Why Landing Zone?

To isolate faults in business units, Huawei Cloud recommends that application systems of different business units be deployed in different accounts. Huawei Cloud accounts have the following characteristics:

• Huawei Cloud accounts are resource containers. You can deploy cloud resources and upper-layer service application systems in an account. Different accounts are isolated from each other. Faults and security risks in one account do not affect or spread to other accounts.
• Huawei Cloud accounts are also security management boundaries. Each account has an independent identity and permissions management system. Without explicit authorization, users in an account cannot access resources, data, and applications in other accounts.
• Huawei Cloud accounts can also be used as independent billing entities. Each can be used to top up account, purchase cloud resources, settle bills, and issue invoices on Huawei Cloud.

Therefore, Huawei Cloud accounts can be used to effectively isolate faults and security risks and also to achieve efficient financial management and isolation. Using a single account to manage all resources may cause two major issues:

• A single fault in a single account will lead to the breakdown of all service systems.
• As there is a resource limit for cloud accounts, using only one account may hinder capacity expansion.

To minimize the impact of a single failure, do not deploy all service systems and cloud resources in a single account. Deploy different service systems in different accounts, as shown in the following figure.

Figure 1 Deployment across accounts

In the case, businesses need a multi-account architecture when migrating all services to the cloud. According to Conway's law, the multi-account architecture of a business is usually consistent with its organizational or service architecture. That is, accounts are divided by business unit, geographical unit, and functional unit. The multi-account architecture enables separation of duties. Different accounts are responsible for different tasks and carry different services. The administrator of each account can manage resources in the account independently. From the perspective of IT governance, no single account can be an information silo. Unified IT governance must be achieved within the company to manage identities and permissions, O&M, security, network, finances, and public resources. To meet these requirements, Huawei Cloud proposed the Landing Zone solution to help businesses build a secure, compliant, and scalable multi-account cloud environment. This solution enables resource sharing across accounts and unified management of people, finances, resources, permissions, and security compliance.

• People: business units, accounts, users, user groups, and roles
• Finances: funds, budgets, costs, invoices, and discounts
• Resources: cloud resources, including compute, storage, network, data, and applications
• Permissions: access permissions to implement the principle of least privilege (PoLP)
• Security compliance: compliance with the enterprise-specific, industry, and national security standards and all-round data perimeters to prevent sensitive data leakage

Landing Zone helps enterprises eliminate risks in cloud management, security, and costs during large-scale cloud migration. It helps establish a separated but unified IT governance system and a complete security compliance system to address all IT challenges.

• Separated but unified IT governance system: permission- and domain-specific hierarchical management as well as centralized O&M and security management
• Complete security compliance system: compliance with the enterprise-specific, industry, and national security standards in the cloud environment, including cloud resources, data, and applications