What is a landing zone? (explained in 4 min)


In the past when companies adopted the Cloud, everything was managed through a single account e.g. development, test, staging, and production.

The problem of having to manage multiple environments within a single account is a cause of concern if the security isn’t managed properly. Another disadvantage is the lack of scalability, flexibility to onboard new teams and applications, and the lack of central control and monitoring.

These disadvantages can be solved by implementing a landing zone when you’re adopting the cloud and migrating your workloads. A Landing zone allows you to quickly set up a Cloud environment using automation including best practice configurations for security so you can focus on your core business.

What is a landing zone in the cloud?

A landing zone is a pre-defined, secured, multi-account environment that is ready to onboard different workloads and teams in an automated manner.

The goal of a landing zone in the Cloud is to have guardrails in place that allow you to onboard different teams and applications and divide them over multiple accounts so that the workloads are secured and isolated and where security controls are managed centrally.

When you compare that to adopting the Cloud without a landing zone, the typical things that go wrong when managing everything on a single account from my experience with different clients are:

  • Users having access to different environments on the same account e.g. dev and production
  • Untagged resources confuse the ownership and usage (monitoring & billing)
  • Potential big blast radius in case of getting a breach with having all the data stored centrally.
  • Loss of control, for example, a production environment requires different security control policies compared to a development environment.

What are the benefits of creating a landing zone?

Now that more and more businesses leverage the Cloud and are migrating their applications. You’ll notice that the 3 major suppliers Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) have spent a lot of effort in improving Cloud adoption.

So therefore the concept of a Cloud landing zone has matured over the years and has resulted in a fundamental cloud adoption framework such as the AWS Well-Architected Framework.

AWS Well-Architected and the Six Pillars overview
AWS Well-Architected and the Six Pillars overview

These frameworks describe the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud.

This means you can leverage the knowledge within this framework and apply it to organize your account architecture setup for your business without reinventing the wheel.

The biggest features and benefits of creating a landing zone for your organization are:

  • Improved security controls – It’s possible to apply different security policies between different workloads.
  • Central user management – You can manage authentication and authorization from a central control plane. This allows you to rapidly onboard new teams and apply specific policies to each group or individual.
  • Data isolation – limiting an environment to an account means that the data is contained within the boundaries and security policies of that account. So if a potential breach happens, the rest of the environments are safe since they are isolated from each other.
  • Improved visibility – Tagging resources and confining resources within the boundaries of an account gives clear visibility of which team builds what and how much of it is being used.
  • Set limitations – By separating environments in different accounts you’re able to set limits on Cloud services which prevents them from consuming too much and limits any potential overprovisioning. A good example is having sandbox accounts where developers can test a limited number of resources that are linked to budget controls so the business avoids overspending money on overprovisioned resources.

Why do I need a landing zone?

The reason you need a landing zone when you’re adopting the cloud is that it can accelerate the path to migrations. The landing zone acts as a controlled and secure foundation where you can quickly deploy new applications and services without having to spend time configuring the bare essentials like setting up AWS CloudTrail or AWS organizations to get building. This means you have more time left over to innovate and accelerate your core business.

How can I start creating a landing zone?

There are multiple solutions available that help you set up a landing zone in an automated way. In this section, we’ll focus on landing zones offered on AWS.

Which landing zone solutions are available on AWS?

To make it easy for you, there are two mature solutions available that allow you to build a landing zone on AWS:

Here you’ll find a table that contains the trade-offs between each solution:

SolutionFeaturesTrade-offs
AWS Control Tower1. Managed service with full support from AWS
2. Compliance status and monitoring are visible from a dashboard
3. Accounts can be created from the AWS Console
4. Security policies are applied out-of-the-box
1. Limited extensibility and customization. New features and changes are heavily reliant on the support of AWS.
2. Can be slow and the user interface is rather unintuitive.
3. No API or programmatic support
4. No CloudFormation or AWS CDK support
AWS Organization Formation1. Use infrastructure as code to manage AWS Organizations.
2. Freedom to deploy your custom stacks in your preferred way e.g. AWS CloudFormation or AWS CDK.
3. Re-use the same codebase to manage different organizations, by storing the code in version control e.g. GitHub.
1. Limited support as this project is open source and maintained by a small group.
2. Takes a bit of time to learn the framework and how to set up a new project from scratch.
AWS Control Tower vs AWS Orgformation

I’m more in favor of AWS Orgformation because it allows me to control AWS accounts in a consistent and repeatable way since I can build everything in code and store it in git version control.

As a Cloud Consultant, I have to repeatedly build landing zones for different clients and organizations. Therefore having the ability to clone my information projects will accelerate my deployment times and reduces repeatability.

With AWS Control Tower you have to manually maintain the structure and compliance of the accounts you manage in AWS. Therefore you’ll lose a bit of repeatability in favor of clicking everything together.

Conclusion

Managing multiple environments on the same account is a bad practice that should be avoided at all costs. You’ll quickly learn that onboarding new workloads and teams on your cloud platform can become time-consuming and insecure because there is a lack of control and visibility.

By making use of a landing zone in the Cloud, you’ll be able to migrate your business’s applications and teams faster and more securely by automating the setup and configuration of your accounts in the Cloud.

If you’re interested in finding out more about how you can leverage the power of a landing zone in AWS to accelerate your business. Then you can contact us to help you build one for your organization.


Danny Steenman

Is a Principal Cloud Consultant with a background in DevOps Engineering and thorough hands-on experience in architecting and building highly scalable distributed systems on AWS Cloud using Infrastructure as Code.

A prominent leader who is passionate about sharing AWS technical expertise by writing technical articles.