Help Center/ Professional Services/ Service Overview/ Service Overview/ Cloudification and Implementation/ Landing Zone Design and Implementation/ Statement of Work (SOW)
Updated on 2025-09-05 GMT+08:00
View PDF
Share

Statement of Work (SOW)

Service Overview

As more and more enterprises gradually appreciate the cloud advantages in security, stability, service quality, operation efficiency, and others, they keep migrating their service systems to the cloud. In the all-cloud era, to avoid possible risks in cloud management and security, Huawei Cloud launches the Landing Zone solution to provide unified IT governance of people, finances, resources, permissions, and security compliance. This solution helps comprehensively and effectively manage business units, users, permissions, cloud resources, data, applications, and security for better cloud security and efficiency.

Service Content

Service Item

Service Subitem

Service Content

Application Scenario

Design and Implementation for Basic Scenarios

Landing Zone Design for Basic Scenarios – Medium Scale

Huawei Cloud provides detailed design solutions for five scenarios tailored to customer needs: organizations and accounts, identities and permissions, network planning, security, and compliance audit.

Huawei Cloud helps medium- and large-sized enterprises design and implement a scalable and efficient cloud governance architecture in terms of multi-account organizations, identities and permissions, network planning, security, and compliance audit.

Landing Zone Design for Basic Scenarios – Large Scale

Landing Zone Design for Basic Scenarios – Ultra-large Scale

Landing Zone Implementation for Basic Scenarios – Medium Scale

Huawei Cloud implements a cloud environment based on the designs, including enabling cloud resources and accounts and establishing a multi-account system and a cloud authorization system. Huawei Cloud also builds a cloud infrastructure and configures networks and security settings.

Landing Zone Implementation for Basic Scenarios – Large Scale

Landing Zone Implementation for Basic Scenarios – Ultra-large Scale

High-Level Scenarios – Data Boundary Management

Data Boundary Management Design

Huawei Cloud provides a detailed design solution for data boundary management by configuring service control policies (SCPs) and guardrail policies for VPC endpoints and resources to block all unexpected access paths.

Medium- and large-sized enterprises need their data privacy and core data being strictly protected on Huawei Cloud.

Data Boundary Management Implementation

Huawei Cloud implements the best practices of enterprise data management based on the data boundary management design.

High-Level Scenarios – Cloud Financial Management

Cloud Financial Management Design

Huawei Cloud designs a hierarchical financial management solution based on the Landing Zone organizational structure and master-member account associations.

Medium- and large-sized enterprises need to manage finances in a hierarchical manner.

Cloud Financial Management Implementation

Huawei Cloud implements the cloud financial management design.

High-Level Scenarios – O&M Management

O&M Management Design

Huawei Cloud designs O&M and monitoring for resources, events, and logs of all member accounts based on the Landing Zone organizational structure.

Medium- and large-sized enterprises want to monitor and maintain their accounts and resources on a regular basis on Huawei Cloud.

O&M Management Implementation

Huawei Cloud implements the O&M management design.

Landing Zone Advanced Support

Advanced Support – Basic Package

This service is designed to meet customers' service requirements that go beyond the scope of the preceding standard items. It involves five person-days of L2 expert support for service delivery. Specific delivery scope and deliverability are reviewed and evaluated by project.

Huawei Cloud provides medium- and large-sized enterprises with custom Landing Zone services, such as developing automation scripts, provisioning IaaS resources, and providing technical training. Huawei Cloud helps enterprises design and implement scalable and efficient cloud governance architectures.

Advanced Support – Advanced Package

This service is designed to meet customers' service requirements that go beyond the scope of the preceding standard items. It includes but is not limited to automation script development for the Landing Zone eight domains and related technical training. It involves five person-days of L3 expert support for service delivery. Specific delivery scope and deliverability are reviewed and evaluated by project.

