Building an Azure Landing Zone with Bicep
Building an Azure Landing Zone with Bicep
When you start building new infrastructure in the cloud, the Landing Zone is the absolute foundation. It defines network boundaries, security policies, identity management, and the overall subscription architecture. Translating this complex design into code using Microsoft Bicep brings tremendous advantages over manually clicking through the Azure Portal.
Traditional ARM Templates vs. Bicep
Historically, we all struggled with massive, unreadable ARM templates in JSON format, where writing a simple for-loop was an all-day task. With Bicep, we get an incredibly clean syntax, transparent dependencies, and massive modularity.
Here's a simple example of how elegantly the code looks:
param location string = 'westeurope'
param environmentType string = 'prod'
// Create Resource Group
resource vnetRg 'Microsoft.Resources/resourceGroups@2021-04-01' = {
name: 'rg-network-${environmentType}'
location: location
}
// Virtual Network deployed as a called module
module hubVnet './modules/network.bicep' = {
name: 'deploy-hub-vnet'
scope: vnetRg
params: {
vnetName: 'vnet-hub-${location}'
addressPrefix: '10.0.0.0/16'
}
}See how clean this is? Compared to a JSON definition, this is a massive step forward. We've gained type safety, full IntelliSense support in VS Code, and the ability to split complex monolithic code into hundreds of small, reusable logical units (e.g. hub.bicep, spoke.bicep, firewall.bicep, policies.bicep).
Key Principles for a Quality Implementation
- Keep it D.R.Y. (Don't Repeat Yourself). If you notice you're copying the same code 3 times (say, for creating a Storage Account), turn it into a Bicep module immediately!
- Strict Naming Convention: Follow the Cloud Adoption Framework abbreviation specifications (e.g.
stfor Storage,vnetfor Virtual Network). - Linter Validation: Always let the linter check the quality of your file before running a deployment.
Conclusion and Next Steps
If you're starting to develop your Azure Landing Zone today, try to maintain code modularity from the very first commit. Don't try to solve everything in a single massive main.bicep file.
A huge next step for properly running modern Enterprise Architecture is connecting these templates directly into fully automated CI/CD pipelines in Azure DevOps or GitHub Actions – which will be the main topic of our upcoming article! This will eliminate the so-called "Works on my machine" principle and establish a true DevOps culture.
About the author
Martin Rylko
Senior Cloud Architect & DevOps Engineer
14+ years in IT – from on-premises datacenters and Hyper-V clustering to cloud infrastructure on Microsoft Azure. I specialize in Landing Zones, IaC automation, Kubernetes and security compliance.
You might also like
5 Terraform Best Practices for Production Azure Projects
Common mistakes and proven practices when working with Terraform in Azure – from state management to modularization and drift detection.
ReadNIS2 and Azure: A Practical Compliance Checklist for Architects
How to prepare your Azure environment for the NIS2 directive – concrete steps from Azure Policy through Defender for Cloud to logging and incident response.
ReadAKS for Production: A Checklist for Cloud Architects
What you need to address before deploying Azure Kubernetes Service to production – from networking through RBAC and scaling to monitoring and backup.
Read