All Products
Search
Document Center

Support:Alibaba Cloud Landing Zone Service Statement of Work

Last Updated:Jun 03, 2026

Defines the scope, editions, responsibilities, and acceptance criteria for the Alibaba Cloud Landing Zone IT governance service.

1.Overview

1.1.Introduction

Landing Zone provides IT governance solution design and validation based on Alibaba Cloud offerings. It covers account management, network planning, financial management, resource management, compliance auditing, and security protection, and guides customers to set up a secure, multi-account Alibaba Cloud environment based on Alibaba Cloud best practices.

Landing Zone offers three editions:

Landing Zone

  • Basic edition

    • Provides lightweight consulting and solution design for account management, and either network planning or security protection.

    • Validates the technical feasibility of the preceding solutions.

  • Standard edition

    • Provides standard consulting and solution design for account management, network planning, financial management, resource management, compliance auditing, and security protection.

    • Validates the technical feasibility of the preceding solutions.

    • Provides solutions to integrate with self-managed systems, such as SSO, CMDB, and billing system.

  • Advanced edition

    • Provides advanced consulting with solution design and implementation for account management, network planning, financial management, resource management, compliance auditing, and security protection.

    • Validates the technical feasibility of the preceding solutions and implements them.

    • Provides solutions to integrate with self-managed systems, such as SSO, CMDB, and billing system.

Any work or solution not defined in this statement of work is excluded from the project scope.

2.Service Scope

The service scope varies by edition: Basic, Standard, and Advanced.

2.1.Landing Zone Basic edition

Landing Zone Basic edition provides the following services:

  • Investigation and evaluation

    • Investigate and analyze the current application technology stack through surveys and interviews. Evaluate the feasibility of cloud-based IT governance and define the Landing Zone service process.

    • Design the technology roadmap based on the evaluation results.

  • Account management

    • Design the account management solution based on the investigation and evaluation results:

      • Account: design solutions for account management and permission management, and norms for using RAM roles.

      • MFA: add support for MFA.

      • SSO: integrate with existing SSO to achieve centralized user authentication.

      • Identity authentication: design a federated authentication solution based on use scenarios.

  • Network planning (select between network planning and security protection)

    • Design the network planning solution based on the investigation and evaluation results:

      • Network connection: design a solution to connect your data centers to Alibaba Cloud through VPNs, design firewalls at the access layer and application layer, and design jump servers.

      • Cloud network planning: design the cloud network architecture, including VPC management, IP address management, and DMZ management.

      • Interconnection between clouds: design a solution to connect VPCs of different regions, accounts, or data centers through CEN. Interconnection between services owned by different accounts can be achieved after authorization.

  • Security protection (select between network planning and security protection)

    • Design the security protection solution based on the investigation and evaluation results:

      • Network security: design solutions for security group and security domain management. Isolate applications through security domains and connect specified applications as required.

      • Data security: design solutions for key management, database access control, and storage access control. Design data security solutions that meet customer requirements.

      • The security protection solution covers cloud platform security management only and complies with enterprise security regulations. Enterprise application security and other security requirements are not covered.

  • Technical validation

    • Validate the technical designs of the following solutions: account management, and network planning or security protection. The technical feasibility of the following features is validated:

      • Account management, permission management, and identity management

      • Network allocation, network segmentation, and network connectivity

2.2.Landing Zone Standard edition

Landing Zone Standard edition provides the following services:

  • Investigation and evaluation

    • Investigate and analyze the current application technology stack through surveys and interviews. Evaluate the feasibility of cloud-based IT governance and define the Landing Zone service process.

    • Define the work scope of Landing Zone based on the evaluation results.

  • Account management

    • Design the account management solution based on the investigation and evaluation results:

      • Account: design solutions for account management and permission management, and norms for using RAM roles.

      • MFA: add support for MFA.

      • SSO: integrate with existing SSO to achieve centralized user authentication.

      • Identity authentication: design a federated authentication solution based on use scenarios.

  • Network planning

    • Design the network planning solution based on the investigation and evaluation results:

      • Network connection: design a solution to connect your data centers to Alibaba Cloud, design firewalls at the access layer and application layer, and design jump servers.