Landing Zone Governance Optimization

Landing Zone Governance Optimization – Standard – Monthly (Medium Scale)

After delivery, Huawei Cloud provides governance check and rectification specific to the five basic Landing Zone scenarios, including organizations and accounts, identities and permissions, network management, security management, and compliance audit. Historical check records can also be queried.

After medium- and large-sized enterprises deploy a landing zone environment, they govern the five basic scenarios based on Landing Zone best practices on a regular basis.

Landing Zone Governance Optimization – Standard – Monthly (Large Scale)

Landing Zone Governance Optimization – Standard – Monthly (Ultra-large Scale)

Landing Zone Governance Optimization – Standard – Yearly (Medium Scale)

After delivery, Huawei Cloud provides governance check and rectification specific to the five basic Landing Zone scenarios, including organizations and accounts, identities and permissions, network management, security management, and compliance audit. Historical check records can also be queried. Huawei Cloud develops automation scripts and performs O&M for users within 5 person-days.

Landing Zone Governance Optimization – Standard – Yearly (Large Scale)

After delivery, Huawei Cloud provides governance check and rectification specific to the five basic Landing Zone scenarios, including organizations and accounts, identities and permissions, network management, security management, and compliance audit. Historical check records can also be queried. Huawei Cloud develops automation scripts and performs O&M for users within 10 person-days.

Landing Zone Governance Optimization – Standard – Yearly (Ultra-large Scale)

After delivery, Huawei Cloud provides governance check and rectification specific to the five basic Landing Zone scenarios, including organizations and accounts, identities and permissions, network management, security management, and compliance audit. Historical check records can also be queried. Huawei Cloud develops automation scripts and performs O&M for users within 15 person-days.

Landing Zone Governance Optimization – Flagship – Monthly (Medium Scale)

After delivery, Huawei Cloud provides governance check and rectification specific to the eight Landing Zone scenarios, including organizations and accounts, identities and permissions, network management, security management, compliance audit, financial management, O&M management, and data boundaries. Historical check records can also be queried.

Landing Zone Governance Optimization – Flagship – Monthly (Large Scale)

Landing Zone Governance Optimization – Flagship – Monthly (Ultra-large Scale)

Landing Zone Governance Optimization – Flagship – Yearly (Medium Scale)

After delivery, Huawei Cloud provides governance check and rectification specific to the eight Landing Zone scenarios, including organizations and accounts, identities and permissions, network management, security management, compliance audit, financial management, O&M management, and data boundaries. Historical check records can also be queried. Huawei Cloud develops automation scripts and performs O&M for users within 5 person-days.

Landing Zone Governance Optimization – Flagship – Yearly (Large Scale)

After delivery, Huawei Cloud provides governance check and rectification specific to the eight Landing Zone scenarios, including organizations and accounts, identities and permissions, network management, security management, compliance audit, financial management, O&M management, and data boundaries. Historical check records can also be queried. Huawei Cloud develops automation scripts and performs O&M for users within 10 person-days.

Landing Zone Governance Optimization – Flagship – Yearly (Ultra-large Scale)

After delivery, Huawei Cloud provides governance check and rectification specific to the eight Landing Zone scenarios, including organizations and accounts, identities and permissions, network management, security management, compliance audit, financial management, O&M management, and data boundaries. Historical check records can also be queried. Huawei Cloud develops automation scripts and performs O&M for users within 15 person-days.

Enterprise Scale Description :

  • Medium-scale (Landing Zone basic scenario design and implementation): Number of accounts ≤ 10, <= 3 VPC, and no cross-region scenario.
  • Large-scale (Landing Zone basic scenario design and implementation): If the requirements are not met in medium-scale scenarios, <= 100 accounts, <=10 VPC subnets.
  • Ultra-large scale (Landing Zone basic scenario design and implementation): If the requirements are not met in large-scale scenarios, > 100 accounts, > 10 VPC subnets.
  • Medium-scale (Landing Zone governance optimization): Number of accounts ≤ 10.
  • Large-scale (Landing Zone governance optimization): If the requirements are not met in medium-scale scenarios, <= 100 accounts.
  • Ultra-large scale (Landing Zone governance optimization): If the requirements are not met in large-scale scenarios, 100 accounts <accounts number<= 200 accounts.

