Organization-level Reference Architecture
Huawei Cloud provides the Landing Zone solution to assist enterprise customers in establishing a multi-account environment that is architecturally sound, secure, compliant, and scalable. The foundational step involves planning the organizational and account structure. In accordance with Conway's Law, the organization and account architecture on Huawei Cloud should align with, but not be a direct copy of, the enterprise's internal organizational and business structures.
Huawei Cloud offers a reference architecture. It is advisable to design organization levels and accounts based on your business architecture, geographical distribution, and IT functions.
- Structure different organizational levels and Organizational Units (OUs) on Huawei Cloud based on your business architecture. You can create independent member accounts for each business OU, corresponding to specific business systems. Large-scale business systems or those with stringent security isolation requirements (e.g., PCI-DSS and HIPAA compliance) should be allocated to an independent member account. Conversely, multiple smaller business systems with lower security isolation needs can share a single member account. For example, you might create independent member accounts for major business systems like a sales management system and a digital marketing system. For the R&D department, you could deploy the design and R&D systems of a single product within one member account.
- Structure different organizational levels and OUs on Huawei Cloud based on your geographical presence. You can create independent member accounts for each geographical region OU, typically corresponding to a country or specific region. Deploy local customer relationship management systems and customer service systems within these member accounts. In the reference architecture provided, the organization in the China region is mapped to an OU, with independent member accounts created for branches such as Beijing and Shanghai to host localized application systems.
- For an enterprise's IT department, create an OU on Huawei Cloud and establish member accounts based on IT functions. This approach ensures isolated responsibilities and permissions within the IT management domain and facilitates unified management of multiple member accounts across the enterprise. In the provided reference architecture, two OUs are created: a "security OU" housing an account for security operations and log auditing, and an "infrastructure OU" containing an account for network operations, O&M monitoring, public services, and sandbox testing. The following table further describes these IT function accounts.
- In addition to the aforementioned accounts, each organization maintains a single management account. It is strongly recommended not to deploy any cloud resources within the management account. The management account primarily handles the following management tasks:
  - Unified organization and account management: Create and manage organizational structures and OUs, establish cost accounts under OUs, or invite existing accounts to become member accounts of OUs.
  - Unified financial management: Centrally manage all enterprise accounts on Huawei Cloud, including unified budget management, bill management, cost settlement, and cost analysis.
  - Unified control policy management: Set service control policies (SCPs) for each organizational unit and member account to define the maximum permissions for IAM users (including administrators of member accounts) under that member account. This prevents security risks arising from excessive permissions. When creating an SCP, you can apply it to an organizational unit, allowing the policy to be inherited by associated member accounts and lower-level organizational units.
  - Unified identity and permission management: Perform centralized user identity management and permission configuration for all enterprise accounts on Huawei Cloud. This also includes the unified setup of federated identities with external Identity Providers (IdPs).
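The following Python model is an added illustration of the SCP behaviour described above, not Huawei Cloud's own policy engine or any code from this documentation: an SCP attached at an OU is inherited by every OU and member account below it and acts as a ceiling, so an IAM user's effective permission is the intersection of the inherited SCPs and the user's own IAM policy. The policy document shape, the OU and account names, and action strings such as `cts:tracker:delete` are constructed for the example and are assumptions, not the product's exact policy grammar.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

# Constructed policy documents. The Effect/Action shape follows the page's
# description of SCPs (maximum permissions, inherited down the tree); it is an
# assumption of this model, not the product's exact policy grammar.
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
# Guardrail a security team might attach at an OU: nobody below it, not even a
# member-account administrator, may delete or disable audit trackers.
PROTECT_AUDIT = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": ["cts:*:delete", "cts:*:disable"]},
]}
ADMIN_IAM = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
READONLY_IAM = {"Statement": [{"Effect": "Allow", "Action": ["*:*:get", "*:*:list"]}]}


@dataclass
class OrgNode:
    """Organization root, OU, or member account; scps = SCPs attached at this level."""
    name: str
    parent: Optional["OrgNode"] = None
    scps: list = field(default_factory=list)


def policy_decision(statements, action: str) -> bool:
    """Evaluate a set of statements: any matching Deny wins, otherwise a matching Allow."""
    allowed = False
    for stmt in statements:
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatchcase(action, p) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def scp_permits(account: OrgNode, action: str) -> bool:
    """SCPs are inherited: the action must be permitted at every level from the
    account up to the root. A level with no SCP attached is treated as
    unrestricted (an assumption of this model)."""
    node = account
    while node is not None:
        if node.scps:
            statements = [s for p in node.scps for s in p["Statement"]]
            if not policy_decision(statements, action):
                return False
        node = node.parent
    return True


def effective_permission(account: OrgNode, iam_policy: dict, action: str) -> bool:
    """Effective permission = SCP ceiling AND the identity's own IAM policy."""
    return scp_permits(account, action) and policy_decision(iam_policy["Statement"], action)


# Constructed organization tree mirroring the page's layout (names are hypothetical).
root = OrgNode("Root", scps=[FULL_ACCESS])
business_ou = OrgNode("Business OU", parent=root, scps=[PROTECT_AUDIT])
china_ou = OrgNode("China OU", parent=business_ou)      # inherits PROTECT_AUDIT
beijing = OrgNode("Beijing account", parent=china_ou)   # inherits PROTECT_AUDIT
infra_ou = OrgNode("Infrastructure OU", parent=root)
sandbox = OrgNode("Sandbox account", parent=infra_ou)   # only FULL_ACCESS applies


if __name__ == "__main__":
    for acct, pol, act in [
        (beijing, ADMIN_IAM, "ecs:cloudServers:create"),
        (beijing, ADMIN_IAM, "cts:tracker:delete"),
        (beijing, READONLY_IAM, "ecs:cloudServers:create"),
        (sandbox, ADMIN_IAM, "cts:tracker:delete"),
    ]:
        print(f"{acct.name:20} {act:26} -> {effective_permission(acct, pol, act)}")
```

The point the model makes is the one the text states: the Beijing account's administrator keeps full rights for ordinary workloads, but the Deny attached two levels up at the Business OU still blocks deleting the audit tracker, while an account outside that OU is unaffected. A read-only IAM policy shows the other half of the intersection: the SCP ceiling permits the action, but the identity's own policy does not grant it.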
The table below details the accounts described previously. The security operations account and log account are responsible for centralized security management across all enterprise accounts. Consequently, you must enable relevant security cloud services for other accounts as needed, allowing the security operations account and log account to aggregate security posture data and audit logs from those accounts. Furthermore, security policies and incident response directives from the security operations account can be uniformly disseminated to other accounts. To protect the cloud services enabled under each respective account, it is advisable to also enable relevant security cloud services directly within that account, as illustrated in the rightmost column of the table.
| Account | Function | Responsible Team | Recommended Cloud Service | Recommended Security Cloud Service |
|---|---|---|---|---|
| Management account | Centrally manage organizations and accounts, finances, governance policies, and identities and permissions. | IT governance team | Organizations, Resource Governance Center (RGC), Cost Center, and IAM Identity Center | SecMaster, Cloud Trace Service (CTS), and Config |
| Security operations account | Centrally manage and control security policies, rules, and resources in all accounts of the company, set security configuration baselines for member accounts of the company, and be responsible for information security of the entire company. | Security management team | Deploy services that support cross-account security management and control, such as SecMaster, Host Security Service (HSS), Data Security Center (DSC), Data Encryption Workshop (DEW), Cloud Certificate Manager (CCM), CodeArts Inspector, and Config. | CTS |
| Logging account | Centrally store and view audit logs and security-related logs (such as VPC flow logs and OBS access logs) of all accounts. | Compliance audit team | Cloud Trace Service (CTS), Log Tank Service (LTS), and Object Storage Service (OBS) | SecMaster, DSC, CTS, and Config |
| O&M monitoring account | Centrally monitor and maintain resources and applications under each member account, manage alarms, handle events, manage changes, and provide O&M security assurance measures. | O&M team | Application Operations Management (AOM), Cloud Operations Center (COC), Log Tank Service (LTS), Application Performance Management (APM), and Cloud Bastion Host (CBH) | SecMaster, CTS, and Config |
| Network operations account | Centrally deploy and manage enterprise network resources (including resources used for protecting network boundaries), and ensure VPC connectivity in a multi-account environment. In particular, manage ingress and egress in a unified manner for Internet and on-premises IDCs. | Network management team | Enterprise Router, Domain Name Service (DNS), NAT Gateway, Elastic IP (EIP), Virtual Private Cloud (VPC), Direct Connect, Cloud Connect, Virtual Private Network (VPN), Cloud Firewall (CFW), Web Application Firewall (WAF), and Anti-DDoS Service (AAD) | SecMaster, CTS, and Config |
| Public service account | Centrally deploy and manage the enterprise public resources, services, and application systems, and share them with other member accounts of the enterprise. | Public service management team | Image Management Service (IMS), SoftWare Repository for Container (SWR), Scalable File Service (SFS), Object Storage Service (OBS), in-house NTP servers, and in-house Anti-DDoS servers | SecMaster, CTS, Config, HSS, and DSC |
| Business account | This account is created based on the business architecture and geographical architecture to deploy application systems that support R&D, production, supply, sales, and service domains. | Application DevOps team | Deploy cloud services as required by service systems. | SecMaster, CTS, Config, HSS, and DSC |