Amazon brought landing zones to the forefront when it launched the AWS Landing Zone and subsequently introduced a highly automated approach to building them. They are commonly touted as the start of your cloud journey; however, the theme of a landing zone is common across the hybrid estate and equally applies to all cloud vendors. Certainly, it is a key component in the start of your cloud strategy but to consider it purely as such presents challenges for the future state of your environments.
The key components of a good landing zone are common to traditional environments hosted in your own data center as well as any cloud provider; we just have some unique constructs in the cloud to take into consideration:
- Standardized account or tenancy – How you define the account or tenancy and structure it to enforce both security and accountability across your organization as your consumption of cloud services grows. Tagging policies to ensure that you can control spend and properly attribute it across the organization.
- Identity and access management – Defining your user ID configurations, access, and password standards. Creating roles and policies to enforce access controls so users can only do what they need to and nothing more.
- Security – This cuts across all layers of a landing zone so it cannot simply be treated as a standalone subject; but there are some additional items that need to be considered, such as compliance and data residency. Secure by design and control needs to be at the heart of everything that is done. Plan for a centralized security and logging approach, giving you a single pane of glass over multiple accounts or environments.
- Networking – How you structure your networks, security groups, and connectivity requirements. Do you need elements such as web application firewalls in front of your infrastructure, is a cloud access security broker applicable to your use of the environment?
- Automation – Infrastructure-as-Code to ensure that your configurations are managed in a repeatable way, evolving via DevOps disciplines and tooling.
Having these items worked through before you start deploying, irrespective of your infrastructure, will mean that your first deployments can give the confidence that you are avoiding the all too often seen issues such as the recurrent inadvertent data release via publicly available storage buckets.
Automation (when done well) ensures that your infrastructure is set up in a way that is repeatable and can evolve as your use is refined and demands grow. Source control gives us traceability of changes to the code and automated testing should be applied to ensure that what is being built matches your security policies. It is all too easy to ignore automation when you have a small-scale deployment for your first steps, but as demand grows so does the pressure for consistency and repeatability. Not having a a good automated base will hamper your future deployments.
As your use of the cloud expands, the landing zone needs to be nurtured as all aspects of cloud environments move forward, from evolving best practice from the cloud providers themselves to new applications demanding new solutions and the evolving cyber threats that shape our response and infrastructure. Ensure that the structures you put in place are not too ridged. Otherwise, you may find that growth and evolution become more difficult to achieve.
Expanding into a multi-cloud environment increases the complexity of the environment as each cloud provider implements things in a different way, but the same concepts apply. Different cloud providers have varying levels of maturity of their best practices for the account configurations and their interpretations of what a landing zone is, AWS leads the pack but the absence of any formal automation from other providers to implement landing zones should not be a brake on development of your implementation that meets your specific requirements.
Ultimately a landing zone should not simply be the start of your journey into the cloud, but a constantly evolving core component of your infrastructure that should be well thought out and strategized.
Capgemini’s cohesive, end-to-end solutions help organizations leverage cloud technologies and methodologies and realize the full value of the cloud. Check out below for more details:
- Capgemini Cloud Platform (CCP)
- Migrating Workloads to the Cloud
- Capgemini Enterprise iPaaS
- Cloud with AWS – Reach Your Digital Reality
To learn more about the cloud landing zones, you can reach out to me via LinkedIn or Twitter, or email me at email@example.com.