Statement of Work (SOW)
Service Overview
As more enterprises come to appreciate the cloud's advantages in security, stability, service quality, operational efficiency, and other areas, they continue to migrate their service systems to the cloud. In the all-cloud era, to avoid possible risks in cloud management and security, Huawei Cloud has launched the Landing Zone solution to provide unified IT governance of people, finances, resources, permissions, and security compliance. This solution helps comprehensively and effectively manage business units, users, permissions, cloud resources, data, applications, and security for better cloud security and efficiency.

| L4 | L4.5 | L6 Service Name | Service Content | Application Scenario |
|---|---|---|---|---|
| Landing Zone Design and Implementation | Design and Implementation for Basic Scenarios | Landing Zone Design for Basic Scenarios – Medium Scale | | Medium- and large-sized enterprises are migrating services to Huawei Cloud. They need scalable, efficient cloud governance in terms of organization accounts, identity and permissions, networks, security, and audit. |
| | | Landing Zone Design for Basic Scenarios – Large Scale | | |
| | | Landing Zone Design for Basic Scenarios – Ultra-Large Scale | | |
| | | Landing Zone Implementation for Basic Scenarios – Medium Scale | A cloud environment is deployed for basic scenarios as designed. This helps enable resources, create accounts, deploy the cloud infrastructure, set up multi-account and authorization systems, and provide cloud network and security protection. | |
| | | Landing Zone Implementation for Basic Scenarios – Large Scale | | |
| | | Landing Zone Implementation for Basic Scenarios – Ultra-Large Scale | | |
| | High-Level Scenarios – Data Boundary Management | Data Boundary Management Design | | Medium- and large-sized enterprises are migrating services to Huawei Cloud. They need their data privacy and core data to be strictly protected. |
| | | Data Boundary Management Implementation | Data boundary management is implemented for enterprises according to best practices. | |
| | High-Level Scenarios – Cloud Financial Management | Cloud Financial Management Design | | Medium- and large-sized enterprises are migrating services to Huawei Cloud. They need to manage finances in a hierarchical manner. |
| | | Cloud Financial Management Implementation | Financial management is implemented and accepted. | |
| | High-Level Scenarios – O&M Management | O&M Management Design | | Medium- and large-sized enterprises are migrating services to Huawei Cloud. They want to monitor and maintain their accounts and resources on a regular basis. |
| | | O&M Management Implementation | O&M management is implemented and accepted. | |
| | Landing Zone Support Service | Landing Zone Support Service-Basic | Based on the customer's actual service requirements, Huawei provides advanced support services when the customer's required scenario is less than the basic scenario. Delivery requirements not covered by the above standard items require additional purchases, which constitute an L2-level delivery package of 5 person-days. The specific delivery scope and deliverability are assessed case by case for each project. | For medium- and large-sized enterprises, HUAWEI CLOUD provides customized Landing Zone services, such as automatic script development, basic IaaS resource provisioning, and technical training support services, helping enterprises design and implement a scalable and efficient governance architecture on the cloud. |
| | | Landing Zone Support Service-Professional | Based on the customer's actual service requirements, Huawei provides advanced support services. Additional purchases are required for delivery needs that cannot be covered by the above standard items, including but not limited to the development of automation scripts for the eight scenarios of the Landing Zone, as well as technical training activities related to the Landing Zone domain. This constitutes a delivery package of 5 person-days at the L3 level. The specific delivery scope and deliverability are assessed and evaluated case by case. | |
