Greenfield Azure Deployment

Build a brand-new Azure environment from zero using Cloud Adoption Framework best practices. Complete landing zone setup with management groups, networking, identity, governance, and AI-ready infrastructure — the "Zero to Hero" approach.

$18,000 – $28,000/mo*
14
Azure Services
$18K–$28K
Monthly Est.*
6 CAF Phases
Strategy → Manage
99.95%
Composite SLA

Overview

The Greenfield Azure Deployment pattern is for organizations starting fresh on Azure with no existing cloud infrastructure. Following the Microsoft Cloud Adoption Framework (CAF), this pattern establishes a complete enterprise landing zone from scratch — management group hierarchy, hub networking, centralized identity, policy governance, and AI-ready spoke workloads.

Key Characteristics
  • CAF Enterprise-Scale Landing Zone architecture
  • Management Group hierarchy (Platform + Landing Zones)
  • Hub-Spoke networking with Azure Firewall
  • Centralized identity via Entra ID with Conditional Access
  • Policy-as-Code governance with Azure Policy initiatives
  • Cost Management with budgets and alerts from day one
  • AI-ready spoke with Azure OpenAI, AI Search, and Key Vault
CAF Pillars
StrategyDefine
PlanAssess
ReadyLanding Zone
AdoptDeploy
GovernPolicy
ManageOperate
Hub-Spoke
Hub VNet10.0.0.0/16
Spoke VNet10.1.0.0/16
FirewallStandard
BastionStandard

T-Shirt Sizing

Small (Startup/MVP)

Quick start, minimal governance

  • 1 subscription, no management groups
  • Single VNet (no hub-spoke)
  • Azure OpenAI + Key Vault + Storage
  • Basic NSGs, no Firewall
$10,000 – $15,000/mo

Medium (Production)

Enterprise-ready with governance

  • 3 subscriptions (Platform, Corp, Online)
  • Hub-spoke with Azure Firewall Standard
  • Entra ID P1, Conditional Access
  • Azure Policy baseline, Cost Management
$18,000 – $28,000/mo

Large (Enterprise)

Full-scale with advanced security

  • 10+ subscriptions, full MG hierarchy
  • Hub-spoke with Firewall Premium + ExpressRoute
  • Entra ID P2, PIM, Defender for Cloud P2
  • Full Azure Policy initiatives, Sentinel SIEM
$35,000 – $50,000/mo

CAF Journey

Phase 1: Strategy

Define objectives, business outcomes, financial model

Phase 2: Plan

Digital estate assessment, skills readiness, adoption plan

Phase 3: Ready

Landing zone setup, management groups, hub networking

Phase 4: Adopt

Deploy workloads, migrate or innovate

Phase 5: Govern

Policy baselines, cost management, security baseline

Phase 6: Manage

Monitor, optimize, protect, operate

Architecture Diagram

graph TB
    subgraph MG["Management Group Hierarchy"]
        ROOT["Tenant Root Group"]
        ORG["Organization MG"]
        PLAT["Platform MG"]
        LZ["Landing Zones MG"]
        MGMT["Management Sub"]
        CONN["Connectivity Sub"]
        IDENT["Identity Sub"]
        CORP["Corp LZ Sub"]
        ONLINE["Online LZ Sub"]
    end
    subgraph Hub["Hub VNet (Connectivity Sub) 10.0.0.0/16"]
        FW["Azure Firewall<br/>Standard"]
        BASTION["Azure Bastion<br/>Secure Access"]
        VGW["VPN Gateway<br/>or ExpressRoute"]
        DNS["Private DNS Zones<br/>Centralized"]
    end
    subgraph Spoke["Spoke VNet (Corp LZ) 10.1.0.0/16"]
        subgraph AppSubnet["Application Subnet /24"]
            APP["App Service<br/>or Container Apps"]
        end
        subgraph AISubnet["AI Subnet /24"]
            AOAI["Azure OpenAI<br/>GPT-4o"]
            SEARCH["AI Search<br/>Standard S1"]
        end
        subgraph DataSubnet["Data Subnet /24"]
            SQL["Azure SQL<br/>Managed Instance"]
            STOR["Storage Account<br/>ADLS Gen2"]
        end
        subgraph PESubnet["Private Endpoint Subnet /24"]
            PE["Private Endpoints<br/>All PaaS Services"]
        end
    end
    subgraph SharedSvc["Shared Services (Management Sub)"]
        LAW["Log Analytics<br/>Central Workspace"]
        POLICY["Azure Policy<br/>Governance"]
        COST["Cost Management<br/>Budgets & Alerts"]
        DEFENDER["Defender for Cloud<br/>Security Posture"]
    end
    ROOT --> ORG
    ORG --> PLAT
    ORG --> LZ
    PLAT --> MGMT
    PLAT --> CONN
    PLAT --> IDENT
    LZ --> CORP
    LZ --> ONLINE
    Hub -->|"Peering"| Spoke
    FW -->|"Egress Filter"| Spoke
    VGW -->|"Hybrid"| Hub
    APP --> PE
    PE --> AOAI
    PE --> SEARCH
    PE --> SQL
    PE --> STOR
    AOAI --> LAW
    SEARCH --> LAW
    SQL --> LAW
    POLICY --> CORP
          