Prerequisites

  • Customers need to apply for the Landing Zone design and implementation services 15 days in advance so that Huawei Cloud can evaluate the business objectives and project delivery plan.
  • When deploying Landing Zone, if access to customers' service environment is needed, authorization from the customer must be obtained before the service content can be fulfilled. In addition, the cooperation of customers' personnel is required to survey the service status, collect requirements, design and review the solution, and accept the solution.

Service Scope

  1. Applicable Scope

    Phase

    Activity

    Description

    Survey and evaluation on cloud IT governance

    Survey and evaluation on IT governance

    Huawei Cloud learns customers' IT governance status, collects their IT governance specifications (for example, on security, network, account management, billing, and bill splitting), analyzes the current IT governance architecture, and collects their requirements for cloud IT governance.

    Design and implementation for basic scenarios

    Resource organization

    Based on the business structure and IT management mode, Huawei Cloud designs resource grouping in a single account or for multiple accounts to separate responsibilities based on permissions.

    Identity and permissions
    • Huawei Cloud designs the cloud identity federation with identity providers (for example, Active Directory or Google) so that existing credentials can be used to access Huawei Cloud.
    • Huawei Cloud designs users and user groups, authorization management, and credential security, and configure permission sets for a single account or multiple accounts.
    • Huawei Cloud designs permission boundaries and organization-level guardrail policies for users, user groups, and application identities.

    Network planning
    • Huawei Cloud designs public network access, including access via the NAT gateway, elastic IP address (EIP), and proxy servers.
    • Huawei Cloud designs multi-region connections between cloud and on-premises data centers or on the same cloud, as well as the connection with third-party clouds.
    • Huawei Cloud designs VPC division for service deployment, inter-cloud VPC interconnection, and networks for public services, file systems, and Object Storage Service (OBS) buckets in the file management area.

    Compliance audit
    • Huawei Cloud checks the compliance of resource configurations for cloud asset operations, O&M, security, and reliability as the best practices.
    • Huawei Cloud audits operation logs and permanently stores logs about operations and resource changes.

    Security protection
    • Host security: Huawei Cloud designs protection solutions against vulnerabilities, threats, and attacks to hosts.
    • Data security: Huawei Cloud designs solutions for key management, database protection policies, and storage access control.

    High-level scenarios

    Data boundaries
    • Huawei Cloud designs security control policies for network and intranet boundaries. Routing tables, ACLs, and security groups are managed based on different permissions. This aims to minimize exposure to network risks.
    • Huawei Cloud configures SCPs and guardrail policies for VPC endpoints and resources to block all unexpected access paths based on principles of separation of duty (SOD). This ensures that data and resources can be accessed only by specified users on specified networks or environments. Analysis tools are provided to prove the validity of policy configurations. This way, Huawei Cloud can eliminate data leakage risks caused by privilege credential disclosure or incorrect configurations.

    Cloud financial management
    • Hierarchical financial management is designed based on the organizational structure of Landing Zone and master-member account associations.
    • Resources in each member account can be logically grouped by cost tag and costs can be split by cost tag.

    O&M management
    • The resource and event management of all member accounts can be viewed and operated in a unified manner.
    • The management account centrally manages the log monitoring of other accounts in an organization with multiple accounts.

    Landing Zone Governance Optimization

    Governance optimization

    The Landing Zone governance optimization service continuously monitors whether the multi-account environment on the cloud complies with the best practices of HUAWEI CLOUD Landing Zone, identifies governance risks, and provides rectification capabilities to ensure customers' cloud security and compliance.

    Technical testing

    Technical testing for IT governance solutions

    Technical tests are performed for the Landing Zone IT governance architecture in the customer's test or pre-production environment. The tests cover the multi-account system, single sign-on (SSO), user permissions, identity management, network connectivity, and operation audit.

