When working with customers in moving their workloads to the cloud, either on a pure or hybrid approach, it is crucial how to define the layout of the involved cloud accounts. In a way, the cloud accounts can be considered as an extension of the on-premises datacenters or even datacenters themselves. Therefore, these layouts must ensure the ability to meet aspects like networking, identity and access management and security in a scalable and multi-tenancy fashion.
Industry best practices have shown that it is worth investing an initial effort to properly define and build these account blueprints, which are known as Cloud Landing Zones. The specific approach for the Cloud Landing Zones varies from one cloud provider to another, but there are some common aspects between all of them:
- Allowing centralized logging with appropriate levels of permissions for different accounts.
- Clear isolation of the different environments of the hosted applications (dev, staging, prod).
- Centralized and built-in CI/CD infrastructure.
- Simplified and centralized connectivity management.
- Centralized billing, account and permissions management.
Alongside with this, in hybrid environments it is highly desirable that the Cloud Landing Zones follow a structure that preserves as much homogeneity as possible with the on-premises datacenters. This enables the SRE and operations teams to be much more effective and foster the ability to use agnostic automation solutions to support the target reliability levels of the customers.