      • Cloud network planning: design the cloud network architecture, including VPC management, IP address management, and DMZ management.

      • Interconnection between clouds: design a solution to connect VPCs of different regions, accounts, or data centers through CEN. Interconnection between services owned by different accounts can be achieved after authorization.

  • Financial management

    • Design the financial management solution based on the investigation and evaluation results:

      • Cost accounting: Design a cost accounting model and make a cost center-based bill analysis scheme for cloud expenditures.

      • Cost analysis: Design financial analysis for customers, provide billing capability, help customers access the enterprise internal financial analysis platform, and obtain billing, expense details, and other expense data.

      • Cost optimization: Recommend best practices, deployment plans, and audit plans for cost optimization based on the adopted cloud services.

  • Resource management

    • Design the resource management solution based on the investigation and evaluation results:

      • Design a solution to integrate with the enterprise's billing system for retrieving bills, invoices, and other expense data.

      • Design expense management solutions based on resource catalogs and cost allocation solutions for enterprises that do not have standard billing models or platforms.

  • Compliance auditing

    • Design the compliance auditing solution based on the investigation and evaluation results:

      • Provide norms for enterprise firewall configuration to meet the compliance requirements of perimeter security.

      • Design multi-layered protection solutions that include server-side encryption, client-side encryption, hotlinking protection, and IP blacklisting and whitelisting.

      • Design solutions for behavioral auditing, account auditing, and log auditing. Provide custom auditing solutions based on enterprise auditing requirements.

  • Security protection

    • Design the security protection solution based on the investigation and evaluation results:

      • Network security: design solutions for security group and security domain management. Isolate applications through security domains and connect specified applications as required.

      • Data security: design solutions for key management, database access control, and storage access control. Design data security solutions that meet customer requirements.

      • The security protection solution covers cloud platform security management only and complies with enterprise security regulations. Enterprise application security and other security requirements are not covered.

  • Technical validation

    • Validate the technical designs of the following solutions: account management, network planning, financial management, resource management, compliance auditing, and security protection. The technical feasibility of the following features is validated:

      • Account management, permission management, and identity management

      • Network allocation, network segmentation, and network connectivity

      • Cost allocation

      • IP whitelists, security groups, and behavioral auditing

      • Security domain isolation and access control based on whitelists

      • Integration with self-managed systems such as SSO, CMDB, and billing system

2.3.Landing Zone Advanced edition

Landing Zone Advanced edition provides the following services:

  • Investigation and evaluation

    • Investigate and analyze the current application technology stack through surveys and interviews. Evaluate the feasibility of cloud-based IT governance and define the Landing Zone service process.

    • Define the work scope of Landing Zone based on the evaluation results.

  • Account management

    • Design the account management solution based on the investigation and evaluation results:

      • Account: design solutions for account management and permission management, and norms for using RAM roles.

      • MFA: add support for MFA.

      • SSO: integrate with existing SSO to achieve centralized user authentication.

      • Identity authentication: design a federated authentication solution based on use scenarios.

  • Network planning

    • Design the network planning solution based on the investigation and evaluation results:

      • Network connection: design a solution to connect your data centers to Alibaba Cloud, design firewalls at the access layer and application layer, and design jump servers.

      • Cloud network planning: design the cloud network architecture, including VPC management, IP address management, and DMZ management.

      • Interconnection between clouds: design a solution to connect VPCs of different regions, accounts, or data centers through CEN. Interconnection between services owned by different accounts can be achieved after authorization.

  • Financial management

    • Design the financial management solution based on the investigation and evaluation results:

      • Cost accounting: Design a cost accounting model and make a cost center-based bill analysis scheme for cloud expenditures.

      • Cost analysis: Design financial analysis for customers, provide billing capability, help customers access the enterprise internal financial analysis platform, and obtain billing, expense details, and other expense data.

      • Cost optimization: Recommend best practices, deployment plans, and audit plans for cost optimization based on the adopted cloud services.

  • Resource management

    • Design the resource management solution based on the investigation and evaluation results:

      • Design a solution to integrate with the enterprise's billing system for retrieving bills, invoices, and other expense data.

