Covered in this AWS at Scale Side Quest
- Introduction
- AWS Management Account
- AWS Organisations
- AWS Control Tower
- AWS Organisation Units
- AWS Member Accounts
- AWS Regions
- AWS VPCs
- AWS Availability Zones
- AWS VPC Subnets
- Final Thoughts
Reading time: 5 minutes đŤĄ
Introduction
To understand, design and operate AWS at Scale, youâll need a good grasp of AWS platform concepts. If youâre coming from the startup world or an SME, these concepts can be difficult to grasp.
I also want to give you an understand of the sequence of build when designing and deploying AWS platform configuration at scale.
So letâs get started with your very first AWS account!
AWS Management Account
Letâs start with the âouterâ container, the other shell so to speakâŚ
If youâre a beginner to AWS and youâve created your first account and started deploying resources into it, great, well done - youâre on your way đ
If you are building a product or platform that is growing and expanding and you are still deploying into your first and only AWS account, stop â.
Think about how you might want to manage your AWS platform at scale. Why? Because deploying AWS organisations into this account once it is full of AWS resources is a no-go, donât do it as it becomes your âmanagement accountâ.
Q. What should I do instead?
A. Create another AWS account and treat it as your management account. A management account should be so clean that even the thought of deploying even the tiniest of workloads into it will make you shiver with disgust.
Avoid deploying any centralised services into your management account, even AWS are enabling the deployment of their centralised services outside your management account (another example with Guard Duty).
Key takeaway⌠who do you want logging into your management account?
It is your crown jewel! Delegate admin features outside of it as much as possible, this is why in large enterprises youâll see AWS accounts for security, core networking, centralised logging, auditing, and breakglass (more on that later..)
Now thatâs clear, when you create a clean management account, you can enable AWS Organisations and invite your workload account (where youâve been deploying resources) when the time is right to do so.
AWS Organisations
Once you have a clean management account, you can enable AWS Organisations (within it) and eventually planning & building your organisational units (more on that later). Organisational units provide logical grouping of your AWS accounts into groups that better reflect the operational setup of your organisation.
Think of AWS Organisations as the first step to providing some compliance and structure to your AWS empire at scale. Here you can apply policies at the root level of the organisation as well as at organisational unit level.
Donât go to far down this rabbit hole though without considering AWS Control Tower (which weâll come into next).
Two important things to cover here if you are working at scale:
Nobody wants to convert an existing AWS account into a management account, but weâve covered that already.
If you build out an signifigant deployment of AWS Organisations then you may struggle to integrate AWS Control Tower at a later date due to overlap of configuration, rework and general risk management.
If youâre AWS Organisations is somewhat complex, AWS ProServe may recommend a migration to an new AWS Landing Zone, this is primarily down to risk mitigation as it is a bit of a one way door.
AWS Control Tower
Youâe got AWS Organisations in place (setup from within your management account). Now itâs time to consider using AWS Control Tower (sooner rather than later for reasons discussed above).
AWS Control Tower is another service that you enable within your clean management account (you canât delegate it out to another account so be mindful who needs to login and what timebound/permissions/polices they need).
You can think of AWS Control Tower like an orchestration and management tool for more opinionated granular governance and compliance over and above what AWS Organisations offers (under the hood, it is basically AWS Config).
AWS Organisations and AWS Control tower work together provide a well structured and governed platform to meet specific governance and compliance regulations. It has some good continuous compliance monitoring capabilities, automated remediation, pre-configured controls and automated remediation.
AWS Control Tower also includes Integrated Identity and Access Management (IAM/SSO) for your AWS Organisation and member accounts..There is also AWS Account Factory for vending out new accounts (although I am dead against admins logging into the management account to use it) and AWS SSO/Identity Centre configuration (which can be delegated out to a different account now).
Worth noting that AWS Control Tower does not mandate that all accounts be governed by it. AWS member accounts (more on them later) need to be invited into Control Tower or be part of an OU that is registered with AWS Control Tower. For example, your management account isnât governed by Control Tower, I canât think of a use case where you wouldnât invite all your member accounts in but hey ho, there is duality on offer here.
Youâll hear the term âlanding zoneâ a lot when working with AWS Control Tower, best to think of this in 2 ways:
A foundation landing zone:
AWS Organisations & AWS Control Tower provides a foundation Landing Zone, some people also call this a control plane, this is your core AWS Organisation, Control Tower, policies, roles, SSO, vending, and delegated core accounts (more on that later).
In some large organisations there are more than one of these:
A dev landing zone is a mirror of a production landing zone and is used to test high level global configurations that cannot be tested in isolation. This landing zone doesnât host any live AWS member accounts for workloads. This is hosted in itâs own management account.
A production landing zone that hosts all the member accounts (again in some very large AWS deployments youâll see more than one of these and they may be also known as consumer landing zones). Each production landing zone (aka consumer landing zones) are also hosted in their own management account.
Workload landing zones:
If you get account vending working correctly with good account baselines, controls, automated governance and compliance at scale, time bound SSO access, VPC vending and environment segregation (at account level) then you are basically building workload landing zones every time your vend.
