New here?
Learn what this repo solves and how the hub-spoke pattern is wired together. Read the architecture →
Ready to deploy
Answer a few questions and walk away with a ready-to-use parameter file
(Terraform .tfvars or Bicep .bicepparam) and the exact CLI commands to
run. Open the wizard →
Already deployed
Day-2 ops: monitoring, backup verification, cost tracking, teardown. Day-2 operations →
Hub-spoke VNets, NAT gateway, Private DNS, Key Vault with PE, Log Analytics, Recovery Services.
Adds Azure Firewall (Basic) for managed egress filtering. Replaces NAT, forces 0.0.0.0/0 through the firewall.
Adds a zone-redundant VPN Gateway for hybrid connectivity to the customer’s on-premises network.
Firewall + VPN combined. Highest-control deployment for regulated workloads.
Every resource is provisioned through Azure Verified Modules — AVM-TF on the Terraform side and AVM-Bicep on the Bicep side. Modules are pinned to specific versions and updated by Dependabot. Terraform state lives in an Azure Storage backend with Entra ID auth (no SAS keys, no shared secrets); Bicep deployments are tracked natively in Azure Resource Manager — pick the workflow your team prefers.