Principles and Implementations of the Cloud Landing Zone

How can we manage multiple cloud accounts properly from the start?

Lutfi Ichsan Effendi
Life at Telkomsel
5 min read · Feb 7, 2023


Landing Zone

“THIS IS PEQUOD ARRIVING SHORTLY AT LZ!!”

Those of you who have played METAL GEAR SOLID V: THE PHANTOM PAIN will be familiar with this line, and of course with the voice that says it. Every time we complete a mission, Pequod and his helicopter pick us up at the Landing Zone point to take us back to Mother Base.

However, the Landing Zone we will discuss here is slightly different :)

What is Cloud Landing Zone?

A Cloud Landing Zone is an architecture design consisting of multiple accounts for an organization that runs workloads in a cloud environment. An LZ (short for Landing Zone) is designed to ensure that the cloud deployment is secure, scalable, and well-governed. A Cloud LZ is the foundation of an organization's cloud environment, providing a centralized management console, security and compliance controls, and automated processes for managing the cloud environment.

That’s “only” multiple accounts, so why do we have to do it?

The LZ is becoming important as organizations look to adopt cloud technologies to support digital transformation initiatives. As we know, the cloud offers many benefits, including increased agility, scalability, and cost savings, but these benefits can only be realized if the cloud environment is properly set up and managed.

Here are the benefits

If the design is executed and implemented in accordance with the principles and best practices, we can achieve:

  1. Increased security: The Cloud LZ provides a secure baseline architecture that includes network isolation, role-based access control, and encryption of data at rest and in transit.
  2. Scalability: The Cloud LZ is designed to accommodate growth and can be easily expanded to include new cloud services and resources as needed.
  3. Improved governance: The Cloud LZ includes a set of best practices and automated processes for account and resource management, auditing and compliance, and cost optimization. This helps organizations implement governance controls and maintain a high level of visibility and control over the cloud environment.
  4. Streamlined operations: The Cloud LZ provides a centralized management console, making it easier for organizations to manage the cloud environment from a single location.

(Figure: LZ lifecycle, from meshcloud.io)

Landing Zone Lifecycle

Implementing a Cloud LZ in an organization requires a thorough understanding of the organization’s requirements and existing infrastructure.

The steps we need to build the Cloud LZ are:

  1. Design: Determine the number of cloud accounts required and the services and resources that need to be included.
  2. Deployment: Create the cloud accounts and configure the networking, security and governance controls as defined in the plan.
  3. Testing: Verify that the cloud landing zone environment is functioning as expected and meets the organization’s requirements.
  4. Operations: Establish processes and procedures for managing and monitoring the cloud landing zone environment.
  5. Improvement: This is a continuous process; over time the organization will keep finding things that can be improved and implemented.

(Figure: Gruntwork.io AWS Landing Zone, https://gruntwork.io/landing-zone-for-aws/)

What about the LZ structure?

The account structure for a Cloud LZ depends on the specific requirements and use cases of an organization. However, I will break down at a high level what we have implemented in Telkomsel for organizing accounts in a Cloud LZ:

  • Multi-Account Structure: This approach involves creating multiple accounts for different purposes such as development, staging, pre-production and production, to isolate resources and ensure better security and governance.
  • Manage Organizations: Cloud Service Providers (CSPs) offer services that allow the IT organization to consolidate multiple accounts into a single management structure. This makes it easier to manage multiple accounts and apply policies to resources in a consistent manner.

(Figure: Organizations Account Structure)

  • Role-Based Access Control: Access to resources in the Cloud LZ can be restricted through the use of IAM roles and policies, ensuring that only authorized users have access to sensitive data and resources.

(Figure: Role Access with SSO)

  • Logging and Monitoring: A centralized logging and monitoring solution can be set up to provide visibility into the activities across all accounts, making it easier to detect and respond to security incidents and compliance violations.
  • Network and Routing: Manage the network and routing for connections between on-premise and cloud, especially for organizations that are still in the transition stage or adopting hybrid cloud.

(Figure: Account structure for Infra and Core OU)

  • Cost Optimization: Cost optimization is a critical aspect of the Cloud LZ, and can be achieved through the use of tooling. For example, AWS provides tools such as AWS Cost Explorer and AWS Savings Plans, which allow organizations to monitor and control cloud spending.
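To make the "Manage Organizations" and "Multi-Account Structure" points concrete, here is an added example (not code from the original post, nor Telkomsel's actual landing zone) that models an organization tree of OUs and accounts and evaluates organization-level guardrails the way AWS Organizations service control policies (SCPs) are evaluated: an action is effectively allowed for an account only if every policy level on the path from the root down to the account allows it, and any explicit Deny on that path wins. The OU names, 12-digit account ids, policy names and the `outside_regions` shorthand for a region condition are all constructed for illustration.

```python
"""Toy SCP-style guardrail evaluator for a multi-account landing zone.

Added example, not code from the original post. It assumes AWS SCP semantics:
each level on the path Root -> OU -> ... -> account must permit the action
(some Allow matches and no Deny matches), so restrictions only accumulate.
All ids, OU names and policies below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Policy:
    """One statement: Allow or Deny a set of IAM action patterns.

    `outside_regions` is a constructed shorthand for an SCP condition such as
    StringNotEquals aws:RequestedRegion: the Deny applies only when the request
    region is NOT in that list. (Real region-restriction SCPs also exempt global
    services such as IAM and STS via NotAction; this toy does not.)
    """
    name: str
    effect: str                      # "Allow" or "Deny"
    actions: list[str]               # e.g. "cloudtrail:StopLogging", "ec2:*"
    outside_regions: Optional[list[str]] = None

    def matches(self, action: str, region: str) -> bool:
        if not any(fnmatchcase(action, pat) for pat in self.actions):
            return False
        if self.outside_regions is not None:
            return region not in self.outside_regions
        return True


@dataclass
class Node:
    """Root, OU, or account. Accounts are leaves carrying a 12-digit id."""
    name: str
    policies: list[Policy] = field(default_factory=list)
    children: list[Node] = field(default_factory=list)
    account_id: Optional[str] = None


FULL_ACCESS = Policy("FullAWSAccess", "Allow", ["*"])   # the default SCP


def permitted_at(node: Node, action: str, region: str) -> bool:
    """SCP semantics at a single level: some Allow matches and no Deny matches."""
    allowed = any(p.effect == "Allow" and p.matches(action, region) for p in node.policies)
    denied = any(p.effect == "Deny" and p.matches(action, region) for p in node.policies)
    return allowed and not denied


def path_to_account(node: Node, account_id: str) -> Optional[list[Node]]:
    """Depth-first search returning [root, ..., ou, account], or None if absent."""
    if node.account_id == account_id:
        return [node]
    for child in node.children:
        sub = path_to_account(child, account_id)
        if sub:
            return [node] + sub
    return None


def is_allowed(root: Node, account_id: str, action: str, region: str) -> bool:
    """Effective permission: every level on the path must permit the action."""
    path = path_to_account(root, account_id)
    if path is None:
        raise KeyError(f"account {account_id} is not in the organization")
    return all(permitted_at(n, action, region) for n in path)


def audit(root: Node, action: str, region: str) -> dict[str, bool]:
    """Map every account id in the tree to whether `action` is effectively allowed."""
    result: dict[str, bool] = {}
    stack = [root]
    while stack:
        n = stack.pop()
        if n.account_id:
            result[n.account_id] = is_allowed(root, n.account_id, action, region)
        stack.extend(n.children)
    return result


def build_org() -> Node:
    """Constructed landing-zone tree: Core and Infra OUs, Workloads split by stage, a Sandbox."""
    home_regions = ["ap-southeast-1", "ap-southeast-3"]
    root = Node("Root", [
        FULL_ACCESS,
        Policy("DenyLeaveOrganization", "Deny", ["organizations:LeaveOrganization"]),
        Policy("ProtectCloudTrail", "Deny", ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]),
    ])
    core = Node("Core", [FULL_ACCESS], [
        Node("log-archive", [FULL_ACCESS], account_id="111111111111"),
        Node("security-tooling", [FULL_ACCESS], account_id="222222222222"),
    ])
    infra = Node("Infra", [FULL_ACCESS], [
        Node("network", [FULL_ACCESS], account_id="333333333333"),
    ])
    workloads = Node("Workloads", [
        FULL_ACCESS,
        Policy("HomeRegionsOnly", "Deny", ["*"], outside_regions=home_regions),
    ], [
        Node("NonProd", [FULL_ACCESS], [
            Node("dev", [FULL_ACCESS], account_id="444444444444"),
            Node("staging", [FULL_ACCESS], account_id="555555555555"),
        ]),
        Node("Prod", [FULL_ACCESS,
                      Policy("NoLocalIAMUsers", "Deny", ["iam:CreateUser", "iam:CreateAccessKey"])], [
            Node("pre-prod", [FULL_ACCESS], account_id="666666666666"),
            Node("prod", [FULL_ACCESS], account_id="777777777777"),
        ]),
    ])
    # Sandbox uses an allow-list instead of FullAWSAccess: anything not listed is denied.
    sandbox = Node("Sandbox", [Policy("SandboxAllowList", "Allow", ["ec2:*", "s3:*", "cloudwatch:*"])], [
        Node("sandbox", [FULL_ACCESS], account_id="888888888888"),
    ])
    root.children = [core, infra, workloads, sandbox]
    return root


if __name__ == "__main__":
    org = build_org()
    for acct, ok in sorted(audit(org, "cloudtrail:StopLogging", "ap-southeast-1").items()):
        print(acct, "may stop CloudTrail logging:", ok)
```

Running `audit()` for an action such as `cloudtrail:StopLogging` across the whole tree is the check a landing-zone owner wants after every policy change: the root-level Deny should hold for every account, the region restriction should bite only under the Workloads OU, and the Sandbox allow-list should reject everything it does not name, regardless of the FullAWSAccess policy attached directly to the account.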

But again, it is important to note that the specific account structure for a Cloud LZ will depend on the requirements and use cases of each organization and on many factors, such as security and compliance needs, organizational structure, and the desired level of control.

Pequod and his helicopter are our saviors!

The moment we called Pequod and were picked up by his helicopter at the LZ is where we felt safe and secure, sure that no enemies could follow and chase us. Only we could get into the helicopter and knew the location of the LZ; we could control the mission log and history and request pickup from our own device; and it also saved time, because we didn’t have to walk back to Mother Base. The philosophy and principles of the Cloud LZ are almost the same :)

In conclusion, a Cloud LZ is a pre-configured architecture for an organization’s cloud environment that provides a secure, scalable, and well-governed foundation for the cloud deployment. By following best practices for implementation, organizations can realize the benefits of the cloud and ensure that their cloud environment is properly managed from the start.

References:

  • Cloud Landing Zone Lifecycle explained (meshcloud.io)
  • Gruntwork Landing Zone for AWS (https://gruntwork.io/landing-zone-for-aws/)
  • Evolution of AWS Landing Zones, CCL (concepts.co.nz)