Architecting Landing Zones - Course Curriculum

Hexadigitall Academy (Hexadigitall Technologies)

www.hexadigitall.com

Scan for course page, admissions, and mentorship details.

Course Snapshot

Design, implement, and operate enterprise-grade cloud landing zones with governance, security, networking, and operational excellence baked in from day one.

Welcome to Architecting Landing Zones! 🎓

This 14-week advanced curriculum is designed for cloud engineers and platform teams responsible for building enterprise landing zones that are secure, governable, and scalable from day one.

You will move from strategy and architecture through identity, networking, policy-as-code, observability, compliance, and onboarding operations, producing practical deliverables each week that mirror real platform engineering work.

Your success is our priority. By the end of this course, you will be able to design and deliver a production-ready landing zone with clear governance controls, operational guardrails, and audit-ready documentation.

Prerequisites & What You Should Know

Working knowledge of cloud fundamentals and virtual networking.
Basic understanding of IAM concepts and policy-based access control.
Comfort with infrastructure automation concepts and CLI-based workflows.
Readiness to document architecture decisions and operational runbooks.

Recommended Complementary Courses

Enterprise Cloud Solutions Architect: Extend landing zone patterns into enterprise-wide platform governance and multi-account architecture strategy.
DevOps Engineering & Cloud Infrastructure: Operationalize your platform design with CI/CD, Kubernetes, Terraform, and delivery automation.
Advanced Ansible Automation: Add configuration and lifecycle automation for platform services and baseline controls.
Azure Security Technologies (AZ-500): Deepen identity, network, and workload security controls that underpin secure landing zones.

Essential Learning Resources

Microsoft Cloud Adoption Framework and Azure Landing Zone reference architecture.
AWS multi-account and control tower governance guidance for cross-cloud comparison.
Terraform documentation for policy checks, modules, and remote state controls.
Well-Architected frameworks and platform engineering operating model references.

Your Learning Roadmap

Weeks 1-3 (Foundation): Strategy, identity model, and hierarchy design.
Weeks 4-6 (Platform Core): Networking blueprint, hybrid integration, and security baselines.
Weeks 7-10 (Operations): Observability, FinOps controls, IaC modules, and platform CI/CD.
Weeks 11-14 (Governance to Delivery): Workload onboarding, compliance, resilience, and capstone defense.

Learning Outcomes

Design enterprise landing zone architecture aligned to governance and security standards.
Implement identity, networking, policy, and observability foundations for cloud platforms.
Operationalize platform changes with IaC and CI/CD guardrails.
Onboard workloads using standardized platform contracts and controls.
Produce audit-ready evidence and resilience plans for production operations.

Detailed Weekly Curriculum

Week 1 2 hours + labs

The "Why" of Landing Zones

Concept Scope

Cloud adoption framework phases and landing zone operating model.
Business, security, and compliance drivers translated to platform requirements.
Reference architecture decisions for enterprise foundations.

Hands-On Scope

Initialize textbook-aligned repository structure (docs + projects/week-01-foundations).
Document pre-landing-zone risks and blast-radius constraints in baseline assessment.
Create first architecture decision record for landing-zone adoption.

Expected Deliverables

Week-01 baseline package and folder evidence.
Current-state risk assessment report.
Landing-zone rationale ADR.

Week 2 2 hours + labs

Identity at Scale

Concept Scope

Identity source-of-truth and tenant design principles.
Privileged access model, role separation, and break-glass strategy.
RBAC policy inheritance across management hierarchy.

Hands-On Scope

Design identity hierarchy and role boundaries for platform/security/workload teams.
Implement least-privilege mappings and privileged access workflow.
Validate inheritance and exception handling across scopes.

Expected Deliverables

Identity/RBAC model and role matrix.
Privileged workflow evidence bundle.
Access validation report with exceptions log.

Week 3 2 hours + labs

Governance & Guardrails

Concept Scope

Management group strategy for platform, landing, and sandbox scopes.
Subscription/account segmentation by environment and business domain.
Policy inheritance and scope boundaries.

Hands-On Scope

Define governance guardrails for naming, tagging, region, and service use.
Apply policies at hierarchy scopes and test inheritance behavior.
Simulate violations and verify deny/audit controls.

Expected Deliverables

Guardrail policy catalog and scope map.
Policy inheritance test evidence.
Violation simulation and remediation log.

Week 4 2 hours + labs

Hub-and-Spoke Networking

Concept Scope

Hub-spoke or transit architecture trade-offs.
Address space planning, segmentation, and overlapping CIDR risks.
Ingress/egress and east-west traffic controls.

Hands-On Scope

Design hub-and-spoke network architecture with segmentation boundaries.
Implement routing, firewall, and DNS patterns for shared/workload planes.
Validate connectivity and isolation across traffic paths.

Expected Deliverables

Network topology blueprint and CIDR plan.
Routing/firewall implementation artifacts.
Connectivity/isolation validation matrix.

Week 5 2 hours + labs

Shared VPCs & Private Link

Concept Scope

Site-to-site and private connectivity patterns.
DNS, identity, and trust boundaries in hybrid designs.
Failover patterns for branch and on-prem integration.

Hands-On Scope

Implement shared network services and private endpoint exposure model.
Disable unnecessary public paths and enforce private access.
Test cross-account/subscription private connectivity and DNS resolution.

Expected Deliverables

Shared service network architecture package.
Private endpoint configuration evidence.
Private connectivity validation report.

Week 6 2 hours + labs

Centralized Security

Concept Scope

Guardrails using policy frameworks and control objectives.
Security baseline controls for compute, data, and networking.
Policy lifecycle management and exception handling.

Hands-On Scope

Deploy centralized security controls across all landing-zone scopes.
Aggregate findings and prioritize remediation by severity and ownership.
Re-test and close critical findings with evidence.

Expected Deliverables

Central security baseline checklist.
Findings triage board with SLAs.
Critical remediation closure report.

Week 7 2 hours + labs

Centralized Logging

Concept Scope

Platform telemetry architecture and log taxonomy.
Centralized monitoring, alerting, and correlation strategy.
Detection engineering principles for platform signals.

Hands-On Scope

Implement centralized logging pipeline with retention and access controls.
Normalize identity/network/workload telemetry for investigations.
Create and test detections for high-risk admin/network events.

Expected Deliverables

Logging architecture and retention policy doc.
Normalized schema/parser configuration set.
Detection query library with sample alerts.

Week 8 2 hours + labs

The Account Factory

Concept Scope

Resource governance standards and mandatory metadata.
Budget controls, chargeback/showback model.
Cost anomaly detection and optimization loops.

Hands-On Scope

Automate account/subscription provisioning with baseline controls at creation.
Implement request-approval workflow and SLA tracking.
Validate policy/tag compliance of provisioned environments.

Expected Deliverables

Account factory automation workflow package.
Approval and SLA evidence records.
Provisioning compliance validation output.

Week 9 2 hours + labs

Account Customizations

Concept Scope

IaC module design for reusable platform components.
State management and environment promotion strategy.
Secure secrets and configuration management in IaC.

Hands-On Scope

Build reusable account customization modules for baseline standards.
Apply customizations to multiple environments consistently.
Detect and remediate drift across customized accounts.

Expected Deliverables

Customization module repository and version notes.
Multi-environment rollout evidence.
Drift remediation report.

Week 10 2 hours + labs

Deep Dive: AFT

Concept Scope

Release flow for platform changes and guardrails.
Automated validation, approvals, and rollback standards.
Change management governance for platform teams.

Hands-On Scope

Configure AFT pipeline with approvals and quality gates for account provisioning.
Automate post-provision baseline modules and compliance checks.
Run full onboarding flow from request to compliant account state.

Expected Deliverables

AFT pipeline config and workflow diagram.
Baseline deployment execution logs and gate outcomes.
End-to-end onboarding report with remediation notes.

