{"id":4706,"date":"2022-07-22T09:00:00","date_gmt":"2022-07-22T07:00:00","guid":{"rendered":"https:\/\/blog.besharp.it\/?p=4706"},"modified":"2022-07-22T10:54:38","modified_gmt":"2022-07-22T08:54:38","slug":"examples-of-landing-zone-implementations","status":"publish","type":"post","link":"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/","title":{"rendered":"Examples of Landing Zone implementations"},"content":{"rendered":"\n<p>Our previous articles discussed what a Landing Zone is and why it is important for any company to implement. Then, we detailed which fundamental pillars to build it.<\/p>\n\n\n\n<p>In the following paragraphs, we\u2019ll propose two different examples of Landing Zone implementations based on two radically different company types:<\/p>\n\n\n\n<ul><li><strong>Small IT<\/strong>: companies with few workloads and small IT teams<\/li><li><strong>Large IT<\/strong>: companies with thousands of workloads and multiple distributed and specialized IT teams<\/li><\/ul>\n\n\n\n<p>For each of these, we will apply the pillars described in a general way in <a href=\"\/landing-zone-on-aws-design-strategies-and-best-practices\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>part two<\/strong><\/a> of our series.<\/p>\n\n\n\n<p>These implementations are not ready-to-use frameworks, but they are a perfect way to highlight how radically different organizations with different business needs are all sharing the same criticality: AWS environments governance.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Small IT<\/h2>\n\n\n\n<p><strong>Organization<\/strong><\/p>\n\n\n\n<p>Simplification must be the key. In these cases, a light organization can be envisaged with a main Organizational Unit (OU) in which there are one or two Foundational accounts. An account dedicated to billing and access management, in charge of managing our organization. Another account could be used to manage the networking and security part.<\/p>\n\n\n\n<p>An excellent initial structure, therefore, could be based on two OUs, one for internal services and one for services aimed at the public in which to create accounts dedicated to production and accounts dedicated to non-productive environments.<\/p>\n\n\n\n<p><strong>Identity and Access management<\/strong><\/p>\n\n\n\n<p>To start with ease in managing access, you can think of directly leveraging the AWS IAM service. IAM users could be listed in a centralized account and IAM roles could be created in the accounts containing the workloads (production and development environments). If you want to think about an initial integration with your IdP, you can proceed by federating it directly with AWS IAM.<\/p>\n\n\n\n<p>If you are interested in this topic, we already covered it in <a href=\"\/single-sign-on-with-g-suite-on-the-amazon-web-services-console\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>this article<\/strong><\/a>, describing how it is possible, for example, to federate GSuite with AWS IAM.<\/p>\n\n\n\n<p><strong>Networking<\/strong><\/p>\n\n\n\n<p>In these cases, connections from the office and our users to the Cloud infrastructures must be provided. We recommend that you take advantage of the <strong>Transit Gateway<\/strong> service to centralize management and connections. This object also allows us to save money without sacrificing high availability by implementing a configuration that includes <a href=\"\/hybrid-cloud-networking-centralized-nat-gateway-through-aws-transit-gateway\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>centralized NAT Gateways<\/strong><\/a>.<\/p>\n\n\n\n<p><strong>Security<\/strong><\/p>\n\n\n\n<p>As for traceability, it is imperative to centralize all Audit Logs from the various AWS accounts.<\/p>\n\n\n\n<p>As far as infrastructure security is concerned, we must try to reduce the attack surface as much as possible, keeping all data private and avoiding exposing publicly weak and vulnerable exchange protocols.<\/p>\n\n\n\n<p>Proper backup management of data and configurations is essential to protect the company from attacks directed against our services.<\/p>\n\n\n\n<p><strong>Governance and compliance<\/strong><\/p>\n\n\n\n<p>In order to distribute centrally and in a standard way the basic configurations of the various accounts, <strong>the Infrastructure-as-Code<\/strong> (<strong>IaC<\/strong>) principle &#8211; e.g., through the <strong>CloudFormation Stack Sets<\/strong> service &#8211; is a fundamental aspect. This service allows us to centrally control the basic configuration stacks of the various corporate organization accounts.<\/p>\n\n\n\n<p><strong>Costs Control<\/strong><\/p>\n\n\n\n<p>Implementing budget<strong> alarms<\/strong> defined for each workload or account is important to keep costs under control.<\/p>\n\n\n\n<p>Then costs can be optimized with <strong>Saving Plans<\/strong> which offer a discount for a commitment of at least an annual and at most three-year.<\/p>\n\n\n\n<p><strong>Disaster recovery<\/strong><\/p>\n\n\n\n<p>In the case of companies with few workloads, it is better to start by trying to reduce the impact of Disaster Recovery on costs. <strong>Backup &amp; Restore<\/strong> is the perfect strategy to achieve this. The data must be identified and replicated continuously, and the infrastructure must be coded in such a way to automate the recovery procedures.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Large IT<\/h2>\n\n\n\n<p><strong>Organization<\/strong><\/p>\n\n\n\n<p>Companies with digital departments that have many teams require a complex and highly stratified organization. However, it is necessary to limit the number of accounts to avoid the structure&#8217;s explosion.<\/p>\n\n\n\n<p>As for the Foundational accounts, you can still think of a single main OU with several accounts divided between security, logging, access management, billing management, and networking.<\/p>\n\n\n\n<p>Things get more complicated when it comes to the classification of workloads. Since the number of accounts tends to grow in case of many development environments, a trade-off must be found between workloads that are meant to be separated and workloads that can be grouped.<\/p>\n\n\n\n<p>To provide <strong>DevOps<\/strong> with the opportunity to experiment in sandbox environments, it is possible to build an <strong><em>Account Vending Machine<\/em><\/strong><em> that allows the automatic <\/em>provisioning and de-provisioning of accounts.<\/p>\n\n\n\n<p><strong>Identity and Access management<\/strong><\/p>\n\n\n\n<p>A centralized dashboard to manage the permissions to the various OUs or the different accounts is another certain need. A Landing Page to facilitate daily access for those who use the console is a must. If you\u2019re also considering integrating your IdP, then the perfect service is <strong>AWS Single Sign-on<\/strong>. With AWS SSO it is possible to manage identities and access authorizations to your multi-account structure centrally.<\/p>\n\n\n\n<p><strong>Networking<\/strong><\/p>\n\n\n\n<p>It is difficult for companies with a complex network topography to find an exhaustive summary of it. Indeed Transit Gateway is necessary. Connecting two transit gateways set in different regions and accounts is also possible.<\/p>\n\n\n\n<p>The <strong>AWS VPN Client<\/strong> is, in turn, integrated with AWS SSO avoiding the need to manage additional login credentials&nbsp;<\/p>\n\n\n\n<p>In case of continuous and massive data transfer between offices, datacenters, and virtual environments, it is essential to provide physical connections in order to reduce latency. This is achieved through the creation of a mesh network of private physical connections via <strong>Direct Connect<\/strong>, backed up by backup <strong>SiteToSite VPNs<\/strong>.<\/p>\n\n\n\n<p>In a complex company, it is convenient to define the network access requirements by identifying paths that potentially do not meet them. You can achieve this using <strong>the Network Access Analyzer<\/strong> service.<\/p>\n\n\n\n<p><strong>Security<\/strong><\/p>\n\n\n\n<p><strong>AWS Security Hub<\/strong> allows you to have a centralized dashboard on which to collect and cross-reference all our metrics based on security rules.<\/p>\n\n\n\n<p>Thanks to <strong>AWS Organization<\/strong>&#8216;s<strong> <\/strong>involvement, you can use <strong>Firewall Manager<\/strong>, a single service to create firewall rules and security policies and apply them consistently and hierarchically to the entire infrastructure from a central administrator account.<\/p>\n\n\n\n<p>Governance and compliance<\/p>\n\n\n\n<p>In the case of very large companies, it is helpful to provide a self-service portal from which to implement configurations validated by the company. <strong>Service Catalog<\/strong>, together with <strong>CloudFormation<\/strong>, helps you achieve consistent governance and meet compliance requirements.<\/p>\n\n\n\n<p>Procedures must be supported by the collection of metrics; with the <strong>Audit Manager<\/strong>, it is easier to evaluate the efficiency of policies, procedures and controls.<\/p>\n\n\n\n<p><strong>Costs control<\/strong><\/p>\n\n\n\n<p>The cost allocation can be achieved through the <strong>Billing Conductor<\/strong> service. It allows you to create ad hoc invoices in case of complex needs in separating the costs (customers or business).<\/p>\n\n\n\n<p>A cost control strategy is necessary, and it must go through a process of optimization of the computational part (<strong>AWS Compute Optimizer<\/strong>) and follow the automatic recommendations for the <strong>Reservation<\/strong> plans and the <strong>Saving Plans<\/strong>.<\/p>\n\n\n\n<p><strong>Disaster recovery<\/strong><\/p>\n\n\n\n<p>Critical workloads with strict business continuity constraints require implementing an <strong>active-active multi-site strategy<\/strong>. This strategy consists of two workloads located in different accounts and regions ready to receive all production traffic without creating data split-brain scenarios.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">To conclude<\/h2>\n\n\n\n<p>The Cloud is a revolutionary tool, but only when properly used; therefore, it is essential to have an informed, structured approach to the new model before you even think about services and features. First, companies evaluating a paradigm shift should provide IT teams with adequate training to build a Cloud Center of Excellence (CCoE) within the company. This group will be designated for making strategic decisions based on new responsibilities and available data and will successfully lead the transformation process.<\/p>\n\n\n\n<p>In this blog series, we focused on the concept of Landing Zone, the primary aspects that a CCoE should be able to understand and apply. The collaboration between the CCoE and an expert partner allows companies to design their own Cloud environments in the best possible way and to customize it according to each company-specific need. Always with evolution in mind:&nbsp; just like any IT project, the Landing Zone is not a static object. Instead, it is something dynamic that must be adapted continuously to the never-ending change both in the company and the AWS world.<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Our previous articles discussed what a Landing Zone is and why it is important for any company to implement. Then, [&hellip;]<\/p>\n","protected":false},"author":5,"featured_media":4713,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[468],"tags":[586,580,566],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.9.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Examples of Landing Zone implementations - Proud2beCloud Blog<\/title>\n<meta name=\"description\" content=\"In this article we\u2019re proposing examples of Landing Zone implementations based on two different company types: Small IT and Large IT\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Examples of Landing Zone implementations\" \/>\n<meta property=\"og:description\" content=\"In this article we\u2019re proposing examples of Landing Zone implementations based on two different company types: Small IT and Large IT\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/\" \/>\n<meta property=\"og:site_name\" content=\"Proud2beCloud Blog\" \/>\n<meta property=\"article:published_time\" content=\"2022-07-22T07:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-07-22T08:54:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2022\/07\/Copertina-blog-22-07-22_22-07-22-social-eng.png\" \/>\n\t<meta property=\"og:image:width\" content=\"2499\" \/>\n\t<meta property=\"og:image:height\" content=\"1308\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Nicola Ferrari\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Examples of Landing Zone implementations\" \/>\n<meta name=\"twitter:description\" content=\"In this article we\u2019re proposing examples of Landing Zone implementations based on two different company types: Small IT and Large IT\" \/>\n<meta name=\"twitter:image\" content=\"https:\/\/blog.besharp.it\/wp-content\/uploads\/2022\/07\/Copertina-blog-22-07-22_22-07-22-social-eng.png\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Nicola Ferrari\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/\",\"url\":\"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/\",\"name\":\"Examples of Landing Zone implementations - Proud2beCloud Blog\",\"isPartOf\":{\"@id\":\"https:\/\/blog.besharp.it\/#website\"},\"datePublished\":\"2022-07-22T07:00:00+00:00\",\"dateModified\":\"2022-07-22T08:54:38+00:00\",\"author\":{\"@id\":\"https:\/\/blog.besharp.it\/#\/schema\/person\/c7a43fb4eda911877f8ce2702c09706f\"},\"description\":\"In this article we\u2019re proposing examples of Landing Zone implementations based on two different company types: Small IT and Large IT\",\"breadcrumb\":{\"@id\":\"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.besharp.it\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Examples of Landing Zone implementations\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.besharp.it\/#website\",\"url\":\"https:\/\/blog.besharp.it\/\",\"name\":\"Proud2beCloud Blog\",\"description\":\"il blog di beSharp\",\"alternateName\":\"Proud2beCloud Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.besharp.it\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.besharp.it\/#\/schema\/person\/c7a43fb4eda911877f8ce2702c09706f\",\"name\":\"Nicola Ferrari\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.besharp.it\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/cdf6121b27aba78c0e1b61f1d5888325?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/cdf6121b27aba78c0e1b61f1d5888325?s=96&d=mm&r=g\",\"caption\":\"Nicola Ferrari\"},\"description\":\"Cloud Infrastructure Line Manager @ beSharp and AWS authorized instructor champion. I live my life one level at a time getting superpowers by collecting caffeine hidden here and there in my daily map. I\u2019m a hardened internet surfer (yes, I surfed the whole internet\u2026 twice!) and tech-addicted with a passion for computers and networking. Building great IT things all nice and tidy contribute to achieving my main goal: the pursuit of perfection!\",\"url\":\"https:\/\/blog.besharp.it\/author\/ferro\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Examples of Landing Zone implementations - Proud2beCloud Blog","description":"In this article we\u2019re proposing examples of Landing Zone implementations based on two different company types: Small IT and Large IT","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/","og_locale":"en_US","og_type":"article","og_title":"Examples of Landing Zone implementations","og_description":"In this article we\u2019re proposing examples of Landing Zone implementations based on two different company types: Small IT and Large IT","og_url":"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/","og_site_name":"Proud2beCloud Blog","article_published_time":"2022-07-22T07:00:00+00:00","article_modified_time":"2022-07-22T08:54:38+00:00","og_image":[{"width":2499,"height":1308,"url":"https:\/\/blog.besharp.it\/wp-content\/uploads\/2022\/07\/Copertina-blog-22-07-22_22-07-22-social-eng.png","type":"image\/png"}],"author":"Nicola Ferrari","twitter_card":"summary_large_image","twitter_title":"Examples of Landing Zone implementations","twitter_description":"In this article we\u2019re proposing examples of Landing Zone implementations based on two different company types: Small IT and Large IT","twitter_image":"https:\/\/blog.besharp.it\/wp-content\/uploads\/2022\/07\/Copertina-blog-22-07-22_22-07-22-social-eng.png","twitter_misc":{"Written by":"Nicola Ferrari","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/","url":"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/","name":"Examples of Landing Zone implementations - Proud2beCloud Blog","isPartOf":{"@id":"https:\/\/blog.besharp.it\/#website"},"datePublished":"2022-07-22T07:00:00+00:00","dateModified":"2022-07-22T08:54:38+00:00","author":{"@id":"https:\/\/blog.besharp.it\/#\/schema\/person\/c7a43fb4eda911877f8ce2702c09706f"},"description":"In this article we\u2019re proposing examples of Landing Zone implementations based on two different company types: Small IT and Large IT","breadcrumb":{"@id":"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.besharp.it\/examples-of-landing-zone-implementations\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.besharp.it\/"},{"@type":"ListItem","position":2,"name":"Examples of Landing Zone implementations"}]},{"@type":"WebSite","@id":"https:\/\/blog.besharp.it\/#website","url":"https:\/\/blog.besharp.it\/","name":"Proud2beCloud Blog","description":"il blog di beSharp","alternateName":"Proud2beCloud Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.besharp.it\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.besharp.it\/#\/schema\/person\/c7a43fb4eda911877f8ce2702c09706f","name":"Nicola Ferrari","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.besharp.it\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/cdf6121b27aba78c0e1b61f1d5888325?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/cdf6121b27aba78c0e1b61f1d5888325?s=96&d=mm&r=g","caption":"Nicola Ferrari"},"description":"Cloud Infrastructure Line Manager @ beSharp and AWS authorized instructor champion. I live my life one level at a time getting superpowers by collecting caffeine hidden here and there in my daily map. I\u2019m a hardened internet surfer (yes, I surfed the whole internet\u2026 twice!) and tech-addicted with a passion for computers and networking. Building great IT things all nice and tidy contribute to achieving my main goal: the pursuit of perfection!","url":"https:\/\/blog.besharp.it\/author\/ferro\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/posts\/4706"}],"collection":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/comments?post=4706"}],"version-history":[{"count":0,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/posts\/4706\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/media\/4713"}],"wp:attachment":[{"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/media?parent=4706"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/categories?post=4706"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.besharp.it\/wp-json\/wp\/v2\/tags?post=4706"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}