
Ministry of Justice Azure Landing Zone (ALZ)

What is the Ministry of Justice Azure Landing Zone?

The Ministry of Justice (MoJ) Azure Landing Zone (ALZ) is a secure space within the MoJ Azure Enterprise Agreement (EA) where teams can host services and data classified up to OFFICIAL. It provides a compliant, ready-to-use environment for building and running workloads in Microsoft Azure.

Our ALZ Strategy is available for internal users.


What is a Spoke?

A spoke is a logical container within the MoJ Azure Enterprise Agreement. Each spoke contains one or more subscriptions that run workloads. These workloads include standard services to reduce lead time.

Key points about spokes:

  • Paid for directly by the requesting service or project (no recharge model).
  • Requires a purchase order (PO) before requesting.
  • Created by the ALZ team and handed over to the spoke owner.
  • The ALZ team provides fourth line support.

Standard Services in a Spoke

Every spoke includes:

  • One workload and associated subscription.
  • Network connections to the ALZ Hub (mandatory for secure connectivity).

Spoke owners cannot modify or remove these core components.


Networking

All workloads in a spoke connect to the ALZ Hub, enabling:

  • Secure internet access and identity management.
  • Communication with other ALZ components or, in some cases, the wider MoJ.
  • Access to ALZ services such as Azure Bastion for secure server access.

Additional connections can be requested through the demand process.


Workload Resources

ALZ deploys resources to make it easy to opt into features. Most use a Pay As You Go (PAYG) model and incur minimal cost unless actively used.

Typical resources include:

  • Key Vault – Secure storage for secrets and certificates.
  • Log Analytics Workspace – Stores and queries logs (PAYG).
  • Automation Account – Virtual machine automation and patching (opt-in).
  • Azure Monitor – Pre-configured monitoring workbooks.
  • Recovery Services Vault – Backup and recovery for virtual machines.
  • Storage Accounts – For diagnostics and virtual machine boot logs.

Cost Considerations

Most resources incur negligible costs if not actively used. Once features are enabled or resources are utilized, costs will increase. At a certain point, services can be moved from PAYG to a reserved or forecasted billing model to help reduce costs.


What Can I Do with a Spoke?

Spoke owners can:

  • Authorize accounts to create, manage, or destroy workloads and resources.
  • Build and host services securely while meeting compliance standards.
  • Use ALZ connectivity for identity management.

Important:

With autonomy comes responsibility. Spoke owners manage spend, cost optimization, and best practices. ALZ provides guidance and tools, but global security policies cannot be bypassed. Any exceptions must be authorized and documented in collaboration with the ALZ team.

Spoke owners can use as many or as few of the standard features provided by ALZ once resources are deployed. Further information on opting in to these features is available.


The ALZ Hub

The ALZ Hub is a set of resources maintained by the ALZ team. It provides:

  • Network routing to the internet.
  • Connectivity to other ALZ resources or MoJ systems (by request).
  • Transparent services for spokes without additional configuration.

All workloads within a spoke are peered to the hub, enabling secure communication and access to shared services.

This page was last reviewed on 6 January 2026. It needs to be reviewed again on 6 July 2026.