← Cloud Reference Layer
VAF·SA — Cloud Reference · Enterprise Landing Zone Blueprint
VENDOR-NEUTRAL
VAFSA-CRL-LZ · v1.0
ENTERPRISE
LANDING ZONE
Vendor-Neutral Blueprint · 14 Domains · AWS · Azure · Google Cloud · OCI Mapping
Vendor-Neutral 14 Domains Identity Network Security Governance VAF·SA
01
Overview
What is an Enterprise Landing Zone?
A pre-configured, governed foundation that every workload deploys into.

An enterprise landing zone is the pre-built, governed cloud foundation into which workloads are deployed. It is not a workload — it is the environment a workload expects to find. A well-designed landing zone means teams deploying workloads do not need to solve identity, network, security, or compliance problems from scratch. Those decisions have been made, documented, and enforced at the foundation level.

Every major cloud vendor publishes its own landing zone guidance — AWS Landing Zone (via Control Tower), Azure Landing Zones (via CAF), Google Cloud Landing Zones, and OCI Landing Zone patterns. These differ in terminology, tooling, and structure. The 14 domains below describe what a landing zone must address regardless of vendor. The vendor mapping in Section 03 shows how each platform implements those domains.

A landing zone is an architecture decision, not a deployment script. The script is an output of that decision. Decisions made here — about account structure, network topology, identity federation, and security policy — are extremely difficult to change once workloads are running. They warrant ADRs, not just configurations.

VAF·SA treats the landing zone as an artefact-producing engagement, not a deployment task. Module 04 (Artefacts) is the primary instrument. Each domain below should be traceable to a recorded decision — not assumed to be inherited from a vendor template.
02
Blueprint Domains
14-Domain Enterprise Blueprint
The decisions that every enterprise landing zone must address, regardless of vendor.
01
Identity and access
How users, service accounts, and workloads authenticate and receive permissions. Covers the identity provider (federated or native), group structure, role definitions, and the principle of least privilege as an enforced baseline — not an aspiration. This domain governs both human access (operators, developers, administrators) and machine access (workloads calling cloud APIs).
02
Account / subscription / project / tenancy structure
The logical boundary model for cloud resources. This is the primary isolation mechanism: AWS uses accounts, Azure uses subscriptions, Google Cloud uses projects, OCI uses compartments within a tenancy. The hierarchy — and the rationale for it — determines policy inheritance, billing boundaries, blast radius of an incident, and the scope of governance controls. Changing this structure after workloads are running is expensive and disruptive.
03
Network topology
The network architecture that connects workloads, shared services, on-premises environments, and the internet. Typically a hub-and-spoke model with centralised inspection and routing. Decisions include: CIDR allocation strategy (non-overlapping ranges across all environments), transit model (Transit Gateway, Virtual WAN, Cloud Interconnect, DRG), internet ingress and egress points, and DNS resolution strategy. Network topology decisions are effectively permanent — re-IPing a live environment is a major project.
04
Security baseline
The minimum security controls applied to every workload in the landing zone by default. Includes: encryption at rest and in transit (enforced, not optional), secrets management (no plaintext credentials), vulnerability scanning, endpoint detection, and network traffic inspection. The security baseline is not a checklist to be completed at deployment — it is an enforced architectural constraint that workloads must satisfy to be accepted into the landing zone.
05
Policy and governance
The mechanism by which the enterprise enforces architectural and security standards across all accounts, subscriptions, or projects. This includes preventive controls (deny non-compliant resource configurations at the API level), detective controls (identify drift from baseline), and corrective controls (automated remediation or alert-and-track). Policy scope, exceptions process, and the governance body responsible for policy changes must be defined and documented.
06
Logging and monitoring
Centralised collection, retention, and analysis of logs — API activity, platform events, network traffic, and application logs. Logging is a governance requirement, not a technical preference. Decisions: what is logged, where logs are stored, retention period, who can access logs, and how logs are used for security investigation and compliance evidence. The logging architecture must be independent of the workloads it observes — workloads must not be able to disable or modify their own audit trail.
07
Backup and resilience
The policy for protecting data and workloads from loss or failure. Covers backup schedules, retention periods, restore testing, cross-region or cross-zone replication, and Recovery Time Objective (RTO) and Recovery Point Objective (RPO) requirements by workload criticality tier. Backup and resilience decisions are made at the landing zone level — workloads onboarded to the zone inherit the applicable tier unless an explicit exception is recorded.
08
Cost management
How cloud spend is attributed, monitored, and controlled across accounts or projects. Includes: tagging policy (mandatory cost allocation tags, enforced at the account boundary), budget alerts, cost anomaly detection, chargeback or showback model, and the governance process for commitment purchases (Reserved Instances, Savings Plans, Committed Use Discounts). Cost management is a landing zone function — it cannot be delegated to individual workload teams without a shared foundation.
09
Shared services
Centralised capabilities that workloads consume rather than build. Typically includes: DNS resolution, centralised logging pipeline, secrets management, certificate authority, patch management, and container image registry. Shared services are deployed into the landing zone foundation — workloads reference them rather than replicating them. Decisions about what becomes a shared service and what remains workload-local are architectural decisions with cost, operational, and governance implications.
10
Deployment pipelines
How infrastructure and application code moves from source control to cloud environments. Includes: the CI/CD tooling approved for use in the landing zone, the deployment patterns (infrastructure-as-code standard, code review gates, approval workflows), environment promotion sequence (development → test → staging → production), and the access model for deployment automation (role assumptions, federated identity for pipelines, no static credentials). Deployment pipeline design is a security and governance control, not just a developer convenience.
11
Workload onboarding
The process by which a new workload or team is admitted to the landing zone. Covers: the request and approval workflow, the standard account or project structure provisioned for new workloads (account vending machine or project factory), mandatory baseline controls that must be in place before go-live, and the handover checklist. Onboarding is a governance gate — it enforces the landing zone standards at the point where workloads enter the environment, not retrospectively.
12
Operations model
How the landing zone itself is operated, maintained, and evolved over time. Includes: ownership of the landing zone components (who is responsible for the network hub, the logging pipeline, the policy engine), the change process for landing zone components, incident response responsibilities for shared services, and the cadence and process for landing zone upgrades. The operations model is an organisational decision as much as a technical one — unclear ownership of the landing zone is a recurring governance failure pattern.
13
Exception handling
The formal process for requesting, approving, documenting, and reviewing deviations from landing zone standards. Exceptions are inevitable — the absence of a formal process does not prevent exceptions, it prevents them from being tracked. The exception register is an architecture artefact: it records what the deviation is, why it was approved, who approved it, what compensating controls are in place, and when it will be reviewed. Exceptions without a review date become permanent technical debt.
14
Compliance evidence
The structured collection of evidence that demonstrates the landing zone meets applicable regulatory, contractual, or organisational requirements. Not a one-time audit artefact — continuous compliance means the evidence is generated automatically from the environment (policy compliance reports, configuration snapshots, log archives) and is available on demand. The compliance evidence model must be designed into the landing zone — retrofitting auditability into a running environment is difficult and incomplete.
03
Vendor Mapping
How Each Platform Implements the Foundation
Key services and concepts per vendor — not an exhaustive feature comparison.

