A landing zone is a framework provided by Alibaba Cloud to allow enterprises to migrate their business to the cloud. Landing zones help enterprises plan and implement resource structures, access security, network architectures, and security compliance systems in the cloud. This way, enterprises can build secure, efficient, and manageable cloud environments. Cloud Governance Center allows you to build landing zones by using blueprint templates in a centralized and efficient manner, based on a large number of best practices. Cloud Governance Center integrates the multi-account management capabilities of resource directories and allows you to create a multi-account resource structure for your enterprise efficiently.
Process of building a landing zone
You can build a landing zone by using Cloud Governance Center more simply and efficiently than by deploying a self-managed landing zone. Perform the following steps:

1. Check the qualification of an Alibaba Cloud account.
   The system automatically checks whether the current Alibaba Cloud account meets the requirements for a management account. You can specify a suitable management account based on the check result. For more information, see Check the qualification of an Alibaba Cloud account.
2. Build a landing zone.
   1. Select a blueprint template.
      For information about the supported blueprint templates, see the Supported blueprint templates section of this topic.
   2. Configure items and parameters.
      For information about the items that you can configure to build a landing zone, see the Supported items section of this topic.
   3. Run a building task.
      For more information, see Build a landing zone.
Supported blueprint templates
| Blueprint template | Description |
| --- | --- |
| Standard blueprint | A general-purpose blueprint template. This template contains only the items that are essential to building a landing zone, such as the resource directory, Core and Applications folders, log archive account, and billing account. This template also allows enterprises to enable the required CloudSSO and security compliance protection rules. You can configure the items based on your business requirements. You can configure advanced network, security, and compliance features after you complete the standard blueprint. |
| Standard blueprint (CEN) | A blueprint template that is suitable for enterprises that have high requirements on network security, management, and costs. This template contains the items that are required to build a landing zone and a demilitarized zone (DMZ) of Cloud Enterprise Network (CEN). CEN simplifies network configurations and provides high scalability. The DMZ allows enterprises to configure and manage the traffic ingress and egress in a centralized manner. This improves security and reduces costs. |
| Cloud-native blueprint | A blueprint template that is suitable for enterprises that use the cloud-native technology architecture. This template allows enterprises to build an enterprise-level ACK Pro cluster by using a specific Alibaba Cloud account. The cluster provides high-availability features such as load balancing and multi-zone availability. You can also configure the required permissions to manage the ACK Pro cluster in this blueprint template. |
| Finance industry blueprint | A blueprint template that is suitable for enterprises in the financial industry. The financial industry has high requirements for business isolation. In addition to the items of the standard blueprint template, this template contains the items that are required to build a DMZ of CEN and common compliance packages for the financial industry. |
| Blueprint of medical and biotechnology industries | This template is formulated based on the EU GxP standard and applies to enterprises in the pharmaceutical manufacturing, biotechnology, and medical device industries. In addition to the items that are involved in a standard template, this template contains the items that are required to build a DMZ of CEN and deliver service logs, and the common compliance packages for the biotechnology and medical industries. |
Supported items
| Category | Item | Description | Required | Recommended account |
| --- | --- | --- | --- | --- |
| Resource planning | Create Management Account | Creates a management account that is used to manage a resource directory. | Yes | Management account |
| Resource planning | Enable Resource Directory | Creates a resource directory that is used to build a multi-account structure for an enterprise. | Yes | Management account |
| Resource planning | Create Folder | Creates Core and Applications folders to separate management information and business information. You can modify the names and structures of the folders based on the organization and business architecture of your enterprise. | Yes | Management account |
| Resource planning | Create Core Account | Creates or specifies core accounts, including the billing account, log archive account, security account, and shared service account. You can assign different responsibilities to the accounts to isolate resources for log delivery, network, and security. | Yes | Management account |
| Resource planning | Invite Existing Account | Invites existing Alibaba Cloud accounts to join the resource directory for centralized management. Cloud Governance Center sends an invitation email to the Alibaba Cloud accounts that you specify. The users must log on to the specified Alibaba Cloud accounts and accept the invitation. The invitation is valid for 12 hours. If the invitation is not accepted within the validity period, you must send another invitation. | No | Management account |
| Identities and permissions | Cloud SSO | Enables and initializes CloudSSO, and completes common access configurations. This way, enterprises can quickly configure the permissions and single sign-on for multiple accounts. | Recommended | Management account |
| Compliance and auditing | Unified Delivery of ActionTrail Logs | Delivers ActionTrail logs of multiple accounts to the log archive account. You can deliver logs to Object Storage Service (OSS) for long-term storage or to Simple Log Service for real-time log analysis. | Recommended | Log archive account |
| Compliance and auditing | Unified Delivery of Cloud Config Logs | Delivers Cloud Config logs of multiple accounts to the log archive account. You can deliver logs to OSS for long-term storage or to Simple Log Service for real-time log analysis. | Recommended | Log archive account |
| Compliance and auditing | Guardrails | Configures and enables the protection rules of Cloud Config for all member accounts in your resource directory. This ensures that the basic configurations of Cloud Governance Center and the resource structure that is created in Cloud Governance Center are not modified. This also ensures the security of multi-account environments. After you enable protection rules, you can view the compliance evaluation results of all your resource accounts in the Cloud Governance Center or Cloud Config console. | Yes | Management account |
| Compliance and auditing | Service Log Unified Delivery | Delivers runtime logs by using Simple Log Service in a centralized manner. The logs are collected from various cloud services such as storage services (OSS and File Storage NAS (NAS)), network services (Server Load Balancer (SLB), Application Load Balancer (ALB), API Gateway, and Virtual Private Cloud (VPC)), database services (ApsaraDB RDS, PolarDB-X 1.0, and PolarDB), and security services (Web Application Firewall (WAF), Anti-DDoS, and Cloud Firewall). | No | Log archive account |
| Finance | Configure Trusteeship | Configures the finance trusteeship for unified bill settlement, including the settlement method and the account that is used to settle bills. | Recommended | Billing account |
| Network | Activate CEN | Enables CEN to connect private networks of enterprises, cross-region networks, and cross-cloud networks. We recommend that you create DMZs to improve network security. | No | Shared service account |
| O&M | Enterprise-level ACK Cluster | Creates an enterprise-level ACK Pro cluster for a specific account. The cluster provides high-availability features such as load balancing and multi-zone availability. | No | Any account |
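The Guardrails item describes protection rules that continuously evaluate whether the structure created above stays intact: core accounts remain in the Core folder, every member account keeps delivering its ActionTrail and Cloud Config logs to the log archive account, and pending invitations are re-sent once their 12-hour validity lapses. The following Python script is an added example, not Cloud Governance Center or Cloud Config code. It models a resource directory as plain dataclasses and evaluates four constructed rules against a constructed sample structure; the rule names, the data model and the sample account IDs are all assumptions made for illustration, not real Cloud Config rule identifiers.

```python
"""Guardrail-style evaluation of a landing-zone resource structure (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

INVITATION_VALIDITY = timedelta(hours=12)  # validity period of an invitation, as stated in the table
CORE_ROLES = {"billing", "log_archive", "security", "shared_service"}  # core accounts created by the blueprint


@dataclass
class Account:
    account_id: str
    folder: str                              # "Core" or "Applications"
    core_role: str | None = None             # one of CORE_ROLES for core accounts, None for business accounts
    actiontrail_target: str | None = None    # account ID that receives this account's ActionTrail logs
    config_target: str | None = None         # account ID that receives this account's Cloud Config logs


@dataclass
class Invitation:
    account_id: str
    sent_at: datetime
    accepted: bool = False


@dataclass
class Finding:
    rule: str          # constructed rule name, not a real Cloud Config rule identifier
    account_id: str
    message: str


def log_archive_account(accounts: list[Account]) -> Account | None:
    """Return the core account that plays the log archive role, if any."""
    return next((a for a in accounts if a.core_role == "log_archive"), None)


def invitation_expired(inv: Invitation, now: datetime) -> bool:
    """An unaccepted invitation older than the validity period must be sent again."""
    return not inv.accepted and now - inv.sent_at > INVITATION_VALIDITY


def evaluate(accounts: list[Account], invitations: list[Invitation], now: datetime) -> list[Finding]:
    """Evaluate the constructed guardrail rules and return one finding per violation."""
    findings: list[Finding] = []
    present_roles = {a.core_role for a in accounts if a.core_role}
    for missing in sorted(CORE_ROLES - present_roles):
        findings.append(Finding("core-accounts-present", "-", f"missing core account: {missing}"))
    archive = log_archive_account(accounts)
    for a in accounts:
        # Folder placement: core accounts live in Core, business accounts in Applications.
        if a.core_role and a.folder != "Core":
            findings.append(Finding("core-account-in-core-folder", a.account_id,
                                    f"core account ({a.core_role}) is in folder {a.folder}"))
        if a.core_role is None and a.folder == "Core":
            findings.append(Finding("business-account-not-in-core-folder", a.account_id,
                                    "business account is in the Core folder"))
        # Unified log delivery: every member account delivers to the log archive account.
        if archive is not None and a.actiontrail_target != archive.account_id:
            findings.append(Finding("actiontrail-delivered-to-log-archive", a.account_id,
                                    f"ActionTrail logs go to {a.actiontrail_target}, expected {archive.account_id}"))
        if archive is not None and a.config_target != archive.account_id:
            findings.append(Finding("cloud-config-delivered-to-log-archive", a.account_id,
                                    f"Cloud Config logs go to {a.config_target}, expected {archive.account_id}"))
    for inv in invitations:
        if invitation_expired(inv, now):
            findings.append(Finding("invitation-expired", inv.account_id,
                                    "invitation older than 12 hours and not accepted; send a new one"))
    return findings


def run_sample() -> list[Finding]:
    """Evaluate a constructed sample structure with deliberate deviations."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    archive_id = "1001"
    accounts = [
        Account("1001", "Core", "log_archive", archive_id, archive_id),
        Account("1002", "Core", "billing", archive_id, archive_id),
        Account("1003", "Core", "security", archive_id, archive_id),
        Account("1004", "Applications", "shared_service", archive_id, archive_id),  # wrong folder
        Account("2001", "Applications", None, archive_id, None),                    # no Cloud Config delivery
        Account("2002", "Core", None, archive_id, archive_id),                      # business account in Core
    ]
    invitations = [
        Invitation("3001", now - timedelta(hours=13)),                 # expired, never accepted
        Invitation("3002", now - timedelta(hours=1)),                  # still valid
        Invitation("3003", now - timedelta(hours=20), accepted=True),  # accepted in time
    ]
    return evaluate(accounts, invitations, now)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:40} {f.account_id:6} {f.message}")
```

The checks are deliberately declarative: the same evaluation could be fed from an export of the real resource directory and delivery settings, and the expected output for the sample is one finding each for accounts 1004, 2001, 2002 and invitation 3001.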
Solution library
The solution library is provided based on a large number of practices that are adopted by enterprises to migrate business to the cloud and manage and govern cloud resources. This library provides methods to design architectures, best practices, tools, and automated deployment code. You can use this library to plan your resource structure, access control, network architecture, compliance auditing, and O&M management systems in the cloud. This library helps you create a secure, compliant, controllable, and scalable cloud IT environment. This way, you can use cloud computing resources with high efficiency.
When you build a landing zone, you can refer to related cases to improve building efficiency.
Expert service
You can log on to the Advanced Service for Enterprise console and contact Alibaba Cloud experts for comprehensive cloud IT governance solutions tailored for your enterprise.