CLOUD LANDING ZONE & ITS COMPONENTS

Rakesh Kumar
5 min read · Apr 23, 2021


Landing Zone

Whenever an organization decides to move from an on-premise environment to the cloud as part of a digitalization process (or for other reasons), the first questions that naturally come up are “How does my target environment look?” and “How are my resources isolated or arranged in the cloud?”. This is especially important because there is no physical image, view or boundary visible for cloud-based resources. This article tries to answer these questions by explaining the Landing Zone and some of its key components.

Let’s first understand what a Landing Zone is. The term comes from aviation and military usage and means a strong foundational place where aircraft or helicopters land. Similarly, you need a place in the cloud to keep your resources that is secure and compliant, scalable and resilient, and adaptable and flexible. This place is called the “Landing Zone”.

A Landing Zone is a pre-configured networking environment where workloads (servers, applications, storage, databases, access privileges etc.) from on-premise are placed in the cloud after migration. A good Landing Zone design is the basic building block for a successful migration and efficient operations in the cloud.

We will go through the different components of a Landing Zone in the sections below. Although I have used technical terms from AWS in this article, the generic concept remains the same and can be applied with any cloud provider.

Let’s start with the typical components of a Landing Zone:

Multi-Account Structure: An account is a container for your resources and provides administrative capabilities and billing for cloud resources.

A Landing Zone normally consists of multiple accounts, as this caters to the needs of different teams, the specific security controls required for each account, isolation of resources, business processes and billing information.

Creating an account doesn’t incur any cost, so multiple accounts can be created as per your requirements. The main goal is to place resources in an organized and isolated way that can be managed effectively even as the number of resources grows in future.

For example, you may create accounts per department, business unit or team, and/or based on SDLC stage (Dev, QA, Production etc.). There may be separate accounts for common functions such as security, logging, shared services, network, finance, audit etc.

This ensures that every team or business unit has independent and complete access to its own working environment. It also provides protection and limits the impact (blast radius) if a security breach occurs in one of the accounts.

AWS provides multiple services related to multi-account structure and landing zone creation, such as AWS Organizations, AWS Landing Zone and AWS Control Tower. These can be used to create a multi-account structure as per the business requirement.

Identity & Access Management: One of the most important components of a landing zone is how you manage identity and access to the various resources in the cloud. Most of the time, you may re-use identities from on-premise, such as Microsoft AD (or whatever directory service your organization uses), and assign the requisite privilege mapping in the cloud.

Every group, user or identity should be given the minimum privilege needed to perform its specific actions. For example: developers should get complete privileges in the development account but only limited (or no) access to the production environment. Similarly, the finance team should have access to billing-related information from all accounts but no access to any other resources. The security audit team should have read-only access to each account to check logs, security patch status etc. Cross-account roles and privileges should be baselined for each group or function.

You may also implement additional protection by rotating your secrets regularly, protecting your secrets with MFA tokens, using strong passwords, using encryption to protect your data at rest (and in transit) etc.

This component is critical for the safe and secure operation of your cloud environment. You may relate it to AWS services such as AWS IAM, AWS SSO and AWS Cognito.
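The minimum-privilege rule above is something you can check mechanically before a policy is baselined for a group. The following is an added example (not code from the article or from AWS): it scans constructed IAM policy documents for whole-service or global wildcard grants and lists which services a policy touches, so a billing-only policy for the finance team can be compared against its intended scope.

```python
from typing import List, Set, Tuple

# Constructed sample policies for illustration; they are not taken from the
# article or from any real account. The action names are standard IAM actions.
FINANCE_BILLING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["aws-portal:ViewBilling", "aws-portal:ViewUsage",
                    "ce:GetCostAndUsage"],
         "Resource": "*"},
    ],
}
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

def _as_list(value) -> list:
    """IAM allows either a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]

def find_broad_statements(policy: dict) -> List[Tuple[int, str]]:
    """Return (statement index, reason) for each Allow statement that grants
    every action ('*') or every action of one service ('svc:*'); these are
    the grants that break the minimum-privilege rule."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "every action in every service"))
            elif action.endswith(":*"):
                findings.append((i, f"every action in {action[:-2]}"))
    return findings

def allowed_services(policy: dict) -> Set[str]:
    """Service prefixes touched by Allow statements, to compare against the
    group's intended scope (finance should only see billing services)."""
    services = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            for action in _as_list(stmt.get("Action", [])):
                services.add(action.split(":", 1)[0])
    return services
```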

Network Design: This component of the landing zone defines how your network IP ranges are selected, how traffic from on-premise to the cloud is routed, how traffic between different resources is routed, which resources should or should not be accessible from the internet, how network traffic should be monitored etc. It also provides guidance on how your resources are placed within an account so that high availability (HA) can be achieved, e.g. by distributing resources across multiple availability zones.

The landing zone should provide a baseline network design for your organization.

If you are working with AWS, you may relate this to VPCs, Subnets, AZs, NACLs, Security Groups, Routing tables, VPC peering, NAT, VPN, Direct Connect, Endpoints etc.

Security: This component is very important in today’s situation and is considered a non-negotiable CTQ (critical to quality) parameter for every business. The impact of a security breach can be enormous in terms of financial claims, loss of reputation and much more.

The landing zone should be designed to support continuous security compliance through effective data gathering and efficient enforcement of rules.

Data gathering includes continuous collection of logs from each resource, application, network and service. If you are using AWS, you may relate this to CloudTrail logs, VPC flow logs, access logs etc.

Enforcement can be done using automated security services (e.g. AWS GuardDuty) or based on identification of specific events (e.g. using AWS CloudWatch Events, AWS Config Rules, CloudTrail etc.).

The Landing Zone should provide a baseline approach for secure operation in the cloud.
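As an added example of the “identification of specific events” idea (not code from the article or from AWS), the script below runs simple detection logic over constructed CloudTrail-style records: it flags API calls that tamper with the trail that feeds the data-gathering side of compliance, and console logins that succeeded without MFA, and attributes each finding to the owning account. Account IDs and user names are made up.

```python
from typing import List, Optional, Tuple

# Constructed CloudTrail-style records (not real logs): one routine API
# call, one attempt to stop trail logging, one console login without MFA.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "recipientAccountId": "111111111111"},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "recipientAccountId": "111111111111",
     "requestParameters": {"name": "org-trail"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "dev-carol"},
     "recipientAccountId": "222222222222",
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
]

# CloudTrail API calls that weaken the logging baseline itself; any
# occurrence outside a planned change deserves an alert.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                         "PutEventSelectors"}

def classify_event(event: dict) -> Optional[str]:
    """Return an alert label for a suspicious record, or None if benign."""
    name = event.get("eventName")
    if (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and name in LOGGING_TAMPER_EVENTS):
        return "logging-tamper"
    if name == "ConsoleLogin":
        mfa_used = event.get("additionalEventData", {}).get("MFAUsed")
        success = (event.get("responseElements", {})
                   .get("ConsoleLogin") == "Success")
        if success and mfa_used != "Yes":
            return "console-login-without-mfa"
    return None

def scan(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (account id, user, label) for every flagged record so the
    finding can be routed to the team that owns that account."""
    alerts = []
    for ev in events:
        label = classify_event(ev)
        if label:
            user = ev.get("userIdentity", {}).get("userName", "unknown")
            alerts.append((ev.get("recipientAccountId", ""), user, label))
    return alerts
```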

Shared Services, Automation & Change Management: This component contains services which are common to your whole cloud environment. It may consist of the monitoring your business needs, application code repositories, infrastructure code repositories, machine image templates, automation document repositories etc. This increases operational efficiency, repeatability, governance, consistency etc.

If you are using AWS, you may consider putting services related to CloudWatch, CloudFormation, CodeCommit, Service Catalog, SSM Automation Documents, the latest AMIs (Amazon Machine Images) etc. in this component.

Finally, no single landing zone model fits all situations; it needs some tailoring, primarily based on the factors below:

Business Need: The landing zone should be tailored to the specific business need. For example, a high performance computing (HPC) business may need to keep resources in close proximity to minimize latency, whereas a critical life-saving system may need to keep resources further apart so that not all resources face an outage at the same time due to a network, electricity, software or zone failure.

So you need to consider specific business needs for compliance, data protection, legal regulations etc. while planning the landing zone.

Cost Optimization: Needless to say, every project has limited resources and budget, and cost optimization should be considered for long-term sustainability and efficient operation.

The landing zone should be created to keep the cost of future operation low. For example, there is a cost associated with every data transfer between two accounts (or two VPCs), and the impact on cost can be significant if these data transfers are high-volume. So every action which incurs cost should be optimized and baselined in your landing zone design.

Overall, the creation of an effective Landing Zone is a critical prerequisite for cloud migration. It should be designed considering the long-term cloud journey of your organization, because short-term considerations may hinder the flexibility and growth of your future cloud adoption.
