| title | type | source-type | category | tags | date-added | video-source | audio-source | status |
|---|---|---|---|---|---|---|---|---|
| CTP Topic 7 SaaS Landing Zone design | cloud-learning | video | DevOps & SRE/01_AWS-Landing-Zone | | 2026-04-14 | nas:///volume2/work/Public Cloud Learning Sessions/CTP _ Topic 7_ SaaS Landing Zone design.mp4 | | summarized (Gemini summary) |
CTP Topic 7 SaaS Landing Zone design
Source: NAS /volume2/work/Public Cloud Learning Sessions/CTP _ Topic 7_ SaaS Landing Zone design.mp4
Type: VIDEO | Category: 01_AWS-Landing-Zone
Status: 🟡 Awaiting Whisper transcription → Summary
Summary
SaaS Landing Zone Design
The session covers the high-level design for the new production SaaS Landing Zone. Unlike the dev labs, which use one landing zone per product group (PG), production uses a single landing zone shared by all product groups to reduce overhead and cost. The design is built from AWS accounts deployed with Terraform modules and Terragrunt.
Key components include core accounts (shared, logs, security), baseline accounts (network, DNS, Active Directory), shared services accounts (software factory, cyber, ARC site, monitoring), and product accounts.
Core Accounts
These accounts are based on the Gruntwork Reference Architecture and include:
- Shared Account: Hosts hardened AMIs and the master Jenkins server that manages deployments. The master Jenkins invokes a Lambda function in each target account, which in turn starts a Jenkins slave there, so the master is never exposed directly to jobs or credentials.
- Logs Account: A centralized destination for logs from every account (CloudTrail, AWS Config, VPC Flow Logs). Access is primarily for the security team; each product gets read access only to its own logs.
- Security Account: Hosts the IAM roles that every account inherits. Account owners can attach additional policies to further restrict how those roles may be used.
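As an added example (not code from the session), this is one way a product account can express the Security Account pattern in Terraform: an inherited role trusted by the security account, plus an owner-controlled permissions boundary that can only narrow what the role may do. The account ID, the role name and the bucket name are placeholders.

```hcl
# Added example, not from the session. Deployed in a product account.
variable "security_account_id" {
  type    = string
  default = "111111111111" # placeholder: the central security account
}

# Owner-controlled boundary. A boundary can only restrict the role's
# effective permissions; it never grants anything on its own.
resource "aws_iam_policy" "security_role_boundary" {
  name = "security-role-boundary"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      { Effect = "Allow", Action = "*", Resource = "*" },
      # Example restriction added by the account owner: the inherited
      # audit role must never modify the product's data bucket (placeholder).
      {
        Effect   = "Deny"
        Action   = ["s3:PutObject", "s3:DeleteObject"]
        Resource = "arn:aws:s3:::product-data-bucket/*"
      }
    ]
  })
}

# Trust policy: only principals from the security account may assume the role.
data "aws_iam_policy_document" "security_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.security_account_id}:root"]
    }
  }
}

resource "aws_iam_role" "security_audit" {
  name                 = "landing-zone-security-audit" # placeholder name
  assume_role_policy   = data.aws_iam_policy_document.security_trust.json
  permissions_boundary = aws_iam_policy.security_role_boundary.arn
}

# Baseline permissions inherited from the landing zone: the AWS-managed
# read-only SecurityAudit policy. The boundary above still applies on top.
resource "aws_iam_role_policy_attachment" "security_audit_readonly" {
  role       = aws_iam_role.security_audit.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}
```

The effective permissions are the intersection of the attached policy and the boundary, so an explicit Deny in the boundary wins even if a later attachment grants the action.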
Baseline Accounts
These accounts are essential for product functionality and include:
- Network Account: Contains a regional transit gateway that connects all accounts, with a Check Point appliance that inspects traffic using a tagging approach. Resources must carry specific tags before they are allowed to reach destinations such as the internet or on-prem networks.
- DNS Account: Hosts Route 53, with each product having its own hosted zone for managing DNS records.
- Active Directory Account: Includes two AD nodes for domain joining and controlling resource access.
Shared Services Accounts
These accounts provide internal production services to product accounts:
- Software Factory accounts (45 hubs, Octane Hub, Artifactory).
- Cyber account (Qualys).
- ARC site account.
- Monitoring account (OBM, potentially SiteScope).
Product Accounts
Each product account has a public subnet that exposes the product to the internet through a load balancer and an internet gateway, while the workload itself runs in private subnets. A web application firewall (WAF) inspects incoming traffic, and CloudFront is available as a CDN.
Automation and Deployment
Terraform is used for automation, and each account has its own GitHub repository. A change to the Terraform code triggers Jenkins through a GitHub webhook, which starts a deployment that runs through the management VPC, a Lambda function, and an ECS cluster. Before any change is applied it goes through a review process covering both the code and the plan output, and it is tested in a staging environment before being deployed to production.
Remote Access
Remote access is moving from Check Point VPN to Pulse VPN; operators must use a VPN client and authenticate against the AD. Future plans involve SD1 replacing some network components.
Key concepts
Action items
Related videos
Paired video note link (fill in after generation)
Last updated: 2026-04-14