The Cloud is the backbone and foundation of digital transformation in its many forms. The - quite literal - foundation for a successful transformation to the cloud is the concept of landing zones. This post will cover the management of landing zones over their lifetime. But let's start with a brief definition of what a landing zone is and does:
What is a Landing Zone?
A landing zone is the underlying core configuration of any cloud adoption environment. Landing zones provide a pre-configured environment - provisioned through code - to host workloads in private, hybrid or public clouds. You don't want to hand your developers "naked" cloud tenants - completly unconfigured AWS accounts, Azure subscriptions or GCP projects.
Here are 4 key aspects a landing zone can and should take care of in your cloud:
- Security & Compliance
- Standardized tenancy
- Identity and access management
A landing zone is certainly the starting point of your cloud journey - but it is also a constantly evolving core component of your infrastructure.
Benefits of Landing Zones:
Landing Zones allow you to standardize cloud environments that are provisioned to DevOps teams. They offer consistency across all tenants in naming, scaling and access control. With that comes a security baseline that preemts (accidental) non compliant or unauthorized configurations.
So let's talk about the differnt phases of a landing zones lifecycle!
Design, Deploy, Operate: 3 "Days" in the life of a landing zone
In software development you often hear the terms "Day 0/Day 1/Day 2". Those refer to different phases in the life of a software: From specifications and design (Day 0) to development and deployment (Day 1) to operations (Day 2). For the purpose of this blog post we're going to use this terminology to describe the phases of the landing zone lifecycle.
Day 0: Designing a Landing Zone
As the starting point of your cloud journey and the core component of your cloud environment landing zones should be well thought out and strategized - certainly with Day 1 and 2 in mind. Let's expand on the 4 aspects a well-designed landing zone should take care of in the cloud:
- Security and Compliance: Centralize your security, monitoring and logging approach. Company wide compliance and data residency policies for example can be implemented with landing zones. This way you can ensure a base level of compliance over multiple tenants or environments.
- Standardized tenancy: Enforce tagging policies across multiple cloud tenants and provide standardized tenants for different security profiles (dev/staging/prod).
- Identity and access management: Implement the principle of least privilege by defining roles and access policies. Define your user ID configurations and password standards across tenants.
- Networking: Provide IaaS network configurations, firewalls and other basic networking parameters you want to have in place.
Day 1: Deploying a Landing Zone
On Day 1 it comes to customizing and deploying a landing zone according to the design and specifications determined on Day 0. The implementation of the landing zone concept is handled differently by every public cloud service provider.
Let's have a look at the big 3 CSPs:
Microsoft Azure: Within Microsofts public cloud platform the concept of landing zones is implemented in the Cloud Adoption Framework. A major tool are Azure blueprints: You can choose and configure migration landing zone blueprints within Azure to set up your cloud environments. As an alternative you can use third party services like terraform.
Amazon Web Services: The landing zone solution provided by AWS is just called AWS Landing Zone. This solution includes a security baseline pre-configuring AWS services like CloudTrail, GuardDuty and Landing Zone Notifications. The service also automates the setup of a landing zone environment thereby speeding up cloud migrations. Depending on your use case AWS offers Cloud Formation Templates to customize and standardize service or application architectures.
Google Cloud Platform: With GCP the Google Deployment Manager is the way to go to write flexible template and configuration files. You can use a declarative format utilizing Yaml - or Python and Jinja2 templates - to configure your deployments.
Day 2: Operating a Landing Zone
Cloud environments and their usage are never static. That means ongoing effort has to go into the management and operations of the underlying landing zones.
As your use of the cloud expands, the landing zones need to be well-maintaned and updated as all aspects of cloud environments evolve: Implementing new best practices from the cloud providers, reacting to new needs that arise from new applications or responding to upcoming security threats. Make sure to keep your architecture flexible enough to be able to expand and update your landing zones during operations.
The meshcloud take on Landing Zones
We at meshcloud have our own take on the landing zone concept: With meshLandingzones we support native tooling provided by the different cloud platforms and vendors. This way we ensure seamless integration of existing operational capabilities and leverage the most powerful and best-integrated tooling available for each platform. In most instances, this tooling follows an infrastructure-as-code paradigm that fits naturally with meshcloud's multi-cloud orchestration approach.
On day 0, the design of the landing zones is done by native tools of the respective providers.
On day 1 meshcloud comes into play for the deployment. For example, previously created Azure blueprints can be integrated into meshLandingzones. meshLandingzones rely on the various native tools of the providers: In the case of AWS these are in particular OU Assignments, Lambda Invocations and Cloud Formation Templates.
For day 2 operations meshcloud offers various mechanisms for landing zone management. With fast updates of landing zones across many projects, it is possible to react to short-term security risks. The long-term development of landing zones to comply with new regulations and requirements is made possible by versioning the landing zones. With meshcloud you always have a cross-platform overview of which projects use which landing zone (and in which version).