    Solution implementation

    Implementation of IT governance solutions

    All IT governance solutions of Landing Zone are implemented in customers' production environment.
  2. Inapplicable Scope
    • Software design, reconstruction, installation, and deployment that are beyond the Landing Zone design scope, such as third-party security, application, and network software purchased by customers
    • Cloud services that are used for Landing Zone testing and implementation, such as Enterprise Router, Direct Connect, Virtual Private Network (VPN), Cloud Firewall (CFW), and Web Application Firewall (WAF)
    • Services that are beyond the Landing Zone scope, such as SecMaster, disaster recovery (DR) and backup design, and resource planning for cloud services (such as big data and database)
  3. Service Regions

    Asia Pacific, Middle East, Latin America (excluding Brazil), Europe, Brazil, and South Africa.

Service Process

Service Deliverables

L6 Service Name

Deliverable

Landing Zone Design for Basic Scenarios – Medium Scale

Landing Zone Design and Implementation for Basic Scenarios for XX Project

Landing Zone Design for Basic Scenarios – Large Scale

Landing Zone Design for Basic Scenarios – Ultra-Large Scale

Landing Zone Implementation for Basic Scenarios – Medium Scale

Landing Zone Implementation for Basic Scenarios – Large Scale

Landing Zone Implementation for Basic Scenarios – Ultra-Large Scale

High-Level Scenarios – Data Boundary Management

Advanced Scenarios – Cloud Financial Management

Advanced Scenarios – O&M Management

Landing Zone Support Service

“Landing Zone Design and Implementation for Basic Scenarios for XX Scenario”

"Landing Zone XXX Scenario Best Practices"

"Landing Zone Courseware"

"Landing Zone XXX Scenarios Automated Best Practices"

"Landing Zone XXX Scenario Lab Guide"

And other deliverables related to customer-specific requirements for Landing Zone customization

Responsibility Matrix

  1. Shared Responsibilities
    • Negotiate and confirm specific IT governance requirements and objectives.
    • Negotiate and confirm project management plans.
    • Negotiate, confirm, and review Landing Zone contents.
    • Sign a contract.
  2. Huawei Responsibilities
    • Designate a project owner and notify the customer of any personnel changes three working days in advance until the project is accepted.
    • Use the authorized data only for Landing Zone services and not use the data for any other purposes.
  3. Customer Responsibilities
    • Assign a project owner to assist Huawei Cloud in implementing Landing Zone design and implementation services. The project owner is responsible for coordinating and managing personnel and resources between the two parties. The owner also reviews and accepts the services provided by Huawei Cloud.
    • Provide the service system information, including but not limited to the application architecture, deployment architecture, network architecture, and security requirements.
  4. Responsibility Details
    • "R" represents the responsible party.
    • "S" represents the supporting party.

    No.

    Service Process

    Content

    Huawei

    Customer

    1

    Survey and evaluation on cloud IT governance

    Survey and evaluation on IT governance

    R

    S

    2

    Design and implementation for basic scenarios

    Resource organization

    R

    S

    3

    Identity and permissions

    R

    S

    4

    Network planning

    R

    S

    5

    Compliance audit

    R

    S

    6

    Security protection

    R

    S

    7

    Advanced scenarios

    Data perimeter

    R

    S

    8

    Cloud financial management

    R

    S

    9

    O&M management

    R

    S

    10

    Landing Zone Support Service

    Support Service

    R

    S

    11

    Landing Zone Governance Optimization

    Governance Optimization

    R

    S

    12

    Technical testing

    Technical testing for IT governance solutions

    S

    R

    13

    Solution implementation

    Implementation of IT governance solutions

    S

    R

    If a customer has purchased the Landing Zone implementation service, Huawei Cloud is responsible for implementing the solution.

Acceptance Criteria

The deliverables of each service item must be submitted in compliance with the following criteria. If customers accept the deliverables, they need to sign or seal theAcceptance Report of Huawei Cloud Landing Zone Design and Implementation or click the acceptance link on the Huawei Cloud official website.