| | Landing Zone Governance Optimization | Landing Zone Governance Optimization-Standard Edition-Monthly (Medium-Scale) | After the delivery and implementation of the five basic scenarios of the Landing Zone, the system provides governance detection and repair for the five scenarios, including organizational structure, identity permission, network management, security management, and compliance audit, and provides historical detection record query. | After the Landing Zone environment is deployed for medium- and large-sized enterprises, routine governance is performed for five basic scenarios based on the Landing Zone best practices. |
| | | Landing Zone Governance Optimization-Standard Edition-Monthly (Large-Scale) | | |
| | | Landing Zone Governance Optimization-Standard Edition-Monthly (Ultra-Large Scale) | | |
| | | Landing Zone Governance Optimization-Standard Edition-Yearly (Medium-Scale) | After the delivery and implementation of the five basic scenarios of the Landing Zone, the system provides governance detection and repair for the five scenarios, including organizational structure, identity permission, network management, security management, and compliance audit, and provides historical detection record query. It also provides automatic IaC script development and O&M for users, for no more than 5 person-days. | |
| | | Landing Zone Governance Optimization-Standard Edition-Yearly (Large-scale) | After the delivery and implementation of the five basic scenarios of the Landing Zone, the system provides governance detection and repair for the five scenarios, including organizational structure, identity permission, network management, security management, and compliance audit, and provides historical detection record query. It also provides automatic IaC script development and O&M for users, for no more than 10 person-days. | |
| | | Landing Zone Governance Optimization-Standard Edition-Yearly (Ultra-Large Scale) | After the delivery and implementation of the five basic scenarios of the Landing Zone, the system provides governance detection and repair for the five scenarios, including organizational structure, identity permission, network management, security management, and compliance audit, and provides historical detection record query. It also provides automatic IaC script development and O&M for users, for no more than 15 person-days. | |
| | | Landing Zone Governance Optimization-Ultimate Edition-Monthly (Medium-Scale) | After the delivery and implementation of the eight basic scenarios of the Landing Zone, the system provides governance detection and repair for the eight scenarios, including organizational structure, identity permission, network management, security management, compliance audit, financial management, O&M management, and data boundary, and provides historical detection record query. | |
| | | Landing Zone Governance Optimization-Ultimate Edition-Monthly (Large-scale) | | |
| | | Landing Zone Governance Optimization-Ultimate Edition-Monthly (Ultra-Large Scale) | | |
| | | Landing Zone Governance Optimization - Ultimate Edition - Yearly (Medium Scale) | After the delivery and implementation of the eight basic scenarios of the Landing Zone, the system provides governance detection and repair for the eight scenarios, including organizational structure, identity permission, network management, security management, compliance audit, financial management, O&M management, and data boundary, and provides historical detection record query. It also provides automatic IaC script development and O&M for users, for no more than 5 person-days. | |
| | | Landing Zone Governance Optimization - Ultimate Edition - Yearly (Large-scale) | After the delivery and implementation of the eight basic scenarios of the Landing Zone, the system provides governance detection and repair for the eight scenarios, including organizational structure, identity permission, network management, security management, compliance audit, financial management, O&M management, and data boundary, and provides historical detection record query. It also provides automatic IaC script development and O&M for users, for no more than 10 person-days. | |
| | | Landing Zone Governance Optimization - Ultimate Edition - Yearly (Ultra-Large Scale) | After the delivery and implementation of the eight basic scenarios of the Landing Zone, the system provides governance detection and repair for the eight scenarios, including organizational structure, identity permission, network management, security management, compliance audit, financial management, O&M management, and data boundary, and provides historical detection record query. It also provides automatic IaC script development and O&M for users, for no more than 15 person-days. | |

