In October 2018 the Department of Transportation (DOT) engaged Enquizit to implement a solution that would not only migrate on-premises infrastructure to AWS but also bring a few existing AWS accounts under the new solution. The business goal of the project was a centrally managed multi-account AWS environment that follows AWS best practices. An AWS Landing Zone solution was proposed for DOT; it makes it easy to create new accounts by providing a baseline for security, logging, networking and identity management. The solution also gives more visibility into the monthly cost of workloads running across multiple accounts.
DOT has several existing AWS accounts created by business units and managed by vendors hired to implement and operate the workloads in those accounts. These accounts do not follow standard guidelines for security, identity management, logging and networking. One of the challenges is migrating the complex workloads running in existing accounts, which consist of a large number of interdependent applications. A "quarantine and migrate" migration pattern has been proposed to move those workloads in multiple phases, minimizing the impact on the mission-critical applications running in those accounts.
Phase 1 brings an existing account under the central landing zone as a quarantined account, which provides central financial integration through consolidated billing. Phase 2 adds non-invasive security controls to the account to implement compliance rules, logging and threat detection. Phases 1 and 2 have no impact on the workloads running in the quarantined account. Phase 3 is the longest phase: carefully planning, re-architecting and moving the complex workloads into a new landing zone account that uses the network integration of the landing zone solution.
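One way to make the Phase 2 controls "non-invasive" yet tamper-resistant is a Service Control Policy (SCP) on the organizational unit that holds quarantined accounts: an SCP only limits what principals inside the member account may do, so running workloads are untouched, but the vendor administrators in that account can no longer switch off the logging and detection the landing zone added. The following is an added example, not code from the case study or from Enquizit's deliverable. It assumes that logging is CloudTrail and AWS Config, that threat detection is GuardDuty, and that a hypothetical break-glass role named LandingZoneAdmin is the only principal allowed to change them; none of those names appear on the page. The `is_denied` helper is a small offline check of the policy's effect, not a full IAM evaluator, and `attach_to_quarantine_ou` takes a caller-supplied boto3 Organizations client so the module runs without boto3 installed.

```python
"""Quarantine-OU guardrail for Phase 2 (added example, not the case study's code).

Assumptions not stated on the page: logging is CloudTrail + AWS Config,
threat detection is GuardDuty, and a hypothetical LandingZoneAdmin role is
the only principal permitted to alter them.
"""
import fnmatch
import json

# Actions that would disable or weaken the baseline the landing zone added.
PROTECTED_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",
    "config:StopConfigurationRecorder",
    "config:DeleteConfigurationRecorder",
    "config:DeleteDeliveryChannel",
    "config:DeleteConfigRule",
    "guardduty:DeleteDetector",
    "guardduty:UpdateDetector",
    "guardduty:DisassociateFromMasterAccount",
    "organizations:LeaveOrganization",
]

# Hypothetical break-glass role (assumed name). The account ID is wildcarded
# so a single SCP serves every quarantined account in the OU.
ADMIN_ROLE_PATTERN = "arn:aws:iam::*:role/LandingZoneAdmin"


def quarantine_scp() -> dict:
    """Return the SCP document to attach to the quarantine OU."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ProtectLandingZoneBaseline",
                "Effect": "Deny",
                "Action": PROTECTED_ACTIONS,
                "Resource": "*",
                # ArnNotLike: the Deny applies to every principal EXCEPT the
                # landing zone admin role, which keeps a break-glass path.
                "Condition": {
                    "ArnNotLike": {"aws:PrincipalARN": ADMIN_ROLE_PATTERN}
                },
            }
        ],
    }


def is_denied(policy: dict, action: str, principal_arn: str) -> bool:
    """Offline check: does this SCP deny `action` for `principal_arn`?

    Models only the Deny statements with an ArnNotLike/aws:PrincipalARN
    condition that this policy uses; it is a unit-test aid, not an IAM
    policy simulator.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue  # statement does not cover this action
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        if isinstance(exempt, str):
            exempt = [exempt]
        if any(fnmatch.fnmatchcase(principal_arn, e) for e in exempt):
            continue  # principal matches the exemption, condition is false
        return True
    return False


def attach_to_quarantine_ou(org_client, ou_id: str, policy: dict) -> str:
    """Create the SCP and attach it to the quarantine OU; returns the policy ID.

    `org_client` is a boto3 Organizations client created by the caller in the
    management account (e.g. boto3.client("organizations")).
    """
    created = org_client.create_policy(
        Name="QuarantineBaselineGuardrail",
        Description="Keeps quarantined accounts from disabling landing zone logging and detection",
        Type="SERVICE_CONTROL_POLICY",
        Content=json.dumps(policy),
    )
    policy_id = created["Policy"]["PolicySummary"]["Id"]
    org_client.attach_policy(PolicyId=policy_id, TargetId=ou_id)
    return policy_id


if __name__ == "__main__":
    # Print the document for review before attaching it; no AWS calls here.
    print(json.dumps(quarantine_scp(), indent=2))
```

Note that the SCP does not grant anything and does not touch EC2, RDS or other workload APIs, which is what keeps Phase 2 non-invasive; an action like `ec2:TerminateInstances` is left entirely to the account's own IAM policies. Attaching the quarantined account to the OU in Phase 1 (consolidated billing) is what makes this guardrail enforceable in Phase 2.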