Azure Citadel
  • Blogs
  • Azure Arc
    • Overview
    • Azure Arc-enabled Kubernetes
      • Prereqs
      • Background
      • Deploy Cluster
      • Connect to Arc
      • Enable GitOps
      • Deploy Application
      • Enable Azure AD
      • Enforce Policy
      • Enable Monitoring
      • Enable Azure Defender
      • Enable Data Services
      • Enable Application Delivery
    • Azure Arc-enabled Servers
      • Prereqs
      • Scenario
      • Hack Overview
      • Azure Landing Zone
      • Arc Pilot resource group
      • Azure Monitoring Agent
      • Additional policy assignments
      • Access your on prem VMs
      • Create onboarding scripts
      • Onboarding using scripts
      • Inventory
      • Monitoring
      • SSH
      • Windows Admin Center
      • Governance
      • Custom Script Extension
      • Key Vault Extension
      • Managed Identity
    • Useful Links
  • Azure CLI
    • Install
    • Get started
    • JMESPATH queries
    • Integrate with Bash
  • Azure Landing Zones
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy an Azure Landing Zone
      • Create an initial ALZ config
      • Run through the CI/CD workflow
    • Example Library Configs
      • Azure Landing Zone library
      • Azure Landing Zone library with overrides
  • Azure Lighthouse
    • Minimal Lighthouse definition
    • Using service principals
    • Privileged Identity Management
  • Azure Policy
    • Azure Policy Basics
      • Policy Basics in the Azure Portal
      • Creating Policy via the CLI
      • Deploy If Not Exists
      • Management Groups and Initiatives
    • Creating Custom Policies
      • Customer scenario
      • Policy Aliases
      • Determine the logic
      • Create the custom policy
      • Define, assign and test
  • Marketplace
    • Introduction
      • Terminology
      • Offer Types
    • Partner Center
    • Offer Type
    • Publish a VM Offer HOL
      • Getting Started
      • Create VM Image
      • Test VM Image
      • VM Offer with SIG
      • VM Offer with SAS
      • Publish Offer
      • Other VM Resources
    • Publish a Solution Template HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Publish a Managed App HOL
      • Getting Started
      • Create ARM Template
      • Validate ARM Template
      • Create UI Definition
      • Package Assets
      • Publish Offer
    • Managed Apps with AKS HOL
    • Other Managed App Resources
    • SaaS Offer HOLs
    • SaaS Offer Video Series
      • Video 1 - SaaS Offer Overview
      • Video 2 - Purchasing a SaaS Offer
      • Video 3 - Purchasing a Private SaaS Plan
      • Video 4 - Publishing a SaaS Offer
      • Video 5 - Publishing a Private SaaS Plan
      • Video 6 - SaaS Offer Technical Overview
      • Video 7 - Azure AD Application Registrations
      • Video 8 - Using the SaaS Offer REST Fulfillment API
      • Video 9 - The SaaS Client Library for .NET
      • Video 10 - Building a Simple SaaS Landing Page in .NET
      • Video 11 - Building a Simple SaaS Publisher Portal in .NET
      • Video 12 - SaaS Webhook Overview
      • Video 13 - Implementing a Simple SaaS Webhook in .NET
      • Video 14 - Securing a Simple SaaS Webhook in .NET
      • Video 15 - SaaS Metered Billing Overview
      • Video 16 - The SaaS Metered Billing API with REST
  • Microsoft Fabric
    • Theory
    • Prereqs
    • Fabric Capacity
    • Set up a Remote State
    • Create a repo from a GitHub template
    • Configure an app reg for development
    • Initial Terraform workflow
    • Expanding your config
    • Configure a workload identity
    • GitHub Actions for Microsoft Fabric
    • GitLab pipeline for Microsoft Fabric
  • Packer & Ansible
    • Packer
    • Ansible
    • Dynamic Inventories
    • Playbooks & Roles
    • Custom Roles
    • Shared Image Gallery
  • Partner Admin Link
    • Understanding PAL
    • User IDs & PAL
    • Service principals & PAL
    • CI/CD pipelines & PAL
    • Creating a dedicated PAL service principal
    • Azure Lighthouse & PAL
    • PAL FAQ
  • REST API
    • REST API theory
    • Using az rest
  • Setup
  • Sovereign Landing Zones
    • ALZ Accelerator
      • Prereqs
      • Elevate
      • Bootstrap
      • Demote
      • Components
    • Deploy Sovereign Landing Zone
      • Create an initial SLZ config
      • Run through the CI/CD workflow
      • Sovereign Landing Zone
    • Example Library Configs
      • Sovereign Landing Zone
      • Sovereign Landing Zone library with overrides
  • Terraform
    • Fundamentals
      • Initialise
      • Format
      • Validate
      • Plan
      • Apply
      • Adding resources
      • Locals and outputs
      • Managing state
      • Importing resources
      • Destroy
    • Get set up for Terraform
      • Cloud Shell
      • macOS
      • Windows with PowerShell
      • Windows with Ubuntu in WSL2
    • Using AzAPI
      • Using the REST API
      • azapi_resource
      • Removing azapi_resource
      • azapi_update_resource
      • Data sources and outputs
      • Removing azapi_update_resource
  • Virtual Machines
    • Azure Bastion with native tools & AAD
    • Managed Identities
  • About
  • Archive
  1. Home
  2. Sovereign Landing Zones
  3. Example Library Configs
  4. Sovereign Landing Zone
Sovereign Landing Zone
Sovereign Landing Zone
Example Library Configs
Sovereign Landing Zone
Sovereign Landing Zone library with overrides
  • Description
  • Architecture and Archetypes
  • Provider block
  • Metadata
  • Library
  • Architecture file
  • Default policy values

Sovereign Landing Zone

Simple example for deploying the standard Sovereign Landing Zone.

Table of Contents

  • Description
  • Architecture and Archetypes
  • Provider block
  • Metadata
  • Library
  • Architecture file
  • Default policy values

Description

The Sovereign Landing Zone (SLZ) is stacked on top of the core Azure Landing Zone (ALZ) library, and includes additional management groups and sovereign policy initiatives. Both libraries are maintained and provided by Microsoft.

Note that we recommend the next example which adds a local custom override library.

Architecture and Archetypes

The architecture name is slz - as defined in the slz.alz_architecture_definition.json - and has the extended set of architectures needed for Sovereign Landing Zone.

flowchart TD slz["Sovereign Landing Zone (root, sovereign_root)"] slz --> decommissioned decommissioned["Decommissioned (decommissioned)"] slz --> landingzones landingzones["Landing zones (landing_zones)"] landingzones --> confidential_corp confidential_corp["Confidential Corp (confidential_corp)"] landingzones --> confidential_online confidential_online["Confidential Online (confidential_online)"] landingzones --> corp corp["Corp (corp)"] landingzones --> online online["Online (online)"] landingzones --> public public["Public (public)"] slz --> platform platform["Platform (platform)"] platform --> connectivity connectivity["Connectivity (connectivity)"] platform --> identity identity["Identity (identity)"] platform --> management management["Management (management)"] platform --> security security["Security (security)"] slz --> sandbox sandbox["Sandbox (sandbox)"]

Note:

  • the additional management groups (and corresponding archetypes) under landing_zones for
    • confidential_corp
    • confidential_online
    • public
  • the additional sovereign_root archetype at the top

Provider block

As per the Azure Landing Zone example, the path and ref arguments point at a semantic version release of the Microsoft maintained platform/slz library.

provider "alz" {
  library_overwrite_enabled = true
  library_references = [
    {
      path = "platform/slz"
      ref  = "2025.10.1"
    }
  ]
}

Refer to the main page of aka.ms/alz/library for up to date release version information.

Metadata

Remember that the Sovereign Landing Zone library is stacked on top of the Azure Landing Zone library.

The metadata file for the Sovereign Landing Zone library shows the dependency on the Azure Landing Zone library. The SLZ and ALZ releases are kept (and tested) in lockstep.

{
  "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/library_metadata.json",
  "name": "SLZ",
  "display_name": "Sovereign Landing Zone",
  "description": "This library provides the reference set of Sovereign Landing Zone (SLZ) policies, archetypes, and management group architecture.",
  "path": "platform/slz",
  "dependencies": [
    {
      "path": "platform/alz",
      "ref": "2025.09.3"
    }
  ]
}

Library

The path and the ref (semantic version) in the provider block form parts of the url to the specific platform and release for the library. For example:

https://github.com/Azure/Azure-Landing-Zones-Library/tree/platform/slz/2025.10.1/platform/slz

The Sovereign Landing Zones library contains the additional assets. The README page has a list of the archetypes, policy definitions, policy assignments and custom RBAC role definitions. This is useful as a reference for your low level design documentation, or a reference when overriding archetypes. Usefully it is a superset of both the Sovereign Landing Zone and Azure Landing Zone repos.

You can get here more naturally by:

  • aka.ms/alz/library
  • navigate to platform/slz

By default you will see the information for the most recent release. You can also select a specific release:

  • click on the main branch drop down
  • switch to tags
  • select the release

Note the URL in the address bar.

Architecture file

The slz.alz_architecture_definition.json architecture definition mirrors the mermaid diagram above.

Sovereign Landing Zones architecture 
{
  "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/architecture_definition.json",
  "name": "slz",
  "management_groups": [
    {
      "archetypes": [
        "root",
        "sovereign_root"
      ],
      "display_name": "Sovereign Landing Zone",
      "exists": false,
      "id": "slz",
      "parent_id": null
    },
    {
      "archetypes": [
        "platform"
      ],
      "display_name": "Platform",
      "exists": false,
      "id": "platform",
      "parent_id": "slz"
    },
    {
      "archetypes": [
        "landing_zones"
      ],
      "display_name": "Landing zones",
      "exists": false,
      "id": "landingzones",
      "parent_id": "slz"
    },
    {
      "archetypes": [
        "public"
      ],
      "display_name": "Public",
      "exists": false,
      "id": "public",
      "parent_id": "landingzones"
    },
    {
      "archetypes": [
        "corp"
      ],
      "display_name": "Corp",
      "exists": false,
      "id": "corp",
      "parent_id": "landingzones"
    },
    {
      "archetypes": [
        "online"
      ],
      "display_name": "Online",
      "exists": false,
      "id": "online",
      "parent_id": "landingzones"
    },
    {
      "archetypes": [
        "confidential_corp"
      ],
      "display_name": "Confidential Corp",
      "exists": false,
      "id": "confidential_corp",
      "parent_id": "landingzones"
    },
    {
      "archetypes": [
        "confidential_online"
      ],
      "display_name": "Confidential Online",
      "exists": false,
      "id": "confidential_online",
      "parent_id": "landingzones"
    },
    {
      "archetypes": [
        "sandbox"
      ],
      "display_name": "Sandbox",
      "exists": false,
      "id": "sandbox",
      "parent_id": "slz"
    },
    {
      "archetypes": [
        "security"
      ],
      "display_name": "Security",
      "exists": false,
      "id": "security",
      "parent_id": "platform"
    },
    {
      "archetypes": [
        "management"
      ],
      "display_name": "Management",
      "exists": false,
      "id": "management",
      "parent_id": "platform"
    },
    {
      "archetypes": [
        "connectivity"
      ],
      "display_name": "Connectivity",
      "exists": false,
      "id": "connectivity",
      "parent_id": "platform"
    },
    {
      "archetypes": [
        "identity"
      ],
      "display_name": "Identity",
      "exists": false,
      "id": "identity",
      "parent_id": "platform"
    },
    {
      "archetypes": [
        "decommissioned"
      ],
      "display_name": "Decommissioned",
      "exists": false,
      "id": "decommissioned",
      "parent_id": "slz"
    }
  ]
}

The architecture files are uniquely identified and standalone. When you specify slz as the architecture_name then it matches against slz.alz_architecture_definition.json. If your module still specified alz then it would still match up against the alz.alz_architecture_definition.json in the underlying Azure Landing Zone library.

Default policy values

Default policy values are defined in alz_policy_default_values.json.

SLZ Policy Default Values 
{
  "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/default_policy_values.json",
  "defaults": [
    {
      "default_name": "allowed_locations",
      "description": "Allowed Azure locations for Sovereign Landing Zone policies",
      "policy_assignments": [
        {
          "parameter_names": [
            "listOfAllowedLocations"
          ],
          "policy_assignment_name": "Enforce-Sovereign-Conf"
        },
        {
          "parameter_names": [
            "listOfAllowedLocations"
          ],
          "policy_assignment_name": "Enforce-Sovereign-Global"
        }
      ]
    }
  ]
}

These value are used for consistency across multiple policy and policy initiatives in the archetypes.

Note that you would need to check the same alz_policy_default_values.json file for the underlying Azure Landing Zone library.

