Azure Landing Zone Scaffolder (CAF)


Kim Vaddi

Interactive wizard that generates a complete, customized Azure Landing Zone using Cloud Adoption Framework (CAF) best practices. Pick your archetype, connectivity model, and governance level — get production-ready Bicep modules in minutes, not weeks.


Build a complete Azure Landing Zone in 10 minutes, not 10 weeks.


What Is This?

Think of Azure like a giant building. Before you move your apps and data in, you need:

  • Floors and rooms (networks, subscriptions)
  • Security guards (firewalls, policies, Defender)
  • A front desk (identity, access control)
  • Cameras and alarms (logging, monitoring, alerts)
  • A blueprint that follows building codes (Microsoft best practices)

This extension is your architect. It asks you a few questions, then generates all the blueprints (Bicep code) you need to build your Azure building — following Microsoft's official Cloud Adoption Framework and Well-Architected Framework.


Who Is This For?

| If you are... | Pick this persona | What you get |
|---|---|---|
| Just learning Azure or building a quick demo | Sandbox / PoC | A simple network + logging. No complex security. Great for experimenting. |
| Starting a real project for the first time | Dev / Test | A hub network + 1 spoke for your app + intermediate security policies. A solid starting point. |
| Building for production or an enterprise | Production Enterprise | The full package: management groups, advanced compliance (NIST, ISO, CIS), multiple spokes, private DNS, Sentinel, DDoS protection, budget alerts, and a multi-stage deployment plan. |

How to Use It (Step by Step)

Step 1: Install

  1. Open VS Code
  2. Press Ctrl+Shift+X (opens Extensions)
  3. Search for "Azure Landing Zone Scaffolder"
  4. Click Install

Step 2: Launch the Wizard

  1. Press Ctrl+Shift+P (opens Command Palette)
  2. Type: Azure Landing Zone: Create Landing Zone
  3. Press Enter

Step 3: Answer the Questions

The wizard walks you through 7 simple steps:

Step 1: Pick your persona      → Sandbox, Dev/Test, or Production
Step 2: Name your organization → e.g. "contoso" or "mycompany"
Step 3: Pick your archetype    → Online (internet-facing), Corp (private), or Sandbox
Step 4: Pick your network      → Hub & Spoke (most common) or Virtual WAN (large enterprise)
Step 5: Pick governance level  → Starter (few rules), Intermediate, or Advanced (strict compliance)
Step 6: Toggle options         → Firewall? VPN? Bastion? Sentinel? DDoS?
Step 7: Review & Generate!     → See everything before creating files

Step 4: Deploy to Azure

After generating, follow the included DEPLOYMENT-GUIDE.md in your output folder.

Brand new to Azure? Follow these steps first:

  1. Get an Azure account — Create a free account (includes $200 credit)
  2. Install Azure CLI — Download here, then open a terminal
  3. Sign in — Run az login (a browser window opens — sign in with your Azure account)
  4. Pick your subscription — Run az account list --output table to see your subscriptions, then az account set --subscription "YOUR-SUBSCRIPTION-NAME" to select one
  5. Check your permissions — Run az role assignment list --assignee $(az ad signed-in-user show --query id -o tsv) --output table. You need Owner on the subscription. If you don't see it, ask your Azure admin.
  6. Install Bicep — Run az bicep install (one-time setup, takes 30 seconds)

That's it — now run the deploy commands below.

Quick deploy (sandbox/devtest):

cd landing-zone
chmod +x scripts/deploy-all.sh
./scripts/deploy-all.sh

Production deploy (3 stages):

cd landing-zone
./scripts/deploy-stage1-tenant.sh     # Management groups & policies
./scripts/deploy-stage2-platform.sh   # Hub network, firewall, logging
./scripts/deploy-stage3-spokes.sh     # Spoke networks for your apps

Note for production: Stage 1 requires tenant-level access to create management groups. If you're new, ask your Azure admin to grant you "Owner" at the tenant root management group. Learn more: Elevate access to manage all Azure subscriptions

Or use Azure Developer CLI:

cd landing-zone
azd up

What Gets Generated?

For Every Persona

| Component | What It Does | Learn More |
|---|---|---|
| Hub Network | Central network that connects everything | Hub-Spoke Topology |
| Log Analytics | Collects logs from all your resources | Log Analytics |
| Parameters File | All your settings in one place | Bicep Parameters |
| Deployment Guide | Step-by-step instructions to deploy | Generated for you |
| README | Documentation with all reference links | Generated for you |

Dev/Test Adds

| Component | What It Does | Learn More |
|---|---|---|
| Spoke VNet | A separate network for your app (peered to hub) | Application Landing Zones |
| Private DNS Zones | Name resolution for private endpoints (10 zones) | Private DNS at Scale |
| Network Watcher | Network monitoring and diagnostics | Network Watcher |
| Policy Assignments | Security rules enforced automatically | Azure Policy |
| Azure Firewall | Traffic inspection and filtering | Azure Firewall |

Production Enterprise Adds Everything Above Plus

| Component | What It Does | Learn More |
|---|---|---|
| Management Groups | Organize subscriptions into a hierarchy | Management Groups |
| Advanced Policies | NIST 800-53, ISO 27001, CIS Benchmark compliance | Regulatory Compliance |
| Multiple Spokes | Separate networks for prod + staging | Network Topology |
| RBAC Assignments | Who can do what (Platform Admin, Network Admin, Security Admin) | Azure RBAC |
| Microsoft Sentinel | Security information and event management (SIEM) | Sentinel |
| Defender for Cloud | Threat protection for VMs, SQL, Storage, Apps, Key Vaults | Defender |
| DDoS Protection | Protects against denial-of-service attacks | DDoS Protection |
| Budget Alerts | Get notified before you overspend | Cost Management |
| ExpressRoute Gateway | Private connection to your office/datacenter | ExpressRoute |
| Enterprise Tags | Cost center, owner, data classification, criticality | Tagging Strategy |
| 3-Stage Deployment | Tenant → Platform → Spokes (correct Azure scope order) | ALZ Deployment Flow |

Growing from Sandbox to Production

You don't have to start big. Here's the upgrade path:

  Sandbox (PoC)          Dev / Test              Production Enterprise
  ─────────────    →    ──────────────     →    ──────────────────────
  
  Hub VNet               Hub + 1 Spoke           Hub + Multiple Spokes
  Log Analytics           + Firewall              + Management Groups
  Basic tags              + Policies (CIS)        + Advanced Policies
                          + Private DNS           + RBAC
                          + Network Watcher       + Sentinel + Defender
                                                  + DDoS + Budget Alerts
                                                  + ExpressRoute
                                                  + Enterprise Tags
                                                  + Multi-Stage Deploy

How to upgrade: Simply re-run the wizard and select a higher persona. The new output includes everything the previous persona had, plus the additional components.

The generated DEPLOYMENT-GUIDE.md includes a detailed "Path from Dev/Test to Production" table showing exactly what to add at each step.


File Structure (Production)

landing-zone/
├── main.bicep                                    # Main orchestrator
├── DEPLOYMENT-GUIDE.md                           # How to deploy (read this first!)
├── README.md                                     # Your landing zone documentation
├── azure.yaml                                    # Azure Developer CLI config
│
├── modules/
│   ├── managementGroups/
│   │   └── managementGroups.bicep                # Organization hierarchy
│   ├── policy/
│   │   └── policyAssignments.bicep               # Security & compliance rules
│   ├── networking/
│   │   ├── hubNetwork.bicep                      # Central hub network
│   │   ├── spoke-prod.bicep                      # Production spoke (peered to hub)
│   │   ├── spoke-staging.bicep                   # Staging spoke (peered to hub)
│   │   ├── firewall.bicep                        # Azure Firewall
│   │   ├── vpnGateway.bicep                      # VPN Gateway (if enabled)
│   │   ├── expressRouteGateway.bicep             # ExpressRoute (if enabled)
│   │   ├── bastion.bicep                         # Secure remote access
│   │   ├── privateDnsZones.bicep                 # Private endpoint DNS
│   │   └── networkWatcher.bicep                  # Network monitoring
│   ├── logging/
│   │   └── logAnalytics.bicep                    # Central logging + Sentinel
│   ├── security/
│   │   └── defenderForCloud.bicep                # Threat protection
│   ├── identity/
│   │   └── rbacAssignments.bicep                 # Who can do what
│   └── costmanagement/
│       └── budgetAlerts.bicep                    # Spending alerts
│
├── parameters/
│   └── main.bicepparam                           # All your settings
│
└── scripts/
    ├── deploy-all.sh                             # One-command deploy
    ├── deploy-stage1-tenant.sh                   # Stage 1: Management groups
    ├── deploy-stage2-platform.sh                 # Stage 2: Platform resources
    └── deploy-stage3-spokes.sh                   # Stage 3: App landing zones

Requirements

| What You Need | Why | How to Get It |
|---|---|---|
| VS Code 1.85+ | Runs this extension | Download VS Code |
| Azure CLI v2.50+ | Deploys to Azure | Install Azure CLI |
| Bicep CLI v0.24+ | Compiles the generated code | Install Bicep |
| Azure Subscription | Where your resources will live | Free Azure Account |
| Permissions | Sandbox/DevTest: Subscription Owner. Production: Tenant Root + Subscription Owner | Ask your Azure admin |
| Azure Developer CLI | Optional, for azd up one-click deploy | Install azd |

Extension Settings

| Setting | Default | What It Does |
|---|---|---|
| azureLandingZone.defaultOrganizationName | "" | Pre-fills your org name in the wizard |
| azureLandingZone.defaultRegion | "eastus2" | Pre-selects your Azure region |
| azureLandingZone.defaultGovernanceLevel | "intermediate" | Pre-selects governance level |

To change these: File → Preferences → Settings → search "Azure Landing Zone"


Input Validation

The wizard validates your inputs to prevent deployment errors:

| Input | Rule | Example |
|---|---|---|
| Organization Name | 3-20 chars, lowercase letters, numbers, hyphens | contoso, my-org-123 |
| Hub Address Space | Valid CIDR notation (e.g., /8 to /32) | 10.0.0.0/16, 172.16.0.0/12 |
| AAD Group IDs | Valid UUID format (optional) | 12345678-1234-1234-1234-123456789abc |
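The three rules above, written out as a validator in TypeScript (the language VS Code extensions are built in). This is an added example, not the extension's own code: the function names, the error messages, and the `WizardInputs` shape are assumptions. It also goes one step beyond the table by rejecting a hub address space whose host bits are set (for example `10.0.1.0/16`), so that only a true network address reaches the generated parameters file; that extra check is an assumption too, as is accepting upper-case hex in the UUID.

```typescript
// Added example (not the extension's own code): the wizard's three input rules
// as a validator an extension could call before generating files. Function
// names, messages and the WizardInputs shape are assumptions.

interface ValidationResult {
  ok: boolean;
  reason?: string;
}

// Organization Name: 3-20 chars, lowercase letters, numbers, hyphens.
const ORG_NAME_RE = /^[a-z0-9-]{3,20}$/;

// AAD Group ID: 8-4-4-4-12 hex digits. Case-insensitive matching is an
// assumption; the page's example is lowercase.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function validateOrganizationName(name: string): ValidationResult {
  return ORG_NAME_RE.test(name)
    ? { ok: true }
    : { ok: false, reason: "organization name must be 3-20 chars: lowercase letters, numbers, hyphens" };
}

// Hub Address Space: IPv4 CIDR with a /8 to /32 prefix. The host-bits check is
// an assumption beyond the table: "10.0.1.0/16" is rejected so the value
// written into the parameters file is the real network address.
function validateCidr(cidr: string): ValidationResult {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) {
    return { ok: false, reason: "expected CIDR notation a.b.c.d/n" };
  }
  const octets = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (octets.some((o) => o > 255)) {
    return { ok: false, reason: "each octet must be 0-255" };
  }
  if (prefix < 8 || prefix > 32) {
    return { ok: false, reason: "prefix length must be /8 to /32" };
  }
  // Unsigned 32-bit arithmetic: >>> 0 stops JavaScript from treating
  // 0xffffffff << 8 as a negative signed integer.
  const addr = ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  const mask = (0xffffffff << (32 - prefix)) >>> 0;
  if (((addr & mask) >>> 0) !== addr) {
    return { ok: false, reason: "host bits are set; use the network address (e.g. 10.0.0.0/16)" };
  }
  return { ok: true };
}

// AAD Group IDs are optional: an empty or undefined value is accepted.
function validateAadGroupId(id: string | undefined): ValidationResult {
  if (id === undefined || id.trim() === "") {
    return { ok: true };
  }
  return UUID_RE.test(id.trim())
    ? { ok: true }
    : { ok: false, reason: `"${id}" is not a valid UUID` };
}

interface WizardInputs {
  organizationName: string;
  hubAddressSpace: string;
  aadGroupIds?: string[];
}

// Collect every failure so the wizard can report them all at once instead of
// stopping at the first bad field.
function validateWizardInputs(input: WizardInputs): string[] {
  const errors: string[] = [];
  const checks: ValidationResult[] = [
    validateOrganizationName(input.organizationName),
    validateCidr(input.hubAddressSpace),
    ...(input.aadGroupIds ?? []).map((id) => validateAadGroupId(id)),
  ];
  for (const c of checks) {
    if (!c.ok && c.reason) {
      errors.push(c.reason);
    }
  }
  return errors;
}

// Constructed sample input: two of the three fields are deliberately wrong.
const sampleErrors = validateWizardInputs({
  organizationName: "Contoso",
  hubAddressSpace: "10.0.1.0/16",
  aadGroupIds: ["12345678-1234-1234-1234-123456789abc"],
});
console.log(sampleErrors);
```

Running the block prints two messages for the constructed sample: the upper-case organization name and the address space with host bits set; the group ID passes.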

Frequently Asked Questions

Q: Do I need to know Bicep to use this? A: No! The wizard generates all the code for you. You just click through the steps and deploy.

Q: Can I customize the generated code? A: Absolutely. The generated Bicep files are standard Azure Bicep — edit them in VS Code with full IntelliSense.

Q: What if I start with Sandbox and want to go to Production later? A: Re-run the wizard with the Production persona. The DEPLOYMENT-GUIDE.md has a step-by-step upgrade path.

Q: Does this cost money? A: The extension is free. Azure resources have costs — the production persona includes budget alerts to help you track spending. Azure Firewall alone is ~$900/month, so review the Azure Pricing Calculator before deploying.

Q: Where do I put my actual app? A: In a spoke VNet! The Dev/Test and Production personas generate spoke networks specifically for your workloads. Deploy your app into the snet-*-workload subnet.

Q: I got a permissions error during deployment. A: Sandbox/DevTest needs Subscription Owner. Production Stage 1 needs Tenant Root access (for management groups). Ask your Azure admin to grant you the right permissions.


Official Microsoft Documentation

Every generated Bicep file includes clickable links to the official Microsoft Learn documentation. Here are the key references:

Cloud Adoption Framework Design Areas

| Design Area | Link |
|---|---|
| Landing Zone Overview | learn.microsoft.com/.../landing-zone/ |
| Design Areas | learn.microsoft.com/.../design-areas |
| Management Groups | learn.microsoft.com/.../resource-org-management-groups |
| Network Topology | learn.microsoft.com/.../network-topology-and-connectivity |
| Identity & Access | learn.microsoft.com/.../identity-access |
| Governance | learn.microsoft.com/.../governance |
| Security | learn.microsoft.com/.../security |
| Management | learn.microsoft.com/.../management |

Well-Architected Framework Pillars

| Pillar | Link |
|---|---|
| Reliability | learn.microsoft.com/azure/well-architected/reliability/ |
| Security | learn.microsoft.com/azure/well-architected/security/ |
| Cost Optimization | learn.microsoft.com/azure/well-architected/cost-optimization/ |
| Operational Excellence | learn.microsoft.com/azure/well-architected/operational-excellence/ |
| Performance Efficiency | learn.microsoft.com/azure/well-architected/performance-efficiency/ |

Compliance & Reference

| Resource | Link |
|---|---|
| Azure Security Benchmark | learn.microsoft.com/security/benchmark/azure/ |
| CIS Benchmark | learn.microsoft.com/.../gov-cis-azure-2-0-0 |
| NIST 800-53 Rev 5 | learn.microsoft.com/.../gov-nist-sp-800-53-r5 |
| ISO 27001 | learn.microsoft.com/.../gov-iso-27001 |
| ALZ Bicep Reference | github.com/Azure/ALZ-Bicep |
| ALZ Terraform | github.com/Azure/terraform-azurerm-caf-enterprise-scale |
| Azure Developer CLI | learn.microsoft.com/azure/developer/azure-developer-cli/ |
| Tagging Strategy | learn.microsoft.com/.../resource-tagging |
| Private DNS at Scale | learn.microsoft.com/.../private-link-and-dns-integration-at-scale |

Contributing

Contributions welcome! File issues and PRs on GitHub.

License

MIT
