Landing Zones: Creating a Foundation for Your AWS Migrations When migrating lots of applications to the cloud, it's important to architect cloud environments that are efficient, secure and compliant. AWS Landing Zones are a prescriptive set of instructions for deploying an AWS-recommended foundation of interrelated AWS accounts, networks, and core services for your initial AWS application environments. This session will review the benefits and best practices. Ali Juzer, Cloud Architect, Professional Services, Amazon Web Services

1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Ali Asgar Juzer
Sr. Advisory Consultant, Professional Services,
Amazon Web Services
Landing Zones: Creating A Foundation
For Your AWS Migrations

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Session Agenda
1. Definition of the Problem
2. Landing Zone Concept
3. Components of a Landing Zone
4. AWS Best Practices & Tips for Building a Landing Zone

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Definition Of The Problem

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
meets the organisation’s
security and auditing
requirements
ready to support highly
available and scalable
workloads
configurable to
support evolving business
requirements
What Do You Need

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landing Zone Concept

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landing
Zone
What Is A Landing Zone
Multi-Account AWS
Environment Based
on AWS Best Practices
Set of Architecture Patterns
For Shared Core Services
Adaptable Foundation
With Governance
Guardrails
Automation Driven
Versioned Infrastructure

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Logging Configuration Image
Migrate
Iterate
Operate &
Optimise
Start Accounts
End User
Interaction
AutomationService
Catalog
Domains Direct
Connect
Central
Services
Access Identities Federation
Network Security
Identity &
Access
Cloud
Users
What’s
Next ?
Building A Landing Zone
Business
Needs

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landing Zone Components

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Account Structure
Billing visibility
Environment isolation
Small blast radius
Shared Core services
Centralised logs
Governance at Scale

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Non-overlapping
IP range
VPC Design
Logging and
Monitoring
VPN / AWS
Direct Connect
Subnet Design
Access Control Lists &
Security Groups
Network Design

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Network Design
VPN/Direct Connect
VPC Peering
DNS Domains Ingress/Egress Points
Bastion Hosts

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CloudWatch Metrics &
Alarms
CloudTrail Logs for
Auditing
VPC Flow Logs for
Network Insights
AMI Factory for
Hardened OS Images
Amazon GuardDuty for
Threat Detection
AWS Config Rules for
Dynamic Compliance
and more…
Security

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity & Access Management

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Corporate Data Centre
Browser
interface
Identity
Store
AD Group
Identity and
authentication
AWS Accounts
Identity & Access Management
Mapping to specific
IAM roles with access
policies
Example: Federation with AD

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Cloud
consumers
Browse products2
5
Notifications
and outputs
Notifications
and outputs
5
4
Deploy
Administrator
3 Select version,
Provision product,
configure
parameters
Portfolio
Cloud Consumption Model
Example: AWS Service Catalog
1 Maintain Products

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Start Accounts Network Security
Identity &
Access
Cloud
Users
What’s
Next ?

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Build, Operate And Optimise
AWS Managed
Services
AWS Managed Services
Provider Partners
Build & Manage
Your Own
Infrastructure Operations
Management for the
Enterprise by AWS
Next Gen Managed Services
Providers with 3rd Party Audits
In-house Capabilities to Run
& Operate at Scale

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Tips To Get Started

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Best Practices & Tips
LZ
1. Automate Everything
2. Start Small, Develop Fast, Iterate Frequently
3. Collaborate & Improve
4. Assess Build vs. Buy Decisions
5. Learn & Seek from the Experts
6. Think Holistic - Business, Governance, People, Platform,
Security & Operations

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What Did We Cover in This Session
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
meets the organization’s
security and auditing
requirements
ready to support highly
available and scalable
workloads
configurable to
support evolving business
requirements
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Landing
Zone
Multi-Account AWS Environment
Based on AWS Best Practices
Set of Architecture Patterns
For Shared Core Services
Adaptable Foundation
With Governance Guardrails
Automation Driven
Versioned Infrastructure
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Managed
Services
AWS Managed Services
Provider Partners
Build & Manage
Your Own
Infrastructure Operations
Management for the
Enterprise by AWS
Next Gen Managed Services
Providers with 3rd Party
Audits
In-house Capabilities to Run
& Operate at Scale
Operate and Optimise

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Thank you!