Service Content

Enterprise Scale Description:
- Medium-scale (Landing Zone basic scenario design and implementation): number of accounts ≤ 10, ≤ 3 VPCs, and no cross-region scenario.
- Large-scale (Landing Zone basic scenario design and implementation): if the medium-scale requirements are not met, ≤ 100 accounts and ≤ 10 VPC subnets.
- Ultra-large scale (Landing Zone basic scenario design and implementation): if the large-scale requirements are not met, > 100 accounts and > 10 VPC subnets.
- Medium-scale (Landing Zone governance optimization): number of accounts ≤ 10.
- Large-scale (Landing Zone governance optimization): if the medium-scale requirements are not met, ≤ 100 accounts.
- Ultra-large scale (Landing Zone governance optimization): if the large-scale requirements are not met, 100 < number of accounts ≤ 200.
Prerequisites
- Customers need to apply for the Landing Zone design and implementation services 15 days in advance so that Huawei Cloud can evaluate the business objectives and project delivery plan.
- When deploying Landing Zone, if access to customers' service environment is needed, authorization from the customer must be obtained before the service content can be fulfilled. In addition, the cooperation of customers' personnel is required to survey the service status, collect requirements, design and review the solution, and accept the solution.
Service Scope
- Applicable Scope

| Phase | Activity | Description |
|---|---|---|
| Survey and evaluation on cloud IT governance | Survey and evaluation on IT governance | Huawei Cloud learns customers' IT governance status, collects their IT governance specifications (for example, on security, network, account management, billing, and bill splitting), analyzes the current IT governance architecture, and collects their requirements for cloud IT governance. |
| Design and implementation for basic scenarios | Resource organization | Based on the business structure and IT management mode, Huawei Cloud designs resource grouping in a single account or for multiple accounts to separate responsibilities based on permissions. |
| | Identity and permissions | Huawei Cloud designs the cloud identity federation with identity providers (for example, Active Directory or Google) so that existing credentials can be used to access Huawei Cloud. Huawei Cloud designs users and user groups, authorization management, and credential security, and configures permission sets for a single account or multiple accounts. Huawei Cloud designs permission boundaries and organization-level guardrail policies for users, user groups, and application identities. |
| | Network planning | Huawei Cloud designs public network access, including access via the NAT gateway, elastic IP address (EIP), and proxy servers. Huawei Cloud designs multi-region connections between cloud and on-premises data centers or on the same cloud, as well as the connection with third-party clouds. Huawei Cloud designs VPC division for service deployment, inter-cloud VPC interconnection, and networks for public services, file systems, and Object Storage Service (OBS) buckets in the file management area. |
| | Compliance audit | Huawei Cloud checks the compliance of resource configurations for cloud asset operations, O&M, security, and reliability against best practices. Huawei Cloud audits operation logs and permanently stores logs about operations and resource changes. |
| | Security protection | Host security: Huawei Cloud designs protection solutions against vulnerabilities, threats, and attacks to hosts. Data security: Huawei Cloud designs solutions for key management, database protection policies, and storage access control. |
| High-level scenarios | Data boundaries | Huawei Cloud designs security control policies for network and intranet boundaries. Routing tables, ACLs, and security groups are managed based on different permissions. This aims to minimize exposure to network risks. Huawei Cloud configures SCPs and guardrail policies for VPC endpoints and resources to block all unexpected access paths based on principles of separation of duty (SOD). This ensures that data and resources can be accessed only by specified users on specified networks or environments. Analysis tools are provided to prove the validity of policy configurations. This way, Huawei Cloud can eliminate data leakage risks caused by privilege credential disclosure or incorrect configurations. |
| | Cloud financial management | Hierarchical financial management is designed based on the organizational structure of Landing Zone and master-member account associations. Resources in each member account can be logically grouped by cost tag and costs can be split by cost tag. |
| | O&M management | The resource and event management of all member accounts can be viewed and operated in a unified manner. The management account centrally manages the log monitoring of other accounts in an organization with multiple accounts. |
| Landing Zone Governance Optimization | Governance optimization | The Landing Zone governance optimization service continuously monitors whether the multi-account environment on the cloud complies with the best practices of HUAWEI CLOUD Landing Zone, identifies governance risks, and provides rectification capabilities to ensure customers' cloud security and compliance. |
| Technical testing | Technical testing for IT governance solutions | Technical tests are performed for the Landing Zone IT governance architecture in the customer's test or pre-production environment. The tests cover the multi-account system, single sign-on (SSO), user permissions, identity management, network connectivity, and operation audit. |
| Solution implementation | Implementation of IT governance solutions | All IT governance solutions of Landing Zone are implemented in customers' production environment. |

- Inapplicable Scope
  - Software design, reconstruction, installation, and deployment that are beyond the Landing Zone design scope, such as third-party security, application, and network software purchased by customers
  - Cloud services that are used for Landing Zone testing and implementation, such as Enterprise Router, Direct Connect, Virtual Private Network (VPN), Cloud Firewall (CFW), and Web Application Firewall (WAF)
  - Services that are beyond the Landing Zone scope, such as SecMaster, disaster recovery (DR) and backup design, and resource planning for cloud services (such as big data and database)
- Regions
  Asia Pacific (AP), Middle East, Latin America (Brazil Not Included), Europe, Brazil, South Africa.
Service Process
Service Deliverables

