Google Cloud Platform Landing Zone
- Anand Nerurkar
- Sep 22, 2023
- 2 min read
A landing zone, also called a cloud foundation, is a modular and scalable configuration that enables organizations to adopt Google Cloud for their business needs. A landing zone is often a prerequisite to deploying enterprise workloads in a cloud environment.
Landing zones help your enterprise deploy, use, and scale Google Cloud services more securely. Landing zones are dynamic and grow as your enterprise adopts more cloud-based workloads over time.
To deploy a landing zone, you must first:
- Create an Organization resource
- Create a billing account (online or invoiced)
A landing zone spans multiple areas and includes different elements, such as identities, resource management, security, and networking. Many other elements can also be part of a landing zone, as described in Elements of a landing zone.
The following diagram shows a sample implementation of a landing zone. It shows an Infrastructure as a Service (IaaS) use case with hybrid cloud and on-premises connectivity in Google Cloud:

- Resource Manager defines a resource hierarchy with organizational structure and policy.
- A Cloud Identity account synchronizes with an on-premises identity provider, with IAM providing granular access to Google Cloud resources.
- A network deployment that includes the following:
  - A Shared VPC network for each environment (production, development, and testing) connects resources from multiple projects to the VPC network.
  - Virtual Private Cloud (VPC) firewall rules control connectivity to and from workloads in the Shared VPC networks.
  - A Cloud NAT gateway allows outbound connections to the internet from resources in these networks without external IP addresses.
  - Cloud Interconnect connects on-premises applications and users. (You can choose between different Cloud Interconnect options, including Dedicated Interconnect or Partner Interconnect.)
  - Cloud VPN connects to other cloud service providers.
  - A Cloud DNS private zone hosts DNS records for your deployments in Google Cloud.
- Multiple service projects are configured to use the Shared VPC networks. These service projects host your application resources.
- Google Cloud's operations suite includes Cloud Monitoring for monitoring and Cloud Logging for logging; Cloud Audit Logs, firewall rules logging, and VPC Flow Logs help ensure all necessary data is logged and available for analysis.
- A VPC Service Controls perimeter includes the Shared VPC and the on-premises environment. A security perimeter isolates services and resources, which helps to mitigate the risk of data exfiltration from supported Google Cloud services.
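As an added example, not taken from the original post, the following Terraform fragment (Google provider) expresses the production Shared VPC piece of the network above, with VPC Flow Logs on the subnet and logging on a default-deny ingress firewall rule so the logging element described in the same diagram has data to work with. The project IDs, region and CIDR range are placeholders chosen for illustration; Cloud NAT, Interconnect, VPN and Cloud DNS are left out to keep the fragment short.

```hcl
# Placeholder project IDs (assumed; replace with your own).
variable "host_project"    { default = "PLACEHOLDER-prod-host-project" }
variable "service_project" { default = "PLACEHOLDER-prod-app-project" }

# The host project owns the Shared VPC; the application (service) project attaches to it.
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project
}

resource "google_compute_shared_vpc_service_project" "app" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.service_project
}

resource "google_compute_network" "prod" {
  project                 = var.host_project
  name                    = "prod-shared-vpc"
  auto_create_subnetworks = false # explicit subnets only; no auto-mode defaults
}

resource "google_compute_subnetwork" "prod_us_central1" {
  project                  = var.host_project
  name                     = "prod-us-central1"
  region                   = "us-central1"   # assumed region
  network                  = google_compute_network.prod.id
  ip_cidr_range            = "10.10.0.0/20"  # assumed range
  private_ip_google_access = true            # reach Google APIs without external IPs
  log_config {                               # VPC Flow Logs into Cloud Logging
    aggregation_interval = "INTERVAL_5_SEC"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}

# Lowest-priority deny-all ingress; logged so blocked traffic is visible to
# detection and forensics. Allow rules for workloads sit at higher priority.
resource "google_compute_firewall" "deny_all_ingress" {
  project       = var.host_project
  name          = "prod-deny-all-ingress"
  network       = google_compute_network.prod.name
  direction     = "INGRESS"
  priority      = 65534
  source_ranges = ["0.0.0.0/0"]
  deny { protocol = "all" }
  log_config { metadata = "INCLUDE_ALL_METADATA" }
}
```

Development and testing environments would each get their own host project and network of the same shape, and service projects attach only to the environment they belong to.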
Elements of a landing zone
A landing zone requires you to design the following core elements on Google Cloud:
- Identity provisioning
- Resource hierarchy
- Network
- Security controls
In addition to these core elements, your business might have additional requirements. The following table describes these elements and where you can find more information about them.

