Many companies are considering the public cloud as a solution to many problems. Scalability, security, global replication, increased development process speed, or cost reduction are the most popular reasons for choosing the cloud. After a year, or maybe two, comes disappointment. The public cloud is more expensive, application performance is weaker, and security doesn’t exist. There are many unknown resources, and no one knows their true purpose. It is complete chaos. Many smart people in the organization are starting to wonder: what has gone wrong? 🤔
The answer is simple — they didn’t start with a Landing Zone and Cloud Governance standards! Ok, but what is a Landing Zone? Why is it so important? Let’s try to find out!
Landing Zone
In aviation, the landing zone is a predetermined area where aircraft can land and take off. The landing zone must be large enough to accommodate the plane and have a clear approach and departure path.
The same concept is in the public cloud — here, Landing Zone is a place where you can deploy your applications to a dedicated space in a fully controlled process. There are many similarities between those two areas. In aviation, you need to know which plane will be landing, talk with the pilot, separate air traffic, and have security standards that must be followed. Cloud computing is the same. You need to be able to identify your resources based on tagging, separate network traffic for them, continuously monitor your application, take some automated actions if something goes wrong, and enforce security policies.
In cloud computing, the landing zone is a complex environment that needs to address several aspects:
- Resource governance
- Networking
- Identity
- Security
- Monitoring
- Infrastructure
- Cost management
- Automation and CI/CD processes
- Data management and architecture (we can create sub-zones called data landing zone and data management zone).
Every one of these aspects has a couple of different elements. For example, in resource governance, we need to:
- plan the resource hierarchy,
- define a naming convention,
- standardize tagging,
- build policies (that enforce or block certain behaviors).
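As an added example (not code from the original post), here is how those four resource-governance elements can be expressed together in Terraform for Azure: a locals block that encodes the naming convention and the standard tag set, a small management-group hierarchy, and a custom policy assigned to the landing-zone group that rejects resources created without the required tags. The organisation name, cost-center value, region and management-group names are placeholders, and it assumes the azurerm provider is authenticated with rights to create management groups and policies.

```hcl
# Added example, not from the original post. Placeholders: "contoso", "CC-0000",
# region code "weu"; assumes azurerm ~> 3.0 with permissions at tenant root.
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Roll the tag policy out as "Audit" first to see what would be blocked,
# then switch to "Deny" once existing resources are compliant.
variable "tag_policy_effect" {
  type    = string
  default = "Audit"
  validation {
    condition     = contains(["Audit", "Deny"], var.tag_policy_effect)
    error_message = "tag_policy_effect must be Audit or Deny."
  }
}

# 1. Naming convention and tagging standard, defined once and reused everywhere:
#    <org>-<workload>-<env>-<region>-<type>
locals {
  org           = "contoso" # placeholder organisation short name
  env           = "prod"
  region        = "weu"
  base_name     = "${local.org}-lz-${local.env}-${local.region}"
  required_tags = ["owner", "cost-center", "environment"]
  common_tags = {
    owner         = "platform-team"
    "cost-center" = "CC-0000" # placeholder
    environment   = local.env
    managed-by    = "terraform"
  }
}

# 2. Resource hierarchy: a platform root with a child group for landing zones.
resource "azurerm_management_group" "platform" {
  display_name = "${local.org}-platform"
}

resource "azurerm_management_group" "landing_zones" {
  display_name               = "${local.org}-landing-zones"
  parent_management_group_id = azurerm_management_group.platform.id
}

# 3. Policies: one definition per required tag, defined at the platform root so it
#    can be assigned to any child group. Mode "Indexed" targets only resource
#    types that support tags.
resource "azurerm_policy_definition" "require_tag" {
  for_each            = toset(local.required_tags)
  name                = "require-tag-${each.key}"
  policy_type         = "Custom"
  mode                = "Indexed"
  display_name        = "Require tag '${each.key}' on resources"
  management_group_id = azurerm_management_group.platform.id

  policy_rule = jsonencode({
    if = {
      field  = "tags['${each.key}']"
      exists = "false"
    }
    then = { effect = var.tag_policy_effect }
  })
}

resource "azurerm_management_group_policy_assignment" "require_tag" {
  for_each             = azurerm_policy_definition.require_tag
  name                 = "require-${each.key}"
  management_group_id  = azurerm_management_group.landing_zones.id
  policy_definition_id = each.value.id
}

# 4. A first resource group that follows the naming convention and carries the
#    standard tags, so it passes the policy above.
resource "azurerm_resource_group" "governance" {
  name     = "${local.base_name}-rg"
  location = "westeurope"
  tags     = local.common_tags
}
```

The policy effect is a variable on purpose: a deny policy at management-group scope affects every subscription below it, so the usual rollout is to assign it in Audit mode, review the compliance report, and only then set `tag_policy_effect = "Deny"`.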
In networking, we must figure out how to:
- create hybrid connectivity,
- allocate IP addresses,
- manage DNS,
- design networking for PaaS solutions,
- create the network architecture,
- plan secure internet communication.
In identity, we have to:
- plan account management,
- create or use specific roles,
- manage hybrid identity if we have on-prem identity providers,
- create privileged identity management mechanisms (or use existing cloud-based ones),
- manage service accounts for our resources and applications.
Working on infrastructure, we must:
- specify the resources allowed by our organization,
- choose geographic locations (regions) for resources,
- plan disaster recovery mechanisms,
- design a high-availability (HA) configuration for resources,
- build scaling mechanisms.
There are many more aspects that we need to address to create a fully operational cloud environment. We need to consider most of these topics at the beginning of our cloud journey, especially in big organizations that already have on-prem systems.
Landing Zone example for MS Azure. Source: https://learn.microsoft.com/pl-pl/azure/cloud-adoption-framework/ready/landing-zone/
Do we need it at the beginning?
Let’s imagine that in our organization, somebody has an idea to start working with the cloud. This person is searching the web for information on cloud computing, doing online courses, and maybe visiting meetups for technological inspiration and knowledge. Then there is a decision — let’s try to do something in the public cloud. At this point, you do not need a landing zone. You need to experiment with the cloud and check if it will fit your requirements. You can use a cloud web console, try to create some resources, and maybe make a simple PoC. You need to get familiar with the public cloud concept and all benefits and risks of this model.
So when to start thinking about a landing zone? When you want to put your first production system inside the cloud. It is the point when you need to build a robust cloud environment, and a landing zone is an excellent way to do this.
How to build a landing zone?
Building a suitable landing zone can be a challenge. Every cloud provider publishes materials that describe the design process, and there are many open-source LZ implementations in Terraform.
- MS Azure LZ: https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-principles
- GCP LZ: https://cloud.google.com/architecture/landing-zones
- AWS LZ: https://docs.aws.amazon.com/prescriptive-guidance/latest/migration-aws-environment/understanding-landing-zones.html
The problem is that they are very general.
Let’s get back to aviation. Every airport is different, and because of that, the landing zones for each one will be different and fully customized for that specific airport. The same situation applies in cloud computing. Every organization has a different culture, technology stack, and people, so why should they have the same landing zone? To take full advantage of cloud computing, you must have a landing zone customized for your organization. For that, it is good to use an external consultant who already has experience in this area. They will help you and will be your guide in the cloud adoption process. This person specializes in this task and has worked with many different companies. The consultant has seen which approaches work in other companies and will be able to point out the most significant things you need to take care of in this process.
How should the process of creating a landing zone look?
I know that every consultant can have a different approach, but here I want to share with you one that, based on my experience, is the most efficient. It consists of four phases: knowledge sharing, gathering insights, creating the LZ architecture, and the last one — implementation.
Build fundamental knowledge about cloud computing in your organization.
It is always the first step in our cloud journey. To create a fully operational landing zone, you need committed people who understand the public cloud concept. They need to know what cloud services exist and how they can use them. Here it is essential to build a T-shaped skills model.
The vertical bar in the “T” represents a person’s depth of knowledge and expertise in a specific field. This could be a particular subject area, like networks, data engineering, software development, etc. The horizontal bar in the “T” represents general knowledge about the cloud computing model: understanding how PaaS, SaaS, and IaaS services work in the cloud and when you should use them, and being familiar with cloud cost models, monitoring and observability, and access control.
Many companies try to skip this step at the beginning, but if you skip it, there will be consequences in the future. Cloud is complex, and mistakes at the beginning can be costly later. You need to have a team with good cloud skills.
Start with workshops where you will be able to gather all requirements and create the architecture of your landing zone.
In this stage, when our people understand specific concepts of the cloud, we can start gathering insights and requirements. I always do this in the form of workshops.
For every topic, we schedule 2–4 hours of workshops.
Workshop list:
- Resource governance
- Networking
- Identity
- Security
- Monitoring
- Infrastructure
- Cost management
- Automation and CI/CD processes
- Data management and architecture (we can create sub-zones called data landing zone and data management zone).
At this point, we create high-level architecture for each aspect and work on standardizations.
Every workshop requires specific specialists from your organization to share their insights on particular topics.
Create documentation with cloud governance standards based on workshop results.
After the workshops, you need to document the landing zone architecture and cloud governance standards. At this stage, you go from the high-level to the low-level architecture of your landing zone. This is also the stage when you need to create the standardization and governance policies for your cloud environment.
Implement your landing zone in the IaC approach.
The last stage is the simplest one — you need to implement everything in the IaC approach. To do this, you need to use a landing zone low-level architecture and cloud governance standards as inputs. Based on the cloud you are using, you can choose one of a couple of IaC technologies.
Infrastructure as code (IaC) is a practice that involves managing infrastructure using code and configuration files rather than manually configuring resources through a web-based interface or using a manual process. This process allows your organization to automate infrastructure resource provisioning, configuration, and management, making it easier to deploy and manage complex environments.
Before the implementation phase, you should decide which tool you will use. I will list a couple of them that, in my opinion, are worthy candidates:
- Terraform: Terraform is a tool that enables users to define and manage infrastructure as code using a declarative configuration language called HashiCorp Configuration Language (HCL). It supports many infrastructure providers and can manage infrastructure across public clouds (AWS, GCP, MS Azure), on-premises, and hybrid environments. Currently, it is the most popular tool for IaC, so there are many publications, videos, and online courses about it. You can also easily find cloud engineers that are very skilled in it.
- Pulumi: is a cloud-native infrastructure as code (IaC) platform that enables users to define, deploy, and manage infrastructure using familiar programming languages, such as JavaScript, TypeScript, Python, and Go. It allows users to create and manage resources across many clouds and on-premises platforms, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Kubernetes. With Pulumi, users can define infrastructure as code using a high-level, declarative syntax, which is then translated into the appropriate API calls for the target platform. This enables users to define and manage their infrastructure in a version-controlled, reusable, and maintainable way, making it easier to deploy and manage complex environments.
- Kubernetes Operators: Kubernetes operators are custom controllers that extend the Kubernetes API to create, configure, and manage instances of complex, stateful applications in a Kubernetes cluster. Operators use the Kubernetes API to watch for and respond to events in the cluster, such as the creation of a new resource or the scaling of an application, and can be used to automate the management of complex workloads. While Kubernetes operators were originally designed to manage applications and resources within a single Kubernetes cluster, it is possible to use operators to control resources in public cloud environments, such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). To use Kubernetes operators to control public cloud resources, you will need to install and configure the operator in your Kubernetes cluster. This typically involves creating a custom resource definition (CRD) for the operator and deploying the operator’s code and any necessary dependencies to the cluster. Once the operator is installed and configured, you can use it to create, configure, and manage public cloud resources by creating and modifying instances of the operator’s custom resource. For example, you might create a custom resource to define an Amazon EC2 instance and use the operator to create and manage that instance from your cluster. When most of your workloads will be in the cloud-native model, the K8s-operator approach to IaC may be the best solution for you.
- Azure Bicep is a domain-specific language (DSL) for defining Azure infrastructure as code (IaC) in a declarative way. It allows you to write reusable, maintainable, and testable infrastructure deployment templates in a simple and intuitive way. Bicep is designed to be easy to learn and use, especially for those familiar with Azure and familiar with JSON or YAML syntax. It provides a more concise and user-friendly syntax for defining Azure resources, as well as a set of built-in functions and directives for extending and customizing your infrastructure deployment templates. With Bicep, you can define all the resources and their dependencies needed to deploy an Azure solution, and then deploy the solution using Azure Resource Manager (ARM) templates. Bicep compiles your Bicep files into ARM templates, which are then deployed to Azure using Azure CLI or Azure PowerShell.
- AWS CloudFormation is a service that helps you automate the process of creating and managing AWS resources. It enables you to use templates to define and deploy your infrastructure in a predictable and repeatable way. CloudFormation templates are written in JSON or YAML and use a declarative syntax to specify the AWS resources and their properties that you want to create. These templates can be used to create, update, and delete stacks of AWS resources, such as Amazon EC2 instances, Amazon RDS databases, and Amazon S3 buckets. CloudFormation provides a set of built-in resource types that you can use in your templates, as well as the ability to create custom resource types using AWS Lambda functions. You can also use CloudFormation to automate the provisioning and management of other AWS services, such as Amazon ECS, Amazon EKS, and Amazon DynamoDB.
After choosing a specific tool, you can start implementing your Landing Zone based on low-level architecture and cloud governance standards.
If you decide to use K8s operators, you must first create seed code in Terraform that provisions your first management cluster and the basic infrastructure for the network architecture and hybrid connectivity.
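As an added example (not code from the original post), this is what such a Terraform “seed” for the network part of an Azure landing zone can look like: a hub virtual network with the reserved GatewaySubnet and AzureFirewallSubnet, a route-based VPN gateway for hybrid connectivity, and a first spoke network peered to the hub so it can use that gateway. It assumes the azurerm provider is already configured (as in a provider block elsewhere in the code base), the address ranges and names are placeholders to be replaced by the IP allocation plan and naming convention from the workshops, and the on-premises side of the VPN (local network gateway, connection and shared key) is deliberately left out.

```hcl
# Added example, not from the original post. Address ranges, names and the
# "contoso" prefix are placeholders; the on-prem side of the VPN is omitted.
locals {
  prefix   = "contoso-hub-prod-weu" # placeholder from the naming convention
  location = "westeurope"
  tags = {
    owner       = "platform-team"
    environment = "prod"
    managed-by  = "terraform"
  }
}

resource "azurerm_resource_group" "hub" {
  name     = "${local.prefix}-rg"
  location = local.location
  tags     = local.tags
}

# Hub VNet: central place for shared services (gateway, firewall, DNS forwarders).
resource "azurerm_virtual_network" "hub" {
  name                = "${local.prefix}-vnet"
  resource_group_name = azurerm_resource_group.hub.name
  location            = local.location
  address_space       = ["10.0.0.0/16"] # placeholder hub range
  tags                = local.tags
}

# Azure requires these exact subnet names for the VPN gateway and Azure Firewall.
resource "azurerm_subnet" "gateway" {
  name                 = "GatewaySubnet"
  resource_group_name  = azurerm_resource_group.hub.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.0.0/27"]
}

resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.hub.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.1.0/26"]
}

# Hybrid connectivity: route-based VPN gateway; the on-prem connection is added later.
resource "azurerm_public_ip" "gateway" {
  name                = "${local.prefix}-gw-pip"
  resource_group_name = azurerm_resource_group.hub.name
  location            = local.location
  allocation_method   = "Static"
  sku                 = "Standard"
  tags                = local.tags
}

resource "azurerm_virtual_network_gateway" "hub" {
  name                = "${local.prefix}-vpngw"
  resource_group_name = azurerm_resource_group.hub.name
  location            = local.location
  type                = "Vpn"
  vpn_type            = "RouteBased"
  sku                 = "VpnGw1"
  tags                = local.tags

  ip_configuration {
    name                          = "vnetGatewayConfig"
    public_ip_address_id          = azurerm_public_ip.gateway.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gateway.id
  }
}

# First spoke (application landing zone), peered to the hub and using its gateway.
# Kept in the hub resource group here for brevity; in practice each spoke lives in
# its own resource group or subscription.
resource "azurerm_virtual_network" "spoke" {
  name                = "contoso-app1-prod-weu-vnet" # placeholder spoke name
  resource_group_name = azurerm_resource_group.hub.name
  location            = local.location
  address_space       = ["10.1.0.0/16"] # placeholder spoke range
  tags                = local.tags
}

resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                      = "hub-to-spoke"
  resource_group_name       = azurerm_resource_group.hub.name
  virtual_network_name      = azurerm_virtual_network.hub.name
  remote_virtual_network_id = azurerm_virtual_network.spoke.id
  allow_forwarded_traffic   = true
  allow_gateway_transit     = true
}

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "spoke-to-hub"
  resource_group_name       = azurerm_resource_group.hub.name
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = azurerm_virtual_network.hub.id
  allow_forwarded_traffic   = true
  use_remote_gateways       = true
  depends_on                = [azurerm_virtual_network_gateway.hub]
}
```

The explicit `depends_on` on the spoke-to-hub peering matters: Azure rejects `use_remote_gateways = true` while the hub gateway does not exist yet, and Terraform cannot infer that ordering from the attributes alone. Everything a spoke needs from the hub (gateway transit, the firewall subnet, later the DNS forwarders) is provisioned once here and then consumed by each application landing zone through peering, which is what keeps hybrid traffic on one controlled path.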
You should invest in the landing zone!
Landing Zone is a crucial part of the cloud adoption journey. Yes, it can be complex, especially at the beginning, but you must build it. You can always use external consultants as your guides in this process if it is too complicated for your organization. A good landing zone will help you better control your cloud resources, have a higher level of security, and lower your cloud infrastructure costs. It is an investment that you should take.