---
title: "Reference Architecture"
type: concept
sources: [ctp-topic-1-gruntwork-landing-zone-architecture, ctp-topic-35-aws-landing-zone-design-refresher-saas-labs]
last_updated: 2026-04-14
---

## Definition

A Reference Architecture is a battle-tested collection of best practices that serves as the starting point and blueprint for an enterprise cloud platform deployment. It defines a standardized account structure, network topology, security boundaries and service composition, helping an organization quickly stand up cloud infrastructure that meets its security and compliance requirements.

## Key Components

### Account Structure

- **Core Accounts**:
  - `Shared`: shared-services account providing common services such as CI/CD tooling, NTP and DNS
  - `Logs`: logging account that centrally collects and stores the audit logs of every account
  - `Security`: security account hosting IAM roles and federated identity configuration
- **Workload Accounts**:
  - `Prod`: production environment account
  - `Stage`: staging (pre-release) environment account
  - `Dev`: development environment account

### Network Topology

- Centralized network design with VPCs per account
- Transit Gateway for cross-account connectivity
- Shared services accessible via VPC peering or Transit Gateway
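
The following Terraform sketch is an added example, not code from the page or from Gruntwork's own modules. It models the core/workload account split with AWS Organizations and places the Transit Gateway hub in the `Shared` account, sharing it to the whole organization through AWS RAM so each workload account can attach its own VPC. The OU names (`Core`, `Workloads`), account e-mail addresses, the placeholder account id and role name, and the choice of the `Shared` account as the hub owner are all assumptions.

```hcl
# Added example: not from the page or Gruntwork. Models the core/workload
# account split and the Transit Gateway hub with AWS Organizations, RAM and
# EC2 resources. OU names, account e-mails, the placeholder account id/role
# and the placement of the hub in the Shared account are assumptions.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# Management-account credentials (assumed) for the Organizations resources.
provider "aws" {
  region = "us-east-1"
}

# Shared-services account credentials (assumed) for the Transit Gateway hub.
provider "aws" {
  alias  = "shared"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/OrgAdmin" # placeholder id/role
  }
}

resource "aws_organizations_organization" "org" {
  feature_set = "ALL"
  # Lets RAM share resources with the whole organization.
  aws_service_access_principals = ["ram.amazonaws.com"]
}

locals {
  core_accounts     = ["shared", "logs", "security"]
  workload_accounts = ["prod", "stage", "dev"]
}

resource "aws_organizations_organizational_unit" "core" {
  name      = "Core"
  parent_id = aws_organizations_organization.org.roots[0].id
}

resource "aws_organizations_organizational_unit" "workloads" {
  name      = "Workloads"
  parent_id = aws_organizations_organization.org.roots[0].id
}

resource "aws_organizations_account" "core" {
  for_each  = toset(local.core_accounts)
  name      = each.key
  email     = "aws-${each.key}@example.com" # placeholder mailbox
  parent_id = aws_organizations_organizational_unit.core.id
}

resource "aws_organizations_account" "workload" {
  for_each  = toset(local.workload_accounts)
  name      = each.key
  email     = "aws-${each.key}@example.com" # placeholder mailbox
  parent_id = aws_organizations_organizational_unit.workloads.id
}

# Transit Gateway hub in the Shared account. Default association and
# propagation are disabled so every attachment's routing is explicit, and
# shared attachments must be accepted by the hub owner.
resource "aws_ec2_transit_gateway" "hub" {
  provider                        = aws.shared
  description                     = "cross-account hub"
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
  auto_accept_shared_attachments  = "disable"
}

# Share the hub with the organization via RAM; external principals are
# refused so only member accounts can attach.
resource "aws_ram_resource_share" "tgw" {
  provider                  = aws.shared
  name                      = "transit-gateway-hub"
  allow_external_principals = false
}

resource "aws_ram_resource_association" "tgw" {
  provider           = aws.shared
  resource_arn       = aws_ec2_transit_gateway.hub.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ram_principal_association" "org" {
  provider           = aws.shared
  principal          = aws_organizations_organization.org.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}
```

Disabling the default route-table association and propagation means a `Dev` VPC attached to the hub cannot reach `Prod` unless a route is deliberately added for it; together with `auto_accept_shared_attachments = "disable"` and `allow_external_principals = false`, the hub owner keeps an explicit record of which accounts are connected and how.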

## Relationship with Landing Zone

- **Reference Architecture**: the standardized starting point and blueprint that defines common patterns
- **Landing Zone**: a concrete deployment unit based on the Reference Architecture, customized by each product team on top of the Gruntwork repositories

## Related Concepts

- [[Landing-Zone-Architecture]]: a concrete deployment instance of the Reference Architecture
- [[Federated-Access]]: the identity management mechanism of the Security account
- [[Terraform-Modules]]: the IaC module library that implements the Reference Architecture

## References

- [[ctp-topic-1-gruntwork-landing-zone-architecture]]
- [[ctp-topic-35-aws-landing-zone-design-refresher-saas-labs]]