Cloud is touted as new-age computing, especially now that the number of enterprise workloads migrated to cloud is rising exponentially. The agility, flexible financial model and productivity of cloud platforms have accelerated this move, making it imperative for enterprises to have the right strategy in place. When planning a cloud migration and an adoption strategy, it is important to create an effective operational and governance model that is connected to business goals and objectives. At this point, building an efficient cloud landing zone plays a big role. In this article we will take a deeper look into why having a cloud landing zone is a key foundation block in the cloud adoption journey. We will also elaborate on the building blocks for creating a mature landing zone.
What is a Landing Zone?
The cloud landing zone is an environment configured for desired standards and best practices that provides foundational capabilities for workloads that are deployed in the cloud. What are these foundational capabilities? Think of any application deployment platform and identify the following attributes:
- Provision for identity and access management
- Reliable connectivity and adequate network topology
- Desired Security & Operational Instrumentation
- Automation of Ops for efficiency
A landing zone deployment will contain all of these attributes to create a secure, scalable and operationally efficient environment in cloud where workloads can be deployed and managed.
The significance of a Landing Zone
Now, you must be thinking, isn’t this obvious? These concerns existed prior to the era of cloud, so what changed? Well, the change is the arrival and proliferation of cloud as the new way of running IT. Cloud platforms have made it easy to build, deploy and run apps in virtually no time. Consider that you can:
- Set up and run a fully functional virtual network in cloud in a matter of a few minutes
- Set up and run a fully featured data warehouse in less than 10 minutes
- Scale a 3 node VM cluster to 20 nodes in less than an hour
Imagine having to execute these activities in a traditional data center. While this new power of the cloud is quite liberating, such capabilities need to be handled carefully. Best practice is to make a conscious effort to create a “standardized,” “secured” and “maintainable” cloud environment. If different teams are given the freedom to deploy workloads with their own assumptions and understanding, they can harness the power of cloud, but that will lead to a few challenges, such as:
- Risk of each deployment lacking adherence to security standards, thereby risking breaches and data loss.
- Lack of operational efficiencies; for example, each team may adopt a certain blueprint to operate workloads on cloud that is not aligned.
- Potential cost inefficiencies that can negate the perceived cost benefits of cloud platforms, due to a variety of instrumentation models as opposed to aligning with one specific model.
- Efficiency and agility of the underlying cloud infrastructure is constrained by the maturity that a given team brings to deployment activities.
A cloud landing zone addresses all of these concerns. It allows enterprises to standardize cloud environments, so that teams deploying and managing workloads will experience consistency across ops instrumentation, access control, connectivity and other key concerns.
Building a landing zone is therefore a starting point to meet the needs of any kind of cloud transformation journey. It effectively lays the groundwork and the platform on which cloud workloads are deployed and managed.
What are the building blocks?
The landing zone is designed to implement the following foundation elements.
Tenancy, Access & Cloud Subscription Management
The landing zone must provide a streamlined approach to managing the tenancy / multiple cloud subscriptions and the overarching access management when using these constructs. This creates a centralized approach to managing user and application access in a consistent manner and allows streamlined governance per enterprise standards. In other words, the landing zone implements a pre-defined blueprint that defines the various access types and Role-Based Access Control (RBAC), and separates multiple cloud subscriptions to achieve the desired isolation and division of responsibilities.
- Creation of Management Groups
- Implement RBAC
- Deploy multi-subscription environment for shared services, responsibility isolation etc.
The landing zone should be built to leverage existing identity management capabilities. Rather than creating a new identity management repository, the existing identity repository is replicated into the cloud environment. This approach allows existing identity management controls to be extended into the cloud environment. In addition, users can switch between cloud-based and non-cloud applications in a seamless manner.
- Identity replication from traditional environments
- Federated authentication
- Common application principals
Most enterprises operate across multiple environments: cloud and traditional data centers. Further, there may be clients that operate across multiple cloud platforms. In this instance, it is essential to build a uniform virtual network topology across these platforms to abstract the underlying complexities from the end user. The existing network topology is extended across each cloud platform, thereby providing a seamless, simplified logical network architecture. This approach simplifies application deployment and network isolation irrespective of the target environment.
- Connectivity across environments and sites
- Implementation of uniform ACLs and network policies
One of the biggest challenges of adopting the full capabilities of the cloud is enforcing adequate security standards. The landing zone build out takes these standards into consideration by implementing and enforcing required controls in the cloud environment. This build out provides a single pane of glass for management and governance of security controls across environments. As part of this process, consistent architecture is deployed for concerns such as Edge Security, Threat Management, Vulnerability Management, Transmission Security, and others.
- Uniform Tooling across environments
- Fulfilling enterprise compliance requirements
- Threat Instrumentation
- Data & System Security
DR & Data Retention
When planning cloud adoption, extending existing policies and toolsets for Data Retention and Disaster Recovery is a key consideration. The landing zone takes into account the instrumentation required to meet the policy requirements. The actual design may or may not use the same toolset (there are many alternate cloud native options available), but the goal is to have a common implementation to meet the policy requirements.
- Data Retention Policy Implementation
- DR Tooling & Orchestration Configuration
- System and Data Backup Automation
The landing zone automates the implementation of monitoring, engineering ops, and governance. Additionally, a landing zone addresses cloud-specific concerns such as cost management and alerts, reactive scalability, and templated deployment. This facilitates a right-sized environment that provides the optimal compute needed by the application workloads.
- Monitoring & Alerts
- Central Log Management
- Ops Automation
- Cost Management & Monitoring
- Service Catalog Blueprints
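The building blocks above only deliver consistency if every subscription is checked against the same blueprint. The following is an added example, not part of the original article or of any vendor tooling: a small drift audit covering tenancy, RBAC, network ACLs and ops instrumentation. The blueprint contents, subscription names, principals and rule format are all constructed for illustration.

```python
# Added illustration: audit subscriptions against a landing zone blueprint.
# Every name and value below is constructed sample data, not a real API or tenant.

DENY_SSH = ("deny", "inbound", "0.0.0.0/0", 22)
DENY_RDP = ("deny", "inbound", "0.0.0.0/0", 3389)

# The pre-defined standard each subscription is expected to meet.
BLUEPRINT = {
    "allowed_roles": {"Reader", "Contributor", "NetworkOperator"},
    "required_acl": {DENY_SSH, DENY_RDP},
    "required_ops": {"central_logging", "backup", "cost_alerts"},
}

# Constructed inventory, as an export from the cloud platform might look.
SUBSCRIPTIONS = [
    {"name": "shared-services", "management_group": "platform",
     "rbac": [("grp-netops", "NetworkOperator"), ("grp-audit", "Reader")],
     "acl": [DENY_SSH, DENY_RDP],
     "ops": {"central_logging", "backup", "cost_alerts"}},
    {"name": "team-a-prod", "management_group": "workloads",
     "rbac": [("alice", "Owner"), ("grp-app", "Contributor")],
     "acl": [DENY_RDP],
     "ops": {"central_logging", "backup", "cost_alerts"}},
    {"name": "team-b-dev", "management_group": None,
     "rbac": [("grp-dev", "Contributor")],
     "acl": [DENY_SSH, DENY_RDP],
     "ops": {"backup"}},
]

def audit(sub, blueprint=BLUEPRINT):
    """Return a list of deviations from the blueprint for one subscription."""
    findings = []
    if not sub.get("management_group"):
        findings.append("tenancy: not placed in a management group")
    for principal, role in sub.get("rbac", []):
        if role not in blueprint["allowed_roles"]:
            findings.append(f"rbac: {principal} holds non-blueprint role {role}")
    for rule in sorted(blueprint["required_acl"] - set(sub.get("acl", []))):
        findings.append(f"network: missing ACL rule {rule}")
    for item in sorted(blueprint["required_ops"] - set(sub.get("ops", ()))):
        findings.append(f"ops: {item} not configured")
    return findings

def audit_all(subs=SUBSCRIPTIONS):
    """Map each subscription name to its list of findings (empty = compliant)."""
    return {s["name"]: audit(s) for s in subs}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "DRIFT")
        for finding in findings:
            print("  -", finding)
```

Run on a schedule against a real inventory export, a check of this shape turns the blueprint from a document into an enforced baseline.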
Infogain’s Approach for building Landing Zones
Infogain helps the enterprise build and deploy cloud landing zones as part of the overall cloud transformation journey. Infogain has an elaborate cloud transformation framework to help organizations migrate to cloud at scale. One approach for landing zone buildout is identifying common use cases and building a templated approach called “Patterns”. Patterns are a standardized definition of the work breakdown and the effort needed to execute the implementation. Furthermore, the patterns are used with reusable deployment templates to deploy landing zones rapidly.