The table below maps the primary services and constructs each vendor uses for the landing zone foundation. This is a practitioner reference — it names what to look for, not how to configure it. Official vendor documentation (linked from each vendor page in this reference) covers configuration detail.

Domain AWS Azure Google Cloud OCI
Account structure OrganizationsAccountsOUsControl Tower Management groupsSubscriptionsResource groups OrganisationFoldersProjects TenancyCompartments
Identity and access IAMIAM Identity Center Entra IDPIM Cloud IAMCloud Identity Identity DomainsIAM Policies
Policy and governance Service Control PoliciesAWS Config Azure PolicyPolicy Initiatives Org PolicyOrg Policy constraints IAM PoliciesSecurity Zones
Logging and monitoring CloudTrailCloudWatchConfig Azure MonitorActivity LogLog Analytics Cloud LoggingCloud Audit Logs OCI AuditOCI LoggingService Connector Hub
Security baseline GuardDutySecurity Hub Defender for CloudSentinel Security Command Center Cloud GuardSecurity Zones
Network topology VPCTransit GatewayNetwork Firewall VNetVirtual WANAzure Firewall VPCShared VPCCloud Interconnect VCNDRGFastConnect
Workload onboarding Account FactoryControl Tower Subscription vendingAzure Blueprints Project factoryOrg Policy Compartment patternsResource Manager
Deployment pipelines CodePipelineCloudFormationCDK Azure DevOpsBicepGitHub Actions Cloud BuildCloud DeployTerraform Resource ManagerOCI DevOps
Vendor mapping is a starting point, not a prescription. The correct set of services for any engagement depends on what is already deployed, what the client's teams know how to operate, and what governance constraints apply. VAF·SA does not recommend vendor tooling — it helps practitioners work with what is in front of them.
04
VAF·SA Usage Notes
Applying VAF·SA in Landing Zone Engagements
Where the practitioner method adds value when landing zones are the subject of the engagement.
VAF·SA Practitioner Notes — Landing Zone
  • Landing zones are rarely built from zero. Most engagements involve a landing zone that already exists — built by a previous team, modified over time, and partially documented. Module 02 (Intelligence) is the instrument for establishing what is actually deployed versus what the vendor template assumed. Do not document the template; document the deviation from it.
  • The 14 domains are decision prompts, not a deployment checklist. Each domain surfaces a decision that should be recorded as an Architecture Decision Record (ADR) under Module 04 (Artefacts). If a landing zone engagement cannot produce an ADR for each domain, the decisions have been made implicitly — which is the condition VAF·SA exists to address.
  • Account structure and network topology decisions are foundational constraints. Changes to these domains after workloads are running are high-risk and expensive. Module 01 (Orientation) establishes whether the landing zone is in a greenfield, brownfield, or contested state before any recommendations are made. The engagement type determines what VAF·SA can actually change versus what it can only document.
  • Exception handling is an indicator of governance health. A landing zone with no formal exception register does not have no exceptions — it has undocumented ones. Module 05 (Communication) includes communicating exception risk to the appropriate stakeholders. The exception register produced in Module 04 (Artefacts) is often the most actionable governance output of a landing zone engagement.
  • The Velocity Loop applies to landing zone drift. A landing zone that was correct at build time will drift unless there is a mechanism to detect and correct it. Module 06 (The Velocity Loop) is the practitioner framework for maintaining posture across engagement cycles — applicable to ongoing landing zone health reviews as much as to workload delivery engagements.
← OCI Reference Cloud Ref Overview →
VAF·SA — Enterprise Landing Zone Blueprint
Cloud Ref · AWS · Azure · Google Cloud · OCI