AWS Landing Zone Accelerator Overview
Around a year ago, I got my hands on the AWS Landing Zone Accelerator, and really liked the way it simplified deploying a complex multi-account architecture.
What is an AWS Landing Zone?
Setting up an AWS Landing Zone is usually the first step for organizations moving their applications to the AWS cloud. It’s like a ready-made plan designed to create a safe and organized AWS environment with multiple accounts.
This plan includes things like how people can access the system (Identity and Access Management, IAM), how the network is set up, keeping track of what’s happening in the system, how the accounts are organised, and making sure everything is secure.
By following this plan, organisations can easily set up and manage their AWS infrastructure while meeting security and compliance standards.
Challenges in Setting up AWS Landing Zone
- Developing and maintaining Infrastructure as Code (IaC) is crucial for setting up an AWS Landing Zone (LZ) from scratch.
- Organizations often face the challenge of creating multiple repositories of IaC to deploy various AWS infrastructure resources within the Landing Zone.
- Time constraints in developing the AWS Landing Zone as IaC can directly impact an organisation’s cloud journey roadmap and timelines, potentially delaying critical milestones.
- Rushing the implementation of the Landing Zone architecture may result in manually created LZ resources that could persist for years, leading to technical debt and operational inefficiencies.
- Skill gaps in developing IaC can significantly prolong the deployment of the Landing Zone with code, necessitating comprehensive training or external support to bridge these gaps effectively.
What is Landing Zone Accelerator
The Landing Zone Accelerator is an open-source project tailored for simplifying AWS infrastructure setup. It harnesses the power of the AWS Cloud Development Kit (CDK) and TypeScript to provide a seamless deployment experience. By accepting straightforward configuration files as input, it efficiently orchestrates the provisioning of various AWS services essential for establishing a robust infrastructure.
This solution streamlines the creation of AWS accounts, network components, security services, and more, covering a wide spectrum of AWS offerings. Despite its sophisticated underpinnings in AWS CDK TypeScript, end-users are primarily tasked with updating the configuration files, keeping the deployment process straightforward. AWS shoulders the responsibility of managing the solution’s updates and maintenance, sparing customers the burden of heavy lifting.
Customers can seamlessly integrate this solution into their environment, typically within their AWS Master account. Updates are easily accessible, allowing users to pull bug fixes and new features whenever available. This approach ensures that organisations can swiftly adapt to evolving requirements without grappling with intricate development of IaC processes or maintenance overhead.
Architecture of LZA
In this architecture, two AWS CodePipelines are set up. The first one is responsible for installing the solution in the customer’s environment, while the second pipeline is used to deploy resources based on configuration files.
To use this solution, you need two repositories — one for hosting the source code and another for hosting the configuration files. Alternatively, you can link directly to the open-source GitHub project for the source code, but it’s recommended to have your own private repository. The solution automatically creates a CodeCommit repository for the configuration files. However, you can also provide an existing CodeCommit repository. Currently, this solution only supports CodeCommit for version control of the configuration files, and doesn’t support any other version control system.
LZA Config files
accounts-config.yaml
This file defines AWS accounts. To create a new account, you must update this file. Below is an example:
workloadAccounts:            # top-level list the entry belongs to
  - name: Workload01
    description: Workload account 01
    email: example-email+workload01@example.com
    organizationalUnit: Workloads
This configuration creates a new AWS account named Workload01 under the Workloads organizational unit (OU). Please note that the specified OU must exist, or else the account creation process will fail.
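A pre-flight check for the failure mode just described, as an added example that is not part of LZA or of the original post: it parses the flat list-of-mappings shape shown above (not full YAML), and reports accounts whose OU is not among the OUs declared in organization-config.yaml, plus a root e-mail reused across accounts, since AWS requires each account’s e-mail to be unique. The sample file and the set of declared OUs are constructed for the example.

```python
"""Pre-flight check for LZA accounts-config.yaml (added example, not LZA code)."""
import re

# Constructed sample, shaped like the accounts-config.yaml fragment on the page.
ACCOUNTS_YAML = """\
workloadAccounts:
  - name: Workload01
    description: Workload account 01
    email: example-email+workload01@example.com
    organizationalUnit: Workloads
  - name: Workload02
    description: Workload account 02
    email: example-email+workload01@example.com
    organizationalUnit: Sandbox
"""

# Constructed stand-in for the OUs declared in organization-config.yaml.
DECLARED_OUS = {"Security", "Infrastructure", "Workloads"}


def parse_account_list(text, key="workloadAccounts"):
    """Parse the flat 'key: list of mappings' subset used above (not a YAML parser)."""
    items, in_section = [], False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # a top-level key
            in_section = line.rstrip(":") == key
            continue
        if not in_section:
            continue
        m = re.match(r"^\s*(-\s+)?([A-Za-z]+):\s*(.*)$", line)
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        if m.group(1):                          # "- key: value" starts a new account
            items.append({})
        items[-1][m.group(2)] = m.group(3).strip()
    return items


def check_accounts(accounts, declared_ous):
    """Return findings that would make the LZA account-creation step fail."""
    findings, seen_emails = [], set()
    for acct in accounts:
        name, ou, email = acct.get("name", "<unnamed>"), acct.get("organizationalUnit"), acct.get("email", "")
        if ou not in declared_ous:
            findings.append(f"{name}: OU '{ou}' is not declared in organization-config.yaml")
        if email in seen_emails:
            findings.append(f"{name}: email '{email}' already used by another account")
        seen_emails.add(email)
    return findings
```

Run `check_accounts(parse_account_list(ACCOUNTS_YAML), DECLARED_OUS)` before committing the config; an empty list means the two checks pass.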
global-config.yaml
This configuration file is utilized to define global services such as Control Tower, Backup vaults, AWS budgets, CloudTrail, and other overarching settings.
iam-config.yaml
This configuration file is dedicated to defining IAM (Identity and Access Management) users, groups, policies, permission sets, roles, and related access controls.
network-config.yaml
This file is employed to define networking components such as VPCs (Virtual Private Clouds), subnets, route tables, NACLs (Network Access Control Lists), Firewalls, VPNs (Virtual Private Networks), Transit Gateways, Route 53 resolvers, and other networking configurations.
organization-config.yaml
Here, you define organizational-level settings including Backup policies, Tag policies, Organisation units, SCPs (Service Control Policies), and other organisational policies.
security-config.yaml
This file focuses on security-related configurations, encompassing Audit Manager, CloudWatch, Config, Security Hub, Macie, Detective, and other security services and settings.
customizations-config.yaml
An optional file used for defining custom CloudFormation stacks, stack sets, Application Load Balancers (ALBs), Network Load Balancers (NLBs), and other customized infrastructure components.
Conclusion
As of the time of writing this blog, the Landing Zone Accelerator solution on GitHub is at version 1.6.2. Having personally utilized LZA since version 1.4.0, I’ve witnessed numerous fixes and exciting new features being incorporated over time. If you’re seeking a reliable and supported solution for setting up your AWS Landing Zone, the Landing Zone Accelerator backed and supported by AWS is the go-to choice.
Incorporating the Landing Zone Accelerator into your AWS infrastructure deployment streamlines the process, ensuring efficiency and adherence to best practices. With each new version, the solution evolves, addressing any identified issues and introducing enhancements to further optimize your cloud architecture.
In conclusion, embracing the Landing Zone Accelerator represents a strategic decision for organisations aiming to optimise their AWS infrastructure deployment process, maximise efficiency, and future-proof their cloud architecture.