AWS Landing Zone — Staring point for cloud migration journey!
Cloud Adoption is well recognized by enterprises by now where enterprises are already on move towards Cloud Migration journey. It is imperative for enterprises to have their cloud migration strategy in place. The number of enterprise workloads being moved to cloud is on a stepping rise, so is the number of cloud failures.
When planning the cloud migration strategy an effective governance and operational model is key to successful cloud migrations. Lack of attention to this can lead to longer migration cycles and operational challenges such as cross-team dependencies, high operational cost, chokepoints etc If the same is not well thought through, enterprises will fail in their cloud migration journeys with no flexibility, scalability and agility in place.
A Landing zone is typically the first step for enterprises in their cloud migration journey. It is the foundation which allows enterprises to have a well architected framework and best practices to be followed in order to have right scaling up the infrastructure up without leaving any chances of collapsing.
This is also the essential which can eventually lead to success or failure of cloud migration, and it behooves us to know more about why a landing zone is necessary.
What is AWS Landing Zone?
AWS Landing Zone is a foundational building block that enterprises need in place before performing their cloud migration journeys. AWS’s solution automatically provides a baseline environment as pre-configured environment with a “multi-account architecture, identity and access management, governance, data security, network design and logging” to save you time and effort.
Landing Zone is enterprises first-stop address to all their business considerations by having a baseline architecture in place where any first workload migrated will reside. It ensures that all critical services are present and properly configured before moving massive workloads to cloud.
A prime driver in adoption of Landing Zone is the Automation capabilities it brings to enterprises in their cloud migration journeys. It saves humongous efforts in setting up the right infrastructure boundaries in your initial setups to the cloud and bringing automation capabilities to its core. For example, AWS Landing Zone provides Out of the Box capabilities of compliance and governance for all accounts.
Following are the Landing Zone Best Practices:
1) Organization Master Account: — it is the root account access which is managed at the organization level under AWS Organization services. Enterprises as a start need to have Master Organization as Parent to manage all sub units as child OUs and accounts
2) Core Organization Units: — it is important to have all the accounts which are going to provide common guided services to other accounts to be organized into a single unit as Core. Example of such accounts are: log archival, security management, shared services such as directory services, network.
3) Team/Group Organization Units: — it is further important to have all teams and groups grouped into another logical unit named as Teams. Example of such accounts will be Shared Service Team, Production support teams, pre-prod etc
4) Developers Organization Units: -from the recommended and best practices point of view, enterprises should always have a separate logical separation of developer who will have only access to their required sandbox environment
5) Hybrid: — a default networking pattern among the accounts which will enable enterprises to have Hybrid or Multi-cloud driven cloud adoption.
Enterprises have different options for creating landing zone on AWS such as a managed service from AWS “AWS Control Tower, or orchestrate your own Landing zone. However, from the recommendation point of view, AWS control tower is a good starting point.
Benefits and trade-offs for each approach:
AWS Control Tower:
AWS Control Tower runs as an AWS managed service. It is a pre-packaged solution offering from amazon which enable enterprises to leverage the agility in setting up their first step of cloud migrations as Out of the box capability. The service tails the best practices for enterprises to follow multi account strategy which is further strengthened down by implementing the best security and governance guidelines and operations management. This enables enterprises with all pre-configured rules which any enterprise can bet upon.
Some of the blueprints implemented on AWS Control Tower include:
· A multi-account environment using AWS Organizations
· Identity management using AWS Single Sign-On (SSO) default directory
· Centralized logging from AWS CloudTrail, and AWS Config stored in Amazon Simple Storage Service (Amazon S3)
· Cross-account security audits using AWS Identity and Access Management (IAM) and AWS Single Sign-On (SSO)
Custom-Built Solution:
Custom built Solutions can leverage the AWS Cloud Formation capabilities to provision their infrastructure and built a baseline landing zone such as shown below. The AWS CloudFormation template enables AWS Organizations in an account, creates an Amazon Simple Storage Service (Amazon S3) bucket and Landing Zone configuration zip file, an AWS CodePipeline pipeline for creating and updating the landing zone baseline, and, if requested, automatically starts the pipeline to build out the landing zone implementation.
AWS Landing Zone deploys AWS Account Vending Machine (AVM) through which multiple accounts provisioning will happen automatically. Using AVM, Customer Single Sign On (SSO) solution can be integration for access management. This enables enterprises to accelerate and orchestrate their cloud migration journeys as it automates the initial baseline environment with a multi-account architecture, an initial security baseline, identity and access management, governance, data security, network design and logging.
In my view, when enterprises are already on a matured stage and understands the Zoning capabilities well, they should go for Custom-built zoning solution as it enables enterprises to follow loosely coupled design principal.
Conclusion:
Irrespective of the available options for enterprises, Landing Zone is a must have. A landing zone bundles three things — Agility, operational excellence and long-term self-sufficiency and business resiliency.
