Cloud Landing Zone



A Cloud Landing Zone is a structured way to build cloud infrastructure; it provides best practices and guidelines for deploying workloads in a cloud environment. A Cloud Landing Zone uses the provider's cloud adoption framework to perform a cloud migration or build a new cloud environment, which can then be customized further to meet the requirements of an organization.

A Landing Zone design provides specific guidance for building a multi-account, resilient, scalable, modular and secure starting point for deploying workloads with any cloud service provider, such as Azure, AWS, Google Cloud or OCI.

In this blog post, we will explore a few implementation options and benefits of Azure and AWS Landing Zones.

How does it work?

Whether we are building a new cloud environment or moving from a legacy one, we can start by building a Cloud Landing Zone. A Landing Zone allows you to quickly set up a cloud environment using automation, including best-practice configurations for security, so you can focus on your core business.

Here the Enterprise Architect and the Cloud Architect have to work together and think through the design areas.

Below are a few key components to consider when building a Landing Zone strategy.

  1. Identify business goals, and define business drivers and business outcomes.
  2. Account Provisioning: Organize cloud resources into logical resource groups, subscriptions or accounts based on business units, resource isolation, billing, access control or subscription limits. Isolating resources improves security and makes resource management easier.
  3. Enforce Governance & Policy: Policies set guardrails for all cloud resources and services. This ensures centralized policy management and avoids misconfigurations.
  4. IAM (Identity and Access Management): Implement role-based access control (RBAC) to manage permissions and access to cloud services.
  5. Identify the industry standards and regulations that apply.
  6. Network: Identify network segmentation and handle network connectivity between on-premises resources and the cloud. This includes setting up virtual networks, subnets, VPNs, gateways and network appliances.
  7. Monitoring: The Landing Zone ensures the performance and reliability of resources by establishing monitoring, analysis, logging and alerting mechanisms using the provider's native monitoring services.
  8. IaC: Provisioning and managing resources is automated using Infrastructure as Code (IaC) tools like ARM templates, Terraform or AWS CloudFormation. These templates are used to deploy resources consistently across environments as per business needs.
  9. Agility: A Cloud Landing Zone helps the business deploy workloads faster compared to manual deployment and configuration.
  10. Scalability: Cloud Landing Zones are designed to scale resources easily and efficiently, ensuring that applications can handle varying workloads as business needs evolve.
  11. Resilience: Landing Zone templates help an organization leverage cloud-native services and build fault-tolerant systems quickly.
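The Terraform configuration below is an added example, not code from the post, showing how components 2, 3, 4 and 8 above fit together on Azure: a management group that groups the workload subscriptions, the built-in "Allowed locations" policy assigned at that scope as a guardrail (the built-in definition denies non-compliant deployments), a custom policy that audits resource groups missing a cost-center tag, and an RBAC role assignment at the same scope so permissions are inherited by every subscription underneath. The management group name, the allowed regions and the group object ID are placeholders, and the configuration assumes the azurerm 3.x provider and an identity that can create management groups in the tenant.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

provider "azurerm" {
  features {}
}

# Placeholder inputs (constructed for this example, not values from the post)
variable "landing_zone_mg_name" {
  default = "lz-workloads" # hypothetical management group name
}
variable "security_readers_object_id" {
  default = "00000000-0000-0000-0000-000000000000" # placeholder Entra ID group object id
}
variable "allowed_locations" {
  default = ["westeurope", "northeurope"]
}

# 2. Account provisioning: one management group that holds the workload subscriptions,
#    so policy and RBAC applied here are inherited by every subscription under it
resource "azurerm_management_group" "workloads" {
  display_name = var.landing_zone_mg_name
}

# 3. Governance: assign the built-in "Allowed locations" policy as a guardrail.
#    The data source looks the definition up by display name (assumed unique).
data "azurerm_policy_definition" "allowed_locations" {
  display_name = "Allowed locations"
}

resource "azurerm_management_group_policy_assignment" "allowed_locations" {
  name                 = "allowed-locations"
  management_group_id  = azurerm_management_group.workloads.id
  policy_definition_id = data.azurerm_policy_definition.allowed_locations.id
  enforce              = true # enforce (deny) rather than DoNotEnforce
  parameters = jsonencode({
    listOfAllowedLocations = { value = var.allowed_locations }
  })
}

# 3. Governance: a custom policy in audit mode, the usual first step before
#    switching an effect to deny once compliance is understood
resource "azurerm_policy_definition" "require_cost_center" {
  name                = "require-cost-center-tag"
  policy_type         = "Custom"
  mode                = "All" # "All" is required to evaluate resource groups
  display_name        = "Resource groups must carry a costCenter tag"
  management_group_id = azurerm_management_group.workloads.id
  policy_rule = jsonencode({
    if = {
      allOf = [
        { field = "type", equals = "Microsoft.Resources/subscriptions/resourceGroups" },
        { field = "tags['costCenter']", exists = "false" }
      ]
    }
    then = { effect = "audit" }
  })
}

resource "azurerm_management_group_policy_assignment" "require_cost_center" {
  name                 = "require-cost-center"
  management_group_id  = azurerm_management_group.workloads.id
  policy_definition_id = azurerm_policy_definition.require_cost_center.id
}

# 4. IAM: least-privilege RBAC at management-group scope; the security team's group
#    gets read-only visibility over every subscription without per-subscription grants
resource "azurerm_role_assignment" "security_readers" {
  scope                = azurerm_management_group.workloads.id
  role_definition_name = "Reader"
  principal_id         = var.security_readers_object_id
}
```

Assigning at management-group scope is what makes the guardrail effective for new subscriptions: a subscription moved under the group picks up both the deny and the audit policy without any extra configuration, and the compliance view in Azure Policy shows which existing resources the audit policy flags.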

A well-executed cloud landing zone strategy helps organizations accelerate their cloud adoption journey, reduce security risks, optimize costs and improve operational efficiency, so that the organization can concentrate on innovation and its core business. It also provides a foundation for future cloud deployments and aligns the cloud environment with business goals and requirements.

How to build a cloud landing zone?

A landing zone cannot be implemented at the push of a button; it is prepared differently for each organization based on organization size, application portfolio, industry, regulatory compliance requirements and cloud provider. An organization can collaborate with a CSP partner or build it on its own with in-house expertise.

Organizations implement the Cloud Adoption Framework for building Landing Zones provided by cloud providers like AWS, Azure and GCP. These frameworks describe the key concepts, design principles, implementation options and best practices for designing and running workloads in the cloud.

Account creation can be single-account or multi-account. If you are new to the cloud, start fresh with a single account and grow based on future requirements. Multiple accounts are created when workload isolation is required for administrative purposes, data security, billing, resource provisioning limits or other specific business needs.

In a cloud adoption journey, after doing an initial assessment of the application inventory, an organization may plan to retire applications that are no longer used and migrate the rest with a modification or modernization approach (re-host, re-factor or re-architect). The organization should also decide whether any applications should be replaced with SaaS applications.

Azure Landing Zone

Azure Landing Zone (ALZ) is implemented using the Cloud Adoption Framework. An Azure Landing Zone provides a ready-made environment where we can start building the architecture using best practices and migrate our workloads quickly and securely. We can further configure and expand the environment based on organization requirements.

We can create our first Landing Zone in Azure by using Blueprints. Start with a blank Blueprint, or use the CAF (Cloud Adoption Framework) and Migration Landing Zone templates from the samples in the Azure Portal.

Provide the location to set up the Landing Zone environment, and add role, policy and resource group assignments at the subscription level. Once the Blueprint is created, we can edit it and add the required resources and artifacts.

Landing Zone Approach

There are two types of approach:

  1. Start small and expand

This approach is ideal for organisations that plan to gradually expand their use of Microsoft Azure. Once the foundation environment is built, we can start by migrating non-critical workloads first; after testing, other workloads can be moved in phases.

  2. Enterprise-ready Azure Landing Zones

Larger businesses may need a fully-fledged environment where all mission-critical workloads need to be migrated into Azure. This might involve organizations with a presence in multiple locations working in hybrid models. Azure provides enterprise-scale Landing Zones for various deployment needs.

An Azure Landing Zone consists of platform landing zones and application landing zones. Platform landing zones are the shared-services subscriptions: an identity subscription with identity controls, a network connectivity subscription, and a management subscription consisting of monitoring tools, storage and Key Vault (refer to the image below). An application landing zone is a subscription for hosting an application.

Source: Azure Landing Zone Conceptual Architecture.

In this scenario we take an existing Azure environment with a single subscription and a single VNet, with applications deployed in separate resource groups. As the business grows, there is a requirement to have multiple subscriptions to isolate resources for reasons like policy, security and connectivity. Now let's migrate to the enterprise-scale architecture approach.

Below is an example of an existing Azure environment transitioning into the Azure landing zone conceptual architecture.

  • Review the Azure landing zone conceptual architecture.
  • Review the Azure landing zone design areas.
  • Deploy the Azure landing zone accelerator into the same Azure AD tenant.
  • Migrate the workloads deployed in the original subscription into new Azure subscriptions.
  • Review the policy section.
  • Move the existing Azure subscription to the decommissioned management group.
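As an added illustration of the transition steps above (not the post's own code, and not the ALZ accelerator itself), the Terraform below lays down the target shape described in the conceptual architecture: platform, landing-zones and decommissioned management groups, the connectivity subscription under platform, the new application subscription under landing-zones, the original subscription parked under decommissioned, and a hub VNet in the connectivity subscription peered both ways with a spoke VNet in the application subscription. All subscription IDs, names and address ranges are constructed placeholders; the configuration assumes the azurerm 3.x provider and rights to create management groups and move subscriptions.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.0" }
  }
}

# Placeholder subscription ids (constructed for this example, not from the post)
locals {
  connectivity_sub = "11111111-1111-1111-1111-111111111111"
  app_sub          = "22222222-2222-2222-2222-222222222222"
  legacy_sub       = "33333333-3333-3333-3333-333333333333" # the original single subscription
  location         = "westeurope"
}

# Default provider for tenant-level objects; one alias per subscription for resources
provider "azurerm" {
  features {}
}
provider "azurerm" {
  alias           = "connectivity"
  subscription_id = local.connectivity_sub
  features {}
}
provider "azurerm" {
  alias           = "app"
  subscription_id = local.app_sub
  features {}
}

# Management groups; with no parent given they sit directly under the tenant root group
resource "azurerm_management_group" "platform" {
  display_name = "platform"
}
resource "azurerm_management_group" "landing_zones" {
  display_name = "landing-zones"
}
resource "azurerm_management_group" "decommissioned" {
  display_name = "decommissioned"
}

# Subscription placement: platform services, the new application landing zone,
# and the original subscription moved to "decommissioned" once its workloads are migrated
resource "azurerm_management_group_subscription_association" "connectivity" {
  management_group_id = azurerm_management_group.platform.id
  subscription_id     = "/subscriptions/${local.connectivity_sub}"
}
resource "azurerm_management_group_subscription_association" "app" {
  management_group_id = azurerm_management_group.landing_zones.id
  subscription_id     = "/subscriptions/${local.app_sub}"
}
resource "azurerm_management_group_subscription_association" "legacy" {
  management_group_id = azurerm_management_group.decommissioned.id
  subscription_id     = "/subscriptions/${local.legacy_sub}"
}

# Connectivity subscription: the hub network shared by all application landing zones
resource "azurerm_resource_group" "hub" {
  provider = azurerm.connectivity
  name     = "rg-hub"
  location = local.location
}
resource "azurerm_virtual_network" "hub" {
  provider            = azurerm.connectivity
  name                = "vnet-hub"
  location            = local.location
  resource_group_name = azurerm_resource_group.hub.name
  address_space       = ["10.0.0.0/16"]
}

# Application landing zone: its own spoke network, peered to the hub in both directions
resource "azurerm_resource_group" "app" {
  provider = azurerm.app
  name     = "rg-app"
  location = local.location
}
resource "azurerm_virtual_network" "spoke" {
  provider            = azurerm.app
  name                = "vnet-app-spoke"
  location            = local.location
  resource_group_name = azurerm_resource_group.app.name
  address_space       = ["10.1.0.0/16"] # must not overlap the hub range
}
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  provider                  = azurerm.connectivity
  name                      = "hub-to-app-spoke"
  resource_group_name       = azurerm_resource_group.hub.name
  virtual_network_name      = azurerm_virtual_network.hub.name
  remote_virtual_network_id = azurerm_virtual_network.spoke.id
}
resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  provider                  = azurerm.app
  name                      = "app-spoke-to-hub"
  resource_group_name       = azurerm_resource_group.app.name
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = azurerm_virtual_network.hub.id
}
```

Moving the original subscription under the decommissioned management group is the last step for a reason: any policies assigned to that group (for example a deny on new deployments) take effect on the subscription as soon as the association is applied, so the workloads must already be running in the new application subscription.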

AWS Landing Zones

AWS uses AWS Control Tower to create and provision landing zones. AWS Control Tower is an AWS-managed, pre-packaged service that provides a multi-account environment, pre-configured security rules, a Service Catalog, guardrails and a centralized dashboard for monitoring AWS resources. We can set up Control Tower for an existing or a new organization.

We can start building the Landing Zone with AWS Control Tower and add additional services on top of the Landing Zone deployment as per business needs.

AWS Control Tower creates 4 shared accounts (Management Account, Log Archive Account, Security Account and Provisioned Account), 4 roles and around 20 guardrails. Once we set up AWS Control Tower, costs will be incurred for the resources it deploys.
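One way to build on top of the Control Tower landing zone, as an added example that is not the post's or AWS's own code: after Control Tower has created the organization and its OUs, Terraform looks up an OU by name and enables additional guardrails on it beyond the mandatory set. The OU name is hypothetical, the home region is assumed to be us-east-1, and the three control names are taken from the Control Tower control library as I recall it, so they should be checked against the console before use; the configuration assumes the AWS provider 5.x and credentials in the management account.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

provider "aws" {
  region = "us-east-1" # assumed Control Tower home region
}

# The organization that Control Tower manages, and the OUs directly under its root
data "aws_organizations_organization" "this" {}

data "aws_organizations_organizational_units" "root" {
  parent_id = data.aws_organizations_organization.this.roots[0].id
}

locals {
  target_ou_name = "Workloads" # hypothetical OU holding the provisioned accounts

  # Resolve the OU ARN by name; one() fails the plan if the OU is missing or ambiguous,
  # which is preferable to silently attaching controls to the wrong target
  target_ou_arn = one([
    for ou in data.aws_organizations_organizational_units.root.children : ou.arn
    if ou.name == local.target_ou_name
  ])

  # Additional guardrails to enable on the OU (names assumed from the control library):
  # encrypted EBS volumes, no unrestricted SSH, encrypted RDS storage
  extra_controls = [
    "AWS-GR_ENCRYPTED_VOLUMES",
    "AWS-GR_RESTRICTED_SSH",
    "AWS-GR_RDS_STORAGE_ENCRYPTED",
  ]
}

# Each control is enabled on the whole OU, so every account provisioned into it
# (now or later through Account Factory) inherits the guardrail
resource "aws_controltower_control" "extra" {
  for_each           = toset(local.extra_controls)
  control_identifier = "arn:aws:controltower:us-east-1::control/${each.value}"
  target_identifier  = local.target_ou_arn
}
```

Enabling controls at the OU level rather than per account is what keeps the landing zone consistent as it grows: a new account enrolled into the OU is covered immediately, and the Control Tower dashboard reports non-compliant resources per control.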
