Martin Rylko
Azure Landing Zone with Bicep: Enterprise Setup

3/15/2025 2 min
#Azure #Bicep #Landing Zone #IaC

When you start building new infrastructure in the cloud, the Landing Zone is the absolute foundation. It defines network boundaries, security policies, identity management, and the overall subscription architecture. Translating this complex design into code using Microsoft Bicep brings tremendous advantages over manually clicking through the Azure Portal.

Traditional ARM Templates vs. Bicep

Historically, we all struggled with massive, unreadable ARM templates in JSON format, where writing a simple for-loop was an all-day task. With Bicep, we get an incredibly clean syntax, transparent dependencies, and massive modularity.

Here's a simple example of how elegant the code looks:

// Resource groups are subscription-level resources, so this file must target the subscription scope
targetScope = 'subscription'

param location string = 'westeurope'
param environmentType string = 'prod'

// Create the resource group that holds the network resources
resource vnetRg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
  name: 'rg-network-${environmentType}'
  location: location
}

// Virtual Network deployed as a called module, scoped to the resource group above
module hubVnet './modules/network.bicep' = {
  name: 'deploy-hub-vnet'
  scope: vnetRg
  params: {
    vnetName: 'vnet-hub-${location}'
    addressPrefix: '10.0.0.0/16'
  }
}

See how clean this is? Compared to a JSON definition, this is a massive step forward. We've gained type safety, full IntelliSense support in VS Code, and the ability to split complex monolithic code into hundreds of small, reusable logical units (e.g. hub.bicep, spoke.bicep, firewall.bicep, policies.bicep).
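The snippet above calls ./modules/network.bicep without showing it. The following is an added example of what such a module could contain, not the author's file: the parameter names vnetName and addressPrefix come from the call above, while the subnet name, NSG name, API version and output are assumptions.

```bicep
// modules/network.bicep (hypothetical contents; the article does not show this file)
targetScope = 'resourceGroup'

@description('Name of the virtual network, e.g. vnet-hub-westeurope')
param vnetName string

@description('Address space of the virtual network in CIDR notation')
param addressPrefix string

@description('Defaults to the region of the resource group the module is scoped to')
param location string = resourceGroup().location

// NSG without custom rules: only Azure's built-in default rules apply,
// which deny inbound traffic from the Internet. Assumed name.
resource sharedNsg 'Microsoft.Network/networkSecurityGroups@2023-09-01' = {
  name: 'nsg-${vnetName}-shared'
  location: location
  properties: {
    securityRules: []
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        addressPrefix
      ]
    }
    subnets: [
      {
        // Assumed subnet: the first /24 carved out of the address space
        name: 'snet-shared'
        properties: {
          addressPrefix: cidrSubnet(addressPrefix, 24, 0)
          networkSecurityGroup: {
            id: sharedNsg.id
          }
        }
      }
    ]
  }
}

// Exposed so that spoke or peering modules can reference the hub
output vnetId string = vnet.id
```

Defining the subnet inline with its NSG means the subnet never exists without a filter attached, which is not guaranteed when the association is made in a separate later step.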

Key Principles for a Quality Implementation

  1. Keep it D.R.Y. (Don't Repeat Yourself). If you notice you're copying the same code 3 times (say, for creating a Storage Account), turn it into a Bicep module immediately!
  2. Strict Naming Convention: Follow the Cloud Adoption Framework abbreviation specifications (e.g. st for Storage, vnet for Virtual Network).
  3. Linter Validation: Always let the linter check the quality of your file before running a deployment.
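Principles 1 and 2 combined, as an added example rather than code from the article: a reusable Storage Account module that builds the name from the st abbreviation and fixes secure defaults in one place. The file name, parameter names and the chosen hardening properties are assumptions.

```bicep
// modules/storage.bicep (hypothetical module, not part of the original article)
@description('Short workload name, lowercase letters and digits only')
@minLength(3)
@maxLength(11)
param workload string

@description('Environment suffix, e.g. prod')
param environmentType string

param location string = resourceGroup().location

// Storage account names: 3-24 characters, lowercase alphanumeric, globally unique.
// 'st' is the Cloud Adoption Framework abbreviation for Storage.
var storageName = take(toLower('st${workload}${environmentType}${uniqueString(resourceGroup().id)}'), 24)

resource storage 'Microsoft.Storage/storageAccounts@2023-01-01' = {
  name: storageName
  location: location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_ZRS'
  }
  properties: {
    // Secure defaults live in the module, so every caller inherits them
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
    allowBlobPublicAccess: false
    allowSharedKeyAccess: false
    publicNetworkAccess: 'Disabled'
    networkAcls: {
      defaultAction: 'Deny'
      bypass: 'AzureServices'
    }
  }
}

output storageId string = storage.id
output storageAccountName string = storage.name
```

With public network access disabled, callers reach the account through a private endpoint, and with shared key access disabled they authenticate through Microsoft Entra ID role assignments.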

Conclusion and Next Steps

If you're starting to develop your Azure Landing Zone today, try to maintain code modularity from the very first commit. Don't try to solve everything in a single massive main.bicep file. For the networking layer of your Landing Zone, see our detailed hub-spoke architecture guide.

A huge next step for properly running modern Enterprise Architecture is connecting these templates directly into fully automated CI/CD pipelines in Azure DevOps or GitHub Actions – which will be the main topic of our upcoming article! This will eliminate the so-called "Works on my machine" principle and establish a true DevOps culture. Explore our full Azure Landing Zone consulting services.


About the author

Martin Rylko

Senior Cloud Architect & DevOps Engineer

14+ years in IT – from on-premises datacenters and Hyper-V clustering to cloud infrastructure on Microsoft Azure. I specialize in Landing Zones, IaC automation, Kubernetes and security compliance.


Frequently Asked Questions

What is the minimum Azure subscription setup needed for a Landing Zone?
At minimum you need two subscriptions -- one for connectivity (hub network, firewall, DNS) and one for your first workload. Enterprise-scale patterns recommend a Platform management group with dedicated Identity, Management, and Connectivity subscriptions, plus a Landing Zones management group for workload subscriptions. You can start with two and expand later.

How does Bicep compare to ARM Templates for Landing Zone deployments?
Bicep compiles down to ARM JSON but offers dramatically cleaner syntax -- about 50-60% fewer lines of code for the same deployment. Bicep modules support native dependency resolution, type checking at authoring time, and direct Azure Resource Manager integration without a state file. For pure Azure environments, Bicep eliminates the complexity overhead of ARM JSON.

How long does it typically take to deploy a Landing Zone with Bicep?
A basic Landing Zone with hub-spoke networking, governance policies, and identity integration takes 2-3 weeks for initial deployment. The Bicep module structure means subsequent environments (staging, DR) can be spun up in hours. Budget an additional 1-2 weeks for CI/CD pipeline integration and team onboarding.

Can I migrate from an existing ARM Template Landing Zone to Bicep?
Yes. The az bicep decompile command converts ARM JSON to Bicep, though you will need to clean up parameter references and module structure afterward. I recommend a phased approach: decompile, refactor into modules, validate with what-if deployments, then swap the pipeline. Expect 3-5 days for a typical Landing Zone decompilation.
