This document provides an overview on how to design landing zones in Google Cloud. A landing zone, also called a cloud foundation, is a modular and scalable configuration that enables organizations to adopt Google Cloud for their business needs. A landing zone is often a prerequisite to deploying enterprise workloads in a cloud environment.
A landing zone is not a zone or zonal resources.
This document is aimed at solutions architects, technical practitioners, and executive stakeholders who want an overview of the following:
- Typical elements of landing zones in Google Cloud
- Where to find detailed information on landing zone design
- How to deploy a landing zone for your enterprise, including options to deploy pre-built solutions
This document is part of a series that helps you understand how to design and build a landing zone. The other documents in this series help guide you through the high-level decisions that you need to make when you design your organization's landing zone. In this series, you learn about the following:
- Landing zone design in Google Cloud (this document)
- Decide how to onboard identities to Google Cloud
- Decide the resource hierarchy for your Google Cloud landing zone
- Decide the network design for your Google Cloud landing zone
- Decide the security for your Google Cloud landing zone
This series does not specifically address compliance requirements from regulated industries such as financial services or healthcare.
What is a Google Cloud landing zone?
Landing zones help your enterprise deploy, use, and scale Google Cloud services more securely. Landing zones are dynamic and grow as your enterprise adopts more cloud-based workloads over time.
To deploy a landing zone, you must first create an organization resource and create a billing account, either online or invoiced.
A landing zone spans multiple areas and includes different elements, such as identities, resource management, security, and networking. Many other elements can also be part of a landing zone, as described in Elements of a landing zone.
The following diagram shows a sample implementation of a landing zone. It shows an Infrastructure as a Service (IaaS) use case with hybrid cloud and on-premises connectivity in Google Cloud:
The example architecture in the preceding diagram shows a Google Cloud landing zone that includes the following Google Cloud services and features:
- Resource Manager defines a resource hierarchy with organizational policies.
- A Cloud Identity account synchronizes with an on-premises identity provider, and Identity and Access Management (IAM) provides granular access to Google Cloud resources.
- A network deployment that includes the following:
  - A Shared VPC network for each environment (production, development, and testing) connects resources from multiple projects to the VPC network.
  - Virtual Private Cloud (VPC) firewall rules control connectivity to and from workloads in the Shared VPC networks.
  - A Cloud NAT gateway allows outbound connections to the internet from resources in these networks without external IP addresses.
  - Cloud Interconnect connects on-premises applications and users. (You can choose between different Cloud Interconnect options, including Dedicated Interconnect or Partner Interconnect.)
  - Cloud VPN connects to other cloud service providers.
  - A Cloud DNS private zone hosts DNS records for your deployments in Google Cloud.
- Multiple service projects are configured to use the Shared VPC networks. These service projects host your application resources.
- Google Cloud Observability includes Cloud Monitoring for monitoring and Cloud Logging for logging. Cloud Audit Logs, Firewall Rules Logging, and VPC Flow Logs help ensure that all necessary data is logged and available for analysis.
- A VPC Service Controls perimeter includes the Shared VPC networks and the on-premises environment. A security perimeter isolates services and resources, which helps to mitigate the risk of data exfiltration from supported Google Cloud services.
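The network part of the sample architecture, written out as Terraform for a single environment (production), is shown here as an added example. It is not code from the Google Cloud documentation or from any Google blueprint. The organization ID, billing account, project IDs, region, CIDR ranges, and the on-premises address range are placeholders that you replace with your own values, and the service project is assumed to already exist.

```hcl
locals {
  org_id          = "ORG_ID_PLACEHOLDER"
  billing_account = "BILLING_ACCOUNT_PLACEHOLDER"
  region          = "europe-west1"
  onprem_cidr     = "10.0.0.0/8" # assumed on-premises address range
}

# Shared VPC host project: it owns the network that service projects attach to.
resource "google_project" "prod_host" {
  name            = "prod-shared-vpc-host"
  project_id      = "prod-host-PLACEHOLDER"
  org_id          = local.org_id
  billing_account = local.billing_account
}

resource "google_project_service" "host_apis" {
  for_each = toset(["compute.googleapis.com", "dns.googleapis.com"])
  project  = google_project.prod_host.project_id
  service  = each.key
}

resource "google_compute_shared_vpc_host_project" "prod" {
  project    = google_project.prod_host.project_id
  depends_on = [google_project_service.host_apis]
}

# Custom-mode VPC: subnets are declared explicitly, none are auto-created.
resource "google_compute_network" "prod" {
  project                 = google_project.prod_host.project_id
  name                    = "prod-shared-vpc"
  auto_create_subnetworks = false
  depends_on              = [google_project_service.host_apis]
}

# Subnet with Private Google Access and VPC Flow Logs enabled.
resource "google_compute_subnetwork" "prod_app" {
  project                  = google_project.prod_host.project_id
  name                     = "prod-app-${local.region}"
  region                   = local.region
  network                  = google_compute_network.prod.id
  ip_cidr_range            = "10.10.0.0/20" # placeholder range
  private_ip_google_access = true
  log_config {
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Firewall rule with Firewall Rules Logging: SSH only from the on-premises
# range and only to instances carrying the target tag; everything else stays
# blocked by the VPC's implied deny-ingress rule.
resource "google_compute_firewall" "allow_onprem_ssh" {
  project       = google_project.prod_host.project_id
  name          = "prod-allow-onprem-ssh"
  network       = google_compute_network.prod.name
  direction     = "INGRESS"
  source_ranges = [local.onprem_cidr]
  target_tags   = ["ssh-from-onprem"]
  allow {
    protocol = "tcp"
    ports    = ["22"]
  }
  log_config {
    metadata = "INCLUDE_ALL_METADATA"
  }
}

# Cloud NAT: outbound internet access for instances that have no external IP.
resource "google_compute_router" "prod" {
  project = google_project.prod_host.project_id
  name    = "prod-router"
  region  = local.region
  network = google_compute_network.prod.id
}

resource "google_compute_router_nat" "prod" {
  project                            = google_project.prod_host.project_id
  name                               = "prod-nat"
  router                             = google_compute_router.prod.name
  region                             = local.region
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
  log_config {
    enable = true
    filter = "ERRORS_ONLY"
  }
}

# Attach an (assumed existing) service project to the Shared VPC network.
resource "google_compute_shared_vpc_service_project" "prod_app" {
  host_project    = google_project.prod_host.project_id
  service_project = "prod-app-PLACEHOLDER"
  depends_on      = [google_compute_shared_vpc_host_project.prod]
}
```

The development and testing environments follow the same pattern with their own host project and address ranges. The Cloud DNS private zone (a `google_dns_managed_zone` with `visibility = "private"` scoped to the network), Cloud Interconnect, Cloud VPN, and the VPC Service Controls perimeter are left out to keep the example short. The three logging settings (VPC Flow Logs on the subnet, Firewall Rules Logging on the rule, and Cloud NAT logging) are what give Cloud Logging the data the architecture relies on for analysis; leaving any of them at the default means that traffic is silently unobserved.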
The diagram above is only an example, because there is no single or standard implementation of a landing zone. Your business must make many design choices, depending on different factors, including the following:
- Your industry
- Your organizational structure and processes
- Your security and compliance requirements
- The workloads that you want to move to Google Cloud
- Your existing IT infrastructure and other cloud environments
- The location of your business and customers
When to build a landing zone
We recommend that you build a landing zone before you deploy your first enterprise workload on Google Cloud, because a landing zone provides the following:
- A foundation that's designed to be secure
- The network for enterprise workloads
- The tools that you require to govern your internal cost distribution
However, because a landing zone is modular, your first iteration of a landing zone is often not your final version. Therefore, we recommend that you design a landing zone with scalability and growth in mind. For example, if your first workload does not require access to on-premises network resources, you could build connectivity to your on-premises environment later.
Depending on your organization and the type of workloads that you plan to run on Google Cloud, some workloads might have very different requirements. For example, some workloads might have unique scalability or compliance requirements. In these cases, you might require more than one landing zone for your organization: one landing zone to host most of the workloads and a separate landing zone to host the unique workloads. You can share some elements such as identities, billing, and the organization resource across your landing zones. However, other elements, such as the network setup, deployment mechanisms, and folder-level policies, might vary.
Elements of a landing zone
A landing zone requires you to design the following core elements on Google Cloud, each of which is covered by its own document in this series:
- Identities (see Decide how to onboard identities to Google Cloud)
- Resource hierarchy (see Decide the resource hierarchy for your Google Cloud landing zone)
- Network design (see Decide the network design for your Google Cloud landing zone)
- Security (see Decide the security for your Google Cloud landing zone)
In addition to these core elements, your business might have additional requirements. The following table describes these elements and where you can find more information about them.
Landing zone element | Description |
---|---|
Monitoring and logging | Design a monitoring and logging strategy that helps ensure that all relevant data is logged and that you have dashboards that visualize the data and alerts that notify you of any actionable exceptions. For more information, see the Google Cloud Observability documentation. |
Backup and disaster recovery | Design a strategy for backups and disaster recovery. For more information, see the following: |
Compliance | Follow the compliance frameworks that are relevant to your organization. For more information, see the Compliance resource center. |
Cost efficiency and control | Design capabilities to monitor and optimize cost for workloads in your landing zone. For more information, see the following: |
API management | Design a scalable solution for APIs that you develop. For more information, see Apigee API Management. |
Cluster management | Design Google Kubernetes Engine (GKE) clusters that follow best practices to build scalable, resilient, and observable services. For more information, see the following: |
Best practices for designing and deploying a landing zone
Designing and deploying a landing zone requires planning. You must have the right team to perform the tasks, and use a project management process. We also recommend that you follow the technical best practices that are described in this series.
Build a team
Bring together a team that includes people from multiple technical functions across the organization. The team must include people who can build all landing zone elements, including security, identity, networks, and operations. Identify a cloud practitioner who understands Google Cloud to lead the team. Your team should include members who manage the project and track achievements, and members who collaborate with application or business owners.
Make sure that all stakeholders are involved early in the process. Your stakeholders must come to a common understanding of the scope of the process and make high-level decisions when the project gets kicked off.
Apply project management to your landing zone deployment
Designing and deploying your landing zone can take multiple weeks, so project management is essential. Ensure that project goals are clearly defined and communicated to all stakeholders and that all parties receive updates on any project changes. Define regular checkpoints and agree on milestones with realistic timelines that take operational processes and unexpected delays into account.
To best align with business requirements, plan the initial landing zone deployment around the use cases that you want to deploy first in Google Cloud. We recommend that you first deploy workloads that can most easily run on Google Cloud, such as horizontally scaling multi-tier web applications. These workloads might be new or existing workloads. To assess existing workloads for migration readiness, see Migration to Google Cloud: Getting started.
Because landing zones are modular, center the initial design around the elements that are required to migrate your first workloads and plan to add other elements later.
Follow technical best practices
Consider using Infrastructure as Code (IaC), with, for example, Terraform. IaC helps you make your deployment repeatable and modular. Having a CI/CD pipeline that deploys cloud infrastructure changes using GitOps helps you ensure that you follow internal guidelines and put the right controls in place.
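As an added illustration of that setup (not the documentation's own code), the following root Terraform configuration is the kind of file a GitOps pipeline would plan and apply. It pins the provider version, keeps state in a remote bucket so that every pipeline run starts from the same state, and creates one Shared VPC per environment from a single module. The bucket name, the address ranges, and the local module path `./modules/shared-vpc` are assumptions.

```hcl
terraform {
  required_version = ">= 1.5"

  # Remote state: the pipeline, not a laptop, is the single writer. The bucket
  # name is a placeholder; enable object versioning on it so that state can be
  # rolled back after a bad apply.
  backend "gcs" {
    bucket = "tf-state-PLACEHOLDER"
    prefix = "landing-zone/network"
  }

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0" # pinned major version so plans are reproducible
    }
  }
}

# One Shared VPC per environment, as in the sample architecture. Because all
# three come from the same module, the environments cannot drift apart in
# structure; only the inputs differ. Ranges are placeholders.
locals {
  environments = {
    production  = { cidr = "10.10.0.0/16" }
    development = { cidr = "10.20.0.0/16" }
    testing     = { cidr = "10.30.0.0/16" }
  }
}

module "shared_vpc" {
  for_each = local.environments
  source   = "./modules/shared-vpc" # assumed local module wrapping the network resources

  environment   = each.key
  ip_cidr_range = each.value.cidr
  region        = "europe-west1"
}
```

In a GitOps flow, the pipeline runs `terraform fmt -check`, `terraform validate`, and `terraform plan` on every pull request and posts the plan for review, and runs `terraform apply` only after the change is merged to the main branch. That review step is where the internal guidelines the text mentions are enforced: a plan that opens a firewall rule or grants a role is visible to reviewers before it touches the organization.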
When you design your landing zone, ensure that you and your team take technical best practices into consideration. For more information on decisions to make in your landing zone, see the other guides in this series.
In addition to this series, the following table describes frameworks, guides, and blueprints that can also help you follow best practices, depending on your use cases.
Related documentation | Description |
---|---|
Google Cloud setup checklist | A high-level checklist to help you set up Google Cloud for scalable, production-ready, enterprise workloads. |
Security foundations blueprint | An opinionated view of Google Cloud security best practices, aimed at CISO, security practitioners, risk managers, or compliance officers. |
Google Cloud architecture framework | Recommendations and best practices to help architects, developers, administrators, and other cloud practitioners design and operate a cloud topology that's secure, efficient, resilient, high-performing, and cost-effective. |
Terraform blueprints | A list of blueprints and modules that are packaged as Terraform modules and that you can use to create resources for Google Cloud. |
Identify resources to help implement your landing zone
Google Cloud offers the following options to help you set up your landing zone:
- Design and deploy a landing zone that is customized to your requirements with Google Cloud partners or Google Cloud professional services.
- Onboard a workload with the Google Cloud Customer Onboarding program.
- Deploy a generic landing zone with the setup guide in the Google Cloud console.
- Deploy a highly opinionated landing zone that is aligned to the security foundations blueprint by using the Terraform example foundation.
All these offerings have approaches that are designed specifically to meet the needs of different industries and business sizes across the globe. To choose the best option for your use case, we recommend that you work with your Google Cloud account team, who can help you make the selection and help ensure a successful project.
What's next
- Decide how to onboard identities to Google Cloud (next document in this series).
- Decide the resource hierarchy for your Google Cloud landing zone.
- Decide the network design for your Google Cloud landing zone.
- Decide the security for your Google Cloud landing zone.