
Cloud Governance Center:Overview

Last Updated:Sep 22, 2023

A landing zone is a framework provided by Alibaba Cloud to allow enterprises to migrate their business to the cloud. Landing zones help enterprises plan and implement resource structures, access security, network architectures, and security compliance systems in the cloud. This way, enterprises can build secure, efficient, and manageable cloud environments. Cloud Governance Center allows you to build landing zones by using blueprint templates in a centralized and efficient manner based on a large number of best practices. Cloud Governance Center integrates the multi-account management capabilities of resource directories and allows you to create a multi-account resource structure for your enterprise at high efficiency.

Process of building a landing zone

Building a landing zone by using Cloud Governance Center is simpler and more efficient than deploying a self-managed landing zone. Perform the following steps:

  1. Check the qualification of an Alibaba Cloud account.

    The system automatically checks whether the current Alibaba Cloud account meets the requirements for a management account. You can specify a suitable management account based on the check result. For more information, see Check the qualification of an Alibaba Cloud account.

  2. Build a landing zone.

    1. Select a blueprint template.

      For information about the supported blueprint templates, see the Supported blueprint templates section of this topic.

    2. Configure items and parameters.

      For information about the items that you can configure to build a landing zone, see the Supported items section of this topic.

    3. Run a building task.

    For more information, see Build a landing zone.

Supported blueprint templates

Blueprint template: Standard blueprint
Description: A general-purpose blueprint template. This template contains only the items that are essential to building a landing zone, such as the resource directory, the Core and Applications folders, the log archive account, and the billing account. This template also allows enterprises to enable the required CloudSSO and security compliance protection rules. You can configure the items based on your business requirements. You can configure advanced network, security, and compliance features after you complete the standard blueprint.

Blueprint template: Standard blueprint (CEN)
Description: A blueprint template that is suitable for enterprises that have high requirements on network security, management, and costs. This template contains the items that are required to build a landing zone and a demilitarized zone (DMZ) based on Cloud Enterprise Network (CEN). CEN simplifies network configurations and provides high scalability. The DMZ allows enterprises to configure and manage traffic ingress and egress in a centralized manner, which improves security and reduces costs.

Blueprint template: Cloud-native blueprint
Description: A blueprint template that is suitable for enterprises that use a cloud-native technology architecture. This template allows enterprises to build an enterprise-level ACK Pro cluster in a specific Alibaba Cloud account. The cluster provides high-availability features such as load balancing and multi-zone availability. You can also configure the permissions that are required to manage the ACK Pro cluster in this blueprint template.

Blueprint template: Finance industry blueprint
Description: A blueprint template that is suitable for enterprises in the financial industry. The financial industry has high requirements for business isolation. In addition to the items of the standard blueprint template, this template contains the items that are required to build a DMZ of CEN and common compliance packages for the financial industry.

Supported items

Each item is described by its category, name, description, whether it is required, and the account in which it is recommended to be configured.

Category: Resource planning
Item: Create Management Account
Description: Creates a management account that is used to manage a resource directory.
Required: Yes
Recommended account: Management account

Category: Resource planning
Item: Enable Resource Directory
Description: Creates a resource directory that is used to build a multi-account structure for an enterprise.
Required: Yes
Recommended account: Management account

Category: Resource planning
Item: Create Folder
Description: Creates the Core and Applications folders to separate management resources from business resources. You can modify the names and structures of the folders based on the organization and business architecture of your enterprise.
Required: Yes
Recommended account: Management account

Category: Resource planning
Item: Create Core Account
Description: Creates or specifies the core accounts, including the billing account, log archive account, security account, and shared service account. You can assign different responsibilities to these accounts to isolate the resources that are used for log delivery, networking, and security.
Required: Yes
Recommended account: Management account

Category: Resource planning
Item: Invite Existing Account
Description: Invites existing Alibaba Cloud accounts to join the resource directory for centralized management. Cloud Governance Center sends an invitation email to the Alibaba Cloud accounts that you specify. The users must log on to the specified Alibaba Cloud accounts and accept the invitation. The invitation is valid for 12 hours. If the invitation is not accepted within the validity period, you must send another invitation.
Required: No
Recommended account: Management account

Category: Identities and permissions
Item: Cloud SSO
Description: Enables and initializes CloudSSO and completes the common access configurations. This way, enterprises can quickly configure permissions and single sign-on for multiple accounts.
Required: Recommended
Recommended account: Management account

Category: Compliance and auditing
Item: Unified Delivery of ActionTrail Logs
Description: Delivers the ActionTrail logs of multiple accounts to the log archive account. You can deliver the logs to Object Storage Service (OSS) for long-term storage or to Simple Log Service for real-time log analysis.
Required: Recommended
Recommended account: Log archive account

Category: Compliance and auditing
Item: Unified Delivery of Cloud Config Logs
Description: Delivers the Cloud Config logs of multiple accounts to the log archive account. You can deliver the logs to OSS for long-term storage or to Simple Log Service for real-time log analysis.
Required: Recommended
Recommended account: Log archive account

Category: Compliance and auditing
Item: Guardrails
Description: Configures and enables the Cloud Config protection rules for all member accounts in your resource directory. These rules ensure that the basic configurations of Cloud Governance Center and the resource structure that it creates are not modified, and they protect the security of the multi-account environment. After you enable the protection rules, you can view the compliance evaluation results of all your member accounts in the Cloud Governance Center console or the Cloud Config console.
Required: Yes
Recommended account: Management account

Category: Compliance and auditing
Item: Service Log Unified Delivery
Description: Delivers the runtime logs of cloud services to Simple Log Service in a centralized manner. The logs are collected from storage services (OSS and Apsara File Storage NAS (NAS)), network services (Server Load Balancer (SLB), Application Load Balancer (ALB), API Gateway, and Virtual Private Cloud (VPC)), database services (ApsaraDB RDS, PolarDB-X 1.0, and PolarDB), and security services (Web Application Firewall (WAF), Anti-DDoS, and Cloud Firewall).
Required: No
Recommended account: Log archive account

Category: Finance
Item: Configure Trusteeship
Description: Configures finance trusteeship for unified bill settlement, including the settlement method and the account that is used to settle bills.
Required: Recommended
Recommended account: Billing account

Category: Network
Item: Activate CEN
Description: Enables CEN to connect the private networks of an enterprise, including cross-region and cross-cloud networks. We recommend that you create DMZs to improve network security.
Required: No
Recommended account: Shared service account

Category: O&M
Item: Enterprise-level ACK Cluster
Description: Creates an enterprise-level ACK Pro cluster in a specific account. The cluster provides high-availability features such as load balancing and multi-zone availability.
Required: No
Recommended account: Any account

Solution library

The solution library is built on a large number of practices that enterprises have adopted to migrate business to the cloud and to manage and govern cloud resources. It provides architecture design methods, best practices, tools, and automated deployment code. You can use this library to plan your resource structure, access control, network architecture, compliance auditing, and O&M management systems in the cloud. The library helps you create a secure, compliant, controllable, and scalable cloud IT environment, so that you can use cloud computing resources efficiently.

When you build a landing zone, you can refer to related cases to improve building efficiency.

Expert service

You can log on to the Advanced Service for Enterprise console and contact Alibaba Cloud experts for comprehensive cloud IT governance solutions tailored for your enterprise.