Landing Zone... what on cloud is it?
Let us get the basics right first up
Landing Zones are not new, but the term “Landing Zone” is. Agree?
Since the early days of Cloud adoption (and really, we are not talking about more than a decade back), organisations adopting cloud had to design a foundation or a base, in one form or another, on which they could then overlay the workloads and resources (infrastructure and services). So, what is a Landing Zone? – A foundation consisting of multiple accounts in a linked and nested structure (sometimes a complicated mesh) that makes sense of, and addresses, the requirements. If I were to draw an analogy with farming – it is a well-ploughed and fertilized land where our farmers (a.k.a. architects and engineers) can sow and grow (a.k.a. design and build) the required crops (a.k.a. applications and workloads).
Eventually CSPs realised a need for something serious, and hence a more formal concept of the Landing Zone. Of course, with the advent of the term “Landing Zone”, there have been more constructs and services (mostly platform specific) that make the deployment much easier and more effective. For example, in the AWS world we have Control Tower, Organizations, Organizational Units (OUs), Service Catalog, Account Factory etc.
What does it take to design and implement a good Landing Zone?
Notice here that I have not used the word ‘perfect’ but rather ‘good’ for the Landing Zone. Why? Because it is never perfect and complete. Remember – in today’s digital world, we are designing and implementing something that is tomorrow’s legacy. Requirements will change (read agile) and hence your Landing Zone should keep evolving as well. Your digital assets must re-energise continuously to stay relevant and good – and the Landing Zone is one such asset.
Continuing with our analogy – what does it take to ensure that the crops we are going to grow will be safe from insects and pests and that access to the farm itself is limited (security), that the farm provides the perceived financial benefits (cost optimization), and that the harvest can be increased to match the demand (scalability)? Okay, I agree this is not the most accurate comparison, but you get the point!
The answer is simple – thorough planning and preparation. Prepare the base (a.k.a. the Landing Zone) well, i.e. do some research on the best practices and techniques to make the soil fertile, water thoroughly, procure the best fertilizers and manures etc.
Similarly, for an effective and successful Landing Zone deployment – get all the brains in the room, collaborate and try to answer the following questions as part of the planning and design phase:
As said earlier, once the Landing Zone has been deployed, the onus shifts to continuous auditing and monitoring of what you have done, to ensure the workloads function as expected or even better. Okay… okay… here I go again with my analogy – you continuously monitor your farm, soil and sown seeds, water regularly and make sure it is free of insects and pests. You can’t rest just because you have done a good job during the pre-deployment stages.
Conclusion
Actual execution or deployment is just one part of the whole process, and probably the more technology-focussed part, requiring specific skills such as AWS Control Tower, Organizations, SCPs etc. However, in my opinion, the pre-execution phases from discovery to design should take more precedence. These are the phases where people and processes overpower the technical aspects. If the right stakeholders are not involved and if requirements are not understood properly, the deployment (which is probably worth a day or two) might be totally irrelevant.
Remember, a Landing Zone is the base for successful operations and management of what you put on it. Deployment is not merely clicking some buttons in the console (for example, AWS Control Tower); a lot of it is about proper planning and design with key stakeholders involved. And yes – what about a good enterprise-wide Cloud Operating Model and a Cloud Adoption Strategy? They do play an important role as inputs into the planning and design phase, but I’ll keep that for another day (hopefully with another interesting analogy 😉). For now, just understand that elements like the operating model and framework will also help in coming up with an effective multi-OU and multi-Account strategy for the Landing Zone.
The idea of writing this article was not to teach the steps to create a Landing Zone. I would rather see the CSP-specific documentation for that. This is just a blurb out of my experiences and not an attempt to preach the DOs and DON’Ts of deploying a Landing Zone. I am happy to learn further from you (positive or negative comments… keep ’em coming).
Good narration Rohit
Great write-up Rohit. I would like to suggest a few more areas like centralized logging and visualization (feeds from central cloud platform and workloads), security event reporting, incident and responses management, workload patching and image management, tagging policies and process to enable FinOps capabilities for completeness.