DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Refcards Trend Reports Events Over 2 million developers have joined DZone. Join Today! Thanks for visiting DZone today,
Edit Profile Manage Email Subscriptions Moderation Admin Console How to Post to DZone Article Submission Guidelines
View Profile
Sign Out
Refcards
Trend Reports
Events
Zones
Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones AWS Cloud
by AWS Developer Relations
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Partner Zones
AWS Cloud
by AWS Developer Relations
Building Scalable Real-Time Apps with AstraDB and Vaadin
Register Now

Trending

  • Merge GraphQL Schemas Using Apollo Server and Koa
  • Exploratory Testing Tutorial: A Comprehensive Guide With Examples and Best Practices
  • Revolutionizing Algorithmic Trading: The Power of Reinforcement Learning
  • Top 10 Engineering KPIs Technical Leaders Should Know

Trending

  • Merge GraphQL Schemas Using Apollo Server and Koa
  • Exploratory Testing Tutorial: A Comprehensive Guide With Examples and Best Practices
  • Revolutionizing Algorithmic Trading: The Power of Reinforcement Learning
  • Top 10 Engineering KPIs Technical Leaders Should Know
  1. DZone
  2. Data Engineering
  3. Databases
  4. Optimize AWS Landing Zone

Optimize AWS Landing Zone

Agustin Romano user avatar by
Agustin Romano
·
Sep. 22, 20 · Presentation
Like (1)
Save
Tweet
Share
2.55K Views

Join the DZone community and get the full member experience.

Join For Free

AWS consistently releases best-practices guides, whitepapers, and documentation to outline more and more ways for developers to simplify cloud infrastructure management. Manually maintaining and managing cloud infrastructure is feasible when you have a single, simple environment to control. Add complexity into the mix, however, and it is easy to lose track of the nodes and services you have running.

Architectural complexity becomes even more challenging when you start leveraging multi-account environments across your organization. Using multiple accounts and services allows you to overcome specific challenges of developing and running cloud-native apps in a seamless and efficient way, but it is certainly not something you want to do manually.

This is where AWS Landing Zone is designed to come in handy. AWS Landing Zone is a solution that is designed from the ground up around running multiple account and cloud environments with complex AWS clusters while staying true to AWS Well-Architected Framework best practices. Even better, there are ways you can optimize AWS Landing Zone for specific purposes.

Starting From Scratch

The real challenge of deploying cloud-native apps on top of Amazon services doesn’t lie in the actual deployment process itself. Amazon offers tools like CodePipeline and CodeDeploy, both of which streamline your deployment pipeline significantly.

The real challenge is configuring a base environment that can support the native apps running on top of it in an efficient yet sustainable way. You have to think not only about the challenges you face right now but the potential challenges you face in the future.

There are a lot of basics to cover in this phase. The base environment is called the landing zone because it is where your cloud-native apps and microservices land when they are ready to be deployed.

The landing zone includes key elements, such as your account structure, your IAM and security configurations, the default network settings, and of course, the basic services you use to power your AWS environment.

Support for multiple accounts allows for larger environments to be managed by multiple teams. Since teams can focus on a specific part of the environment—or certain services they are regulating—you can configure the accounts in such a way that they don’t overstep each other.

Key Components

A multi-account structure provides the best balance between ease of use and control. Rather than having teams sharing a single master account — which is the root of many fundamental issues faced by those running their apps this way — they can have core and team accounts with separation of access and resources.

The organization still has a single master account, and this is the account that provisions member accounts and cloud resources. Amazon provides AWS Organizations Service to make managing your organization’s master account a smooth process.

There are also Core accounts in an organizational unit with access to critical functions such as Shared Services and Log Archive. For teams and departments, you can configure Team or Group accounts, each with its own group level; this allows for detailed control over accounts.

Team accounts can have Core accounts in them. This means a Team can have access to security functions and Shared Services in such a way that access control becomes easy. Alongside team accounts, you can also have Developer accounts for individuals completely sandboxed.

Another key component to this setup is connectivity. Accounts can have customized networking patterns, but it is still necessary to set up default networking patterns for both the accounts and external data centers and services.

Keep in mind that setting up these accounts—the structure of your multi-account cloud environment—manually involves making a lot of design decisions and staying true to them. As mentioned before, trying to configure a complex cloud environment manually can be daunting.

AWS Landing Zone Optimization

Fortunately, AWS Landing Zone eliminates the need for manual configuration of cloud structure and replacing it with a simple, automated workflow. When you configure AWS Landing Zone, the service automatically configures your multi-account architecture and key components.

When you start adding new accounts and altering the base configuration of your cloud architecture, Landing Zone maintains efficiency and scalability behind the scene. Account Baseline, Shared Services, and other components can be linked to organizational units.

The service also lets you comply with AWS best practices without doing manual checks, regardless of the architecture you are trying to build. You can have a Log Archive Account with CloudTrail logs, Audit Account with CloudWatch aggregator, and Security account with GuardDuty and SNS.

Landing Zone grants you access to the Account Vending Machine, which simplifies creating new accounts even further. AWS Single Sign-On is used by default, so there is no need to manually configure user roles or create separate accounts to compartmentalize different AWS services.

As an added feature, Landing Zone integrates well with AWS Service Catalog; well, all AWS services play well with each other. AWS Service Catalog allows self-service architecture management from multiple accounts.

More Optimization Tips

If you think AWS Landing Zone is useful enough with the automation features that it offers, you will certainly appreciate the optimization options the service also offers, starting with the fact that you can optimize the manifest file used by AWS CodePipeline to configure the way accounts are set up.

Blueprints and security measures are also fully integrated, but you can take it a step further and integrate your own security policies for an air-tight cloud environment. Since Landing Zone always follows AWS best practices, security becomes less of a concern.

Other optimizations—and modifications—that can be added to Landing Zone for better visibility and scalability are:

  • Auto-tagging, which can be achieved with a simple auto-tagging template
  • Access key rotation for better security via IAM
  • MFA enforcement
  • KMS rotation configured to the specific timeframe that suits your needs
  • Integration external services like Slack for alerts and notifications
  • Budgeting and billing notifications for accounts
  • Global security mods, including denying the creation of an internet gateway for accounts
  • CloudWatch integration for better visibility

That last part is actually very important. You can create a comprehensive dashboard by integrating CloudWatch status check and using Lambda function to monitor CloudTrail for certain activities such as specific API calls.

Everything else is easy from there. With AWS Landing Zone creating the perfect, well, landing zone for your cloud-native apps, you can focus on developing and deploying the apps rather than creating a suitable environment for them to run.

AWS microservice app Cloud teams security

Published at DZone with permission of Agustin Romano. See the original article here.

Opinions expressed by DZone contributors are their own.

Trending

  • Merge GraphQL Schemas Using Apollo Server and Koa
  • Exploratory Testing Tutorial: A Comprehensive Guide With Examples and Best Practices
  • Revolutionizing Algorithmic Trading: The Power of Reinforcement Learning
  • Top 10 Engineering KPIs Technical Leaders Should Know

Comments

Partner Resources

X

ABOUT US

  • About DZone
  • Send feedback
  • Careers
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 600 Park Offices Drive
  • Suite 300
  • Durham, NC 27709
  • support@dzone.com

Let's be friends: