Engagement 01 · Foundation Build
A production-ready Azure landing zone in 5–7 days. Identity, networking, policy, logging, and Terraform-based infrastructure-as-code — built right the first time, owned by your team from day one.
Why this exists
Teams move fast and end up with a tenant full of orphaned subscriptions, ad-hoc role assignments, no consistent network design, and zero infrastructure-as-code. Six months in, every change is a guess. The Launchpad gives you a clean, opinionated foundation — landing zone, identity, networking, policy, and an IaC repo — so the next thousand resources are deployed correctly by default.
What's included
Management group hierarchy, subscription model (per-environment or per-workload), naming standards, and tagging policy. Set up to scale without rework.
Privileged Identity Management, break-glass accounts, custom roles, group-based access, and a documented access model. Least privilege from day one.
Virtual networks, peering, route tables, Azure Firewall or NVA pattern, private DNS zones, and a clear path for adding workloads. No flat VNets.
Built-in and custom policies to enforce region, tagging, allowed SKUs, encryption, and key compliance requirements. Drift becomes visible immediately.
Log Analytics workspace, diagnostic settings rolled out via policy, baseline alerts, and a starter Azure Monitor workbook. You see everything from week one.
A working Terraform repository with module structure, remote state, and a pipeline-ready layout. Everything we build is in code — and stays in code.
Deliverables
Timeline
Half-day workshop. Existing state, constraints, compliance requirements, and what success looks like for your team.
Tenant configuration, Terraform modules, networking, policy, and logging — built and validated in your environment.
Documentation pack, walkthrough session, and a clear set of next steps for your team to take it from here.
FAQ
We already have an Azure tenant — can you still help?
Yes. If your tenant has minimal usage we can layer the Launchpad on top. If it's a full brownfield environment, the Azure Audit & Drift Control or Brownfield Terraform Migration engagements are a better fit.
Why Terraform and not Bicep?
Both are good. We default to Terraform because it's portable across clouds and works well with multi-team workflows. If your team has a strong Bicep preference, we'll deliver in Bicep — the IaC choice doesn't change the architecture.
What's not included?
Application workloads, custom application architecture, data platform design, and AI/OpenAI workloads are separate engagements. The Azure OpenAI Landing Zone covers AI infrastructure; the Launchpad gets the general foundation right.
Where does the price land in the $5k–$12k range?
Lower end for single-subscription, single-region greenfield builds. Higher end for multi-subscription or multi-region builds, or where there's existing complexity to integrate with. We confirm scope and price before any commitment.
Do we own the code?
Yes. Everything we deliver is in your repository, under your licence, with no lock-in to us. The Launchpad ends when the handover is complete — ongoing support via Ongoing Platform Support is optional.
Next step
Book a 30-minute discovery call. We'll talk through your current state, what you need, and confirm whether the Launchpad is the right engagement before any commitment.