Set up a Landing Zone

A Landing Zone is an Alibaba Cloud enterprise cloud adoption framework for planning and implementing your cloud resource structure, access security, network architecture, and security and compliance controls. This topic describes how to set up a Landing Zone by using the Standard Blueprint template in Agentic Cloud Governance Center.

Background

The system automatically checks whether Resource Directory is enabled for your management account and enables it if needed.

Step 1: Configure setup items

  1. Log on to the Agentic Cloud Governance Center console.

  2. In the left-side navigation pane, choose Landing Zone > LandingZone Setup.

  3. On the LandingZone Setup page, in the Select Blueprint section, select Standard Blueprint, and then click Build.

  4. On the Configure Blueprint page, in the Added Items section, review the blueprint items. Add or remove items as needed.

    • Click Add Item to add an item.

      Some items have dependencies and must be added together.

    • Click the Delete icon next to an existing item to remove an unneeded item.

      Required items in the blueprint cannot be removed.

    In this example, keep only the three required setup items: Create Folder, Create Core Account, and Protection Rule.

Step 2: Create folders

Folders are organizational units in Resource Directory that represent subsidiaries, business lines, or projects. Nest them to build a hierarchy for resource allocation, permission management, security controls, and compliance.

We recommend that you create the following two folders. Agentic Cloud Governance Center creates them automatically if they do not exist.

  • Core folder: Holds members for governance purposes.

  • Applications folder: Holds members that run your workloads.

In the Added Items section, click Create Folder to view the two generated folders. Rename or delete them as needed.

Beyond the default Core and Applications folders, click Create Resource Folder under a target node in Resource Directory to create additional folders by department, environment, or other criteria.

Step 3: Create core accounts

Create core accounts for your functional teams to simplify resource allocation, permission management, and security and compliance controls.

  1. In the Create Core Account section, from the Default Folder drop-down list, select the folder that will contain the core accounts.

    In this example, select the Core folder created in Step 2: Create folders. This creates the core accounts under the Core folder.

  2. Configure the financial hosting method.

    • Trusteeship: Optional and recommended. Centralizes billing settlement and cost allocation for all accounts under this account.

    • Finance Management: Centralizes selected financial capabilities under one account. Each account defaults to self-payment. After setup, log on to the financial management account to configure settings.

    • Self-pay for Each Account: Each account manages its own billing. No centralized financial management is configured.

  3. Optional: If you select Trusteeship, specify a Financial Hosting account.

    Specify a Financial Hosting account by using one of the following methods:

    • Specify Existing Account: Specify the management account or a Resource Directory member as the Financial Hosting account.

      The system validates whether the selected member meets the requirements.

      Note

      If a member account does not meet the requirements, its financial information may be incomplete. Go to the Billing console to complete it.

    • Create Account: Create a new member as the Financial Hosting account.

    • Invite Account: Invite an Alibaba Cloud account to join Resource Directory as the Financial Hosting account.

  4. Specify the core accounts.

    This example uses three core accounts:

    • Log Archive Account: Centralizes logs from all member accounts. Enabled by default and cannot be disabled.

    • Shared Service Account: Deploys shared services for your organization. Enabled by default but can be disabled.

    • Security Account: Manages security and compliance controls centrally. Enabled by default but can be disabled.

    For each account type, choose Create Account or Specify Existing Account. If you choose Create Account, configure the basic account information.

  5. Click Next.

Step 4: Configure guardrails

Configure and enable guardrails in Configuration Audit to protect the resource structure and baseline configurations from unauthorized changes.

In the Protection Rule section, centrally configure protection rules: review the rules and select the ones you need.

Step 5: Deploy the Landing Zone

  1. After configuring all parameters, click Preview Configuration to review your settings.

  2. If the settings are correct, click Execute.

  3. View the execution status. After all tasks are complete, click Off.

Next steps

Continue setting up the landing zone

The preceding steps cover only basic Landing Zone setup. On the Setup Landing Zone page, click Continue to Build in the upper-right corner to configure additional supported setup items.

Create member accounts

On the Account Factory page, view the core accounts created earlier, configure an account baseline, and create member accounts from it.

Manage multiple accounts

Review governance maturity assessment results

Governance Maturity Assessment continuously evaluates your cloud IT governance posture and provides recommendations. Agentic Cloud Governance Center automatically scans member accounts in your Resource Directory to identify governance gaps and risks. View assessment data and download reports.