This year for Azure Spring Clean, I wanted to focus on an area that is becoming increasingly common with clients I work with, and a key technology trend I regularly see – the need for Hybrid considerations within Landing Zones, covering not only Cloud-based resources, but also those that are an extension of your Cloud environment (Cloud networking, Hybrid deployments via Azure Local, Azure Arc workloads, and more). When I refer to “Hybrid Landing Zones” I am referring to the aspects that extend beyond our Cloud environment within a Landing Zone – for example the use of Azure Arc and Azure Policy.
Firstly – a huge thank you to the organisers of Azure Spring Clean, please do check out all of the other awesome sessions here: https://www.azurespringclean.com/
In this post, I will run through 4 key areas that I feel need consideration, as well as providing wider reading and links to help continue your own learning in this area. Please note, this post is by no means exhaustive, and all environments vary – so do consult relevant documentation when planning your own environment needs.
The changing needs of Landing Zones
It’s important to recognise that as we extend our cloud environments beyond a traditional cloud-only operation, this brings with it a number of additional considerations and areas that require focus. Consider a well-architected Azure estate, operating in line with best practice – this is great, but extending this environment to additional locations or geographies outside of Azure Regions brings additional considerations with it. Key areas to consider here are:
- The use of Azure Policy and Governance
- Azure Arc and Azure Local
- Security
- Monitoring
- Networking
- Compliance
- Infrastructure as Code
These are just a handful – but present us with a number of key topics that need exploration and consideration. I’m going to run through a few of these in more detail below.
Also well worth a read here are the following links – covering MS guidance on hybrid and multicloud scenarios, and an Arc specific accelerator for hybrid and multicloud:
- Prepare your environment for a hybrid and multicloud scenario (MS Learn) – https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/ready
- Introduction to Azure Arc landing zone accelerator for hybrid and multicloud (MS Learn) – https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/enterprise-scale-landing-zone
Azure Policy and Governance
One of the key aspects in a hybrid landscape is that of Azure Policy and Governance. In a well-architected Azure environment, Policy is used to control aspects of the environment, providing the ability to work within guardrails and ensure compliance with frameworks, standards, and governance requirements. When operating in a hybrid manner, this can be overlooked, usually because management elements and control planes aren’t extended to the various locations, and aspects of control and compliance are degraded or absent as a result.
Microsoft Learn summarises one of the key factors that is essential for Hybrid environments – the ability to extend beyond Cloud only:

Thankfully – Azure is extremely well equipped for these types of environments and operations. However, it is important to consider the hybrid and multicloud guidance from Microsoft – aiming for a unified operational approach, that covers all operating environments and locations:

Well worth a read here is the Microsoft Guidance on Unified operations for hybrid, multicloud, and edge – https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/unified-operations#primary-cloud-platform
So we understand the challenge to solve – how do we achieve the necessary control and governance?
Centralised control is a key aspect to ensure compliance and governance – with a service like Azure Arc, extending our Cloud control plane out to edge, hybrid, and multicloud, we can ensure control and compliance across these estates, regardless of type and location. It’s likely that if you are already working with Azure, you have a Policy and Control baseline in place – so below I’ve shared a few links that provide wider reading and context around Azure Arc and Policy, specifically relating to hybrid environments and operating models:
- Introduction to Azure Arc landing zone accelerator for hybrid and multicloud – https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/enterprise-scale-landing-zone. This is a very useful resource – providing guidance on the use of Arc within a hybrid environment, and the necessary guidance for implementation. Also – do check out the Arc enabled servers design guidelines, as these also provide additional context: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/scenarios/hybrid/enterprise-scale-landing-zone#azure-arc-enabled-servers-design-guidelines.
- Built-in policy definitions for Arc enabled Servers – https://learn.microsoft.com/en-us/azure/azure-arc/servers/policy-reference. This article runs through the built-in policy definitions for Arc enabled servers, providing an overview of the readily available and easy to deploy options available for Arc enabled servers. Remember – custom definitions can also be created: https://learn.microsoft.com/en-us/azure/governance/machine-configuration/how-to/create-policy-definition.
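As an added example (not code from the original post or from Microsoft), the script below defines and assigns a custom Azure Policy that audits Arc-enabled servers (resource type `Microsoft.HybridCompute/machines`) missing a required tag, so on-premises and edge machines are held to the same tagging baseline as native Azure resources. The policy name, the tag key `owner` and the management group `contoso-hybrid` are assumptions; the `az` CLI calls require a prior `az login`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): define and assign a custom Azure Policy
# that audits Azure Arc-enabled servers (Microsoft.HybridCompute/machines) missing a
# required tag. Policy name, tag key and scope below are assumptions; change to suit.
set -eu

POLICY_NAME="${POLICY_NAME:-audit-arc-server-required-tag}"   # assumed name
REQUIRED_TAG="${REQUIRED_TAG:-owner}"                           # assumed tag key
# Assumed scope: a management group, so Arc machines in every child subscription are covered.
ASSIGNMENT_SCOPE="${ASSIGNMENT_SCOPE:-/providers/Microsoft.Management/managementGroups/contoso-hybrid}"

# Policy rule: flag any Arc-enabled machine on which the tag does not exist.
arc_tag_policy_rule() {
  cat <<'JSON'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.HybridCompute/machines" },
      { "field": "[concat('tags[', parameters('tagName'), ']')]", "exists": "false" }
    ]
  },
  "then": { "effect": "[parameters('effect')]" }
}
JSON
}

# Parameters: the tag key and the effect. Start with Audit; move to Deny only once
# onboarding scripts set the tag, otherwise new hybrid machines fail to register.
arc_tag_policy_params() {
  cat <<'JSON'
{
  "tagName": { "type": "String", "metadata": { "displayName": "Required tag name" } },
  "effect":  { "type": "String", "allowedValues": [ "Audit", "Deny", "Disabled" ], "defaultValue": "Audit" }
}
JSON
}

# Sanity check before anything is sent to Azure: count the three parts the rule must contain
# (Arc resource type, the exists=false test, and the parameterised effect). Returns 3 when intact.
arc_tag_policy_rule_check() {
  local rule hits
  rule="$(arc_tag_policy_rule)"
  hits=0
  printf '%s' "$rule" | grep -q 'Microsoft.HybridCompute/machines' && hits=$((hits + 1))
  printf '%s' "$rule" | grep -q '"exists": "false"' && hits=$((hits + 1))
  printf '%s' "$rule" | grep -q "parameters('effect')" && hits=$((hits + 1))
  echo "$hits"
}

# Create the definition at management-group scope and assign it there.
deploy_arc_tag_policy() {
  local mg="${ASSIGNMENT_SCOPE##*/}"
  az policy definition create \
    --name "$POLICY_NAME" \
    --display-name "Audit Arc-enabled servers missing the '${REQUIRED_TAG}' tag" \
    --mode Indexed \
    --management-group "$mg" \
    --rules "$(arc_tag_policy_rule)" \
    --params "$(arc_tag_policy_params)"

  az policy assignment create \
    --name "${POLICY_NAME}-assign" \
    --scope "$ASSIGNMENT_SCOPE" \
    --policy "$POLICY_NAME" \
    --params "{\"tagName\": {\"value\": \"${REQUIRED_TAG}\"}, \"effect\": {\"value\": \"Audit\"}}"
}

# List non-compliant Arc machines only, so hybrid drift is visible in one query.
report_arc_noncompliance() {
  az policy state list \
    --filter "ResourceType eq 'Microsoft.HybridCompute/machines' and ComplianceState eq 'NonCompliant'" \
    --query "[].{machine:resourceId, policy:policyDefinitionName}" -o table
}

# Only touch Azure when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
  deploy_arc_tag_policy
  report_arc_noncompliance
fi
```

Run it as `./arc-tag-policy.sh --apply` after `az login`. The `Indexed` mode matters here: it evaluates only resource types that support tags and locations, which Arc-enabled machines do, and keeps the policy from noisily flagging child resources such as extensions. Compliance results take a while to appear after assignment, so `report_arc_noncompliance` is best rerun later or scheduled.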
Extending the Platform with Arc and Local
It’s also clear that whilst many workloads can run in public Cloud environments, not all should. There are many reasons for workloads to remain in on-premises, hybrid, and edge locations, from compliance, to latency, to connecting to nearby equipment for example. However, just because we can’t move a workload, does not mean we can’t extend a platform to provide for that workload. This is where Azure Arc and Azure Local can really help! 😊

If you’re unfamiliar with Azure Arc and Azure Local – the below links will help you with an overview, and I’ve provided some insight into how these services allow the extension of your Azure operating environment into hybrid environments:
- Azure Arc Overview – https://azure.microsoft.com/en-us/products/azure-arc
  - Azure Arc provides a platform to extend the Azure control plane into your hybrid, on-premises, and edge locations. By deploying Azure Arc you can bring Azure benefits (like licensing, Change Tracking, Inventory, Admin Centre, Remote Support, and more), as well as providing access to new sources of data (your machines providing data into Azure Monitor for example), ensure compliance by using Azure Policy, and much more!
- Azure Local Overview – https://azure.microsoft.com/en-gb/products/local
  - Azure Local, formerly Azure Stack HCI, provides a platform to run workloads in your own sites and locations. Azure Local provides the core infrastructure services needed to run virtualised workloads, whilst extending the necessary control aspects to Azure – allowing management and control of these workloads via the Azure Portal and Azure Resource Manager. By utilising Azure Local, we can take advantage of Cloud-based operations, centralised management, clustering, and more.
Within our Landing Zone designs – we need to account for the extended control aspects that Azure Arc enables, and the services that Azure Local can provide. In many cases, it is about evaluating the specific organisational needs, and ensuring the correct control and supporting aspects are in place. This could be as simple as ensuring compliance with Arc, or could extend to providing Azure Backup and Recovery services to Azure Local, for example (https://learn.microsoft.com/en-us/azure/backup/back-up-azure-stack-hyperconverged-infrastructure-virtual-machines).
Networking Considerations
I’m not going to reinvent the wheel in this section – I’ve recently blogged about how networking changes, and the additional considerations that are required in a hybrid world. There are a number of key takeaways here that I covered in my recent post:
- VPN / Private connectivity is not always required – hybrid environments do not always require a full mesh connectivity approach, especially with operations governed and managed by services like Azure Arc.
- Arc and Local are key for Edge Locations – Arc and Local can enable edge locations to operate without the need for complex connectivity, taking advantage of localised operations, supported by Azure Services.
- High Security with Disconnected Operations – Disconnected operations with Azure Local, currently in preview, provide a high-security approach should this be required.
- Going Local to solve latency challenges – latency challenges can be solved with Azure Local, with workloads running locally, and supported by Azure services for management, compliance and more.
Please do check out my post shared above for a full overview of the networking aspects!
Extending the use of Infrastructure as Code
It wouldn’t be right for me to discuss key Azure aspects without touching on Infrastructure as Code (IAC) – and this is also an area that needs additional consideration in a hybrid landscape. Many organisations deploying using IAC will be doing so from a cloud-based IAC platform, like GitHub with Actions, or Azure DevOps with Pipelines, into a public Cloud environment. Extending the IAC environment to hybrid locations sometimes presents the need for changes to this approach.
Self Hosted Agents are usually the answer here – allowing you to run tasks within your own infrastructure. Different platforms have a number of ways to achieve this type of configuration – I’ve summarised a few below with links to help out:
- Azure DevOps – Self Hosted Agents – https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/agents?view=azure-devops&%3FWT.mc_id=AZ-MVP-5004974view%3Dazure-devops&tabs=yaml%2Cbrowser#self-hosted-agents
- GitHub – Self Hosted Runners – https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners
- HCP Terraform Agents – https://developer.hashicorp.com/terraform/cloud-docs/agents
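To show what the self-hosted approach looks like in practice, here is an added example GitHub Actions workflow (not from the original post or from GitHub’s documentation) that routes an IaC deployment job to a runner registered inside the hybrid site. The runner labels (`hybrid-site-a`), the resource group name, the template paths and the secret names are assumptions. Authentication uses OIDC federation via `azure/login` so the runner holds no long-lived service principal secret, which matters more for a machine sitting in an on-premises or edge location than for a hosted runner.

```yaml
# Added example (not from the original post): deploy a Bicep template to a hybrid site
# from a self-hosted GitHub runner. Labels, names, paths and secrets are assumptions.
name: deploy-hybrid-landing-zone

on:
  push:
    branches: [ main ]
    paths: [ 'infra/**' ]

permissions:
  id-token: write   # needed for OIDC federation to Microsoft Entra ID
  contents: read

jobs:
  deploy:
    # Route the job to a runner carrying these labels (assumed label: hybrid-site-a).
    # The runner only makes outbound calls to GitHub; no inbound reachability into the site is needed.
    runs-on: [self-hosted, linux, hybrid-site-a]
    steps:
      - uses: actions/checkout@v4

      - name: Azure login (OIDC, no client secret stored on the runner)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: What-if before apply
        run: |
          az deployment group what-if \
            --resource-group rg-hybrid-site-a \
            --template-file infra/site.bicep \
            --parameters infra/site.bicepparam

      - name: Deploy
        run: |
          az deployment group create \
            --resource-group rg-hybrid-site-a \
            --template-file infra/site.bicep \
            --parameters infra/site.bicepparam
```

Two design points worth noting: the `what-if` step gives a change preview before anything is applied, which is useful when the runner can reach resources a hosted runner cannot; and because the runner is a server in your own estate, it is itself a candidate for Arc onboarding so that the same Policy and monitoring baseline applies to it.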
It’s also important to note that Azure Verified Modules can help out here too – providing a supported and Microsoft-driven initiative to help adopt IAC. There are a range of pattern and resource modules that can also help here – including a number for Arc and Azure Local. You can read more about AVM here: https://azure.github.io/Azure-Verified-Modules/
I hope this post has been helpful. Until next time! 😊