Don’t build your cloud landing zone in the dark

By Andrew Rossiter | 5 November 2019

Digital transformation in its many forms is without doubt one of the most pressing objectives for almost all firms across all industries. Cloud migration is at the heart of creating any sort of digital environment or DevOps culture. But despite the amount of commentary, white papers, consultancy firms, and dollars spent, it is still one of the most difficult challenges that many organisations are facing.

While my experience is mostly within financial services, I don’t believe the problems are exclusive to this sector. Everyone has security, data, legacy technology and budget constraints. 'Getting to the cloud' is the modern-day industrial revolution, and those who don’t take their journey in the most efficient and cost-effective way are the ones who will suffer, with potentially catastrophic consequences.

A 'Landing Zone' in cloud terms is defined as 'a configured environment with a standard set of secured cloud infrastructure, policies, best practices, guidelines, and centrally managed services'. Most large firms will adopt a multi-cloud strategy and will therefore require a landing zone for each of Amazon Web Services (AWS), Google Cloud Provider (GCP), Microsoft Azure (Azure), etc. Building these is incredibly time-consuming, resource heavy and reliant on experience - something most companies don’t have the luxury of.

In reality, the majority of firms are building their landing zones for the first time and without access to battle-hardened professional expertise. With the best will in the world, the likely outcome is going to be less than best. We are all suffering either from a lack of information on best practice or the opposite, information overload. This means that many organisations are fumbling around in the dark trying to build just one landing zone, let alone one for each cloud solution provider (CSP).

Building a cloud landing zone can be daunting. Sometimes, at the start of the build, it doesn’t look too difficult. But as the build progresses, many companies find out that the devil in the detail can be a significant barrier.

I often say that building a cloud landing zone is like walking into an enormous, empty warehouse and being told to build a datacentre for your entire company. All you have is a single power supply terminating in one corner of the building. Everything else has to be built from scratch. Herein lies the challenge. Who are you? A network, storage or security engineer, a Linux admin or SQL DBA? Believe me, when staring into this vast, empty space, you need to be all of the above and more.

  • How do we make a plan?
  • Where do we start?
  • What have other people done?
  • Where are the potential pitfalls?

If we take GCP, Azure or AWS for example, their cloud platforms are essentially a collection of 50+ individual products that need to be mastered and integrated for a successful outcome that can be managed, controlled and supported.

There are a number of common business challenges and questions when building a landing zone:

  • Should we go cloud native?
  • Open source?
  • Cloud agnostic?
  • Multi-cloud?
  • Do you mix some open source products with cloud native products and how will you choose?
  • How to encrypt everything – not only at-rest but on the wire?
  • How do we harden the default security?
  • How do we maintain our new cloud environment?
  • What happens when we need to upgrade?
  • How do we bill internally?
  • How do we follow ITIL with regards to permissions and change management etc?
  • How long will it take?

You might have already answered these questions for on-premises data centres - but the entire technology community has amassed this knowledge over many years.

The promise of cloud is to make provisioning simple, fast and cheap. It should enable developers to become highly productive – many aim to adopt DevOps (and FinOps, etc.). CSPs can be amazing development environments, if you get all the building blocks completed following best practice.

In order to adopt a positive DevOps culture you need to consider the following:

  • How will developers deploy their infrastructure in this environment?
  • How will you be agile and let them deploy what they need, when they need it, but still maintain control?
  • You don’t want a different setup (or datacentre) for each team.
  • If you work in a regulated environment, how will you demonstrate that this is under control, and secure?
  • How to get the account structure correct with least-privilege access and the networking between VPCs correct, with internal firewalls.
  • Secrets management and certificate rotation.
  • Create and deploy automated pipelines to support the DevOps function.

There are many examples where we have seen customers end up with multi-month cycles to provision infrastructure, with multiple manual steps and sign-offs, all using the CSP’s web UI. This introduces a huge amount of complexity as configurations need to be stored. We also see development teams pushing to use the latest cloud technology, but we often find there are many “gotchas” when you dive into the detail, and not all cloud products are feature complete or available in every datacentre. This is crucial when you want to implement disaster recovery and business continuity planning.

All of these considerations take a huge amount of time to work through and the potential solutions are endless. Even if you don’t feel like you’re in the dark, the chances are you’re going to be blindsided by a vast array of options to choose from.

The great news is that all doubts and fears end here. Tranquility Base has landed.

Tranquility Base is an open source, multi-cloud, infrastructure-as-code landing zone: a configured environment with a standard set of secured cloud infrastructure, policies, best practices, guidelines, and centrally managed services. We are creating a landing zone for each of the major CSPs. Along the way we have found many, many engineering issues, and each CSP has its own strengths and weaknesses that made some things easy to do and others really hard. But the best news is - it works. We are already working with our first client to use Tranquility Base to create a cloud platform which they can use to deploy all of their applications, across all departments and all geographies.

We chose to create Tranquility Base not because it was easy, but because cloud migration is hard. You don’t have to struggle in the dark anymore. The lights are on, and it’s as easy as 3, 2, 1 – lift off.
