SMBs don't need a "big enterprise landing zone." They need the essentials done well.
The essentials
- Subscription boundaries: at minimum, separate production from non-production. A subscription is the scope at which RBAC, policy and billing attach, so this split is what keeps a non-prod mistake (or a non-prod credential) out of prod
- RBAC model: least privilege; grant roles to groups at the narrowest scope that works (usually the resource group), and treat "Owner" or "User Access Administrator" on a whole subscription as an exception you can list and justify
- Policies/guardrails: tagging, allowed regions, encryption, public exposure rules. Assign them in audit mode first and switch to deny once you understand what they would have blocked
- Logging baseline: activity logs and diagnostic settings for critical services, shipped to a central Log Analytics workspace with a defined retention, so an investigation never depends on logs that were never collected
- Naming convention: predictable, searchable resource naming (environment and application visible in the name)
- Backup and recovery posture: defined retention plus a restore that has actually been exercised, not just a backup job that reports success
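The guardrail items above, as an added example that is not from the original post: a single Bicep file deployed at subscription scope that assigns the built-in "Allowed locations" and "Require a tag on resources" definitions and adds one custom rule for public exposure (storage accounts must have public network access disabled). The region list, the `owner` tag name, the `lz-` resource names and the audit-first default are assumptions for the example; the two built-in definition GUIDs are the well-known ones but should be verified in your own tenant as shown in the comments.

```bicep
// Added example (not from the original post): minimal subscription-scope
// guardrails for an SMB landing zone. Region list, tag name, resource names
// and the Audit default are assumptions, not values from the article.
targetScope = 'subscription'

@description('Regions resources may be created in (assumed values).')
param allowedLocations array = [
  'westeurope'
  'northeurope'
]

@description('Tag every resource must carry so "who owns this?" is answerable.')
param requiredTagName string = 'owner'

@description('Audit first in non-prod; pass Deny for production once the noise is understood.')
@allowed([
  'Audit'
  'Deny'
])
param storageEffect string = 'Audit'

// Built-in definition IDs. Verify they exist in your tenant before relying on them:
//   az policy definition show --name e56962a6-4747-49cd-b67b-bf8b01975c4c   (Allowed locations)
//   az policy definition show --name 871b6d14-10aa-478d-b590-94f262ecfa99   (Require a tag on resources)
var allowedLocationsDefId = tenantResourceId('Microsoft.Authorization/policyDefinitions', 'e56962a6-4747-49cd-b67b-bf8b01975c4c')
var requireTagDefId = tenantResourceId('Microsoft.Authorization/policyDefinitions', '871b6d14-10aa-478d-b590-94f262ecfa99')

// Custom public-exposure rule. notEquals also fires when the property is
// absent, which is intended: Azure defaults publicNetworkAccess to Enabled
// when it is omitted, so "missing" must be treated as exposed.
// Bicep escapes the leading '[' so the expression reaches Azure Policy intact.
resource storagePublicAccess 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
  name: 'lz-storage-public-network-access'
  properties: {
    displayName: 'Storage accounts should disable public network access'
    policyType: 'Custom'
    mode: 'Indexed'
    parameters: {
      effect: {
        type: 'String'
        allowedValues: [
          'Audit'
          'Deny'
        ]
        defaultValue: 'Audit'
      }
    }
    policyRule: {
      if: {
        allOf: [
          {
            field: 'type'
            equals: 'Microsoft.Storage/storageAccounts'
          }
          {
            field: 'Microsoft.Storage/storageAccounts/publicNetworkAccess'
            notEquals: 'Disabled'
          }
        ]
      }
      then: {
        effect: '[parameters(\'effect\')]'
      }
    }
  }
}

resource allowedLocationsAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'lz-allowed-locations'
  properties: {
    displayName: 'Landing zone: allowed locations'
    policyDefinitionId: allowedLocationsDefId
    parameters: {
      listOfAllowedLocations: {
        value: allowedLocations
      }
    }
  }
}

resource requireOwnerTagAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'lz-require-owner-tag'
  properties: {
    displayName: 'Landing zone: require ${requiredTagName} tag'
    policyDefinitionId: requireTagDefId
    parameters: {
      tagName: {
        value: requiredTagName
      }
    }
  }
}

resource storagePublicAccessAssignment 'Microsoft.Authorization/policyAssignments@2022-06-01' = {
  name: 'lz-storage-public-access'
  properties: {
    displayName: 'Landing zone: storage public network access'
    policyDefinitionId: storagePublicAccess.id
    parameters: {
      effect: {
        value: storageEffect
      }
    }
  }
}
```

Deploy it once per subscription, for example `az deployment sub create --location westeurope --template-file guardrails.bicep` for non-prod and the same command with `--parameters storageEffect=Deny` for production, which gives you the prod/non-prod boundary and the audit-then-deny rollout in one file. Two caveats a practitioner should check in the portal compliance view after the first run: the built-in "Require a tag on resources" does not evaluate resource groups (there is a separate built-in for those), and "Allowed locations" deliberately skips global resources, so neither assignment proves the whole estate is covered on its own.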
Common overkill
- Over-engineered hub/spoke early (unless you truly need it)
- Too many subscriptions before governance is mature: every extra subscription is another place where RBAC, policy assignments and log collection have to be set up and kept consistent
- Policies so strict that teams work around them, which turns a guardrail into a blind spot
A good outcome
A good landing zone means:
- You can answer "who owns this resource?"
- You can see costs per app/environment
- You can deploy safely without creating security debt