A landing zone is a framework that Alibaba Cloud provides for enterprises to migrate business to the cloud. Landing zones help you regulate and implement resource structures, access security, network architectures, and security compliance systems in the cloud. This way, you can create a secure, efficient, and manageable cloud environment. Cloud Governance Center provides blueprint templates that you can use to build landing zones with higher efficiency. This topic describes how to use a standard blueprint to build a landing zone.

Background information

Cloud Governance Center automatically checks whether a resource directory is created for a specified management account. If no resource directory is created for the management account, Cloud Governance Center automatically creates a resource directory for the management account.

Step 1: Configure items

  1. Log on to the Cloud Governance Center console.
  2. In the left-side navigation pane, click LandingZone Setup.
  3. On the LandingZone Setup page, find the Select Blueprint section. In the Standard Blueprint section, click Build.
  4. In the Added Items section of the Configure Blueprint page, view the items added to the blueprint. You can add or remove items based on your business requirements.
    • Click Add Item. In the dialog box that appears, add new items and click OK.

      Some items may use other items as dependencies. In this case, you must add all items that depend on each other.

    • To delete an item, click the Delete icon to the right of the item.

      Do not delete a required item in a blueprint.

    In this example, only the following required items are retained: Create Folder, Create Core Account, and Guardrails.

Step 2: Create folders

A folder is an organizational unit in a resource directory. A folder may indicate a branch, a line of business, or a project of your enterprise. Each folder can contain member accounts and subfolders that are in a tree-shaped organizational structure. You can manage accounts and resources by using folders. For example, you can allocate resources, manage permissions, and implement security control and compliance control by using folders.

We recommend that you create the following folders based on the best practices. If the folders are not created for the management account, Cloud Governance Center automatically creates the folders.

  • Core: This folder contains member accounts that are used to manage resources.
  • Applications: This folder contains member accounts that are used to perform specific business operations.

In the Added Items section, click Create Folder. On the right of the page, the automatically created folders are displayed. You can change the name of each folder. If you no longer need a folder, you can delete the folder.

In addition to the Core and Applications folders, you can perform the following steps to create finer-grained folders by department or business environment: Log on to the Resource Management console, choose Resource Directory > Overview > Organization. On the left of the Organization tab, select a node and click Create Folder.

Step 3: Create core accounts

You can create core accounts for existing functional units. This way, you can perform subsequent governance tasks. The governance tasks include resource allocation, permission management, security control, and compliance control.

  1. In the Create Core Account section, select a folder to which the core account belongs from the Default Folder drop-down list.
    In this example, the Core folder created in Step 2: Create folders is selected. This way, the core account is created in the Core folder.
  2. Specify a settlement method.
    • Trusteeship: If you use this method, the core account is used to settle the bills and manage split bills of all accounts in a centralized manner. We recommend that you select this method.
    • Finance management: Compared with the trusteeship method, this method allows you to use the core account to manage specific finance capabilities of all accounts in a centralized manner. If you use this method, the self-pay settlement method is automatically used for each account. After you build the landing zone, you can use the financial management account to specify another method.
    • Self-pay for each account: If you use this method, the owner of each account pays the bills of the account. No centralized finance management method is specified.
  3. Optional: If you select Trusteeship, you must specify a main account.
    To specify a main account, you can use one of the following methods:
    • Specify Existing Account: Specify the current management account or a member account in your resource directory as a main account.

      Cloud Governance Center automatically checks whether the member account meets the requirements for a main account. You can specify a main account based on the check result.

      Note: The system may prompt you that the member account does not meet the requirements. For example, a prompt is displayed if the financial information about the member account is incomplete. In this case, go to the User Center to complete the financial information.
    • Create Account: Create a member account as a main account.
    • Invite Account: Invite the owner of an Alibaba Cloud account to join the resource directory and specify the account as a main account.
  4. Specify core accounts.
    In this example, the following core accounts are specified.
    • Log archive account: This account is used to collect the logs of all member accounts. By default, the account is enabled. You cannot disable the account.
    • Shared service account: This account is used to deploy shared services for your enterprise. By default, the account is enabled. You can disable the account.
    • Security account: This account is used to perform security control and compliance control in a centralized manner. By default, the account is enabled. You can disable the account.

    You can create a core account or specify an existing account as a core account. If you want to create a core account, you must specify basic information for the core account.

  5. Click Next.
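
As an added example (not part of this Alibaba Cloud topic), the following Python check verifies that a resource directory inventory matches the layout built in Step 2 and Step 3: Core and Applications folders under the root, and the log archive, shared service, and security accounts inside Core. The dictionary shapes are assumed to mirror the ResourceManager ListFoldersForParent and ListAccountsForParent responses; all IDs and display names are constructed.

```python
"""Check a resource directory inventory against the standard blueprint layout.
Inventory dicts are assumed to mirror ListFoldersForParent / ListAccountsForParent
response bodies, keyed by parent folder ID; the sample below is constructed."""

EXPECTED_FOLDERS = {"Core", "Applications"}
EXPECTED_CORE_ACCOUNTS = {"log-archive", "shared-service", "security"}

# Constructed sample inventory (IDs and names are not real).
SAMPLE_FOLDERS = {
    "r-root0000": {"Folders": {"Folder": [
        {"FolderId": "fd-core0001", "FolderName": "Core"},
        {"FolderId": "fd-apps0001", "FolderName": "Applications"},
    ]}},
}
SAMPLE_ACCOUNTS = {
    "fd-core0001": {"Accounts": {"Account": [
        {"AccountId": "100000000000001", "DisplayName": "log-archive", "Type": "ResourceAccount"},
        {"AccountId": "100000000000002", "DisplayName": "shared-service", "Type": "ResourceAccount"},
        {"AccountId": "100000000000003", "DisplayName": "security", "Type": "ResourceAccount"},
    ]}},
    "fd-apps0001": {"Accounts": {"Account": []}},
}

def folder_names(folders_by_parent, parent_id):
    """Map folder name -> folder ID for the direct children of parent_id."""
    body = folders_by_parent.get(parent_id, {})
    return {f["FolderName"]: f["FolderId"] for f in body.get("Folders", {}).get("Folder", [])}

def account_names(accounts_by_folder, folder_id):
    """Display names of the member accounts placed directly in folder_id."""
    body = accounts_by_folder.get(folder_id, {})
    return {a["DisplayName"] for a in body.get("Accounts", {}).get("Account", [])}

def check_landing_zone(folders_by_parent, accounts_by_folder, root_id):
    """Return a list of findings; an empty list means the layout matches the blueprint."""
    findings = []
    names = folder_names(folders_by_parent, root_id)
    for name in sorted(EXPECTED_FOLDERS - set(names)):
        findings.append(f"missing folder: {name}")
    core_id = names.get("Core")
    if core_id is None:
        return findings
    present = account_names(accounts_by_folder, core_id)
    for name in sorted(EXPECTED_CORE_ACCOUNTS - present):
        findings.append(f"missing core account in Core: {name}")
    # A core account placed in another folder defeats the separation the blueprint sets up.
    for fid in names.values():
        if fid != core_id:
            for name in sorted(EXPECTED_CORE_ACCOUNTS & account_names(accounts_by_folder, fid)):
                findings.append(f"core account outside Core: {name}")
    return findings
```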

Step 4: Configure protection rules

You can configure and enable the protection rules of Cloud Config in a centralized manner. This prevents the basic configurations and the resource structure that are created in Cloud Governance Center from being modified, and it helps secure multi-account environments.

In the Guardrails section, view protection rules and select the required protection rules. For more information about protection rules, see Configure protection rules in a centralized manner.

Step 5: Run a task to build the landing zone

  1. After you configure the preceding parameters, click Next: Preview. On the page that appears, check the configuration information about each item.
  2. After you verify the information, click Configure.
  3. View the status of the task and click Close after the task is completed.