      • Design expense management solutions based on resource catalogs and cost allocation solutions for enterprises that do not have standard billing models or platforms.

  • Compliance auditing

    • Design the compliance auditing solution based on the investigation and evaluation results:

      • Provide norms for enterprise firewall configuration to meet the compliance requirements of perimeter security.

      • Design multi-layered protection solutions that include server-side encryption, client-side encryption, hotlinking protection, and IP blacklisting and whitelisting.

      • Design solutions for behavioral auditing, account auditing, and log auditing. Provide custom auditing solutions based on enterprise auditing requirements.

  • Security protection

    • Design the security protection solution based on the investigation and evaluation results:

      • Network security: design solutions for security group and security domain management. Isolate applications through security domains and connect specified applications as required.

      • Data security: design solutions for key management, database access control, and storage access control. Design data security solutions that meet customer requirements.

      • The security protection solution covers cloud platform security management only and complies with enterprise security regulations. Enterprise application security and other security requirements are not covered.

  • Technical validation

    • Validate the technical designs of the following solutions: account management, network planning, resource management, compliance auditing, and security protection. The technical feasibility of the following features is validated:

      • Account management, permission management, and identity management

      • Network allocation, network segmentation, and network connectivity

      • Cost allocation

      • IP whitelists, security groups, and behavioral auditing

      • Security domain isolation and access control based on whitelists

      • Integration with self-managed systems such as SSO, CMDB, and billing system

  • Solution implementation

    • Implement the following solutions based on the technical validation results: account management, network planning, financial management, resource management, compliance auditing, and security protection.

Notes:

  • Landing Zone covers IT governance based on Alibaba Cloud offerings only, not enterprise internal IT governance consulting. Enterprise-class IT governance solutions are available as separate services.

  • The security protection solution covers cloud platform security management only. It does not cover enterprise application and data security or classified protection requirements.

  • The project designs integration solutions for self-managed systems such as SSO, CMDB, and billing. Alibaba Cloud is not responsible for implementing these integrations or troubleshooting self-managed system issues.

  • Alibaba Cloud shall not be liable for schedule delays caused by the customer.

  • The customer shall not limit the ways in which Alibaba Cloud provides services. Alibaba Cloud conducts investigations and provides consulting services on-site or remotely in order to produce the final deliverables.

  • Alibaba Cloud is not responsible for providing any technical documentation other than Alibaba Cloud official documentation and documents within the scope of this project.

  • Alibaba Cloud is not responsible for any implementation or maintenance work involved in the planning, architecture design, cloud transformation, or implementation of the customer's business system.

  • Alibaba Cloud is not responsible for troubleshooting or technical support of third-party software and application systems that are not provided by the Alibaba Cloud platform.

3.Prerequisites

  • The customer must apply at least 15 working days before placing the order so Alibaba Cloud can evaluate business objectives and schedule feasibility.

  • For resource-intensive applications, apply one month in advance so Alibaba Cloud can verify resource availability with suppliers.

  • The customer must provide Alibaba Cloud with all necessary documents, information, data, diagrams, system permissions, and remote access channels in a timely manner. All such information is subject to the confidentiality clauses attached to this statement. The customer agrees that all information disclosed to Alibaba Cloud is true, accurate, and not misleading.

  • Alibaba Cloud provides Landing Zone services (Basic, Standard, and Advanced editions) through phone calls, DingTalk, and emails. There are no location restrictions for service delivery.

  • During project delivery, Alibaba Cloud designs the IT governance solution and troubleshoots issues during technical validation, while the customer implements the solution.

  • Alibaba Cloud provides services from 9:00 AM to 6:00 PM (UTC+8), Monday through Friday, excluding national holidays in China.

  • The project managers designated by the customer and Alibaba Cloud must use mutually agreed communication methods for written project information. Options include DingTalk, fax, and email.

  • All project deliverables are in Chinese or English, and the working language is Chinese or English. All deliverables are submitted as electronic copies in Microsoft Office formats, including PowerPoint, Word, Excel, and Visio.

