VAF·SA — Cloud Reference · Microsoft Azure
VENDOR REFERENCE
VAFSA-CRL-AZ · v1.0
MICROSOFT
AZURE
Cloud Adoption Framework · Well-Architected Framework · Azure Landing Zones · Azure Policy
01
Overview
Azure Architecture Guidance
How Microsoft structures its architecture and adoption guidance for enterprise customers.

Microsoft's cloud architecture guidance is organised around two primary frameworks. The Microsoft Cloud Adoption Framework for Azure (CAF) addresses the end-to-end journey — strategy, planning, readiness, migration, governance, and management. The Azure Well-Architected Framework (WAF) focuses on workload quality across five pillars. Azure Landing Zones provide the reference architecture and implementation patterns for a governed Azure environment.

Azure Landing Zones distinguish between platform landing zones — the shared services and governance foundation — and application landing zones — the subscription and resource group structure for individual workloads. This two-layer model is important for enterprise architects to understand early, because it determines accountability boundaries and the pace of workload onboarding.

Azure engagements often surface ambiguity between what the CAF recommends and what the organisation has actually built. VAF·SA Module 02 (Intelligence) is the instrument for establishing the real gap — not the gap the vendor documentation implies.
02
Microsoft Cloud Adoption Framework
Eight Phases
End-to-end cloud adoption lifecycle for enterprise Azure environments.

The Microsoft CAF organises cloud adoption into eight phases, covering the full lifecycle from initial strategy through ongoing operations. The framework is iterative — organisations do not complete phases sequentially and then stop. Governance and management disciplines run in parallel with all other phases.

PHASE 01
Strategy
Motivations, business outcomes, financial justification, prioritisation.
PHASE 02
Plan
Digital estate assessment, skills readiness, cloud adoption plan.
PHASE 03
Ready
Landing zone design and deployment, environment readiness.
PHASE 04
Migrate
Workload migration, modernisation, first adoption project.
PHASE 05
Innovate
Cloud-native development, data and AI, application modernisation.
PHASE 06
Secure
Security posture, Zero Trust model, security operations.
PHASE 07
Govern
Policy, cost management, identity baseline, resource consistency.
PHASE 08
Manage
Business commitments, operations baseline, workload management.
03
Azure Well-Architected Framework
Five Pillars
Workload design quality assessment across five dimensions.
Reliability
Ability of a workload to recover from failures and continue to function as expected. Covers failure mode analysis, resiliency patterns, backup and recovery, and testing practices.
Security
Protecting workloads from threats — identity and access, data protection, network security, threat monitoring, incident response, and supply chain integrity.
Cost Optimisation
Delivering business value at the right cost — understanding expenditure, right-sizing, reserved capacity, cost allocation, and financial governance.
Operational Excellence
Operations processes that support the workload — monitoring, observability, deployment automation, change management, and incident response.
Performance Efficiency
Scaling to meet demand and maintaining efficiency — resource selection, performance testing, capacity planning, and scaling patterns.
04
Azure Landing Zones
Enterprise Foundation
Management groups, subscriptions, governance baseline, and platform controls.
Management groups
Hierarchical organisation of subscriptions for policy and RBAC inheritance. The Azure Landing Zone reference architecture defines a standard management group hierarchy: Root, Platform, Landing Zones, Sandboxes, Decommissioned.
Subscriptions
The billing and isolation boundary. Platform subscriptions (Management, Connectivity, Identity) are separated from application landing zone subscriptions. Subscription design determines policy scope and cost allocation.
Identity baseline
Microsoft Entra ID (formerly Azure AD) as the identity foundation. Privileged Identity Management for just-in-time privileged access. Conditional Access policies. External identity federation for partner access.
Network topology
Hub-and-spoke or Virtual WAN model. Centralised connectivity subscription. Azure Firewall or equivalent for centralised inspection. ExpressRoute or VPN for on-premises connectivity. Private DNS resolver and DNS zones.
Azure Policy and governance
Policy assignments at management group level enforce baseline controls across all subscriptions. Initiative assignments apply multiple policies as a set. The Audit, Deny, and DeployIfNotExists effects cover different enforcement needs.
Security operations
Microsoft Defender for Cloud for posture management and threat protection across subscriptions. Microsoft Sentinel for SIEM and SOAR capabilities. Unified security operations across the management group hierarchy.
05
VAF·SA Usage Notes
Applying VAF·SA in Azure Engagements
Where the practitioner method adds value in an Azure-heavy environment.
VAF·SA Practitioner Notes — Azure
  • CAF phase mismatch is a common presenting problem. Organisations frequently begin migration before the landing zone is ready, or begin governance before strategy is clear. Module 01 (Orientation) establishes which CAF phases have actually been completed — not which the project plan says are complete.
  • Management group design decisions are often undocumented. Module 04 (Artefacts) produces a landing-zone decision pack capturing why the management group hierarchy is structured as it is — what options were evaluated, what constraints drove the decision, and what the exception process is for workloads that do not fit the standard model.
  • Policy assignment rationale is frequently lost. Azure Policy assignments accumulate over time. Module 02 (Intelligence) surfaces which policies are enforced, which are in audit mode only, and which assignments have accumulated exceptions that are not tracked anywhere. The gap between policy intent and policy reality is a common source of governance failure.
  • Subscription design disputes. The separation between platform and application landing zone subscriptions creates ownership tension. Module 05 (Communication) frames the subscription design recommendation separately for the platform team, the application team, the security team, and the finance function — each audience has different concerns.
  • Well-Architected Review as a workload assessment instrument. The Azure WAF assessment tool structures evidence collection in Module 02 (Intelligence) and feeds directly into the Architecture Decision Record in Module 04 (Artefacts).
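
The policy intent versus policy reality check from the Azure Policy and policy assignment notes above, as an added example (not part of VAF·SA or Microsoft tooling): it sorts exported assignments into enforced, audit-only and not-enforced, and lists exemptions that look untracked. The sample data, the `example-mg` scope, the convention that the effect arrives as an assignment parameter named `effect`, and the definition of "untracked" (no expiry date or no description) are assumptions.

```python
# Constructed data; fields as in `az policy assignment list` / `az policy exemption list` output.
PREFIX = ("/providers/Microsoft.Management/managementGroups/example-mg"
          "/providers/Microsoft.Authorization/policyAssignments/")
ASSIGNMENTS = [
    {"id": PREFIX + "deny-public-ip", "name": "deny-public-ip",
     "enforcementMode": "Default", "parameters": {"effect": {"value": "Deny"}}},
    {"id": PREFIX + "audit-tags", "name": "audit-tags",
     "enforcementMode": "Default", "parameters": {"effect": {"value": "Audit"}}},
    {"id": PREFIX + "deploy-diag", "name": "deploy-diag", "enforcementMode":
     "DoNotEnforce", "parameters": {"effect": {"value": "DeployIfNotExists"}}},
    {"id": PREFIX + "baseline", "name": "baseline",
     "enforcementMode": "Default", "parameters": {}},
]
EXEMPTIONS = [
    {"name": "ex-ticketed", "policyAssignmentId": PREFIX + "deny-public-ip",
     "expiresOn": "2030-01-01T00:00:00Z", "description": "CHG-0001 (constructed)"},
    {"name": "ex-open-ended", "policyAssignmentId": PREFIX + "deny-public-ip",
     "expiresOn": None, "description": ""},
]
AUDIT_EFFECTS = {"audit", "auditifnotexists"}
ENFORCING_EFFECTS = {"deny", "deployifnotexists"}

def enforcement_state(assignment):
    """Classify one assignment as enforced, audit-only or not-enforced."""
    # DoNotEnforce: compliance is still evaluated, but the effect is not applied.
    if assignment.get("enforcementMode") == "DoNotEnforce":
        return "not-enforced"
    # Assumption: the effect is passed as an assignment parameter named "effect".
    params = assignment.get("parameters") or {}
    effect = str(params.get("effect", {}).get("value", "")).lower()
    if effect in AUDIT_EFFECTS:
        return "audit-only"
    if effect in ENFORCING_EFFECTS:
        return "enforced"
    return "check-definition"  # effect is fixed in the definition or initiative

def is_untracked(exemption):
    """Assumption: no expiry date or no description counts as untracked."""
    return not exemption.get("expiresOn") or not (exemption.get("description") or "").strip()

def gap_report(assignments, exemptions):
    """Map assignment name -> enforcement state and untracked exemption names."""
    report = {}
    for a in assignments:
        mine = [e for e in exemptions
                if e["policyAssignmentId"].lower() == a["id"].lower()]
        report[a["name"]] = {"state": enforcement_state(a),
                             "untracked": [e["name"] for e in mine if is_untracked(e)]}
    return report
```

Assignments that come back as `check-definition` need the policy or initiative definition pulled as well, since the effect is not visible on the assignment itself.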
06
Official References
Microsoft Documentation
Official vendor sources — not affiliated with Microsoft.