Bill of Materials

#ServiceSKU / TierPurposeMonthly Cost
1Azure FirewallStandardHub egress filtering & inspection~$912
2Azure OpenAIS0GPT-4o + embeddings~$1,800
3Azure SQL MIGP 4 vCoresPrimary database~$1,100
4AI SearchStandard S1Vector + semantic search~$245
5App ServiceP1v3 LinuxApplication compute~$140
6Azure BastionStandardSecure VM/resource access~$330
7VPN GatewayVpnGw1Hybrid connectivity~$140
8Key VaultStandardSecrets, keys, certificates~$5
9Storage AccountStandard_LRSADLS Gen2, blobs, files~$50
10Log AnalyticsPerGB2018Central monitoring workspace~$75
11Defender for CloudPlan 2CSPM + server protection~$100
12Azure PolicyFreeGovernance (built-in)Free
13Cost ManagementFreeBudgets & alerts (built-in)Free
14VNet + NSGs + PEHub + Spoke + 6 endpoints~$48
Estimated Range (Medium Production)$18,000 – $28,000/mo

Service Breakdown

Azure Firewall
Standard~$912/mo

Central egress point for all spoke traffic. Application and network rules for AOAI, SQL, and internet access. DNS proxy enabled.

Azure OpenAI
S0~$1,800/mo

GPT-4o and text-embedding-3-large deployments. Private endpoint in AI subnet. Used for RAG, chat, and document processing.

Azure SQL MI
GP 4 vCores~$1,100/mo

VNet-native managed database. Auto-failover groups, TDE, Advanced Threat Protection. Entra ID auth enabled.

Azure Bastion
Standard~$330/mo

Secure access to all resources without public IPs. Supports RDP, SSH, and native client. Deployed in hub VNet.

Defender for Cloud
Plan 2~$100/mo

Cloud Security Posture Management. Vulnerability assessment, regulatory compliance dashboard, just-in-time VM access.

Azure Policy
FreeFree

Enforce CAF guardrails: require tags, allowed locations, require encryption, deny public endpoints. Initiative assignments at MG level.

Security & Networking

Network
  • Hub-Spoke topology with VNet peering
  • Azure Firewall as central egress (UDR 0.0.0.0/0)
  • Azure Bastion in hub for secure access
  • Private Endpoints for all PaaS services in spoke
  • Private DNS Zones in hub (centralized resolution)
  • NSGs on every subnet (deny-all-inbound default)
Identity & Data
  • Entra ID as sole identity provider
  • Conditional Access: require MFA for Azure management
  • PIM (Privileged Identity Management) for just-in-time admin access
  • Managed Identity for all service-to-service auth
  • Zero stored secrets — Key Vault for external integrations only
  • Microsoft Defender for Cloud on all subscriptions

Use Cases

Cloud-First Startup

Start on Azure with enterprise-grade governance from day one. No technical debt. Scale from 1 to 100 workloads with the same foundation.

Digital Transformation

Organization moving to cloud for the first time. Establish landing zone, migrate first workloads, and build AI capabilities simultaneously.

Regulated Industry Entry

Healthcare, financial services, or government deploying to Azure. Built-in compliance (HIPAA, SOC 2, FedRAMP) from the foundation layer.

AI-First Platform Build

Build an AI platform from scratch with Azure OpenAI, AI Search, and modern data services. All CAF best practices baked in from the start.

Constraints & Considerations

ConstraintMitigation
Full landing zone setup takes 2-4 weeksUse Azure Landing Zone Accelerator (Bicep/Terraform) to automate
Azure Firewall is the largest fixed cost (~$912/mo)Use Firewall Basic ($274/mo) for smaller deployments
Management group design is hard to change laterFollow CAF recommended hierarchy; plan with stakeholders first
Skills gap — team new to AzureBudget for Azure training (AZ-900, AZ-104, AZ-305); use this portal for guidance
Over-engineering for small workloadsStart with Small T-shirt size; add governance layers as you grow
Ready to Deploy This Pattern?

Generate a complete deployment spec sheet with GitHub Actions workflow, Bicep file structure, and prerequisite checklist.

Generate Deployment Spec Sheet