Well-Architected Framework:Infrastructure security best practices

Last Updated:Jul 16, 2025

Networks, identities, and workloads are the first cloud resources that customers interact with when they start using the cloud. Although the cloud provides flexibility, organizations still need to treat security as a key consideration and avoid sacrificing it for convenience. We recommend that you fully plan, and seek advice on, network design and account system design, and perform effective detection and evaluation during the preparation phase of cloud migration. Alibaba Cloud provides best practice consulting for enterprise cloud migration. Enterprises that migrate their businesses to Alibaba Cloud expect business compliance and security to be guaranteed on the cloud while their business can still be organized and expanded flexibly. Extensive customer practice has shown that reasonable planning before migration avoids repeated reconstruction of management methods and accelerates large-scale migration to the cloud. Therefore, we recommend that customers build a strong foundation for cloud migration, also called a Landing Zone.

Best practices for network architecture design

Based on a large number of network architecture designs, combined with the business characteristics and network requirements of different industries, Alibaba Cloud provides best practices for network architecture design. These include enterprise-level cloud network partitioning and domain separation design, active-active disaster recovery network design, DMZ-VPC region design, east-west and VPC-to-VPC traffic isolation and control design, and hybrid cloud networking design. For details, see the relevant content in network security protection.

Best practices for identity management design

Based on the Landing Zone solution, Alibaba Cloud helps organizations design resource management and planning, account hierarchy, and account isolation solutions.

Resource planning

For large enterprises with strict business isolation requirements, different businesses must be deployed in different cloud accounts to meet security requirements or industry regulatory requirements. Based on Alibaba Cloud best practices, we recommend that enterprises use a multi-account architecture to manage cloud resources. A multi-account architecture gives enterprises strong isolation that reduces the blast radius of an incident, and also enables structured management, which makes it easier for businesses to scale.

Account structure design

The suggested accounts are as follows:

  • Enterprise management account: Used for multi-account management. This account enables Resource Directory and builds the account hierarchy, so that unified audit and management rules can be applied to all member accounts. It is generally also the financial master account: after a financial association is established with the other accounts, it is used for unified financial management of the organization.

  • Security account: Used by the security team of the organization to configure security services, such as Web Application Firewall (WAF) and Cloud Firewall.

  • Log account: Aggregates logs from all member accounts for centralized archive and management.

  • Operations and maintenance (O&M) account: Deploys O&M-related tools, such as bastion hosts, unified monitoring platforms, enterprise cloud management platforms (CMP), and cloud-based asset management platforms (such as CMDB).

  • Shared services account: Used to deploy enterprise shared services, such as networking.

  • Business accounts: Used to deploy workloads, such as production accounts and development/test accounts.

Organizational structure and business isolation

Recommendations

  • Enable Resource Directory in the enterprise management account to build an account hierarchy, and invite other accounts as member accounts for unified management of multiple accounts.

  • Place core functionality accounts under the Core resource folder and business accounts under the Applications resource folder.

  • Organize resource folders by business organization unit to reflect the enterprise's organizational structure and management methods. Common organization units include branch offices, departments, and products.

  • Each business workload can be divided into test accounts and production accounts to isolate production and test environments.

  • Different resource groups can be used within an account to isolate application resources.

  • Centralize big data workloads within a big data account.

  • The External folder holds accounts for independent software vendors (ISVs). Whether it is needed depends on actual business needs. Control policies and other guardrails can be applied to the folder to restrict operations in those accounts.
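As an added illustration (not code from the Alibaba Cloud page), the account structure and the organizational recommendations above can be expressed as a single Terraform configuration applied from the enterprise management account. It assumes the alicloud provider's Resource Manager resources (alicloud_resource_manager_folder, alicloud_resource_manager_account, alicloud_resource_manager_control_policy and its attachment); the folder, account and policy names are constructed placeholders, and the ISV guardrail is one constructed example of a control policy.

```hcl
# Added example, not the page's own code. Resource and argument names are
# assumed from the alicloud Terraform provider; all names are placeholders.

resource "alicloud_resource_manager_folder" "core" {
  folder_name = "Core"
}

resource "alicloud_resource_manager_folder" "applications" {
  folder_name = "Applications"
}

resource "alicloud_resource_manager_folder" "external" {
  folder_name = "External"
}

# Core functionality accounts (security, log, O&M, shared services) go under Core.
resource "alicloud_resource_manager_account" "security" {
  display_name = "security"
  folder_id    = alicloud_resource_manager_folder.core.id
}

# One workload is split into a production account and a test account.
resource "alicloud_resource_manager_account" "app_prod" {
  display_name = "app-prod"
  folder_id    = alicloud_resource_manager_folder.applications.id
}

resource "alicloud_resource_manager_account" "app_test" {
  display_name = "app-test"
  folder_id    = alicloud_resource_manager_folder.applications.id
}

# Constructed guardrail for ISV accounts: member accounts must not be able to
# modify the role through which the management account administers them.
resource "alicloud_resource_manager_control_policy" "external_guardrail" {
  control_policy_name = "deny-rd-role-changes"
  effect_scope        = "RAM"
  policy_document = jsonencode({
    Version = "1"
    Statement = [{
      Effect   = "Deny"
      Action   = ["ram:UpdateRole", "ram:DeleteRole", "ram:DetachPolicyFromRole"]
      Resource = "acs:ram:*:*:role/ResourceDirectoryAccountAccessRole"
    }]
  })
}

# Attaching the policy to the folder applies it to every account placed there.
resource "alicloud_resource_manager_control_policy_attachment" "external" {
  policy_id = alicloud_resource_manager_control_policy.external_guardrail.id
  target_id = alicloud_resource_manager_folder.external.id
}
```

Control policies only take effect once the control policy feature is enabled on the Resource Directory, so check that in the management account before relying on the attachment.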

Best practices for workload architecture design

The architecture design for workloads should be considered from three aspects: workload protection, workload network design, and workload access control. For detailed design best practices, refer to the section on workload protection.