
Multi Cloud: Landing Zones

Multi Cloud Landing Zone:

What is a Landing Zone?

A landing zone is the underlying core configuration of any cloud adoption environment. Landing zones provide a pre-configured environment in the cloud service provider's ecosystem and can be provisioned through code, templates, or manually. A landing zone acts as the base platform (blueprint) for hosting workloads in private, hybrid, or public clouds. We don't want to hand our developers "naked" cloud tenants: completely unconfigured AWS accounts, Azure subscriptions, or GCP projects.

Here are 4 key aspects a landing zone can and should take care of in your cloud:

Security and Compliance

Standardized tenancy

Identity and access management

Networking


What is Cloud Landing Zone Lifecycle?

Creating a landing zone in any CSP ecosystem is rarely a perfect one-shot exercise. Landing zone creation should follow a simple lifecycle too:

Design -> Deployment -> Operations -> Feedback loop (Requirements and Update).


Designing a Landing Zone:

As the starting point of your cloud journey and the core component of your cloud environment, landing zones should be well thought out and strategized.

Let's expand on the 4 aspects a well-designed landing zone should take care of in the cloud:

Security and Compliance: Centralize your security, monitoring, and logging approach. Company-wide compliance and data residency policies for example can be implemented with landing zones. This way you can ensure a base level of compliance over multiple tenants or environments.

Standardized tenancy: Enforce tagging policies across multiple cloud tenants and provide standardized tenants for different security profiles (dev/staging/prod).

Identity and access management: Implement the principle of least privilege by defining roles and access policies. Define your user ID configurations and password standards across tenants.

Networking: Provide IaaS network configurations, firewalls, and other basic networking parameters you want to have in place.
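The four design aspects above only become enforceable once they are written down as checks that every tenant is measured against. The following is an added example, not code from the original post, of a small baseline checker that evaluates a tenant record against one rule per aspect: central audit logging and data residency (security and compliance), mandatory tags and a known environment profile (standardized tenancy), no wildcard grants and a password standard (IAM), and no administrative ports open to the whole internet (networking). The tenant record format, the policy constants and both sample tenants are constructed assumptions; a real implementation would pull this state from the provider's inventory or policy APIs.

```python
"""Landing-zone baseline checks for the four design aspects.

Added example, not code from the original post. The tenant record format,
the policy constants and the sample tenants are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# --- baseline policy (assumed values for illustration) ----------------------
REQUIRED_TAGS = {"owner", "cost-center", "environment"}
ALLOWED_ENVIRONMENTS = {"dev", "staging", "prod"}
ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}   # data-residency policy: EU only
ADMIN_PORTS = {22, 3389}                          # SSH / RDP
MIN_PASSWORD_LENGTH = 14


@dataclass(frozen=True)
class Finding:
    tenant: str
    aspect: str   # "security", "tenancy", "iam" or "networking"
    message: str


def check_security(tenant: dict) -> list[Finding]:
    """Security and compliance: central audit logging on, resources inside residency policy."""
    out = []
    if not tenant.get("audit_logging_enabled", False):
        out.append(Finding(tenant["name"], "security", "central audit logging is disabled"))
    outside = set(tenant.get("regions", [])) - ALLOWED_REGIONS
    if outside:
        out.append(Finding(tenant["name"], "security",
                           f"resources deployed outside residency policy: {sorted(outside)}"))
    return out


def check_tenancy(tenant: dict) -> list[Finding]:
    """Standardized tenancy: mandatory tags present and a known environment profile."""
    out = []
    tags = tenant.get("tags", {})
    missing = REQUIRED_TAGS - tags.keys()
    if missing:
        out.append(Finding(tenant["name"], "tenancy", f"missing required tags: {sorted(missing)}"))
    env = tags.get("environment")
    if env is not None and env not in ALLOWED_ENVIRONMENTS:
        out.append(Finding(tenant["name"], "tenancy", f"unknown environment profile: {env}"))
    return out


def check_iam(tenant: dict) -> list[Finding]:
    """Identity and access: no 'allow * on *' statements, password standard enforced."""
    out = []
    for policy in tenant.get("iam_policies", []):
        for stmt in policy.get("statements", []):
            if (stmt.get("effect") == "Allow"
                    and "*" in stmt.get("actions", [])
                    and "*" in stmt.get("resources", [])):
                out.append(Finding(tenant["name"], "iam",
                                   f"policy '{policy['name']}' allows every action on every resource"))
    if tenant.get("password_min_length", 0) < MIN_PASSWORD_LENGTH:
        out.append(Finding(tenant["name"], "iam",
                           f"password policy shorter than {MIN_PASSWORD_LENGTH} characters"))
    return out


def check_networking(tenant: dict) -> list[Finding]:
    """Networking: no administrative port reachable from an unrestricted (/0) source."""
    out = []
    for rule in tenant.get("firewall_rules", []):
        if rule.get("direction") != "ingress":
            continue
        source = ipaddress.ip_network(rule["source"], strict=False)
        if source.prefixlen == 0 and rule["port"] in ADMIN_PORTS:
            out.append(Finding(tenant["name"], "networking",
                               f"port {rule['port']} open to {rule['source']} in rule '{rule['name']}'"))
    return out


def evaluate_tenant(tenant: dict) -> list[Finding]:
    """Run all four aspect checks; an empty list means the tenant meets the baseline."""
    return (check_security(tenant) + check_tenancy(tenant)
            + check_iam(tenant) + check_networking(tenant))


# --- constructed sample tenants ----------------------------------------------
COMPLIANT_TENANT = {
    "name": "payments-prod", "audit_logging_enabled": True, "regions": ["eu-west-1"],
    "tags": {"owner": "payments-team", "cost-center": "CC-1234", "environment": "prod"},
    "iam_policies": [{"name": "deployer", "statements": [
        {"effect": "Allow", "actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::payments-*"]}]}],
    "password_min_length": 16,
    "firewall_rules": [{"name": "web", "direction": "ingress", "port": 443, "source": "0.0.0.0/0"}],
}

NAKED_TENANT = {   # an unconfigured tenant handed straight to a developer
    "name": "sandbox-dev", "audit_logging_enabled": False, "regions": ["us-east-1"],
    "tags": {"owner": "alice", "environment": "dev"},
    "iam_policies": [{"name": "admin", "statements": [
        {"effect": "Allow", "actions": ["*"], "resources": ["*"]}]}],
    "password_min_length": 8,
    "firewall_rules": [
        {"name": "ssh", "direction": "ingress", "port": 22, "source": "0.0.0.0/0"},
        {"name": "web", "direction": "ingress", "port": 443, "source": "0.0.0.0/0"},
    ],
}

if __name__ == "__main__":
    for tenant in (COMPLIANT_TENANT, NAKED_TENANT):
        for finding in evaluate_tenant(tenant):
            print(f"{finding.tenant}: [{finding.aspect}] {finding.message}")
```

Each check is deliberately independent of the others, so a new organisational rule (a second residency region, a different admin port list) is a one-line change to the policy constants rather than a rewrite, and the findings carry the aspect name so they can be routed to the team that owns that part of the landing zone.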

Deploying a Landing Zone:

This phase covers customizing and deploying a landing zone according to the design and specifications determined during the Design phase. The implementation of the landing zone concept is handled differently by every public cloud service provider.

Let's have a look at the big 3 CSPs:

Microsoft Azure: Within Microsoft's public cloud platform, the concept of landing zones is implemented in the Cloud Adoption Framework. A major tool is Azure Blueprints: you can choose and configure migration landing zone blueprints within Azure to set up your cloud environments. As an alternative, you can use third-party tools like Terraform.

Amazon Web Services: The landing zone solution provided by AWS is simply called AWS Landing Zone. This solution includes a security baseline that pre-configures AWS services like CloudTrail, GuardDuty, and Landing Zone Notifications. The service also automates the setup of a landing zone environment, thereby speeding up cloud migrations. Depending on your use case, AWS offers CloudFormation templates to customize and standardize service or application architectures.

Google Cloud Platform: With GCP, Google Cloud Deployment Manager is the way to go to write flexible template and configuration files. You can use a declarative format based on YAML, or Python and Jinja2 templates, to configure your deployments.

Operating a Landing Zone:

Cloud environments and their usage are never static. That means ongoing effort has to go into the management and operations of the underlying landing zones.

As your use of the cloud expands, the landing zones need to be well-maintained and updated as all aspects of cloud environments evolve: Implementing new best practices from the cloud providers, reacting to new needs that arise from new applications or responding to upcoming security threats. Make sure to keep your architecture flexible enough to be able to expand and update your landing zones during operations.
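Keeping a landing zone maintained in operations means noticing when the deployed state of a tenant no longer matches the baseline that was designed and deployed, whether because a provider changed a default, a team opened a port, or a newer baseline has not yet been rolled out. The following is an added example, not code from the original post, of a drift check that flattens the desired baseline and an observed snapshot into dotted keys, reports every added, removed or changed setting, and rates drift under the logging, IAM and network subtrees as high severity. The baseline and observed records and the choice of security-relevant prefixes are constructed assumptions; in practice the observed snapshot would come from the provider's inventory or policy service and the baseline from the landing-zone repository.

```python
"""Drift detection between a landing-zone baseline and the observed tenant state.

Added example, not code from the original post. The baseline/observed records
and the security-relevant key prefixes are constructed assumptions.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Keys under these subtrees carry the security baseline: drift there is high severity.
SECURITY_PREFIXES = ("logging.", "iam.", "network.")


@dataclass(frozen=True)
class Drift:
    key: str          # dotted path into the configuration
    kind: str         # "added", "removed" or "changed"
    expected: object  # value in the baseline (None when added)
    observed: object  # value actually deployed (None when removed)
    severity: str     # "high" or "low"


def flatten(config: dict, prefix: str = "") -> dict[str, object]:
    """Turn nested dicts into dotted keys; lists become order-insensitive tuples."""
    flat: dict[str, object] = {}
    for key, value in config.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        elif isinstance(value, list):
            flat[path] = tuple(sorted(json.dumps(v, sort_keys=True) for v in value))
        else:
            flat[path] = value
    return flat


def detect_drift(baseline: dict, observed: dict) -> list[Drift]:
    """Compare the desired baseline with what is actually deployed."""
    want, have = flatten(baseline), flatten(observed)
    drifts = []
    for key in sorted(set(want) | set(have)):
        if key not in have:
            kind = "removed"
        elif key not in want:
            kind = "added"
        elif want[key] != have[key]:
            kind = "changed"
        else:
            continue
        severity = "high" if key.startswith(SECURITY_PREFIXES) else "low"
        drifts.append(Drift(key, kind, want.get(key), have.get(key), severity))
    return drifts


# --- constructed sample: the baseline as designed, and a later snapshot --------
BASELINE = {
    "logging": {"audit_trail": True, "retention_days": 365},
    "iam": {"password_min_length": 14, "mfa_required": True},
    "network": {"ingress": [{"port": 443, "source": "10.0.0.0/8"}]},
    "tags": {"environment": "prod"},
}

OBSERVED = {
    "logging": {"audit_trail": True, "retention_days": 90},       # retention shortened
    "iam": {"password_min_length": 14, "mfa_required": False},    # MFA switched off
    "network": {"ingress": [{"port": 443, "source": "10.0.0.0/8"},
                            {"port": 22, "source": "0.0.0.0/0"}]},  # SSH opened up
    "tags": {"environment": "prod", "cost-center": "CC-1234"},    # harmless extra tag
}

if __name__ == "__main__":
    for d in detect_drift(BASELINE, OBSERVED):
        print(f"[{d.severity}] {d.key} {d.kind}: expected={d.expected!r} observed={d.observed!r}")
```

Running the check on a schedule and alerting on high-severity drift closes the feedback loop from the lifecycle section: low-severity drift is usually a sign the baseline needs updating, while high-severity drift in logging, IAM or network settings is something to revert or investigate before the next application lands in the tenant.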

