
LAW["Log Analytics<br/>Central Workspace"]
POLICY["Azure Policy<br/>Governance"]
COST["Cost Management<br/>Budgets & Alerts"]
DEFENDER["Defender for Cloud<br/>Security Posture"]
end
ROOT --> ORG
ORG --> PLAT
ORG --> LZ
PLAT --> MGMT
PLAT --> CONN
PLAT --> IDENT
LZ --> CORP
LZ --> ONLINE
Hub -->|"Peering"| Spoke
FW -->|"Egress Filter"| Spoke
VGW -->|"Hybrid"| Hub
APP --> PE
PE --> AOAI
PE --> SEARCH
PE --> SQL
PE --> STOR
AOAI --> LAW
SEARCH --> LAW
SQL --> LAW
POLICY --> CORP
| # | Service | SKU / Tier | Purpose | Monthly Cost |
|---|---|---|---|---|
| 1 | Azure Firewall | Standard | Hub egress filtering & inspection | ~$912 |
| 2 | Azure OpenAI | S0 | GPT-4o + embeddings | ~$1,800 |
| 3 | Azure SQL MI | GP 4 vCores | Primary database | ~$1,100 |
| 4 | AI Search | Standard S1 | Vector + semantic search | ~$245 |
| 5 | App Service | P1v3 Linux | Application compute | ~$140 |
| 6 | Azure Bastion | Standard | Secure VM/resource access | ~$330 |
| 7 | VPN Gateway | VpnGw1 | Hybrid connectivity | ~$140 |
| 8 | Key Vault | Standard | Secrets, keys, certificates | ~$5 |
| 9 | Storage Account | Standard_LRS | ADLS Gen2, blobs, files | ~$50 |
| 10 | Log Analytics | PerGB2018 | Central monitoring workspace | ~$75 |
| 11 | Defender for Cloud | Plan 2 | CSPM + server protection | ~$100 |
| 12 | Azure Policy | Free | Governance (built-in) | Free |
| 13 | Cost Management | Free | Budgets & alerts (built-in) | Free |
| 14 | VNet + NSGs + PE | — | Hub + Spoke + 6 endpoints | ~$48 |
| Estimated Range (Medium Production) | $18,000 – $28,000/mo | |||
Central egress point for all spoke traffic. Application and network rules for AOAI, SQL, and internet access. DNS proxy enabled.
GPT-4o and text-embedding-3-large deployments. Private endpoint in AI subnet. Used for RAG, chat, and document processing.
VNet-native managed database. Auto-failover groups, TDE, Advanced Threat Protection. Entra ID auth enabled.
Secure access to all resources without public IPs. Supports RDP, SSH, and native client. Deployed in hub VNet.
Cloud Security Posture Management. Vulnerability assessment, regulatory compliance dashboard, just-in-time VM access.
Enforce CAF guardrails: require tags, allowed locations, require encryption, deny public endpoints. Initiative assignments at MG level.
Start on Azure with enterprise-grade governance from day one. No technical debt. Scale from 1 to 100 workloads with the same foundation.
Organization moving to cloud for the first time. Establish landing zone, migrate first workloads, and build AI capabilities simultaneously.
Healthcare, financial services, or government deploying to Azure. Built-in compliance (HIPAA, SOC 2, FedRAMP) from the foundation layer.
Build an AI platform from scratch with Azure OpenAI, AI Search, and modern data services. All CAF best practices baked in from the start.
| Constraint | Mitigation |
|---|---|
| Full landing zone setup takes 2-4 weeks | Use Azure Landing Zone Accelerator (Bicep/Terraform) to automate |
| Azure Firewall is the largest fixed cost (~$912/mo) | Use Firewall Basic ($274/mo) for smaller deployments |
| Management group design is hard to change later | Follow CAF recommended hierarchy; plan with stakeholders first |
| Skills gap — team new to Azure | Budget for Azure training (AZ-900, AZ-104, AZ-305); use this portal for guidance |
| Over-engineering for small workloads | Start with Small T-shirt size; add governance layers as you grow |
Generate a complete deployment spec sheet with GitHub Actions workflow, Bicep file structure, and prerequisite checklist.
Generate Deployment Spec Sheet