Leapp is the tool we use every day to fulfil this need: it is an open-source tool that manages access credentials to Cloud environments in a secure and automated way.

Networking
The reachability of the Cloud environment is fundamental, from the connections of business users or collaborators to those of external users such as integrators or the general public.
First of all, it is necessary to structure the subnetting of the private networking by defining the CIDRs to be assigned to the various virtual networks present in the different accounts defined in the Organizations section. In this phase, it is important to avoid overlapping ranges, which lead to complicated scenarios in terms of implementation and management. Centralizing your endpoints and controlling their routes makes connections easier to create and manage.

Virtual networks are defined through the AWS VPC service, and they should be configured taking into account critical aspects such as the provider's physical infrastructure and the availability requirements of the workloads. Internet connectivity is delivered by the managed Internet Gateway and AWS Managed NAT Gateways.

AWS Transit Gateway is another essential service in the AWS ecosystem for connecting different environments. It enables centralized management and set-up of connections, both physical via Direct Connect and virtual via the managed AWS Site-to-Site VPN. AWS Site-to-Site VPN allows connections to company on-premises environments and data centers, and to partners, customers or system integrators. AWS Transit Gateway also allows inter-VPC connections.

It is common for companies to have users accessing virtual networks remotely on a daily basis from all around the world. In this case, implementing a dial-up VPN by taking advantage of AWS Client VPN and its integration with Transit Gateway should be considered.

DNS and domain management is another aspect that a properly designed Landing Zone can govern.
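As an added example of the subnetting step described at the start of this section (not code from the original article), the following Python script derives a non-overlapping VPC CIDR plan for several accounts from a single organization supernet, carves per-AZ subnets, and checks the plan against an on-premises range and a legacy account; the supernet, account names, sizes and ranges are constructed values.

```python
"""Non-overlapping CIDR plan for the VPCs of an AWS Organization.
Added example; supernet, names and sizes are constructed, not real."""
import ipaddress
from itertools import combinations

ORG_SUPERNET = ipaddress.ip_network("10.0.0.0/12")   # reserved for the whole Organization
VPC_PREFIX = 16                                       # one /16 per account VPC
SUBNET_PREFIX = 20                                    # one /20 per Availability Zone
VPC_NAMES = ["shared-services", "security", "workloads-prod", "workloads-dev"]
AZS = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
# A range that is not ours to assign but is reachable through Transit Gateway.
ON_PREM_DC = ipaddress.ip_network("10.16.0.0/16")
# A pre-existing account that was numbered before the plan existed (constructed).
LEGACY_VPC = ipaddress.ip_network("10.2.128.0/17")


def plan_vpcs(supernet, names, prefix):
    """Hand out one /prefix block per VPC, in order, from the supernet."""
    blocks = supernet.subnets(new_prefix=prefix)
    return {name: next(blocks) for name in names}


def plan_subnets(vpc_cidr, azs, prefix):
    """Carve a VPC into one private subnet per Availability Zone."""
    blocks = vpc_cidr.subnets(new_prefix=prefix)
    return {az: next(blocks) for az in azs}


def find_overlaps(labelled):
    """Return every pair of labels whose networks overlap (empty if the plan is clean)."""
    return [(a, b) for (a, na), (b, nb) in combinations(labelled.items(), 2)
            if na.overlaps(nb)]


VPC_PLAN = plan_vpcs(ORG_SUPERNET, VPC_NAMES, VPC_PREFIX)
PROD_SUBNETS = plan_subnets(VPC_PLAN["workloads-prod"], AZS, SUBNET_PREFIX)
# The plan plus the data center is clean; adding the legacy VPC reveals a clash.
CLEAN = find_overlaps({**VPC_PLAN, "on-prem-dc": ON_PREM_DC})
CLASH = find_overlaps({**VPC_PLAN, "on-prem-dc": ON_PREM_DC, "legacy-account": LEGACY_VPC})

if __name__ == "__main__":
    for name, cidr in VPC_PLAN.items():
        print(f"{name:16} {cidr}")
    print("overlaps:", CLASH)
```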
AWS Route 53 and features such as Route 53 Resolver can be used to manage both private and public domains and to determine which records are resolved from specific networks.

Security
Today, security practices affect IT as a whole. For this reason, security should be integrated into every aspect and methodology, as has already happened with DevSecOps (security applied to DevOps practices).

Traceability, in-transit and at-rest data protection, and the implementation of isolation and identity principles are particularly critical foundations on which a well-designed Landing Zone should rely. Regarding isolation and identity, a careful design of the organization and centralized user management make it easy to comply with best practices.

As already explained, the AWS Cloud is based on authenticated APIs (used by the console itself). AWS CloudTrail is able to track each API call and consolidate all the logs in a single place.

Inbound traffic can be routed through the centralized handling of rules in AWS WAF, the web application firewall managed by the provider.

Security groups and network ACLs, instead, give more granular control over communication protocols and specific connections between networks. These tools make it possible to determine which communications between users and company workloads are legitimate.
Regardless of the features just mentioned, it is a good rule to encrypt all public communications over the internet. Managing the SSL/TLS certificates tied to our domains from a single point undoubtedly eases their control and distribution.
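As an added example (not from the original article) of what the traceability provided by CloudTrail can be used for, the following Python script reads records in the CloudTrail log-file format, summarizes API calls per account and service, and flags calls made with root credentials or in regions outside an approved list; the three records and the approved regions are constructed.

```python
"""Detection pass over consolidated CloudTrail records.
Added example; the records and the approved-region list are constructed."""
import json
from collections import Counter

APPROVED_REGIONS = {"eu-west-1", "eu-central-1"}
# Global services record their calls in us-east-1, so they are not a region violation.
GLOBAL_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com", "organizations.amazonaws.com"}

# Constructed log file in the CloudTrail format: {"Records": [...]}, relevant fields only.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-03-01T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111111111111:assumed-role/Developer/alice"}},
    {"eventTime": "2024-03-01T08:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "ap-southeast-1",
     "recipientAccountId": "222222222222",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::222222222222:user/bob"}},
    {"eventTime": "2024-03-01T08:09:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"}},
]})


def load_records(log_text):
    """Parse one CloudTrail log file; each file wraps its events in a 'Records' list."""
    return json.loads(log_text)["Records"]


def calls_by_account(records):
    """Count API calls per (account, service): the consolidated view the text describes."""
    return Counter((r["recipientAccountId"], r["eventSource"]) for r in records)


def findings(records):
    """Flag root usage and activity outside the approved regions."""
    out = []
    for r in records:
        where = f'{r["recipientAccountId"]}/{r["awsRegion"]}'
        who = r["userIdentity"]["arn"]
        if r["userIdentity"]["type"] == "Root":
            out.append(f"root credentials used for {r['eventName']} in {where}")
        if r["awsRegion"] not in APPROVED_REGIONS and r["eventSource"] not in GLOBAL_SOURCES:
            out.append(f"{who} called {r['eventName']} in unapproved region {where}")
    return out


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(calls_by_account(recs))
    print("\n".join(findings(recs)))
```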
Governance and Compliance
While Governance identifies the roles and responsibilities of those in charge of making decisions, Compliance refers to the set of regulatory requirements, legislation, procedures, and codes of conduct that apply to a company.

As each organization has its own policies, it must be able to implement its controls easily in a Cloud environment as well. The introduction of these rules, however, should still leave DevOps teams room to act and operate freely within specific guardrails.
As described a few paragraphs above, applying security best practices is essential to secure every company procedure. Data, for example, should always be encrypted at rest. An effective way to verify that workloads remain compliant over time must be ensured. Another important standard to enforce is the prevention of unintended firewall rules that could expose infrastructures to risk; exposing protocols with known vulnerabilities is one of the most common examples.
We can rely on the AWS Config service to automatically apply all the rules we went through and to implement remediations.
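The checks the last two paragraphs ask for (encryption at rest, no unintended firewall rules exposing vulnerable protocols), written as an added example of plain Python evaluation functions that could back an AWS Config custom rule; this is not the article's or AWS's code, and the resource records are a constructed, simplified inventory rather than the exact AWS Config configuration-item schema.

```python
"""Compliance checks for at-rest encryption and internet-exposed risky ports.
Added example; the inventory is constructed and simplified."""
from ipaddress import ip_network

# Ports whose exposure to the whole internet is never intended: cleartext or
# legacy remote-access protocols are the "known vulnerable" cases in the text.
RISKY_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb", 3389: "rdp"}
ANYWHERE = {ip_network("0.0.0.0/0"), ip_network("::/0")}


def internet_exposed_ports(sg):
    """List (port, name) pairs a security group opens to the whole internet."""
    hits = []
    for rule in sg["ingress"]:          # simplified: every rule carries a port range
        if not any(ip_network(c) in ANYWHERE for c in rule["cidrs"]):
            continue
        hits += [(p, n) for p, n in RISKY_PORTS.items()
                 if rule["from_port"] <= p <= rule["to_port"]]
    return hits


def evaluate(resource):
    """Return (id, status, reasons) the way a Config rule reports COMPLIANT/NON_COMPLIANT."""
    reasons = []
    if resource["type"] == "security-group":
        reasons += [f"{n}/{p} open to the internet" for p, n in internet_exposed_ports(resource)]
    if resource["type"] in ("ebs-volume", "s3-bucket") and not resource["encrypted"]:
        reasons.append("data not encrypted at rest")
    return resource["id"], ("NON_COMPLIANT" if reasons else "COMPLIANT"), reasons


def non_compliant(inventory):
    """Map each failing resource id to its reasons: the input for a remediation step."""
    return {rid: why for rid, status, why in map(evaluate, inventory) if status == "NON_COMPLIANT"}


INVENTORY = [  # constructed sample inventory
    {"id": "sg-web", "type": "security-group",
     "ingress": [{"from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]}]},
    {"id": "sg-bastion", "type": "security-group",
     "ingress": [{"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
                 {"from_port": 3389, "to_port": 3389, "cidrs": ["10.0.0.0/8"]}]},
    {"id": "sg-all-open", "type": "security-group",
     "ingress": [{"from_port": 0, "to_port": 65535, "cidrs": ["::/0"]}]},
    {"id": "vol-db", "type": "ebs-volume", "encrypted": False},
    {"id": "bucket-logs", "type": "s3-bucket", "encrypted": True},
]

if __name__ == "__main__":
    for rid, why in non_compliant(INVENTORY).items():
        print(rid, why)
```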
Although AWS offers many services designed for different goals, companies usually rely on a specific subset of them. The same goes for the global regions in which to deploy new workloads. Service Control Policies allow organizations to define guardrails that prevent this kind of unwanted action.

Recommended checks also include a classification of the resources placed in each AWS environment. To achieve this, a tagging strategy is the only choice. Tags enable effective cost sharing and make it possible to manage permissions on an ABAC (Attribute-Based Access Control) basis. In addition, Tag Policies allow resource tagging enforcement and centralized tag management.

Any company should also define deprovisioning practices for unused resources to reduce complexity and simplify cost attribution, analysis, and understanding.
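As an added example of the region and service guardrails described above (not the article's or AWS's code), the following Python builds the two Deny statements such a Service Control Policy would contain and simulates how they are evaluated; the allowed regions, allowed services and global-service exemptions are constructed choices, and the simulation assumes the default FullAWSAccess policy is attached so only the Deny statements decide.

```python
"""Region and service guardrail SCP: build the policy and simulate its effect.
Added example; the allowed regions/services are constructed choices."""
import json
from fnmatch import fnmatch

ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]
ALLOWED_SERVICES = ["ec2", "s3", "rds", "lambda", "cloudtrail", "config",
                    "iam", "sts", "organizations", "route53", "support"]
# Global services sign requests in us-east-1: leaving them out of the region
# statement is what stops the guardrail from locking everyone out of IAM.
GLOBAL_SERVICES = ["iam", "sts", "organizations", "route53", "support"]


def build_scp():
    """Two Deny statements: outside approved regions, and outside approved services."""
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
         "NotAction": [f"{s}:*" for s in GLOBAL_SERVICES], "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}}},
        {"Sid": "DenyUnapprovedServices", "Effect": "Deny",
         "NotAction": [f"{s}:*" for s in ALLOWED_SERVICES], "Resource": "*"},
    ]}


def _action_selected(stmt, action):
    """Action/NotAction matching with IAM-style wildcards."""
    if "Action" in stmt:
        return any(fnmatch(action, p) for p in stmt["Action"])
    return not any(fnmatch(action, p) for p in stmt["NotAction"])


def statement_denies(stmt, action, region):
    """True when this Deny statement applies (only StringNotEquals on the region key is modelled)."""
    if stmt["Effect"] != "Deny" or not _action_selected(stmt, action):
        return False
    wanted = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    return wanted is None or region not in wanted


def scp_allows(scp, action, region):
    """Assumes FullAWSAccess is attached: the request survives if no Deny matches."""
    return not any(statement_denies(s, action, region) for s in scp["Statement"])


if __name__ == "__main__":
    print(json.dumps(build_scp(), indent=2))
    for act, reg in [("ec2:RunInstances", "eu-west-1"), ("ec2:RunInstances", "us-east-1"),
                     ("iam:CreateRole", "us-east-1"), ("sagemaker:CreateDomain", "eu-west-1")]:
        print(f"{act:28} {reg:14} {'allowed' if scp_allows(build_scp(), act, reg) else 'DENIED'}")
```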
Cost control
Organizations need an easy and immediate way to access AWS billing information, including a summary of expenses, a breakdown of all service costs incurred by accounts within the organization, and discounts and credits.

Both invoice consolidation (consolidated billing) and the provisioning of adequate guardrails are fundamental for keeping control over costs, governance, and security. AWS enables organizations to balance freedom and control through granular governance of user permissions.
Making informed decisions requires complete, near-real-time visibility of cost and usage information. AWS provides tools for organizing resources as needed and for viewing and analyzing cost and usage data in a single pane. Besides central cost control, real-time cost information can be provided to all the different teams. Detailed, allocable cost data gives teams the visibility and information they need to report on spending.
AWS Cost Explorer provides an easy-to-use interface that allows you to view, analyze, and manage AWS costs and usage over time. AWS Budgets is used to set custom budgets to track costs and usage, from the simplest to the most complex use cases.

Disaster Recovery
“Everything fails all the time” – Werner Vogels.

Failures are just around the corner. Designing with failure in mind is the key to building resilient infrastructures. For this reason, Disaster Recovery is a strategy that has to be considered from the very beginning of the Landing Zone design process.

The types of disaster that can happen in the Cloud, and more generally, fall into three groups: