Wednesday, June 24, 2026

Deploy an Azure Landing Zone in About Twelve Minutes with the ALZ IaC Accelerator


Hello Folks!

Welcome back to my coverage of the Microsoft Azure Infra Summit 2026. This session is one I have been looking forward to, because if you have ever stood up an Azure Landing Zone (ALZ) by hand, you know it can eat weeks. Management groups, policy assignments, Hub-and-Spoke networking, log analytics, Defender for Cloud, identities, pipelines, governed branches. There is a lot of plumbing.

In this session Jack Tracy (he leads the Azure Landing Zones team) and Jarrod Holgate (tech lead on Azure Landing Zones and Azure Verified Modules) walk through the ALZ Infrastructure as Code Accelerator. Then they actually run it, and a bootstrap that used to be a multi-week journey wraps up in about twelve minutes of typing and ticking boxes.

📺 Watch the session:

 

If you are the one who has to ship a secure, governed Azure platform before your dev teams can land their first workload, this matters to you. Here is the short version of why:

  • It bakes in the Cloud Adoption Framework “start right, stay right” pattern so you do not have to invent it.
  • It supports both Bicep and Terraform, and it bootstraps GitHub or Azure DevOps for you (with a local file system option for GitLab, Bitbucket, or whatever else you run).
  • It covers roughly 80% of common customer scenarios out of the box. You do not have to write modules from scratch.
  • It is open source, every module is published, and you can fork or compose as you see fit.
  • It is now built entirely on Azure Verified Modules (AVM), so what you deploy is aligned with the Well-Architected Framework by default.

In short, if you have been hand-crafting management group hierarchies and policy assignments in the portal, stop. There is a better way, and the team that designs ALZ ships it as code you can actually read.

A quick recap, because it is worth getting the vocabulary right.

The Azure Landing Zone lives inside the CAF Ready methodology. It is the shared platform (networking, identity, logging, policy, management groups) that supports the many application landing zones your workload teams consume. Jack uses a great analogy in the session: think of a city. Before residents and businesses can move in, you need water, gas, electricity, and roads. The platform landing zone is the utilities layer. The application landing zones are the buildings.

The ALZ IaC Accelerator is the tooling that deploys and manages that platform layer using declarative infrastructure as code. It is composed of:

  • A set of IaC modules in Bicep and Terraform (all of them built on AVM).
  • A bootstrap layer for GitHub or Azure DevOps (or local file system).
  • The ALZ PowerShell module, published to the PowerShell Gallery, which orchestrates everything.
  • Comprehensive docs covering prereqs, scenarios, and options.

The accelerator is a Microsoft-supported, open source path to a production-grade landing zone. You should look at it before you decide to roll your own.

The accelerator runs in four phases. Jarrod walks through each of them in the demo.

Phase 0: Plan. You make decisions: Bicep or Terraform, GitHub or Azure DevOps, single or multi-region, Hub-and-Spoke or Virtual WAN, Azure Firewall or NVA, DDoS on or off, and so on.

Phase 1: Prereqs. Before the accelerator runs, you need two things in place: an identity to run the bootstrap, and the platform subscriptions. Traditionally this was four (connectivity, identity, management, security). There is now a new lighter option that needs only two subscriptions for smaller environments.

Phase 2: Bootstrap. This is where the magic happens. You feed it a bootstrap configuration file plus a platform landing zone configuration file, then run the Deploy-Accelerator command. The PowerShell module deploys identities, optional Terraform state storage with private networking, optional self-hosted container-instance runners, and then sets up your repositories, pipelines, environments, governed pipeline templates, and OIDC-based service connections using Workload Identity Federation. No manual steps after Phase 2.

Phase 3: Deploy. Run the CD pipeline. The platform landing zone deploys. Done.

A few things worth highlighting about the bootstrap:

  • The accelerator deploys two identities: one with read-only for plan / what-if, one with write for apply / deploy. Least privilege, out of the box.
  • Pipelines are governed. The actual deployment pipeline lives in a separate template repository, so changes to it require an approval.
  • A CI pipeline runs on pull requests automatically. You get the engineering hygiene without configuring it.
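The two-identity split is the part worth verifying after the bootstrap finishes, because a later "helpful" role assignment is the usual way it erodes. The script below is an added example, not code from the session or the accelerator repo. It assumes Az.Accounts and Az.Resources are installed and that you are signed in with Connect-AzAccount; the object IDs and management group name are placeholders you take from the bootstrap output. It treats a role as read-only only when every control-plane action ends in `/read` and it grants no data-plane actions, so Reader (`*/read`) passes and anything like Contributor (`*`) is flagged.

```powershell
# Added example (not from the session or the accelerator repo): confirm the plan identity
# is genuinely read-only and the apply identity is the only one with write at the platform scope.
# Assumes Az.Accounts / Az.Resources and an existing Connect-AzAccount session.

$planIdentityObjectId  = '<object-id-of-plan-identity>'     # placeholder: service principal / MI object id
$applyIdentityObjectId = '<object-id-of-apply-identity>'    # placeholder
$rootManagementGroup   = '<parent-management-group-id>'     # placeholder: the MG the accelerator targets
$scope = "/providers/Microsoft.Management/managementGroups/$rootManagementGroup"

function Test-ReadOnlyRoleDefinition {
    param([Parameter(Mandatory)] $RoleDefinition)
    # Read-only means: no control-plane action other than '<provider>/.../read' or '*/read',
    # and no data-plane actions at all.
    $writeActions = @($RoleDefinition.Actions | Where-Object { $_ -notlike '*/read' })
    $dataActions  = @($RoleDefinition.DataActions)
    return ($writeActions.Count -eq 0 -and $dataActions.Count -eq 0)
}

function Get-IdentityRoleReport {
    param(
        [Parameter(Mandatory)] [string] $ObjectId,
        [Parameter(Mandatory)] [string] $Scope,
        [Parameter(Mandatory)] [string] $Label
    )
    # Get-AzRoleAssignment with -Scope returns assignments at that scope and those
    # inherited from above it, which is the effective set the pipeline runs with.
    $assignments = Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope
    foreach ($a in $assignments) {
        $def = Get-AzRoleDefinition -Id $a.RoleDefinitionId
        [pscustomobject]@{
            Identity = $Label
            Role     = $a.RoleDefinitionName
            Scope    = $a.Scope
            ReadOnly = Test-ReadOnlyRoleDefinition -RoleDefinition $def
        }
    }
}

$report = @()
$report += Get-IdentityRoleReport -ObjectId $planIdentityObjectId  -Scope $scope -Label 'plan'
$report += Get-IdentityRoleReport -ObjectId $applyIdentityObjectId -Scope $scope -Label 'apply'
$report | Format-Table -AutoSize

# Findings worth acting on.
$planWrite = @($report | Where-Object { $_.Identity -eq 'plan' -and -not $_.ReadOnly })
if ($planWrite.Count -gt 0) {
    Write-Warning "Plan identity holds write-capable role(s): $($planWrite.Role -join ', '). The plan/apply split is broken."
}
$applyWrite = @($report | Where-Object { $_.Identity -eq 'apply' -and -not $_.ReadOnly })
if ($applyWrite.Count -eq 0) {
    Write-Warning 'Apply identity has no write-capable role at this scope; the apply stage will fail.'
}
```

Assignments made on resources below the management group (for example on the Terraform state storage account) are not part of this listing, because the cmdlet walks up from the given scope, not down; query those resource scopes separately if you want the complete picture for each identity.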

Jarrod calls these “scenarios” and “options”. They are the difference between picking a starting pattern (scenario) and tuning it (options).

Scenarios. There are 11 of them out of the box. Pick the one that matches your starting state:

  • Single region, Hub-and-Spoke, Azure Firewall.
  • Multi-region, Hub-and-Spoke, Azure Firewall.
  • Single or multi-region with Virtual WAN.
  • Single or multi-region with a third-party NVA.
  • No-connectivity (governance only, no Hub networking) for organizations that are not ready for centralized networking yet.
  • New scenarios 10 and 11, which are cost-optimized for small and medium businesses with around 10 workloads. Same modules, same orchestration, just a smaller, cheaper starting shape.
  • Sovereign landing zone for customers with data sovereignty and confidential compute requirements.

Options. Once you pick a scenario, you can tune it. The 16 documented options are the ones the team sees customers ask about most often: customizing resource names, customizing management group names, turning the DDoS protection plan on or off, choosing the sovereign baseline, and more. Behind these, Terraform alone exposes hundreds of variables.

Honest tradeoffs (because Pierre always tells you the rough edges):

  • OpenTofu is not supported today. Just Bicep and Terraform.
  • Personal Access Tokens are still required for Azure DevOps and self-hosted agents at the time of the session. The team has confirmed CLI / managed identity support is on the roadmap.
  • Brownfield is “it depends”. The accelerator is greenfield-friendly. Retrofitting an existing tenant is possible but is going to depend on your current state and your risk appetite.
  • You still own decisions. The Lady Justice slide in the session is a good reminder: balancing dev team freedom with central governance is your job. The accelerator gives you the controls; it does not pick your policy posture for you.

If you want to try this without waiting, here is the path Jarrod actually demoed:

  • Install the ALZ PowerShell module from the PowerShell Gallery.
  • Create your platform subscriptions (two minimum, four for the classic architecture) and an identity for the bootstrap.
  • Run Deploy-Accelerator with no parameters. It will prompt you interactively for everything: region, parent management group, subscriptions, naming convention, self-hosted agents yes or no, private networking yes or no, PAT, project name, and approvers.
  • Review the two generated configuration files: the bootstrap config and the platform landing zone tfvars (or Bicep params).
  • Confirm. The bootstrap runs Terraform behind the scenes and wires up Azure plus your repos.
  • Run the CD pipeline. Approve at the apply stage. Your platform deploys.
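Here is that path as one script, as an added example rather than anything shown in the session or shipped with the accelerator. It wraps the install and interactive run from the demo with the prereq checks the demo takes for granted: that you are signed in as the bootstrap identity, that each platform subscription exists and is enabled, and that the parent management group is visible to you. Subscription IDs and the management group name are placeholders. Install-Module, Get-AzContext, Get-AzSubscription, Get-AzManagementGroup and Deploy-Accelerator are real cmdlets; the commented-out `-inputs` / `-output` form at the end follows the accelerator docs, so confirm it against `Get-Help Deploy-Accelerator` on your installed version.

```powershell
# Added example (not from the session or the accelerator repo): prereq checks plus the
# interactive bootstrap run from the demo. Assumes Az.Accounts / Az.Resources are installed
# and you have already run Connect-AzAccount as the bootstrap identity.

$ErrorActionPreference = 'Stop'

# Platform subscriptions: two for the lighter option, four for the classic architecture.
$platformSubscriptions = @{
    management   = '<subscription-id-management>'     # placeholder
    connectivity = '<subscription-id-connectivity>'   # placeholder
    # identity   = '<subscription-id-identity>'       # add for the classic four-subscription layout
    # security   = '<subscription-id-security>'
}
$parentManagementGroup = '<parent-management-group-id>'   # placeholder: where the ALZ hierarchy is created
$configDir = Join-Path $HOME 'alz-accelerator/config'
$outputDir = Join-Path $HOME 'alz-accelerator/output'

# 1. Install the ALZ module from the PowerShell Gallery (skipped if already present).
if (-not (Get-Module -ListAvailable -Name ALZ)) {
    Install-Module -Name ALZ -Scope CurrentUser -Repository PSGallery -Force
}
Import-Module ALZ

# 2. Confirm who we are running as, and that the subscriptions and management group resolve.
$ctx = Get-AzContext
if (-not $ctx) { throw 'Not signed in. Run Connect-AzAccount as the bootstrap identity first.' }
Write-Host "Running as $($ctx.Account.Id) in tenant $($ctx.Tenant.Id)"

foreach ($entry in $platformSubscriptions.GetEnumerator()) {
    # Get-AzSubscription throws if the identity cannot see the subscription, which is the
    # failure you want before the bootstrap, not halfway through it.
    $sub = Get-AzSubscription -SubscriptionId $entry.Value
    if ($sub.State -ne 'Enabled') {
        throw "Subscription for '$($entry.Key)' ($($entry.Value)) is in state '$($sub.State)', expected 'Enabled'."
    }
    Write-Host "OK: $($entry.Key) -> $($sub.Name)"
}

$mg = Get-AzManagementGroup -GroupName $parentManagementGroup
Write-Host "OK: parent management group '$($mg.DisplayName)' ($($mg.Name))"

# 3. Run the accelerator. With no parameters it prompts for region, parent management group,
#    subscriptions, naming, self-hosted agents, private networking, PAT, project and approvers,
#    exactly as in the demo, then writes the two config files and runs the bootstrap.
New-Item -ItemType Directory -Path $configDir, $outputDir -Force | Out-Null
Deploy-Accelerator

# Re-runs: once the generated bootstrap config and platform tfvars exist, feed them back in
# instead of answering the prompts again. Parameter names follow the accelerator docs
# (assumption: verify with Get-Help Deploy-Accelerator on your version).
# Deploy-Accelerator `
#     -inputs (Join-Path $configDir 'inputs.yaml'), (Join-Path $configDir 'platform-landing-zone.tfvars') `
#     -output $outputDir
```

Run it from a PowerShell 7 session where Connect-AzAccount has already been completed as the bootstrap identity; the checks are deliberately placed before Deploy-Accelerator so that a missing subscription or a wrong management group fails fast instead of surfacing as a Terraform error partway through the bootstrap.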

If you are not ready to drive Terraform today, the Azure Migrate AI agent (in preview) wraps the very same accelerator codebase behind a guided chat experience. You answer questions, it produces a zip with the same two config files plus a design doc explaining the decisions it made. Then you hand that off to the same pipeline. The Azure MCP server has matching tooling for VS Code, so day-two changes like “turn off the DDoS protection plan” know to also uncomment the dependent policy assignments in the archetype files. That is the kind of context-aware editing that saves you from breaking your own deployment.

If you found this useful, the full Microsoft Azure Infra Summit 2026 playlist has much more: deployment stacks, Bicep beyond the basics, IaC CI/CD best practices, AVM with GitHub Copilot, and plenty of AKS and storage sessions. Grab the playlist here: Microsoft Azure Infra Summit 2026 on YouTube.

Hit up the ALZ team in the comments on the session, or open an issue on the repo. The team is genuinely active there.

Cheers!

Pierre Roman
