Cloud Landing Zone Guide

Powerlearnings | March 26, 2021 (last modified April 8th, 2021)

Written by Aparna M, Associate Solutions Architect at Powerupcloud Technologies

The Cloud is the backbone and foundation of digital transformation in its many forms. When planning a cloud migration and an adoption strategy, it is important to create an effective operational and governance model that is connected to business goals and objectives. At this point, building an efficient cloud landing zone plays a big role. In this article, we will take a deeper look into why having a cloud landing zone is a key foundation block in the cloud adoption journey.

What is Cloud Landing Zone?

A landing zone is defined as ‘a configured environment with a standard set of secured cloud infrastructure, policies, best practices, guidelines, and centrally managed services’. It helps customers quickly set up a secure, multi-account cloud environment based on industry best practices. With a large number of design choices, setting up a multi-account environment can take a significant amount of time, involving the configuration of multiple accounts and services, which requires a deep understanding of the cloud provider’s services (AWS/GCP/Azure).

This solution saves time by automating the set-up of an environment for running secure and scalable workloads, while implementing an initial security baseline through the creation of core accounts and resources.

Why a Landing Zone?

As large customers move towards the cloud, their main concerns are security, time constraints and cost. AWS Landing Zone is a service that helps set up a secure, multi-account AWS environment that follows best practices. With so many design choices, it is good to start without wasting time on configuration and with minimal cost. It saves time by automating the setup of an environment that can run secure and scalable workloads.

Fundamentals of the Landing Zone when Migrating to the Cloud:

Before you even decide on which cloud provider to use (such as AWS, GCP or Azure), it is important to assess certain basic considerations:

1. Security & Compliance

A landing zone allows you to enforce security at the global and account level, through a security baseline with preventative and detective controls. Company-wide compliance and data residency policies can be implemented with landing zones. As part of this process, a consistent architecture is deployed for concerns such as edge security, threat management, vulnerability management, transmission security, and others.

2. Standardized Tenancy

A landing zone provides a framework for creating and baselining a multi-account environment. Automating the multi-account environment saves setup time, while also implementing the initial security baseline for any digital environment you are going to use. The automated multi-account structure covers security, audit, and shared service requirements. It lets you enforce tagging policies across multiple cloud tenants and provide standardized tenants for different security profiles (dev/staging/prod).

3. Identity and Access Management

Implement the principle of least privilege by defining roles and access policies, and implement SSO for cloud logins.

4. Networking

Designing and implementing cloud networking capabilities is a critical part of your cloud adoption efforts. Networking is composed of multiple products and services that provide different networking capabilities, and the implementation must include measures to ensure the network is highly available, resilient, and scalable.

5. Operations

Centralize logging from the various accounts by leveraging the cloud provider’s services. Configure automated backups and set up DR using cloud-native tools. Configure monitoring and alerts for cost management, reactive scalability, and reliability. Automate regular patching of servers.

Benefits of the Cloud Landing Zone:

  • Automated environment setup
  • Speed, scalability and governance in a multi-account environment
  • Security and compliance
  • Flexibility
  • Reduced operational costs

Best Practices of the Cloud Landing Zone

  • Organizations Master Account: The root account that provisions and manages member accounts at the organization level under the Organizations service.
  • Core Accounts in an Organizational Unit: This provides essential functions that are common to all the accounts under the Organization, such as log archive, security management, and shared services like the directory service.
  • Team/Group Accounts in Organizational Units: Teams and groups are logically grouped under a Teams OU. These accounts are designated for individual business units at the granularity of the team or group level. For example, a set of Team accounts may consist of the team’s shared services account, development account, pre-production account, and production account.
  • Developer Accounts: Enterprises should have separate “sandboxes” or developer accounts for individual learning and experimentation, as a best practice.
  • Billing: An account is the only way to separate items at the billing level. The multi-account strategy creates separate billable items across business units, functional teams, or individual users.
  • Quota Allocation: Service provider quotas are set on a per-account basis. Separating workloads into different accounts gives each account (such as a project) a well-defined, individual quota.
  • Multiple Organizational Units (OUs): OUs are designated for individual business units at the granularity of the team or group level, with the team’s Shared Services, Development, Pre-Production and Production accounts grouped under one OU.
  • Connectivity: You can also choose the type of connection you want to use. By setting up networking patterns and combining them with external data centers, you can create a hybrid system or a multi-cloud-driven adoption.
  • Security Baseline:
    • All accounts send logs to a centrally managed log archive account.
    • A central VPC for all accounts, using peering where applicable.
    • A configured password policy.
    • Cross-account access with limited permissions.
    • Alarms/events configured to send notifications on root account login and API authentication failures.
  • Automation: Automation ensures that your infrastructure is set up in a way that is repeatable and can evolve as your use is refined and demands grow.
  • Tagging: Tagging resources helps the customer in many ways, for example cost analysis and optimization.
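Two of the baseline items above, limited-permission cross-account access and alarms on root logins and API authentication failures, can be turned into concrete checks. The following Python is an added example for this article, not Powerupcloud’s code and not part of AWS Landing Zone: it reviews a constructed cross-account role policy for wildcard grants, and triages constructed CloudTrail records for the conditions the baseline says should notify someone. The CloudTrail field names (`eventName`, `userIdentity.type`, `errorCode`, `responseElements.ConsoleLogin`) are those of the CloudTrail record format, and the error-code matching mirrors the CIS AWS Foundations Benchmark metric filter for unauthorized API calls; the account id `111111111111` and all records are placeholders.

```python
"""Landing-zone security baseline checks (added example, constructed data)."""
from typing import Any

# ---- 1. least-privilege review of a cross-account role's permissions ----

def _as_list(value: Any) -> list:
    """IAM allows Action/Resource to be a string or a list; normalise."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    """Describe*/Get*/List* calls often require Resource '*' and change
    nothing, so a wildcard resource on them alone is not flagged."""
    _, _, verb = action.partition(":")
    return verb.startswith(("Describe", "Get", "List"))


def find_overbroad_statements(policy: dict) -> list[str]:
    """Return Sids of Allow statements granting '*' or 'service:*' actions,
    or Resource '*' together with a non-read-only action."""
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        wildcard_action = any(a == "*" or a.endswith(":*") for a in actions)
        wildcard_resource = ("*" in _as_list(stmt.get("Resource"))
                             and not all(_is_read_only(a) for a in actions))
        if wildcard_action or wildcard_resource:
            flagged.append(sid)
    return flagged


SAMPLE_CROSS_ACCOUNT_POLICY = {  # constructed; 111111111111 is a placeholder
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadLogArchive", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-log-archive",
                      "arn:aws:s3:::example-log-archive/*"]},
        {"Sid": "DescribeOnly", "Effect": "Allow",
         "Action": "ec2:DescribeInstances", "Resource": "*"},
        {"Sid": "WildcardService", "Effect": "Allow", "Action": "iam:*",
         "Resource": "arn:aws:iam::111111111111:role/app-*"},
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# ---- 2. CloudTrail triage for the baseline alarms -----------------------

ROOT_CONSOLE_LOGIN = "root-console-login"
CONSOLE_LOGIN_FAILURE = "console-login-failure"
API_AUTH_FAILURE = "api-authentication-failure"


def triage_cloudtrail(records: list[dict]) -> list[dict]:
    """Return one finding per alarm condition met, in record order."""
    findings = []
    for rec in records:
        identity = rec.get("userIdentity") or {}
        base = {"eventID": rec.get("eventID"), "eventName": rec.get("eventName"),
                "principal": identity.get("arn") or identity.get("type")}
        if rec.get("eventName") == "ConsoleLogin":
            outcome = (rec.get("responseElements") or {}).get("ConsoleLogin")
            if identity.get("type") == "Root":  # any root use is notable
                findings.append({**base, "kind": ROOT_CONSOLE_LOGIN, "outcome": outcome})
            if outcome == "Failure":
                findings.append({**base, "kind": CONSOLE_LOGIN_FAILURE})
            continue
        code = rec.get("errorCode") or ""
        # Same pattern as the CIS "unauthorized API calls" metric filter.
        if code.startswith("AccessDenied") or code.endswith("UnauthorizedOperation"):
            findings.append({**base, "kind": API_AUTH_FAILURE, "errorCode": code})
    return findings


SAMPLE_CLOUDTRAIL_RECORDS = [  # constructed; not real account activity
    {"eventID": "evt-1", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventID": "evt-2", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventID": "evt-3", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/ReadOnly/ops"}},
    {"eventID": "evt-4", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventID": "evt-5", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/App/web"},
     "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    print("overbroad statements:", find_overbroad_statements(SAMPLE_CROSS_ACCOUNT_POLICY))
    for finding in triage_cloudtrail(SAMPLE_CLOUDTRAIL_RECORDS):
        print(finding)
```

In a landing zone the same two checks would run against real inputs: the policy review over the role documents that the account baseline attaches, and the triage over the CloudTrail logs that every account ships to the central log archive account, which is the place where a notification on root login or authentication failure can be raised for all accounts at once.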

Cloud Landing Zone Life Cycle

Let’s talk about the different phases of a landing zone’s lifecycle:

  • Design
  • Deploy
  • Operate

In software development you often hear the terms

“Day 0/Day 1/Day 2”

These refer to different phases in the life of a piece of software: from specification and design (Day 0) to development and deployment (Day 1) to operations (Day 2). For this blog post, we are going to use this terminology to describe the phases of the landing zone lifecycle.

Designing a Landing Zone (Day 0)

Regardless of the deployment option, you should carefully consider each design area. Your decisions affect the platform foundation on which each landing zone depends. A well-designed landing zone should take care of four aspects in the cloud:

  1. Security and Compliance
  2. Standardized tenancy
  3. Identity and access management
  4. Networking

Deploying a Landing Zone (Day 1)

When it comes to customizing and deploying a landing zone according to the design and specifications determined during the design phase, the implementation of the landing zone concept is handled differently by every public cloud service provider.

Amazon Web Services: The solution provided by AWS is called AWS Landing Zone. It helps customers set up a multi-account architecture more quickly, with an initial security baseline, identity and access management, governance, data security, network design, and logging. AWS offers three options for creating your landing zone: a service-based landing zone using AWS Control Tower, a CloudFormation solution, and a customized landing zone that you build yourself.

Microsoft Azure: The solution provided by Azure is called the Cloud Adoption Framework. A major tool is Azure Blueprints: you can choose and configure migration and landing zone blueprints within Azure to set up your cloud environments. As an alternative, you can use third-party tools such as Terraform.

Google Cloud Platform: The solution provided by Google Cloud is called Google Deployment Manager. You configure your deployments in a declarative format using YAML, or Python and Jinja2 templates.

Operations (Day 2):

Managing and operating with landing zones is an ongoing effort. The objective of the operations workstream is to review your current operational model and develop an operations integration approach that supports future-state operating models as you migrate to the cloud. Infrastructure-as-Code is used to ensure that your configurations are managed in a repeatable way, evolving through DevOps disciplines and tooling. This phase also covers leveraging logging solutions such as Splunk, Sumo Logic or ELK, and implementing backup and patching using the cloud provider’s services or tools. Planning and designing disaster recovery plays a very important role in ensuring high availability of the infrastructure.

Our Experience with Cloud Landing Zone:

We at Powerup ensure seamless migration to the cloud using trusted, best-in-class cloud migration tools, integrating existing operational capabilities, and leveraging the most powerful and best-integrated tooling available for each platform.

Many of our customers use the landing zone concept. One such example is a customer who wanted to set up separate AWS accounts to meet the different needs of their organization. Although multiple accounts simplify operational issues and provide isolation by function, configuring the baseline security practices takes manual effort. To save time and effort in creating new accounts, we use the Account Vending Machine (AVM), a key component of AWS Landing Zone. The AVM is provided as an AWS Service Catalog product, which allows customers to create new AWS accounts pre-configured with an account security baseline: monitoring, logging, security, and compliance are configured during account setup. This helps customers reduce both infrastructure setup and operations costs, and takes minimal effort to set up the infrastructure.