Week 11 2 hours + labs

Standardization & Blueprints

Concept Scope

Landing zone onboarding process for new product teams.
Shared services, platform contracts, and ownership boundaries.
Security and networking onboarding controls.

Hands-On Scope

Define standardized blueprints for recurring workload onboarding patterns.
Encode mandatory controls and optional extensions per blueprint tier.
Pilot blueprint onboarding and capture feedback for refinement.

Expected Deliverables

Blueprint catalog with control mappings.
Template implementation package.
Pilot onboarding evaluation notes.

Week 12 2 hours + labs

Landing Zone Drift & Lifecycle Management

Concept Scope

Mapping technical controls to regulatory requirements.
Audit evidence collection and control attestation model.
Continuous compliance monitoring architecture.

Hands-On Scope

Implement drift detection across identity, policy, and network baselines.
Plan lifecycle upgrades/deprecations with governance approvals.
Execute controlled remediation and verify post-change stability.

Expected Deliverables

Drift detection dashboard and alert rules.
Lifecycle change calendar with approvals.
Remediation execution and validation logs.

Week 13 2 hours + labs

State Management & Scaling Strategies

Concept Scope

Resilience objectives (RTO/RPO) for platform services.
Cross-region and backup strategy for landing zone components.
Incident escalation and recovery governance.

Hands-On Scope

Design scalable remote-state isolation strategy for multi-team operations.
Optimize pipeline concurrency and dependency orchestration.
Stress-test parallel rollout safety and state integrity.

Expected Deliverables

State management architecture and guardrails.
Pipeline scaling configuration evidence.
Parallel rollout simulation report.

Week 14 2 hours + labs

Final Project: The Corporate Handover

Concept Scope

End-to-end landing zone architecture defense.
Governance, security, observability, and operations integration.
Executive communication of platform value and risks.

Hands-On Scope

Assemble final corporate handover package (architecture, controls, operations).
Conduct executive walkthrough and technical defense using portfolio evidence.
Complete transition checklist with ownership transfer sign-off.

Expected Deliverables

Corporate handover dossier and runbooks.
Executive walkthrough deck and Q&A transcript.
Transition sign-off record and next-phase roadmap.

Capstone Projects

Project 1: Landing Zone Specialist Curriculum Foundation Build

Deliver a concrete foundation implementation covering the first phase of the curriculum.

Implement and validate The "Why" of Landing Zones.
Integrate Identity at Scale with reusable workflow standards.
Publish evidence for Governance & Guardrails with test and quality artifacts.

Project 2: Landing Zone Specialist Curriculum Integrated Systems Build

Combine mid-program competencies into a production-style integrated workflow.

Build an end-to-end flow around Shared VPCs & Private Link and Centralized Security.
Add controls, observability, and rollback paths for reliability.
Document architecture decisions and trade-offs tied to Centralized Logging.

Project 3: Landing Zone Specialist Curriculum Capstone Delivery

Ship a portfolio-ready capstone with measurable outcomes and stakeholder-ready presentation.

Deliver a complete implementation centered on Standardization & Blueprints.
Validate readiness for Landing Zone Drift & Lifecycle Management using objective acceptance checks.
Present final defense and roadmap based on State Management & Scaling Strategies outcomes.

Study Tips for Success

Maintain an architecture decision record (ADR) for every key platform trade-off.
Validate every governance control with evidence, not assumption.
Treat documentation as a first-class deliverable, especially runbooks and onboarding guides.
Use weekly retrospectives to refine naming, policy, and environment standards.
Practice presenting design decisions to both technical and executive stakeholders.

About This Course

The Landing Zone Specialist Curriculum focuses on enterprise cloud platform foundations. It is built for engineers who must establish secure, compliant, and scalable cloud environments that support multiple product teams without sacrificing governance.

Best fit roles: Cloud Platform Engineer, Landing Zone Architect, Cloud Governance Engineer, Enterprise Infrastructure Engineer.
Primary outcome: Deliver a production-grade landing zone blueprint and implementation package.
Portfolio value: Architecture artifacts, policy baselines, onboarding playbooks, and resilience evidence.