ALZ Policy Default Values 
{
  "$schema": "https://raw.githubusercontent.com/Azure/Azure-Landing-Zones-Library/main/schemas/default_policy_values.json",
  "defaults": [
    {
      "default_name": "private_dns_zone_subscription_id",
      "description": "The subscription id that hosts the private link DNS zones.",
      "policy_assignments": [
        {
          "parameter_names": [
            "dnsZoneSubscriptionId"
          ],
          "policy_assignment_name": "Deploy-Private-DNS-Zones"
        }
      ]
    },
    {
      "default_name": "private_dns_zone_resource_group_name",
      "description": "The resource group name that hosts the private link DNS zones.",
      "policy_assignments": [
        {
          "parameter_names": [
            "dnsZoneResourceGroupName"
          ],
          "policy_assignment_name": "Deploy-Private-DNS-Zones"
        }
      ]
    },
    {
      "default_name": "private_dns_zone_region",
      "description": "The region short name (e.g. `westus`) that should be used for the region specific private link DNS zones.",
      "policy_assignments": [
        {
          "parameter_names": [
            "dnsZoneRegion"
          ],
          "policy_assignment_name": "Deploy-Private-DNS-Zones"
        }
      ]
    },
    {
      "default_name": "ama_user_assigned_managed_identity_id",
      "description": "The user assigned managed identity id that should be used for the AMA deployment.",
      "policy_assignments": [
        {
          "parameter_names": [
            "userAssignedIdentityResourceId"
          ],
          "policy_assignment_name": "Deploy-VM-ChangeTrack"
        },
        {
          "parameter_names": [
            "userAssignedIdentityResourceId"
          ],
          "policy_assignment_name": "Deploy-VMSS-ChangeTrack"
        },
        {
          "parameter_names": [
            "userAssignedIdentityResourceId"
          ],
          "policy_assignment_name": "Deploy-VM-Monitoring"
        },
        {
          "parameter_names": [
            "userAssignedIdentityResourceId"
          ],
          "policy_assignment_name": "Deploy-VMSS-Monitoring"
        },
        {
          "parameter_names": [
            "userAssignedIdentityResourceId"
          ],
          "policy_assignment_name": "Deploy-MDFC-DefSQL-AMA"
        }
      ]
    },
    {
      "default_name": "ama_user_assigned_managed_identity_name",
      "description": "The user assigned managed identity name that is used for the deny action policy to prevent the accidental deletion of the AMA identity.",
      "policy_assignments": [
        {
          "parameter_names": [
            "resourceName"
          ],
          "policy_assignment_name": "DenyAction-DeleteUAMIAMA"
        }
      ]
    },
    {
      "default_name": "ama_vm_insights_data_collection_rule_id",
      "description": "The data collection rule id that should be used for the VM Insights deployment.",
      "policy_assignments": [
        {
          "parameter_names": [
            "dcrResourceId"
          ],
          "policy_assignment_name": "Deploy-VM-Monitoring"
        },
        {
          "parameter_names": [
            "dcrResourceId"
          ],
          "policy_assignment_name": "Deploy-VMSS-Monitoring"
        },
        {
          "parameter_names": [
            "dcrResourceId"
          ],
          "policy_assignment_name": "Deploy-vmHybr-Monitoring"
        }
      ]
    },
    {
      "default_name": "ama_mdfc_sql_data_collection_rule_id",
      "description": "The data collection rule id that should be used for the SQL MDFC deployment.",
      "policy_assignments": [
        {
          "parameter_names": [
            "dcrResourceId"
          ],
          "policy_assignment_name": "Deploy-MDFC-DefSQL-AMA"
        }
      ]
    },
    {
      "default_name": "ama_change_tracking_data_collection_rule_id",
      "description": "The data collection rule id that should be used for the change tracking deployment.",
      "policy_assignments": [
        {
          "parameter_names": [
            "dcrResourceId"
          ],
          "policy_assignment_name": "Deploy-VM-ChangeTrack"
        },
        {
          "parameter_names": [
            "dcrResourceId"
          ],
          "policy_assignment_name": "Deploy-vmArc-ChangeTrack"
        },
        {
          "parameter_names": [
            "dcrResourceId"
          ],
          "policy_assignment_name": "Deploy-VMSS-ChangeTrack"
        }
      ]
    },
    {
      "default_name": "ddos_protection_plan_id",
      "description": "The DDoS protection plan id that should be used for the DDoS protection plan deployment. If this is invalid or you do not use DDoS protection, make sure to change the enforcement mode of the Enable-DDoS-VNET policy to 'DoNotEnforce'.",
      "policy_assignments": [
        {
          "parameter_names": [
            "ddosPlan"
          ],
          "policy_assignment_name": "Enable-DDoS-VNET"
        }
      ]
    },
    {
      "default_name": "log_analytics_workspace_id",
      "description": "The Log Analytics workspace id that should be used for centralized log collection.",
      "policy_assignments": [
        {
          "parameter_names": [
            "logAnalytics"
          ],
          "policy_assignment_name": "Deploy-AzActivity-Log"
        },
        {
          "parameter_names": [
            "logAnalyticsWorkspaceId"
          ],
          "policy_assignment_name": "Deploy-AzSqlDb-Auditing"
        },
        {
          "parameter_names": [
            "logAnalytics"
          ],
          "policy_assignment_name": "Deploy-Diag-LogsCat"
        },
        {
          "parameter_names": [
            "logAnalytics"
          ],
          "policy_assignment_name": "Deploy-MDFC-Config-H224"
        },
        {
          "parameter_names": [
            "userWorkspaceResourceId"
          ],
          "policy_assignment_name": "Deploy-MDFC-DefSQL-AMA"
        }
      ]
    }
  ]
}
Source: https://icy-island-077f0c303-135.westeurope.4.azurestaticapps.net/slz/examples/core_slz/
Published: 03 Dec 2025
Printed:
Example Library Configs Sovereign Landing Zone Sovereign Landing Zone library with overrides