A landing zone (“LZ”) in a public cloud provider is a collection of tools, processes and policies that supports the customer in establishing a multi-account presence in one of the various public clouds: AWS, Microsoft Azure, etc.
Multi-account refers to the creation of sub-accounts under one master billing account, using AWS Organizations, Azure Subscription Management, or the equivalent in another provider. An organisation may choose to run a multi-account structure for many reasons, but most commonly it is because they wish to isolate applications or parts of the business for reasons of security or cost control.
An LZ establishes a set of baseline rules such as tagging and control policies on the allocation of resources, to limit the risk of an inadvertent or intentional act causing an over-sized bill or operational incident.
It also puts in place the policies relating to identity and access management within and between accounts, for example distinguishing organisation-wide security and billing administrators from account-level system operators.
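To make the "control policies on the allocation of resources" concrete, here is an added example (not code from the article or from any landing-zone product) that builds an AWS service-control-policy-style document with two guardrails, requiring a cost-allocation tag on instance launches and denying activity outside an approved region list, and then evaluates constructed sample requests against it offline. The policy contents, the account ID and the requests are constructed; the condition keys (`aws:RequestTag/...`, `aws:RequestedRegion`) and the `Null`/`StringNotEquals` operators are the real AWS ones, but the evaluator below is a simplified simulation, not the AWS policy engine.

```python
"""Simulate an organisation-level control policy (AWS SCP style) against sample requests.

Added example: the policy document, account ID and requests are constructed here.
A control policy only restricts; it never grants. The evaluator therefore answers
"does the guardrail block this request?", not "is the request allowed overall".
"""
from fnmatch import fnmatchcase

REQUIRED_TAG = "CostCenter"
APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]

CONTROL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # Launching an instance without the cost-allocation tag is denied.
            "Sid": "RequireCostCenterTagOnLaunch",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": ["arn:aws:ec2:*:*:instance/*"],
            "Condition": {"Null": {f"aws:RequestTag/{REQUIRED_TAG}": "true"}},
        },
        {
            # Anything outside the approved regions is denied, except global services
            # (IAM, Organizations, STS) which do not carry a meaningful region.
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
    ],
}


def _matches_any(value, patterns):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(operator, key, expected, context):
    expected = expected if isinstance(expected, list) else [expected]
    actual = context.get(key)
    if operator == "Null":
        # "true" means the key must be absent from the request; "false" means present.
        return (actual is None) == (str(expected[0]).lower() == "true")
    if operator == "StringEquals":
        return actual is not None and actual in expected
    if operator == "StringNotEquals":
        # Negated operators evaluate true when the key is missing from the request.
        return actual is None or actual not in expected
    raise ValueError(f"unsupported condition operator: {operator}")


def _statement_applies(stmt, action, resource, context):
    if "Action" in stmt and not _matches_any(action, stmt["Action"]):
        return False
    if "NotAction" in stmt and _matches_any(action, stmt["NotAction"]):
        return False
    if not _matches_any(resource, stmt.get("Resource", "*")):
        return False
    # Every condition block must hold for the statement to apply.
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_holds(operator, key, expected, context):
                return False
    return True


def evaluate(policy, action, resource, context):
    """Return (blocked, [Sids of the Deny statements that matched])."""
    denials = [
        s["Sid"]
        for s in policy["Statement"]
        if s["Effect"] == "Deny" and _statement_applies(s, action, resource, context)
    ]
    return (bool(denials), denials)


def run_samples():
    """Constructed requests covering each guardrail and the global-service exception."""
    instance_arn = "arn:aws:ec2:eu-west-1:111122223333:instance/*"
    samples = {
        "tagged-launch-eu": ("ec2:RunInstances", instance_arn,
                             {"aws:RequestedRegion": "eu-west-1", "aws:RequestTag/CostCenter": "payments"}),
        "untagged-launch-eu": ("ec2:RunInstances", instance_arn,
                               {"aws:RequestedRegion": "eu-west-1"}),
        "bucket-in-us": ("s3:CreateBucket", "arn:aws:s3:::constructed-bucket",
                         {"aws:RequestedRegion": "us-east-1"}),
        "iam-user-global": ("iam:CreateUser", "arn:aws:iam::111122223333:user/example",
                            {"aws:RequestedRegion": "us-east-1"}),
    }
    return {name: evaluate(CONTROL_POLICY, *args) for name, args in samples.items()}


if __name__ == "__main__":
    for name, (blocked, sids) in run_samples().items():
        print(f"{name:20s} blocked={blocked} by={sids}")
```

The `NotAction` carve-out for global services is the part most often forgotten when a region guardrail is written; without it the policy breaks IAM and Organizations administration from the management account itself.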
Most importantly, an LZ establishes packaged account structures – IP addressing and routing, network security controls, encryption keys, etc – that can exist in combinations of size and complexity to support rapid deployment of different applications.
Consumers of the LZ are given a single interface from which to select their desired account structure, which is then created automatically.
An enhanced landing zone (“ELZ”) takes the LZ concept and applies infrastructure-as-code (“IaC”) practices across the entire creation, operation and management lifecycle of a multi-account structure.
In an ELZ, the deployed accounts and their supporting services are both created and managed using tools such as Terraform and Ansible.
Using IaC also enforces policies on the management of services and applications after deployment, by providing for the termination or restriction of resources that are unmanaged (not declared in code) or improperly configured.
While an LZ automates the creation of new accounts within a multi-account structure, an ELZ imposes an automation discipline on the operation of created accounts and can leverage standard or existing software development lifecycle practices.
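The "termination or restriction of unmanaged or improperly-configured resources" described above is, in practice, a reconciliation job: compare what the IaC tool believes it manages with what actually exists in the account. The following added example (not the article's code, nor any real ELZ tooling) reconciles a simplified Terraform state document against a constructed live inventory and produces a verdict per resource. The state shape (`resources` / `instances` / `attributes`) follows Terraform's JSON state, but is trimmed; the inventory, tags, IDs, timestamps and the 15-minute grace window are constructed assumptions.

```python
"""Reconcile a Terraform state file against a live resource inventory.

Added example. STATE is a trimmed, constructed document in the shape of a
Terraform v4 state; INVENTORY stands in for what a cloud API would list.
The job only decides; applying the verdict is left to the pipeline.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_TAGS = {"CostCenter", "Owner"}
# Resources younger than this may belong to an apply that is still running,
# so they are deferred rather than acted on (constructed value).
GRACE = timedelta(minutes=15)

STATE = {
    "version": 4,
    "resources": [
        {"mode": "managed", "type": "aws_instance", "name": "web",
         "instances": [{"attributes": {"id": "i-0aaa111"}},
                       {"attributes": {"id": "i-0bbb222"}}]},
        # A data source is a read, not an owned resource; it must not count as managed.
        {"mode": "data", "type": "aws_ami", "name": "base",
         "instances": [{"attributes": {"id": "ami-0ccc333"}}]},
    ],
}

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

INVENTORY = [  # constructed: what the account actually contains
    {"type": "aws_instance", "id": "i-0aaa111",
     "tags": {"CostCenter": "payments", "Owner": "team-a"}, "created_at": NOW - timedelta(days=3)},
    {"type": "aws_instance", "id": "i-0bbb222",
     "tags": {"CostCenter": "payments"}, "created_at": NOW - timedelta(days=3)},
    {"type": "aws_instance", "id": "i-0ddd444",
     "tags": {}, "created_at": NOW - timedelta(hours=2)},
    {"type": "aws_instance", "id": "i-0eee555",
     "tags": {}, "created_at": NOW - timedelta(minutes=5)},
]


def managed_ids(state):
    """Collect the (type, id) pairs that Terraform claims ownership of."""
    ids = set()
    for res in state["resources"]:
        if res.get("mode", "managed") != "managed":
            continue
        for inst in res["instances"]:
            ids.add((res["type"], inst["attributes"]["id"]))
    return ids


def classify(state, inventory, now):
    """Return one verdict per live resource: keep, restrict, terminate or defer."""
    managed = managed_ids(state)
    decisions = []
    for r in inventory:
        age = now - r["created_at"]
        missing = REQUIRED_TAGS - set(r.get("tags", {}))
        if age < GRACE:
            verdict, reason = "defer", "inside apply grace window"
        elif (r["type"], r["id"]) not in managed:
            verdict, reason = "terminate", "not present in Terraform state"
        elif missing:
            verdict, reason = "restrict", f"missing required tags: {sorted(missing)}"
        else:
            verdict, reason = "keep", "managed and compliant"
        decisions.append({"type": r["type"], "id": r["id"], "verdict": verdict, "reason": reason})
    return decisions


def verdicts(state=STATE, inventory=INVENTORY, now=NOW):
    """Convenience view: resource id -> verdict."""
    return {d["id"]: d["verdict"] for d in classify(state, inventory, now)}


if __name__ == "__main__":
    for d in classify(STATE, INVENTORY, NOW):
        print(f"{d['type']} {d['id']:10s} {d['verdict']:9s} {d['reason']}")
```

Two design points matter when this runs on a schedule: data sources are excluded from the managed set so that reads are never mistaken for ownership, and the grace window prevents the reconciler from racing a Terraform apply and destroying a resource that is seconds away from being recorded in state.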