ishenwei/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc0dde291fa7c19f90564e88e6a04ed4c26b5ba6
nexus/wiki/sources/ctp-topic-7-saas-landing-zone-design.md
weishen 861ba9d1f6 Auto-sync: 2026-04-19 00:02
2026-04-19 00:02:42 +08:00

58 lines
3.3 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
---
title: "CTP Topic 7 SaaS Landing Zone Design"
type: source
tags:
- AWS
- Landing-Zone
- SaaS
- CTP
- Cloud-Learning
date: 2026-04-14
---
## Source File
- [[raw/Cloud & DevOps/Public-Cloud-Learning-Sessions/01_AWS-Landing-Zone/ctp-topic-7-saas-landing-zone-design.md]]
## Summary
- 核心主题:生产环境 SaaS Landing Zone 的高级设计
- 问题域:多账号架构、基础设施自动化、安全隔离
- 方法/机制:单一 Landing Zone 策略、Terraform 模块化部署、TerraGrant 权限管理
- 结论/价值:统一 Landing Zone 降低开销和复杂度与开发实验室的每产品组PG Landing Zone 模式区分
## Key Claims
- SaaS 生产环境采用单一 Landing Zone 策略,服务所有产品组,降低基础设施开销和运维复杂度
- Shared Account 托管硬化的 SRE-provided AMIs 和主 Jenkins 服务器,通过 Lambda 函数触发各账号的 Jenkins slaves 执行部署任务
- Logs Account 集中收集所有账号的 CloudTrail、Config、Flowlogs安全团队拥有完全访问权限产品团队仅可访问自身日志
- Security Account 承载跨账号继承的 IAM Role各账号所有者可附加额外策略限制 Role 使用范围
## Key Quotes
> "The SAS landing zone will use a single landing zone for all the product groups." — 单一 Landing Zone 策略的核心声明
>
> "The workload itself is going to be under private subnet." — 产品账号工作负载部署模式
## Key Concepts
- [[Multi-Account Strategy]]AWS 推荐的企业级云架构模式,通过将工作负载分离到多个 AWS 账号提升安全性和治理能力
- [[Gruntwork Landing Zone]]:基于 Grant 工作参考架构的预配置 AWS 基础架构框架
- [[Terraform]]:基础设施即代码工具,用于自动化部署和管理 AWS 资源
- [[SRE-provided AMIs]]SRE 团队预构建的机器镜像,内置自动域加入脚本
- [[Domain Join]]:通过 SRE-provided AMIs 实现自动化将实例加入 AD 域的技术
## Key Entities
- [[AWS]]:全球最大公有云平台,提供计算、存储、网络等基础架构服务
- [[Gruntwork]]Gruntwork Landing Zones 框架提供商
- [[Jenkins]]:开源自动化服务器,用于持续集成和持续部署
- [[Route 53]]AWS DNS 服务,用于管理域名解析
- [[Active Directory]]Microsoft 目录服务,用于身份验证和资源访问控制
- [[CloudFront]]AWS 内容分发网络CDN用于加速静态内容分发
- [[WAF]]Web Application FirewallWeb 应用防火墙,用于保护 Web 应用免受攻击
- [[Check Point]]:网络安全公司,提供防火墙和 VPN 解决方案
- [[Pulse Secure]]VPN 解决方案供应商,提供安全的远程访问
## Connections
- [[ctp-topic-35-aws-landing-zone-design-refresher-saas-labs]] ← similar_architecture ← [[ctp-topic-7-saas-landing-zone-design]]
- [[ctp-topic-1-gruntwork-landing-zone-architecture]] ← builds_on ← [[ctp-topic-7-saas-landing-zone-design]]
- [[ctp-topic-10-aws-landing-zone-lz-data-collection-tagging-related-security]] ← relates_to ← [[ctp-topic-7-saas-landing-zone-design]]
- [[ctp-topic-17-active-directory-services-in-gruntwork-aws-lzs]] ← depends_on ← [[ctp-topic-7-saas-landing-zone-design]]
## Contradictions
- 与 Labs 环境的区别:生产环境采用单一 Landing ZoneLabs 环境采用每个产品组独立的 Landing Zone
Reference in New Issue View Git Blame Copy Permalink