We are building a Landing Zone in AWS. More precisely, our own Antonio Vivas and Kevin Vuong from AWS have been creating a Landing Zone (LZ), with assistance from Andrew Romond and Kevin Min.
The term ‘Landing Zone’ is unfortunate. Landing zones remind me of Apocalypse Now and the Battle of Arnhem—temporary locations where helicopters drop down amid gunfire and smoke, or gliders crash into pastures. What AWS calls a Landing Zone is better thought of as an airport—a clearly-defined and solidly constructed place for landing our systems, a place built with all the latest safety features.
The LZ has two parts. One part handles the people who need access to systems. AWS has developed an “Account Vending Machine” to create AWS user accounts. The Vending Machine is an automated process for generating new user accounts. The accounts are protected by “guardrails”—an AWS term—to protect the users from injury.* All user accounts that are created with the Vending Machine have auditing and logging implemented by default. If the account has a compliant VPC (Virtual Private Cloud, or virtual network), the Vending Machine assures that the VPC will be able to connect to other resources in AWS and back to campus. The Vending Machine also automatically adds the account to Wharton’s central billing for AWS. Accounts automatically receive the non-profit sales tax exemption and users do not need to provide credit card information. Lastly, owners of these vended accounts can see their billing in our application Cloudhealth, and the bills will automatically be presented to Finance and Administration for payment.
The second part of the Landing Zone is the infrastructure that supports our operations. The Landing Zone has four special-purpose accounts: Billing, Shared Services, Security, and Logging. Those four core accounts in turn support all the user accounts. All those accounts will create the resources that replace our existing data center.
What does that mean? It means that this room—
is going to be replaced entirely by code like this—
provider "aws" {
region = "us-east-1"
}
...
resource "aws_instance" "web" {
ami = "${data.aws_ami.ubuntu.id}"
instance_type = "t2.micro"
}
We will have a data center, but it will exist as strings of text. As Dan Alig noted, we are spending a lot of money on something we cannot even point at. Where is the physical manifestation of our Landing Zone? Somewhere that Amazon Web Services tries to keep secret.
Since the entire LZ is generated from code, no one in Wharton Computing will have to worry about UPS batteries, power failures, or floods. The space eaten up by the data center can be converted to classrooms or offices.
For those of you that don’t manage the data center, the payoff from the LZ is faster account creation for users, better support when you want to use AWS resources, and centralized billing.
AWS has released a beta version of Control Tower, their next-generation, secure, well-architected multi-account AWS environment. We could not wait another six months for Control Tower, but we will be able to upgrade when it goes into general release.
Like our existing data center, most people can live in blissful ignorance of the details of Landing Zone. Like a real airport, the less you notice, the better it will be functioning.
(My apologies to Joni Mitchell fans, but this is the version I knew and loved as a teen.)
* At this point the metaphors are thoroughly mixed. Landing Zones, Guardrails, and Vending Machines.