  • The customer and Alibaba Cloud must follow the work plan, staffing plan, and schedule agreed upon by both parties. Alibaba Cloud is not liable for project delays caused by the customer's business system launch delays.

  • If either party introduces a third party, that party is responsible for signing contracts with the third party. Alibaba Cloud is not responsible for delays caused by the customer's subcontractors or vendors, and the customer is not responsible for delays caused by Alibaba Cloud's subcontractors or vendors.

  • Neither party is liable for special, incidental, or indirect damages, or consequential economic damages (this includes loss of profits or discounts) under this contract, even if the party has been informed of the possibility of such damages.

4.Responsibilities

4.1.Customer and Alibaba Cloud

  • To purchase Landing Zone (Basic, Standard, or Advanced edition), the customer must apply for the service in advance and can place orders only after the application is approved by Alibaba Cloud.

  • The customer and Alibaba Cloud negotiate to confirm the business objectives and service scope of Landing Zone.

Service type

Phase

Task name

Task details

Customer

Alibaba Cloud

Landing Zone

Current situation investigation

Infrastructure

Analyze the customer's deployment architecture, understand the relationship between computing, storage, middleware, and applications, and analyze and aggregate data on nodes.

A/S/C/I

R/I

Business status and application systems

Investigate the current IT governance situation and understand the requirements for cloud-based IT governance through remote collection and on-site communication.

A/S/C/I

R/I

IT governance norms

Investigate the current IT governance norms, such as security, network, account management, and billing norms, and understand the customer's IT governance requirements.

A/S/C/I

R/I

Solution design

Account management

Design the account management solution based on the enterprise account system to achieve SSO integration, MFA, and centralized permission management.

A/S/C/I

R/I

Network planning

Design the network planning solution to meet the customer's networking requirements.

A/S/C/I

R/I

Financial management

Design cloud financial management based on account distribution labels, providing data support for cost optimization and business decisions.

A/S/C/I

R/I

Resource management

Design the resource management solution to meet the customer's requirements for cloud resource provisioning.

A/S/C/I

R/I

Compliance auditing

Design the compliance auditing solution based on the customer's compliance and auditing requirements.

A/S/C/I

R/I

Security protection

Design the security protection solution based on enterprise security norms to meet the customer's requirements. The solution covers only cloud security.

A/S/C/I

R/I

Technical validation

Landing Zone technical validation

Validate the technical feasibility of the solutions and troubleshoot the issues that occur in the validation process.

A/S/C/I/R

S/C/I

Solution implementation

Landing Zone solution implementation

Implement the solutions.

A/S/C/I

R/S/C/I

Notes: R for Responsible, A for Accountable, C for Consulted, I for Informed, and S for Support.

4.1.1.Customer responsibilities

  • The customer must appoint a qualified project manager as the main contact for Alibaba Cloud. The project manager has full authority to make project decisions on behalf of the customer and is responsible for planning, coordination, supervision, control, and issue resolution during project implementation.

  • The customer's project manager is responsible for coordinating all resources to lead project investigation and technical verification.

  • At the beginning of the project, the customer must provide information and specification documents related to IT governance within the enterprise, and explicitly state the implementation requirements.

4.1.2.Alibaba Cloud

  • Alibaba Cloud must appoint an experienced technical manager to communicate with the customer's project manager and manage the Alibaba Cloud project team.

  • Alibaba Cloud must investigate the basic architecture, business scenarios, technical components, and development frameworks of the customer's system, and evaluate the Landing Zone specifications.

  • Alibaba Cloud must design the Landing Zone solution based on the results of the preliminary investigation.

  • Alibaba Cloud must cooperate with the customer to validate the technical feasibility of the Landing Zone solution and help the customer resolve issues that occur in the validation process.

4.1.3.Completion criteria

  • Completion criteria for Landing Zone Basic edition

    • The designs of the following solutions are completed and confirmed by the customer: account management, and network planning or security protection.

    • Deliverables

      • Landing Zone Basic IT Governance Solution

  • Completion criteria for Landing Zone Standard edition

    • The designs of the following solutions are completed and confirmed by the customer: account management, network planning, financial management, resource management, compliance auditing, and security protection.

