Mission Landing Zone - Design
February 12, 2026
Scope
Mission LZ has the following scope:
- Hub and spoke networking intended to comply with SCCA controls
- Predefined spokes for identity, operations, shared services, and workloads
- Ability to create multiple, isolated workloads or team subscriptions
- Remote access
- Compatibility with SCCA compliance (and other compliance frameworks)
- Security using standard Azure tools with sensible defaults
- Azure Policy initiatives
Networking
Networking is set up in a hub and spoke design, separated by tiers: T0 (Identity and Authorization), T1 (Infrastructure Operations), T2 (DevSecOps and Shared Services), and multiple T3s (Workloads). Access control can be configured to allow separation of duties between all tiers.
Each virtual network has been given a default address prefix to ensure they fall within the default super network. Refer to the Networking page for all the default address prefixes.
Identity Services
Mission Landing Zone optionally supports Active Directory Domain Services (ADDS) deployment in the identity tier. This feature enables single-click deployment scenarios that require on-premises-style domain services, such as:
- Azure NetApp Files integration with SMB shares
- Legacy applications requiring domain authentication
- Hybrid identity scenarios with on-premises Active Directory
When enabled via the deployActiveDirectoryDomainServices parameter, MLZ deploys:
- Two Windows Server 2022 domain controllers in an availability set
- PowerShell DSC configuration for ADDS role installation
- DNS forwarding configuration for hybrid connectivity
- Proper network security group rules for domain controller communication
For detailed configuration options, see Active Directory Domain Services.
Subscriptions
Most customers will deploy each tier to a separate Azure subscription, but multiple subscriptions are not required. A single-subscription deployment is suitable for testing and evaluation, or possibly for a small IT admin team.
Firewall
All network traffic is directed through the firewall residing in the Network Hub resource group. The firewall is configured as the default route for all the T0 (Identity and Authorization) through T3 (workload/team environments) resource groups as follows:
| Name | Address prefix | Next hop type | Next hop IP address |
|---|---|---|---|
| default_route | 0.0.0.0/0 | Virtual Appliance | 10.0.128.68 |
The default firewall configured for MLZ is Azure Firewall Premium. The Azure Firewall Premium SKU includes the IDPS feature necessary to satisfy the SCCA VDSS requirement. However, if you do not require IDPS, you can optionally deploy Azure Firewall Standard by setting the firewallSkuTier parameter to Standard.
Presently, there is one rule collection group configured to allow spoke access to the log analytics workspace in the operations spoke. Below is the default collection group configured for Azure Commercial and Azure Government clouds:
| Collection Group | Rule Collection Priority | Rule Collection Name | Rule Name | Source | Destination | Port | Protocol |
|---|---|---|---|---|---|---|---|
| MLZ-NetworkCollectionGroup | 150 | AzureMonitor | AllowMonitorToLAW | 10.0.128.0/23, 10.0.132.0/24, 10.0.130.0/24 (Identity spoke, if present) | 10.0.131.4 | 443 | Tcp |
Rules can be added, removed, or changed during deployment by passing in a value to the customFirewallRulesCollectionGroups parameter. Multiple collection groups can be defined as needed. If the parameter has no value, the template will use the default firewall rules for a secure by default configuration.
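Because a non-empty customFirewallRulesCollectionGroups value takes the place of the default rules, it is worth linting the value before deployment. The script below is an added example, not code from the Mission Landing Zone repository. It assumes the parameter carries Azure Firewall Policy rule collection groups in the standard ARM/Bicep shape (priority, ruleCollections with an action and NetworkRule entries) and that a custom value replaces rather than appends to the default group in the table above; the workload groups and the 10.0.135.0/24 prefix are constructed for illustration. It checks priority ranges and uniqueness, flags Allow rules that open any source to any destination or every port, and confirms every spoke prefix from the default rule can still reach the Log Analytics workspace on TCP 443.

```python
"""Lint a customFirewallRulesCollectionGroups value before deploying MLZ.

Added example, not code from the Mission Landing Zone repository. It assumes
the parameter carries Azure Firewall Policy rule collection groups in the
standard ARM/Bicep shape and that a custom value replaces, rather than appends
to, the default group on the Design page. Sample workload groups are constructed.
"""
import ipaddress

# Addresses from the default AllowMonitorToLAW rule on the Design page.
LAW_IP = "10.0.131.4"
SPOKE_SOURCES = ["10.0.128.0/23", "10.0.132.0/24", "10.0.130.0/24"]
PRIORITY_RANGE = range(100, 65001)  # Azure Firewall Policy limit for groups and collections


def _network_rule(name, protocols, sources, destinations, ports):
    """Build one NetworkRule entry in Azure Firewall Policy schema."""
    return {"ruleType": "NetworkRule", "name": name, "ipProtocols": protocols,
            "sourceAddresses": sources, "destinationAddresses": destinations,
            "destinationPorts": ports}


def _group(name, priority, collection, collection_priority, rules):
    """Build one rule collection group holding a single Allow filter collection."""
    return {"name": name, "priority": priority, "ruleCollections": [{
        "name": collection, "priority": collection_priority,
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
        "action": {"type": "Allow"}, "rules": rules}]}


# Mirrors the default MLZ-NetworkCollectionGroup from the page.
DEFAULT_GROUP = _group("MLZ-NetworkCollectionGroup", 150, "AzureMonitor", 150,
                       [_network_rule("AllowMonitorToLAW", ["TCP"], SPOKE_SOURCES, [LAW_IP], ["443"])])
# Constructed workload groups: one tightly scoped, one that opens the firewall entirely.
SCOPED_GROUP = _group("Workload-Web", 200, "WebEgress", 100,
                      [_network_rule("HttpsOut", ["TCP"], ["10.0.135.0/24"], [LAW_IP], ["443"])])
BROAD_GROUP = _group("Workload-Broad", 200, "AllowAll", 100,
                     [_network_rule("AnyAny", ["Any"], ["*"], ["*"], ["*"])])


def _covers(entry, target):
    """True if an address entry ('*', a host IP or a CIDR) contains the target network."""
    return entry == "*" or ipaddress.ip_network(entry, strict=False).supernet_of(target)


def _allow_network_rules(groups):
    """Yield (path, rule) for every NetworkRule inside an Allow collection."""
    for group in groups:
        for rc in group.get("ruleCollections", []):
            if rc.get("action", {}).get("type") != "Allow":
                continue
            for rule in rc.get("rules", []):
                if rule.get("ruleType") == "NetworkRule":
                    yield f"{group['name']}/{rc['name']}/{rule['name']}", rule


def lint(groups):
    """Return a list of findings; an empty list means the value passed every check."""
    findings = []
    seen = set()
    for group in groups:
        if group["priority"] not in PRIORITY_RANGE or group["priority"] in seen:
            findings.append(f"{group['name']}: group priority {group['priority']} out of range or duplicated")
        seen.add(group["priority"])
        rc_seen = set()
        for rc in group.get("ruleCollections", []):
            if rc["priority"] not in PRIORITY_RANGE or rc["priority"] in rc_seen:
                findings.append(f"{group['name']}/{rc['name']}: collection priority {rc['priority']} out of range or duplicated")
            rc_seen.add(rc["priority"])
    # Allow rules from any source to any destination, or on every port, defeat spoke isolation.
    for path, rule in _allow_network_rules(groups):
        if "*" in rule["sourceAddresses"] and "*" in rule["destinationAddresses"]:
            findings.append(f"{path}: allows any source to any destination")
        if "*" in rule["destinationPorts"]:
            findings.append(f"{path}: allows every destination port")
    # Every spoke prefix must still reach the Log Analytics workspace on TCP 443.
    law = ipaddress.ip_network(f"{LAW_IP}/32")
    for src in SPOKE_SOURCES:
        src_net = ipaddress.ip_network(src)
        reachable = any(
            any(p.upper() in ("TCP", "ANY") for p in rule["ipProtocols"])
            and any(_covers(s, src_net) for s in rule["sourceAddresses"])
            and any(_covers(d, law) for d in rule["destinationAddresses"])
            and any(p in ("443", "*") for p in rule["destinationPorts"])
            for _, rule in _allow_network_rules(groups))
        if not reachable:
            findings.append(f"no Allow rule lets {src} reach the Log Analytics workspace {LAW_IP}:443")
    return findings


if __name__ == "__main__":
    for label, groups in [("default+scoped", [DEFAULT_GROUP, SCOPED_GROUP]),
                          ("default+broad", [DEFAULT_GROUP, BROAD_GROUP]),
                          ("scoped only", [SCOPED_GROUP])]:
        print(label, lint(groups) or "OK")
```

The third case is the one that bites in practice: a custom value that only contains workload rules silently drops the AzureMonitor collection, so the spokes lose their path to the workspace at 10.0.131.4 and diagnostic data stops flowing. The check does not model Deny collections processed at a lower priority number, so a deny that shadows the LAW rule would still need to be reviewed by hand.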
Please review Command Line Tools for more on how to use command line deployments.
To deploy Mission LZ using Azure Stack Hub and an F5 BIG-IP Virtual Edition instead of Azure Firewall Premium, there is an alternate repository with instructions found here.
Azure Firewall Public IP Addresses
The MLZ Bicep deployment allows you to provision multiple static public IP addresses for Azure Firewall using the additionalFwPipCount parameter. This enables advanced NAT rule scenarios and supports robust, static egress IP requirements.
- Parameter: additionalFwPipCount (int, default: 0). Number of additional static public IP addresses to create for the Azure Firewall. All PIPs are static and receive identical diagnostic logging.
- Backward compatibility: if the parameter is not set, the deployment creates a single static PIP, as before.
Example:
```bicep
param additionalFwPipCount int = 3
```
See networking.md for more technical details.
Product Roadmap
See the Projects page for the release timeline and feature areas.
Here's a summary of what Mission Landing Zone deploys as of April 2024: