Deploy an Azure Landing Zone in About Twelve Minutes with the ALZ IaC Accelerator


Hello Folks!

Welcome back to my coverage of the Microsoft Azure Infra Summit 2026. This session is one I have been looking forward to, because if you have ever stood up an Azure Landing Zone (ALZ) by hand, you know it can eat weeks. Management groups, policy assignments, Hub-and-Spoke networking, Log Analytics, Defender for Cloud, identities, pipelines, governed branches. There is a lot of plumbing.

In this session Jack Tracy (he leads the Azure Landing Zones team) and Jarrod Holgate (tech lead on Azure Landing Zones and Azure Verified Modules) walk through the ALZ Infrastructure as Code Accelerator. Then they actually run it, and a bootstrap that used to be a multi-week journey wraps up in about twelve minutes of typing and ticking boxes.

📺 Watch the session:


If you are the person who has to ship a secure, governed Azure platform before your dev teams can land their first workload, this matters to you. Here is the short version of why:

  • It bakes in the Cloud Adoption Framework "start right, stay right" pattern so you do not have to invent it.
  • It supports both Bicep and Terraform, and it bootstraps GitHub or Azure DevOps for you (with a local file system option for GitLab, Bitbucket, or whatever else you run).
  • It covers roughly 80% of common customer scenarios out of the box. You do not have to write modules from scratch.
  • It is open source, every module is published, and you can fork or compose as you see fit.
  • It is now built entirely on Azure Verified Modules (AVM), so what you deploy is aligned with the Well-Architected Framework by default.

In short, if you have been hand-crafting management group hierarchies and policy assignments in the portal, stop. There is a better way, and the team that designs ALZ ships it as code you can actually read.

A quick recap, because it is worth getting the vocabulary right.

The Azure Landing Zone lives inside the CAF Ready methodology. It is the shared platform (networking, identity, logging, policy, management groups) that supports the many application landing zones your workload teams consume. Jack uses a good analogy in the session: think of a city. Before residents and businesses can move in, you need water, gas, electricity, and roads. The platform landing zone is the utilities layer. The application landing zones are the buildings.

The ALZ IaC Accelerator is the tooling that deploys and manages that platform layer using declarative infrastructure as code. It is composed of:

  • A set of IaC modules in Bicep and Terraform (all of them built on AVM).
  • A bootstrap layer for GitHub or Azure DevOps (or the local file system).
  • The ALZ PowerShell module, published to the PowerShell Gallery, which orchestrates everything.
  • Comprehensive docs covering prerequisites, scenarios, and options.

The accelerator is a Microsoft-supported, open source path to a production-grade landing zone. You should look at it before you decide to roll your own.

The accelerator runs in four phases. Jarrod walks through each of them in the demo.

Phase 0: Plan. You make choices: Bicep or Terraform, GitHub or Azure DevOps, single or multi-region, Hub-and-Spoke or Virtual WAN, Azure Firewall or NVA, DDoS on or off, and so on.

Phase 1: Prerequisites. Before the accelerator runs, you need two things in place: an identity to run the bootstrap, and the platform subscriptions. Traditionally this was four (connectivity, identity, management, security). There is now a new lighter option that needs only two subscriptions for smaller environments.

Phase 2: Bootstrap. This is where the magic happens. You feed it a bootstrap configuration file plus a platform landing zone configuration file, then run the Deploy-Accelerator command. The PowerShell module deploys identities, optional Terraform state storage with private networking, optional self-hosted container-instance runners, and then sets up your repositories, pipelines, environments, governed pipeline templates, and OIDC-based service connections using Workload Identity Federation (so no long-lived client secret is stored in the pipeline platform). No manual steps after Phase 2.

Phase 3: Deploy. Run the CD pipeline. The platform landing zone deploys. Done.

A few things worth highlighting about the bootstrap:

  • The accelerator deploys two identities: one with read-only rights for plan / what-if, one with write rights for apply / deploy. Least privilege, out of the box. The practical upshot is that a pull request can never change Azure; only the approved apply stage, running as the second identity, can.
  • Pipelines are governed. The actual deployment pipeline lives in a separate template repository, so changes to it require an approval.
  • A CI pipeline runs on pull requests automatically. You get the engineering hygiene without configuring it.
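The two bullets above (OIDC service connections in Phase 2, and the read-only plan identity versus the write apply identity) are the kind of thing worth verifying after the bootstrap rather than trusting. The script below is an added example, not code from the session or from the accelerator repository. It assumes the Az.Accounts and Az.Resources modules are installed and that Connect-AzAccount has been run with rights to read Entra ID applications and role assignments. The identity display names, the management group ID, the OIDC issuer and the subject prefix are placeholders you replace with your own values; the list of "write" roles is my own choice of roles that can change or assign things.

```powershell
# Added example (not from the session or the ALZ accelerator repo): verify that the
# plan identity is read-only, the apply identity can write, and both trust only OIDC
# federation pinned to your repo. Requires Az.Accounts + Az.Resources and a prior
# Connect-AzAccount. All defaults below are placeholders.
param(
    [string]$PlanIdentityName      = 'alz-mgmt-plan',                              # placeholder
    [string]$ApplyIdentityName     = 'alz-mgmt-apply',                             # placeholder
    [string]$RootManagementGroupId = 'alz',                                        # placeholder: MG the accelerator targets
    [string]$ExpectedIssuer        = 'https://token.actions.githubusercontent.com', # GitHub Actions; Azure DevOps uses https://vstoken.dev.azure.com/<org-id>
    [string]$ExpectedSubjectPrefix = 'repo:contoso-platform/alz-mgmt:'             # placeholder org/repo
)

# Roles that can change resources, policy or RBAC. The plan identity must hold none.
$WriteRoles = @('Owner', 'Contributor', 'User Access Administrator',
                'Resource Policy Contributor', 'Management Group Contributor')
$Scope = "/providers/Microsoft.Management/managementGroups/$RootManagementGroupId"

function Test-PipelineIdentity {
    param([string]$Name, [bool]$ShouldWrite)
    $ok = $true
    $sp = @(Get-AzADServicePrincipal -DisplayName $Name)
    if ($sp.Count -ne 1) { Write-Warning "Expected exactly one service principal named '$Name', found $($sp.Count)"; return $false }
    $sp  = $sp[0]
    $app = Get-AzADApplication -ApplicationId $sp.AppId

    # 1. Credentials: federation only. A client secret or certificate on the app would let
    #    anyone holding it act as the pipeline without going through the approved workflow.
    if ($app.PasswordCredentials -or $app.KeyCredentials) {
        Write-Warning "${Name}: has a client secret or certificate; expected OIDC federation only"; $ok = $false
    }
    $creds = @(Get-AzADAppFederatedCredential -ApplicationObjectId $app.Id)
    if ($creds.Count -eq 0) { Write-Warning "${Name}: no federated credential configured"; $ok = $false }
    foreach ($c in $creds) {
        if ($c.Issuer -ne $ExpectedIssuer -or -not $c.Subject.StartsWith($ExpectedSubjectPrefix)) {
            Write-Warning "${Name}: federated credential trusts '$($c.Issuer)' / '$($c.Subject)'"; $ok = $false
        }
    }

    # 2. Role assignments at (and inherited above) the target management group.
    $assignments = @(Get-AzRoleAssignment -ObjectId $sp.Id -Scope $Scope)
    foreach ($a in $assignments) { Write-Host "  ${Name}: $($a.RoleDefinitionName) @ $($a.Scope)" }
    $hasWrite = @($assignments | Where-Object { $WriteRoles -contains $_.RoleDefinitionName }).Count -gt 0
    if ($hasWrite -and -not $ShouldWrite) { Write-Warning "${Name}: plan identity holds a write role"; $ok = $false }
    if (-not $hasWrite -and $ShouldWrite) { Write-Warning "${Name}: apply identity has no write role; apply will fail"; $ok = $false }
    return $ok
}

$planOk  = Test-PipelineIdentity -Name $PlanIdentityName  -ShouldWrite $false
$applyOk = Test-PipelineIdentity -Name $ApplyIdentityName -ShouldWrite $true
if ($planOk -and $applyOk) { Write-Host 'Pipeline identities look right.' } else { exit 1 }
```

Run it once after Phase 2 and again any time someone touches the template repository. The federated-credential subject check matters most: a credential whose subject is wider than your repo and environment (or a stray client secret on the same app registration) is what would let a different workflow, or a person, borrow the apply identity.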

Jarrod calls these "scenarios" and "options". They are the difference between choosing a starting pattern (scenario) and tuning it (options).

Scenarios. There are 11 of them out of the box. Pick the one that matches your starting state:

  • Single region, Hub-and-Spoke, Azure Firewall.
  • Multi-region, Hub-and-Spoke, Azure Firewall.
  • Single or multi-region with Virtual WAN.
  • Single or multi-region with a third-party NVA.
  • No-connectivity (governance only, no hub networking) for organizations that are not ready for centralized networking yet.
  • New scenarios 10 and 11, which are cost-optimized for small and medium businesses with around 10 workloads. Same modules, same orchestration, just a smaller, cheaper starting shape.
  • Sovereign landing zone for customers with data sovereignty and confidential compute requirements.

Options. Once you pick a scenario, you can tune it. The 16 documented options are the ones the team sees customers ask about most often: customizing resource names, customizing management group names, turning the DDoS protection plan on or off, choosing the sovereign baseline, and more. Behind those, Terraform alone exposes hundreds of variables.

Honest tradeoffs (because Pierre always tells you about the rough edges):

  • OpenTofu is not supported today. Just Bicep and Terraform.
  • Personal Access Tokens are still required for Azure DevOps and self-hosted agents at the time of the session. Treat the bootstrap PAT as a secret: keep it out of any file you commit and revoke it once the bootstrap is done. The team has confirmed CLI / managed identity support is on the roadmap.
  • Brownfield is "it depends". The accelerator is greenfield-friendly. Retrofitting an existing tenant is possible but is going to depend on your current state and your risk appetite.
  • You still own the decisions. The Lady Justice slide in the session is a good reminder: balancing dev team freedom with central governance is your job. The accelerator gives you the controls; it does not pick your policy posture for you.

If you want to try this without waiting, here is the path Jarrod actually demoed:

  • Install the ALZ PowerShell module from the PowerShell Gallery.
  • Create your platform subscriptions (two minimum, four for the classic layout) and an identity for the bootstrap.
  • Run Deploy-Accelerator with no parameters. It will prompt you interactively for everything: region, parent management group, subscriptions, naming convention, self-hosted agents yes or no, private networking yes or no, PAT, project name, and approvers.
  • Review the two generated configuration files: the bootstrap config and the platform landing zone tfvars (or Bicep params).
  • Confirm. The bootstrap runs Terraform behind the scenes and wires up Azure plus your repos.
  • Run the CD pipeline. Approve at the apply stage. Your platform deploys.
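The demo answers the prompts by hand. The script below is an added example (not the session's code and not the accelerator's own sample) of the same path driven from files, which is what you want once you repeat the bootstrap for a second tenant or put it under review. It assumes, as I recall from the accelerator docs, that Deploy-Accelerator takes -inputs (one or more configuration file paths) and -output (a working directory), and that the inputs.yaml key names below match the published Terraform + GitHub bootstrap template; check both against the current docs before running. The subscription IDs, organization, user name and regions are placeholders, and the platform-landing-zone.tfvars file is the one you have already downloaded from the docs and edited (the script does not create it).

```powershell
# Added example, not the session's or the accelerator's code. Runs the ALZ bootstrap
# from files instead of interactive prompts. Assumptions: Deploy-Accelerator accepts
# -inputs/-output, and the inputs.yaml keys match the published template (verify).
$ErrorActionPreference = 'Stop'

# Step 1: the ALZ module from the PowerShell Gallery.
Install-Module -Name ALZ -Scope CurrentUser -Force
Import-Module ALZ

# Step 2: the PAT is still required today (see tradeoffs above). Read it from the
# environment at run time so it never lands in a file you might commit.
if (-not $env:GITHUB_TOKEN) { throw 'Set GITHUB_TOKEN to a PAT with repo and workflow scope first.' }

$config = Join-Path $HOME 'accelerator\config'   # keep this directory outside any git repo
$output = Join-Path $HOME 'accelerator\output'
New-Item -ItemType Directory -Force -Path $config, $output | Out-Null

# Bootstrap configuration. Placeholder values; key names as documented for the
# Terraform + GitHub bootstrap at the time of writing. The three classic platform
# subscriptions are shown; add a security subscription key if your layout has one.
@"
iac_type: "terraform"
bootstrap_module_name: "alz_github"
starter_module_name: "platform_landing_zone"
bootstrap_location: "canadacentral"
starter_locations: ["canadacentral", "canadaeast"]
root_parent_management_group_id: ""
subscription_id_management: "00000000-0000-0000-0000-000000000001"
subscription_id_identity: "00000000-0000-0000-0000-000000000002"
subscription_id_connectivity: "00000000-0000-0000-0000-000000000003"
github_personal_access_token: "$env:GITHUB_TOKEN"
github_organization_name: "contoso-platform"
use_separate_repository_for_templates: true
use_self_hosted_runners: true
use_private_networking: true
allow_storage_access_from_my_ip: false
apply_approvers: ["alice-contoso"]
create_branch_policies: true
configuration_file_path: '$config\platform-landing-zone.tfvars'
"@ | Set-Content -Path (Join-Path $config 'inputs.yaml') -Encoding utf8

# Steps 3 to 5: run the bootstrap against both files. Review what lands in $output
# before answering the confirmation prompt; the bootstrap then runs Terraform and
# wires up Azure plus the new repositories. Finish by running the CD pipeline there.
Deploy-Accelerator -inputs (Join-Path $config 'inputs.yaml'), (Join-Path $config 'platform-landing-zone.tfvars') -output $output

# The rendered inputs.yaml now contains the PAT; remove it once the bootstrap succeeds.
Remove-Item (Join-Path $config 'inputs.yaml') -Force
```

Two of the values above are the security-relevant ones: use_separate_repository_for_templates gives you the governed pipeline templates Jarrod describes, and apply_approvers is the list of people who can let the apply stage (and therefore the write identity) run. Keep that list short.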

If you are not ready to drive Terraform directly, the Azure Migrate AI agent (in preview) wraps the very same accelerator codebase behind a guided chat experience. You answer questions, it produces a zip with the same two config files plus a design document explaining the decisions it made. Then you hand that off to the same pipeline. The Azure MCP server has matching tooling for VS Code, so day-two changes like "turn off the DDoS protection plan" know to also comment out the dependent policy assignments in the archetype files. That is the kind of context-aware editing that saves you from breaking your own deployment.

If you found this useful, the full Microsoft Azure Infra Summit 2026 playlist has much more: deployment stacks, Bicep beyond the basics, IaC CI/CD best practices, AVM with GitHub Copilot, and plenty of AKS and storage sessions. Grab the playlist here: Microsoft Azure Infra Summit 2026 on YouTube.

Reach the ALZ team in the comments on the session, or open an issue on the repo. The team is genuinely active there.

Cheers!

Pierre Roman
