Building a Landing Zone in Azure China with Terraform - Rahi


Building a Landing Zone in Azure China with Terraform

By Muktar SayedSaleh

June 13, 2023 - 8 min


As businesses increasingly move their operations to the cloud, it becomes essential to have a well-designed and secure cloud environment. This is where Cloud Landing Zones come in, providing a framework for businesses to build and manage their cloud infrastructure. A Landing Zone is a pre-built cloud environment that is designed to be scalable, secure, and compliant, allowing businesses to quickly deploy their workloads while adhering to their organizational policies and standards.

This article will explore the benefits of building a Landing Zone in Azure China, a specialized cloud environment for businesses operating in China. We will discuss how to leverage Terraform, a popular infrastructure-as-code tool, to automate the creation and management of the Landing Zone infrastructure.

Benefits of Building a Landing Zone in Azure China

Building a Landing Zone in Azure China has several advantages:

  • Reduce time to market: You can deploy your workloads quickly and efficiently, accelerating the time to market and giving you a competitive advantage in the Chinese market.
  • Shift to DevOps and Automation: Shift to DevOps and automation to accelerate the development and delivery of your products. Businesses can automate their infrastructure, deployment, and testing processes, reducing errors and increasing efficiency, which lets them focus on delivering high-quality products and services to their customers.
  • Increase scalability: Efficiently scale resources up and down, reducing costs and improving performance for your customers. Azure China provides businesses with a reliable and scalable cloud platform that can handle even the largest workloads, ensuring that your applications can handle any demand.
  • Optimize your costs: Consolidate your billing for multiple Azure China accounts, giving you visibility of your accounts, costs, and payments. By consolidating your billing, you can simplify your accounting and reduce administrative overhead, allowing you to focus on growing your business in China.
    Differences between a Landing Zone in Azure Global and Azure China

    There are several key differences between a Landing Zone in Azure Global and Azure China. Some of these differences include:

  • Separate accounts: Azure China and Azure Global are separate accounts, with different endpoints and APIs. This means that businesses operating in China must use Azure China, and cannot use Azure Global to deploy their workloads in China. Similarly, businesses operating outside of China must use Azure Global, and cannot use Azure China to deploy their workloads outside of China.
  • Different Compliance and Regulatory Requirements: China has strict data sovereignty laws and regulations that require businesses to keep their data within China’s borders. Azure China is designed to comply with these regulations, while Azure Global is not subject to the same requirements.
  • Availability of Certain Azure Services and Features: Some Azure services and features are not available in Azure China. For example, Azure Functions, Azure Batch, and Azure Stack are not currently available in Azure China.
  • Potential Impact on Network Latency and Performance: The Great Firewall between Azure Global and Azure China can result in higher network latency and lower performance for businesses that operate in China.
    Setting up the Azure China Environment

    To build a Landing Zone in Azure China, you will first need to create an Azure China account and set up a subscription. Here are the steps to follow:

  • Create an Azure account in China: Note that you will need to provide specific documentation to verify your identity and business registration.
  • Set up a subscription: Create a subscription to start using Azure services.
  • Configure access policies and permissions: Set up access policies and permissions to ensure that only authorized users can access and manage your Azure resources. This includes defining roles and permissions for your team members, setting up multi-factor authentication, and implementing other security measures.
  • Enable Azure China services: Before you can start using Azure services in China, you may need to apply for specific licenses and approvals.
  • Understand compliance requirements: As mentioned earlier, Azure China is subject to different regulatory and compliance requirements than Azure Global. It is important to ensure that your workloads meet these requirements and are in compliance with local laws and regulations.
    Understanding Terraform

    Terraform is an open-source tool that enables you to create, change, and version your infrastructure as code. With Terraform, you define your infrastructure components in a simple, declarative language and then apply those definitions to create and manage your cloud resources. This approach offers several benefits over traditional manual processes, including:

  • Automation – Terraform automates the creation and management of your infrastructure components, reducing the time and effort required to provision and configure resources.
  • Consistency – By using Terraform, you can ensure that your infrastructure components are consistent across all environments, reducing the risk of errors and inconsistencies.
  • Versioning – Terraform allows you to version your infrastructure components, making it easy to track changes and roll back to previous versions if necessary.
  • Collaboration – Terraform enables collaboration between teams, allowing multiple team members to work on the same infrastructure components simultaneously.
    To get started with Terraform, you will need to create a Terraform project and define your infrastructure components using the Terraform configuration language. This language is simple and declarative, making it easy to define your infrastructure components using a few lines of code.

    Setting Up Terraform for Azure China

    Terraform uses a concept called providers to interact with cloud platforms such as Azure. Providers are plugins that enable Terraform to interact with cloud resources using the cloud provider’s API. To use Terraform with Azure China, you will need to install the Azure provider plugin.

    The Azure provider enables the configuration of infrastructure in Microsoft Azure through the Azure Resource Manager APIs. However, connecting it to an Azure China account presents a challenge, specifically regarding authentication. Attempting to establish a connection using the examples found in the documentation pages is unlikely to succeed, because the Azure China API endpoints differ from the global Azure endpoints. To overcome this obstacle, it is necessary to set environment = "china" in the provider definition, as shown below:

    [Figure 1: provider definition with environment = "china"]
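The provider definition referred to above, written out here as an added example rather than the article's screenshot. The variable names mirror the TF_VAR_* names the article's pipeline exports; the version constraint, the default region and the resource group name are assumptions.

```hcl
# Added example, not the article's own code.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0" # assumed constraint
    }
  }
}

# Same names as the TF_VAR_* variables the CI pipeline exports.
variable "subscription_id" { type = string }
variable "tenant_id"       { type = string }
variable "client_id"       { type = string }
variable "client_secret" {
  type      = string
  sensitive = true # redacted from plan/apply output and CI logs
}
variable "region" {
  type    = string
  default = "chinanorth2" # assumed; must be an Azure China region
}

provider "azurerm" {
  # "china" switches the provider from the global endpoints to the Azure China
  # ones (e.g. management.chinacloudapi.cn and login.chinacloudapi.cn); without
  # it, even valid credentials fail to authenticate.
  environment     = "china"
  subscription_id = var.subscription_id
  tenant_id       = var.tenant_id
  client_id       = var.client_id
  client_secret   = var.client_secret
  features {}
}

# Every resource then lands in the chosen Azure China region.
resource "azurerm_resource_group" "landing_zone" {
  name     = "rg-landing-zone" # assumed name
  location = var.region
}
```

The same four ARM_* values can also be read by the provider directly from the ARM_SUBSCRIPTION_ID, ARM_TENANT_ID, ARM_CLIENT_ID and ARM_CLIENT_SECRET environment variables; passing them through variables, as the article's pipeline does, keeps the configuration explicit.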

    Additionally, if Azure CLI is being utilized, it is imperative to configure it to leverage the APIs of the China region. This can be achieved by executing the following command:

    $ az cloud set --name AzureChinaCloud


    Creating the Azure China Landing Zone Infrastructure

    An Azure Landing Zone is an Azure cloud infrastructure environment designed to provide a standardized and secure foundation for deploying Azure resources. It typically includes a set of pre-defined subscriptions and associated services that are specifically chosen to address the needs of the organization.
    The Azure Landing Zone we created follows the Microsoft-recommended Cloud Adoption Framework, which deploys infrastructure resources in Azure to establish the foundational controls needed to manage an organization’s cloud estate effectively.
    The framework enforces policies, deploys resources, and utilizes templates to instill confidence in organizations as they begin using Azure.


    The subscription architecture for this Landing Zone will be simplified, consisting of a Tenant Root Group that will serve as the management group. Under the Tenant Root Group, the Contoso management group will be established, which will contain the following groups:

  • Platform: This management group will encompass Identity, Management, and Connectivity subscriptions.
  • Production Landing Zone: This management group will facilitate different production landing zones for multiple applications, such as app1-production and app2-production.
  • Staging Landing Zone: This management group will facilitate various staging landing zones for multiple applications, such as app1-staging and app2-staging.
    [Figure 4: diagram of the management group hierarchy described above]
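The management group tree described above, as an added example that is not the article's own Terraform; it also assigns the built-in "Allowed locations" policy at the Contoso group, which is one way the framework enforces the data-residency requirement mentioned earlier. Assumed: an azurerm provider already configured with environment = "china", the platform_subscription_ids variable, the management group names, and the two region names.

```hcl
# Added example, not the article's own code.
variable "platform_subscription_ids" {
  description = "Identity, Management and Connectivity subscription ids (assumed variable)"
  type        = list(string)
  default     = []
}

# The Tenant Root Group's management-group id is the tenant id itself.
data "azurerm_client_config" "current" {}

resource "azurerm_management_group" "contoso" {
  name                       = "contoso" # assumed name
  display_name               = "Contoso"
  parent_management_group_id = "/providers/Microsoft.Management/managementGroups/${data.azurerm_client_config.current.tenant_id}"
}

resource "azurerm_management_group" "platform" {
  name                       = "contoso-platform" # assumed name
  display_name               = "Platform"
  parent_management_group_id = azurerm_management_group.contoso.id
  subscription_ids           = var.platform_subscription_ids
}

# One management group per environment; the app subscriptions
# (app1-production, app2-staging, ...) are attached to these later.
resource "azurerm_management_group" "landing_zones" {
  for_each = {
    production = "Production Landing Zone"
    staging    = "Staging Landing Zone"
  }
  name                       = "contoso-${each.key}-lz" # assumed name
  display_name               = each.value
  parent_management_group_id = azurerm_management_group.contoso.id
}

# Built-in "Allowed locations" policy, assigned at the Contoso root so every
# subscription beneath it can only create resources in Azure China regions.
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

resource "azurerm_management_group_policy_assignment" "china_only" {
  name                 = "china-regions-only"
  management_group_id  = azurerm_management_group.contoso.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  parameters = jsonencode({
    listOfAllowedLocations = { value = ["chinanorth2", "chinaeast2"] } # assumed regions
  })
}
```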

    Within each Azure subscription, we have deployed pre-defined services that are tailored to support the specific area that the subscription is intended to cover. These pre-defined services are organized into categories, including:

  • Identity Subscription: This subscription contains services related to identity management and authentication, such as Azure Active Directory, Azure AD Domain Services, and Azure AD Privileged Identity Management.
  • Management Subscription: This subscription is dedicated to tools and services for managing Azure resources and operations, such as Azure Resource Manager, Azure Policy, Azure Monitor, and Azure Automation.
  • Connectivity Subscription: This subscription provides connectivity services that enable communication and data transfer between Azure resources and external networks. Examples of services in this category include Azure ExpressRoute, Azure Virtual Network, and Azure Firewall.
  • Apps Subscriptions: These subscriptions include services and tools for developing and deploying each application on Azure, such as Azure App Service, Azure Functions, and Azure Kubernetes Service.
    By deploying these pre-defined services within each subscription, we ensure that the specific needs and requirements of each area are adequately addressed, and resources are utilized efficiently.

    Deploying Workloads to the Landing Zone

    Once you have defined your infrastructure components using Terraform, you can apply those definitions to your cloud environment to create and manage your resources. Terraform offers several commands to help you manage your infrastructure, including plan, validate, apply, and destroy. With these commands, you can preview changes, validate code, apply changes, and tear down resources when you no longer need them.

    In addition to Terraform’s commands, we have taken an additional step towards streamlining our workflow by incorporating continuous integration and continuous deployment (CI/CD) pipelines and pre-commit hooks. This enables developers to automatically conform to writing valid, well-documented code. We use Bitbucket pipelines to automate our CI/CD process.

    In a nutshell, our CI/CD pipeline consists of two steps, one for pull requests and one for the master branch. The pull request step validates the Terraform code, checks formatting, and ensures the required dependencies are installed. The master branch step does the same, but also applies the infrastructure changes to the cloud environment. This is achieved by setting the necessary environment variables and running the terraform apply command with the -auto-approve flag. The whole pipeline is explained in detail in the next section.

    Explaining the CI/CD Pipeline

    First, the pipeline defines the Docker image that will be used to run the pipeline. In this case, the image used is hashicorp/terraform:latest. This means that the pipeline will be run inside a Docker container based on the latest version of the HashiCorp Terraform image available on Docker Hub:

    image: hashicorp/terraform:latest

    Next, the pipeline defines two sections: one for pull requests and one for the master branch.

    pipelines:
      pull-requests:
        '**':                      # every pull request, whatever the source branch
          - step:
              script:
                - terraform init
                - terraform validate
                - terraform fmt -check
      branches:
        master:
          - step:
              script:
                # Azure CLI is installed into the Alpine-based Terraform image; the
                # package names (py-pip, python-dev) depend on the Alpine release in the image
                - apk update && apk add bash py-pip && apk add --virtual=build gcc libffi-dev musl-dev openssl-dev python-dev make && pip install azure-cli && apk del --purge build
                - terraform init
                - terraform validate
                # Service-principal credentials come from Bitbucket repository variables; keep ARM_CLIENT_SECRET marked as secured
                - export TF_VAR_subscription_id=$ARM_SUBSCRIPTION_ID
                - export TF_VAR_tenant_id=$ARM_TENANT_ID
                - export TF_VAR_client_id=$ARM_CLIENT_ID
                - export TF_VAR_client_secret=$ARM_CLIENT_SECRET
                - export TF_VAR_region=$ARM_REGION
                - terraform apply -auto-approve

    The pull-requests section applies to any pull requests made to the repository, while the branches section applies only to the master branch.

    For both sections, the pipeline defines a step that contains the actual commands that will be run when the pipeline is triggered.

    The script section contains a series of Bash commands that will be run inside the Docker container.

    For both the pull request and master branch sections, the pipeline starts by updating the Alpine package index and installing some packages required for the subsequent steps. Specifically, the pipeline installs Bash, pip, and the Azure CLI.

    The pipeline then initializes Terraform using the terraform init command. This command initializes the Terraform working directory and downloads any required providers and modules:

    – terraform init

    The pipeline then runs the terraform validate command to check the validity of the Terraform configuration files.

    – terraform validate

    The pipeline also checks that the Terraform configuration files are properly formatted using the terraform fmt -check command.

    – terraform fmt -check

    For the master branch section, the pipeline sets some environment variables using values from the corresponding Azure environment variables. Specifically, the pipeline sets the TF_VAR_subscription_id, TF_VAR_tenant_id, TF_VAR_client_id, TF_VAR_client_secret, and TF_VAR_region variables to the values of $ARM_SUBSCRIPTION_ID, $ARM_TENANT_ID, $ARM_CLIENT_ID, $ARM_CLIENT_SECRET, and $ARM_REGION, respectively.


    Finally, I would like to highlight that although we are using Bitbucket pipelines as our CI/CD provider in this context, the concept can certainly be replicated with other similar providers such as GitLab, GitHub, CircleCI, TravisCI, and others. The overall process and principles of CI/CD remain the same regardless of the specific tool or platform being used.


    How Rahi Can Support Businesses in Adopting Azure in China

    We are a global IT solutions provider that has extensive experience helping businesses adopt Azure in China.
    Our team of experts can provide a range of services to support your adoption of the Azure platform, including:

  • Cloud Assessment and Planning: Our experts can conduct a comprehensive assessment of your IT environment and business requirements to determine the best strategy for adopting Azure in China.
  • Cloud Migration: Our team can help you migrate your existing applications and data to Azure China, ensuring a smooth and efficient transition.
  • Managed Services: We provide ongoing managed services to ensure that your Azure China environments are optimized for performance and security and that any issues are quickly resolved.
    Our team has already helped many Western companies successfully adopt and integrate Azure in China, and we can also bring that expertise to your business. With our support, you can leverage the power of Azure to drive your digital transformation and grow your business in China.


    Building a Landing Zone in Azure China with Terraform provides several benefits for businesses operating in China. By using Azure China, businesses can comply with local regulations, access services optimized for China’s unique needs, and benefit from enhanced security and privacy measures. Using Terraform to automate infrastructure as code makes it easier to manage and scale infrastructure, reduce errors, and increase efficiency.


    Muktar is a full-stack engineer with over 19 years of experience and a passion for software development, which started at the age of 12 when he wondered whether he could make a computer program. That passion grew into a career. Today Muktar is a Cloud Solutions Architect at Rahi Systems. He also has a master’s degree in web technologies and certifications in AWS, GCP, and Alibaba Cloud.