    • Deliverables

      • Landing Zone Standard IT Governance Solution

  • Completion criteria for Landing Zone Advanced edition

    • The designs of the following solutions are completed, implemented, and confirmed by the customer: account management, network planning, financial management, resource management, compliance auditing, and security protection.

    • Deliverables

      • Landing Zone Advanced IT Governance Solution

4.2.Service catalog

The following table describes the services that are provided by Landing Zone:

Phase

Service

Landing Zone Basic edition

Landing Zone Standard edition

Landing Zone Advanced edition

Current situation investigation

Infrastructure

Supported

Supported

Supported

Business status and application systems

Supported

Supported

Supported

IT governance norms

Supported

Supported

Supported

Solution design

Account management

Supported

Supported

Supported

Network planning

Supported (select between network planning and security protection)

Supported

Supported

Financial management

Supported

Supported

Resource management

Supported

Supported

Compliance auditing

Supported

Supported

Security protection

Supported (select between network planning and security protection)

Supported

Supported

Technical validation

Landing Zone technical validation

Supported

Supported

Supported

Solution implementation

Landing Zone solution implementation

Supported

5.Service Level Agreement

  • Provide the Landing Zone service.

  • Provide technical validation and on-site support based on demands during the service period.

  • Provide the following documents based on service specifications: Landing Zone Basic IT Governance Solution, Landing Zone Standard IT Governance Solution, and Landing Zone Advanced IT Governance Solution.

6.Service Process

The following figure shows the service process of Landing Zone.

Service process flowchart

7.Acceptance criteria

7.1.Acceptance list

No.

Phase

Details

Deliverable

Deliverable type

1

Current situation investigation

Infrastructure

Landing Zone Investigation Report

Document

Business status and application systems

IT governance norms

2

Solution design

Account management

Landing Zone Advanced IT Governance Solution

Landing Zone Basic IT Governance Solution

Landing Zone Standard IT Governance Solution

Network planning

Financial management

Resource management

Compliance auditing

Security protection

3

Technical validation

Technical validation

N/A

4

Solution implementation

Solution implementation

N/A

7.2.Acceptance criteria

  • In the project delivery process, Alibaba Cloud should provide consulting services regarding Landing Zone and record important information in documents. In the acceptance phase, the customer should focus on the quality of document content and confirm that the documents meet their requirements.

  • If the customer's business process requires internal reviews before Alibaba Cloud submits the deliverables, the customer must conduct and complete internal reviews before the agreed acceptance time.

  • If the document content needs to be modified after the review meeting, Alibaba Cloud must make the required modifications and submit the modified documents to the customer for acceptance. The customer must appoint a representative to sign for confirmation.

  • Acceptance criteria for Landing Zone Basic edition

    • Landing Zone Basic IT Governance Solution meets expectations.

  • Acceptance criteria for Landing Zone Standard edition

    • Landing Zone Standard IT Governance Solution meets expectations.

  • Acceptance criteria for Landing Zone Advanced edition

    • Landing Zone Standard IT Governance Solution meets expectations.

7.3.Acceptance plan

In accordance with the deliverables of each project phase described in Section 7.1 Acceptance List, project acceptance is based on the following acceptance plans. The customer agrees to accept the deliverables submitted by Alibaba Cloud based on these acceptance plans.

No.

Acceptance start time

Acceptance content

Acceptance completion

1

Completion of the design and technical validation of Landing Zone Basic IT Governance Solution

Landing Zone Basic IT Governance Solution

Acceptance confirmation by the customer

Acceptance plan for Landing Zone Standard edition

No.

Acceptance start time

Acceptance content

Acceptance completion

1

Completion of the design and technical validation of Landing Zone Standard IT Governance Solution

Landing Zone Standard IT Governance Solution

Acceptance confirmation by the customer

Acceptance plan for Landing Zone Advanced edition

No.

Acceptance start time

Acceptance content

Acceptance completion

1

Completion of the design, technical validation, and implementation of Landing Zone Advanced IT Governance Solution

Landing Zone Advanced IT Governance Solution

Acceptance confirmation by the customer

8.Project Completion

The project is completed after the customer confirms the acceptance.