AWS Landing Zone Accelerator - Part 4: Networking

Welcome back to my deep dive into the AWS Landing Zone Accelerator (LZA)!

We’ve made some good progress. In Part 1, we introduced the LZA and its benefits for building a well-managed AWS environment. Part 2 walked through setting up your AWS Organisation and creating new accounts. Then, in Part 3, we explored the LZA’s global settings, which allow for standardised configurations across your entire AWS organisation, ensuring consistency and simplified management.

Now, I’m going to shift our focus to a critical aspect of any AWS environment: networking. This part of the series will delve into the network configurations provided by the LZA, exploring how it helps you establish a secure, scalable, and well-structured network foundation for your AWS workloads.

AWS Landing Zone Accelerator - Part 3: Configuring Global Settings for Your Organization

Welcome back to my deep dive into the AWS Landing Zone Accelerator (LZA)!

We’ve made some good progress so far. In Part 1, we introduced the LZA and explained how it can help you build a well-managed AWS environment. In Part 2, we got hands-on and learned how to set up your AWS Organization and create new accounts.

Now, in Part 3, we’re going to take a broader perspective and explore the global settings that the LZA provides. These settings let you establish standardised configurations across your entire AWS organization, ensuring consistency and simplifying management.

AWS Landing Zone Accelerator - Part 2: Organizational Units and Account Configuration

In Part 1 of our AWS Landing Zone Accelerator (LZA) series, we introduced the LZA and its benefits. Now, we’ll explore configuring OUs and other essential organizational settings, along with the process of creating AWS accounts within your LZA environment.

Prerequisites

Before we begin, ensure you have the following:

• Access to the AWS Management account with the necessary permissions to modify the LZA setup.
• Permissions to update the LZA configuration, including editing files in the aws-accelerator-config repository.
• A brand-new email address for the new AWS account you’ll be creating.
• Git access to download and upload LZA configuration files.
• AWS Command Line Interface (CLI) installed and configured on your computer.
• The required permissions in Microsoft Entra ID to create and manage groups, and connect them to AWS IAM Identity Center for access control.

Important Note: I’m assuming you’ve already set up the LZA in your AWS environment by following the official guide: https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/step-1.-launch-the-stack.html. This means you’ve got the basic LZA structure in place.

AWS Landing Zone Accelerator - Part 1: Introduction & Overview

Migrating to the cloud can feel like a giant leap into the unknown. Where do you even begin? How can you ensure your cloud environment is secure, scalable, and compliant from the get-go? The AWS Landing Zone Accelerator (LZA) is your trusted launchpad for a smooth and successful cloud journey.

What is the LZA?

Think of the LZA as an open-source blueprint provided by AWS for building a well-architected, multi-account AWS environment. It comes complete with pre-configured security controls, network configurations, and account structures, forming a robust foundation for your cloud deployments.

How to Set Up AWS CDK for Python

In this guide, I’ll walk through setting up AWS CDK with Python, including all the required dependencies and steps, and demonstrate how to deploy a simple app that provisions an Amazon S3 bucket.

What is the AWS CDK?

The AWS Cloud Development Kit (CDK) is an open-source software development framework designed to facilitate the creation and management of cloud infrastructure using familiar programming languages. Here are several important features and concepts associated with AWS CDK.:

Configuring Amazon VPC IP Address Manager (IPAM)

In many enterprise environments a common challenge is to how to handle the allocation of IP CIDR blocks be that to Data Centers, Offices, Subnets so as to ensure that resources don’t end up with IP addresses that have already been assigned to resources on the Network. Duplicate IP Addresses on the Network can cause numerous issues and AWS have previously written the following blog that discusses several solutions to this challenge such as the use of NAT Gateways and AWS PrivateLink or a couple of more manual approaches to workaround the issue.

Customising AWS Control Tower with Account Factory Customisations

At AWS re:Invent this year Account Factory Customisations was released. This post will walk you through how to configure and use the new functionality as in my opinion the documentation isn’t particularly clear as to how things work and there were also issues with the implementation steps when I first implemented it.

Use Case

For my specific situation that I’m utilising this for I want to deploy a VPC that leverages the Amazon VPC IP Address Manager (IPAM) for obtaining an IP CIDR Range since I don’t want to have to manually enter one each time and run the risk of overlapping address space. As part of my pre-requisties I’ve already written some automation using CloudFormation to not only setup VPC IPAM for delegated administration in my Organization, but I’ve also set up VPC IPAM so that I have seperate IPAM Pools for different regions and also different environments within those regions. This post won’t go into the details of the automation or the details of the CloudFormation Template that I’ll deploy either but how the Solution ultimately works.