Workload landing zones can be considered as an opinionated template for your workloads where everything plumbs together to ensure that the development team are building within the right controls, segregation and guard rails.
AWS Organisation Units
Iâve dropped these in after AWS Control Tower rather than with AWS Organisations. In the perfect world youâll want to be designing your AWS Organisation Units (your operational structure) along with AWS Organisations and AWS Control Tower, not before and not as an after thought.
Thereâs a lot to consider here, itâs not as easy as you may think.. for example:
- Where are you going to put mergers and acquisitions
- Where are migrated accounts going (if you have any from a previous organisation)
- What does your standard operating environment OU structure look like for net new account vends?
- How are you splitting up Prod and Non Prod accounts?
- Where are you putting shared accounts for workload utilities or lower tier workloads?
- Where are sandbox accounts going?
- What about stale accounts?
- What about accounts that are being divested?
- What about accounts that are being audited for suspicious activity
- Where are the core accounts going?
- Where are Control Tower vended accounts going?
- Where are shared services accounts going?
- Hence the need to plan them with AWS Organisations, AWS Control Tower and the future of your business in mind.
AWS Member Accounts
So far, in sequential order we have the following covered:
Your first AWS accounts (management account).
- AWS Organisations.
- AWS Control Tower.
- AWS Organisational Units (which are logical account groupings of AWS Organisations)
Now we have a great baseline for any AWS member account. Whatâs an AWS member account? AWS member accounts are any accounts that are not your management account.
Foundational Landing Zone core accounts
- Core Network
- Security
- Auditing
- Logging
- Identity
- Shared Services
Workload accounts (depending on tier)
- Prod
- Non Prod
- Dev
- Stage
- Standalone
Developer accounts
- Sandbox
Infrastructure accounts.
- Native Cloud intelligence dashboards
- SaaS Integrations
Migrated accounts
- Coming in from acquisitions
- Coming in from legacy AWS Organisations
Departing accounts
- Divestments
- Time bound sandbox
- Under audit
This should give you a good understanding of all the different types of account patterns you may need to cater for. The good thing is if youâve designed and planned for this during your AWS Organisations and AWS Control Tower designs youâll be in a good place to cater for them but you also need to very opinionated and decisive on what comes in through that front door!
Quick reminder that Iâll be covering all these accounts and other general stuff throughout my AWS at Scale series here (donât forget to subscribe!):
AWS Regions
Now we are getting into the overall workload architecture within an AWS member account.
Itâs worth noting that AWS Control Tower allows you to design and configure for supported regions in your foundational landing zone which then rolls into the support for your workload landing zones.
Itâs important to get a graps of the regions youâll be supporting during your initial AWS Organisations and AWS Control Tower design. You donât need to be supporting all of them, especially if you are deployment east-west traffic inspection and other expensive services to govern network and cross VPC communications and if you have governance and compliance regulations that prohibit the provisioning of certain services and resources in a region that will violate those regulations and get your ass fined.
Typically you can consolidate regions into something more manageable and then raise exceptions when needed through good change and risk management.
AWS VPCs
Designing and deploying VPCs at scale is really important. Youâll need a reference architecture with consistency and strict limits on what your workload teams can change if anything, youâll also need the ability to provision accounts with or without VPCs depending on the requirement.
VPC design is a signifigant component of AWS at Scale, in your reference design youâll want the following features:
- Consistent reference architecture based vending
- Centralised logging
- A good solution for IP availability for serverless and microservices (they are worse than Teams eating up RAM)
- Eliminate NACLs and use blackhole routing (NACLs are fecking awful at scale)
- Strong opinionated SCPs and Controls
- Prohibit VPC peering
- Well thought out subnet layers
- IPAM management of internal routable IPs (if needed)
- Integration with Transit Gateway and east west inspection (if you are deploying that)
- I good solution for how you connect services together without VPC peering (see the below post)
 AWS Availability Zones
Heavily depending on a tiering model and tightly coupled with your VPC vending.. I wouldnât deploy a reference architecture to anything less than 3 AWS Availability Zones.
Iâve been caught out by this in the past, sometimes AWS drops the AZâs down to new AWS accounts (although you get plenty of notice).
Understanding availability zones is an essential learning path towards AWS at Scale especially if you are tiering as part of your overall architecture engagment, understand how AWS provides uptime through compute and storage is solid place to start:
AWS VPC Subnets
And that brings us to our last platform concept, subnets (which we have pretty much covered in the VPC section above).
Obviously youâre subnets will cover all your availability zones and you need to design for this accordingly.
Final Thoughts
People complain that AWS is a steep learning curve.
It is and it isnât⌠depends on the scale of the operation, doing AWS at Scale is a steep learning curve, but itâs worth the effort. Cloud Platform roles are becoming more and more popular, in order to perform this role successfully a solid understanding of AWS at Scale within the enterprise is critical to success.
Thank you for reading this post, if you like it please subscribe below and share with your network. This is a side quest post but Iâll be getting back to my main AWS at Scale series soon.
Top comments (0)