Multi Cloud: Landing Zones

Multi Cloud Landing Zone:

What is a Landing Zone?

A landing zone is the underlying core configuration of any cloud adoption environment. Landing zones provide a pre-configured environment in a cloud service provider's ecosystem. A landing zone can be provisioned through code, through templates, or manually. It acts as a base platform (blueprint) to host workloads in private, hybrid, or public clouds. We don't want to hand our developers "naked" cloud tenants: completely unconfigured AWS accounts, Azure subscriptions, or GCP projects.

Here are 4 key aspects a landing zone can and should take care of in your cloud:

Security and Compliance

Standardized tenancy

Identity and access management

Networking


What is Cloud Landing Zone Lifecycle?

Creating a landing zone in any CSP ecosystem is rarely a perfect one-shot effort. Landing zone creation follows a simple lifecycle of its own:

Design -> Deployment -> Operations -> Feedback loop (Requirements and Update).


Designing a Landing Zone:

As the starting point of your cloud journey and the core component of your cloud environment, landing zones should be well thought out and strategized.

Let's expand on the 4 aspects a well-designed landing zone should take care of in the cloud:

Security and Compliance: Centralize your security, monitoring, and logging approach. Company-wide compliance and data residency policies, for example, can be implemented with landing zones. This way you can ensure a base level of compliance over multiple tenants or environments.

Standardized tenancy: Enforce tagging policies across multiple cloud tenants and provide standardized tenants for different security profiles (dev/staging/prod).

Identity and access management: Implement the principle of least privilege by defining roles and access policies. Define your user ID configurations and password standards across tenants.

Networking: Provide IaaS network configurations, firewalls, and other basic networking parameters you want to have in place.
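The four design aspects above can be expressed as a baseline that every tenant is checked against, whichever provider hosts it. The following is an added example, not part of the original post: the tag keys, record fields, residency policy and tenant inventory are all constructed for illustration, and a real check would read this data from each provider's inventory.

```python
# Added illustration; tag keys, field names and tenant records are constructed.
REQUIRED_TAGS = {"owner", "cost-center", "environment"}
PROFILES = {"dev", "staging", "prod"}
# Example data residency policy: one permitted region per provider.
ALLOWED_REGIONS = {"aws": {"eu-central-1"}, "azure": {"westeurope"}, "gcp": {"europe-west3"}}
# Broad built-in roles that human users should not hold in prod.
BROAD_ROLES = {"AdministratorAccess", "Owner", "roles/owner"}
MGMT_PORTS = {22, 3389}

def check_tenant(t):
    """Return baseline findings for one tenant record (empty list = compliant)."""
    findings = []
    tags = t.get("tags", {})
    # Standardized tenancy: required tags and a known security profile.
    missing = REQUIRED_TAGS - set(tags)
    if missing:
        findings.append("missing tags: " + ", ".join(sorted(missing)))
    env = tags.get("environment")
    if env is not None and env not in PROFILES:
        findings.append(f"unknown environment profile: {env}")
    # Security and compliance: central logging and data residency.
    if not t.get("central_logging", False):
        findings.append("audit logs not shipped to central logging")
    if t["region"] not in ALLOWED_REGIONS.get(t["provider"], set()):
        findings.append(f"region {t['region']} violates data residency policy")
    # Identity and access management: least privilege for humans in prod.
    if env == "prod":
        for user, role in sorted(t.get("human_role_bindings", {}).items()):
            if role in BROAD_ROLES:
                findings.append(f"{user} holds broad role {role} in prod")
    # Networking: no management ports reachable from the whole internet.
    for rule in t.get("ingress_rules", []):
        if rule["source"] == "0.0.0.0/0" and rule["port"] in MGMT_PORTS:
            findings.append(f"port {rule['port']} open to 0.0.0.0/0")
    return findings

def audit(tenants):
    """Map tenant id -> list of findings."""
    return {t["id"]: check_tenant(t) for t in tenants}

TENANTS = [  # constructed sample inventory
    {"id": "aws-prod-001", "provider": "aws", "region": "eu-central-1", "central_logging": True,
     "tags": {"owner": "payments", "cost-center": "cc-100", "environment": "prod"},
     "human_role_bindings": {"bob@example.com": "ReadOnlyAccess"}, "ingress_rules": []},
    {"id": "azure-dev-007", "provider": "azure", "region": "westeurope", "central_logging": True,
     "tags": {"owner": "web", "environment": "dev"},
     "ingress_rules": [{"source": "0.0.0.0/0", "port": 22}]},
    {"id": "gcp-prod-042", "provider": "gcp", "region": "us-central1", "central_logging": False,
     "tags": {"owner": "data", "cost-center": "cc-300", "environment": "prod"},
     "human_role_bindings": {"alice@example.com": "roles/owner"}, "ingress_rules": []},
]
```

Running `audit(TENANTS)` returns an empty list for the compliant AWS tenant and concrete findings for the other two, which is the kind of output the operations and feedback phases of the lifecycle can act on.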

Deploying a Landing Zone:

Customize and deploy the landing zone according to the design and specifications determined during the design phase. Every public cloud service provider handles the implementation of the landing zone concept differently.

Let's have a look at the big 3 CSPs:

Microsoft Azure: Within Microsoft's public cloud platform, the concept of landing zones is implemented in the Cloud Adoption Framework. A major tool is Azure Blueprints: you can choose and configure migration landing zone blueprints within Azure to set up your cloud environments. As an alternative, you can use third-party services like Terraform.

Amazon Web Services: The landing zone solution provided by AWS is just called AWS Landing Zone. This solution includes a security baseline pre-configuring AWS services like CloudTrail, GuardDuty, and Landing Zone Notifications. The service also automates the setup of a landing zone environment, thereby speeding up cloud migrations. Depending on your use case, AWS offers CloudFormation templates to customize and standardize service or application architectures.

Google Cloud Platform: With GCP, Google Deployment Manager is the way to go to write flexible template and configuration files. You can use a declarative format utilizing YAML, or Python and Jinja2 templates, to configure your deployments.

Operating a Landing Zone:

Cloud environments and their usage are never static. That means ongoing effort has to go into the management and operations of the underlying landing zones.

As your use of the cloud expands, the landing zones need to be well maintained and updated as all aspects of cloud environments evolve: implementing new best practices from the cloud providers, reacting to new needs that arise from new applications, or responding to upcoming security threats. Make sure to keep your architecture flexible enough to be able to expand and update your landing zones during operations.