| L6 Service Name | Deliverable |
|---|---|
| Landing Zone Design for Basic Scenarios – Medium Scale | Landing Zone Design and Implementation for Basic Scenarios for XX Project |
| Landing Zone Design for Basic Scenarios – Large Scale | |
| Landing Zone Design for Basic Scenarios – Ultra-Large Scale | |
| Landing Zone Implementation for Basic Scenarios – Medium Scale | |
| Landing Zone Implementation for Basic Scenarios – Large Scale | |
| Landing Zone Implementation for Basic Scenarios – Ultra-Large Scale | |
| High-Level Scenarios – Data Boundary Management | |
| Advanced Scenarios – Cloud Financial Management | |
| Advanced Scenarios – O&M Management | |
| Landing Zone Support Service | "Landing Zone Design and Implementation for Basic Scenarios for XX Scenario", "Landing Zone XXX Scenario Best Practices", "Landing Zone Courseware", "Landing Zone XXX Scenarios Automated Best Practices", "Landing Zone XXX Scenario Lab Guide", and other deliverables related to customer-specific requirements for Landing Zone customization |

Responsibility Matrix
- Shared Responsibilities
  - Negotiate and confirm specific IT governance requirements and objectives.
  - Negotiate and confirm project management plans.
  - Negotiate, confirm, and review Landing Zone contents.
  - Sign a contract.
- Huawei Responsibilities
  - Designate a project owner and notify the customer of any personnel changes three working days in advance until the project is accepted.
  - Use the authorized data only for Landing Zone services and not use the data for any other purposes.
- Customer Responsibilities
  - Assign a project owner to assist Huawei Cloud in implementing Landing Zone design and implementation services. The project owner is responsible for coordinating and managing personnel and resources between the two parties. The owner also reviews and accepts the services provided by Huawei Cloud.
  - Provide the service system information, including but not limited to the application architecture, deployment architecture, network architecture, and security requirements.
- Responsibility Details
  - "R" represents the responsible party.
  - "S" represents the supporting party.

| No. | Service Process | Content | Huawei | Customer |
|---|---|---|---|---|
| 1 | Survey and evaluation on cloud IT governance | Survey and evaluation on IT governance | R | S |
| 2 | Design and implementation for basic scenarios | Resource organization | R | S |
| 3 | | Identity and permissions | R | S |
| 4 | | Network planning | R | S |
| 5 | | Compliance audit | R | S |
| 6 | | Security protection | R | S |
| 7 | Advanced scenarios | Data perimeter | R | S |
| 8 | | Cloud financial management | R | S |
| 9 | | O&M management | R | S |
| 10 | Landing Zone Support Service | Support Service | R | S |
| 11 | Landing Zone Governance Optimization | Governance Optimization | R | S |
| 12 | Technical testing | Technical testing for IT governance solutions | S | R |
| 13 | Solution implementation | Implementation of IT governance solutions | S | R |

If a customer has purchased the Landing Zone implementation service, Huawei Cloud is responsible for implementing the solution.
Acceptance Criteria
The deliverables of each service item must be submitted in compliance with the following criteria. If customers accept the deliverables, they need to sign or seal the Acceptance Report of Huawei Cloud Landing Zone Design and Implementation or click the acceptance link on the Huawei Cloud official website.

| L6 Service Name | Deliverable | Acceptance Report |
|---|---|---|
| Landing Zone Design for Basic Scenarios – Medium Scale | Landing Zone Design and Implementation for Basic Scenarios for XX Project | Acceptance Report of Huawei Cloud Landing Zone Design and Implementation |
| Landing Zone Design for Basic Scenarios – Large Scale | | |
| Landing Zone Design for Basic Scenarios – Ultra-Large Scale | | |
| Landing Zone Implementation for Basic Scenarios – Medium Scale | | |
| Landing Zone Implementation for Basic Scenarios – Large Scale | | |
| Landing Zone Implementation for Basic Scenarios – Ultra-Large Scale | | |
| High-Level Scenarios – Data Boundary Management | | |
| High-Level Scenarios – Cloud Financial Management | | |
| High-Level Scenarios – O&M Management | | |
| Landing Zone Support Service | "Landing Zone Design and Implementation for Basic Scenarios for XX Scenario", "Landing Zone XXX Scenario Best Practices", "Landing Zone Courseware", "Landing Zone XXX Scenarios Automated Best Practices", "Landing Zone XXX Scenario Lab Guide", and other deliverables related to customer-specific requirements for Landing Zone customization | Acceptance Report of Huawei Cloud Landing Zone Design and Implementation |