---
title: "CTP Topic 35 AWS Landing Zone Design Refresher (SaaS Labs)"
type: source
tags: []
date: 2026-04-14
---
## Source File
- [[raw/Cloud & DevOps/Public-Cloud-Learning-Sessions/01_AWS-Landing-Zone/ctp-topic-35-aws-landing-zone-design-refresher-saas-labs.md]]
## Summary
- Core topic: a refresher of AWS Landing Zone design, focusing on the architectural differences and recent changes between the SaaS (production) and Labs (development) Landing Zone environments
- Problem domain: account structure design, shared-services architecture, network segmentation strategy, and the division of responsibilities between SaaS and Labs in an enterprise multi-account AWS environment
- Method/mechanism: the Landing Zone is built as IaC from Gruntwork Terraform templates; the CCOEs CloudTrail replaces the Gruntworks CloudTrail to provide unified auditing; the Checkpoint in the Network account reroutes inbound traffic; network segmentation blocks direct connectivity to SaaS workloads
- Conclusion/value: clarifies the core positioning that SaaS = production and Labs = development; the PoC Landing Zone will be merged into Labs to maximise resource sharing; the Cloud Technology Design Forum drives standardisation of cloud delivery at Micro Focus
## Key Claims
- The Gruntwork-framework Landing Zone is built as IaC from Terraform templates
- The SaaS Landing Zone provides customer-dedicated product accounts for each product region, with security, logging and network interconnection delivered through shared-services accounts
- The Gruntwork account manages AMIs, logs and security policies across all accounts
- The network segmentation strategy will block direct connectivity to SaaS workloads
- The CCOEs CloudTrail replaces the Gruntworks CloudTrail to provide unified cloud auditing
- Inbound traffic is planned to be rerouted through the Checkpoint in the Network account
- Native AWS Backup is expected to become mandatory
- New accounts may drop the Management VPC
- SaaS is for production, Labs is for development; the PoC Landing Zone will be merged into Labs
## Key Quotes
> "Our AWS landing zones, they're built infrastructure as code as you'd expect on terraform templates using the Gruntwork framework." — How the Landing Zone is implemented as IaC
> "Basically, the only answer is that SaaS is production, Labs is development." — The essential difference between SaaS and Labs
## Key Concepts
- [[AWS-Landing-Zone]]: the foundational framework for a multi-account AWS architecture, achieving security, compliance and manageability through account isolation
- [[Gruntwork]]: an infrastructure library of production-grade Terraform modules; Micro Focus builds its Landing Zone on it
- [[Shared-Services-Account]]: the central account hosting shared services (Artifactory, Cyber Eupriva, ArcSight, monitoring, etc.)
- [[Core-Accounts]]: comprise the Active Directory, DNS and Network accounts, supporting IT services and Micro Focus infrastructure
- [[Product-Accounts]]: host each product line's IT products, projects, applications and related AWS resources, managed by the respective project teams
- [[Gruntwork-Accounts]]: the central accounts that manage AMIs, logs and security policies across all accounts
- [[CCOEs-CloudTrail]]: the unified CloudTrail managed by the CCOE team, replacing the former Gruntworks CloudTrail
- [[Network-Segmentation]]: blocks direct connectivity to SaaS workloads through Checkpoint firewalls and the network segmentation strategy
## Key Entities
- [[Cloud-Technology-Design-Forum]]: the Micro Focus cloud technology design forum, which works to standardise and centralise cloud delivery products (including Landing Zone design)
## Connections
- [[ctp-topic-1-gruntwork-landing-zone-architecture]] ← extends ← [[ctp-topic-35-aws-landing-zone-design-refresher-saas-labs]]
- [[ctp-topic-7-saas-landing-zone-design]] ← related_to ← [[ctp-topic-35-aws-landing-zone-design-refresher-saas-labs]]
- [[ctp-topic-25-labs-landing-zone-overview-itom-teams]] ← related_to ← [[ctp-topic-35-aws-landing-zone-design-refresher-saas-labs]]
- [[ctp-topic-10-aws-landing-zone-lz-data-collection-tagging]] ← related_to ← [[ctp-topic-35-aws-landing-zone-design-refresher-saas-labs]]
## Contradictions
- (No obvious conflicts with other wiki pages detected yet)