Enterprise multi-account unified architecture


Solution overview

The enterprise multi-account unified architecture is a solution based on Alibaba Cloud Best Practices that helps you quickly design a multi-account environment for your enterprise. Setting up a multi-account environment can be time-consuming because it involves multiple basic cloud products, the configuration of multiple accounts and services, and a deep understanding of the related services. This solution saves time by automatically creating core accounts and resources and implementing an initial security baseline. It also provides a financial management model for multi-account environments to help you quickly decide which financial settlement method to use for managing cloud expenses.

Solution advantages

Systematic management of multiple accounts

You can plan a multi-account architecture to centrally and systematically manage your enterprise's Alibaba Cloud accounts. Clarifying the responsibilities of each account helps business units better use Alibaba Cloud account resources.

Quick creation of new accounts

Enterprises need to create new accounts quickly for the rapid development of innovative businesses. This solution lets you quickly create resource accounts that comply with your enterprise's identity verification requirements. This helps enterprises launch innovative businesses faster.

Customer scenarios

Unified management of all enterprise cloud accounts from a structured perspective

Scenario description

You can enable a resource directory and then create new accounts or invite existing accounts for unified management.

Applicable customers

  1. Primarily customers who have enabled Resource Directory (RD) but are not yet actively using it.

  2. Customers who use multiple accounts on the cloud and want to centrally manage them and control cloud resource usage based on business relationships.

Quickly transform from a single account to multiple accounts

Scenario description

Do not use an existing account that is running services as the management account. Instead, use this solution to quickly create a new, empty account to serve in this role. You can then invite your existing Alibaba Cloud accounts for unified management.

Applicable customers

Customers who use a single cloud account and want to use multiple accounts for new business development.

Customer use cases

Customer background

A communications company in China has over 20 Alibaba Cloud accounts, each deploying a different business unit. The company's information management team wants to unify the management of these accounts by setting consistent compliance standards and operation audit rules.

Customer pain points

The company has more than 20 Alibaba Cloud accounts managed by different business teams. This makes it difficult to centrally manage the accounts and implement unified permission restrictions. As new business lines are launched, more Alibaba Cloud accounts will be created. Therefore, unified management has become a top priority for the information management team.

Customer benefits

This enterprise multi-account unified architecture provided the customer with the following benefits:

  • The team can use Resource Directory to converge accounts from various functional teams into a single, centrally managed system.

  • The team can apply uniform control policies to different accounts.

  • The team can centralize account management when launching new businesses.

Solution architecture

This solution guides enterprise customers in setting up a multi-account structure and determining a financial management model for a multi-account scenario.

Architecture diagram

Account description:

  • Management account: Manages multiple accounts. This account is used to configure identities and permissions, view bills for all Alibaba Cloud accounts, and apply audit rules to all member accounts.

  • Security account: Used by an enterprise's security team to configure security products, such as WAF and Anti-DDoS Proxy instances.

  • Log archive account: Aggregates logs from all member accounts for centralized management.

  • Operations account: Deploys operations and maintenance (O&M) tools, such as a unified monitoring platform, a Cloud Management Platform (CMP), and a Configuration Management Database (CMDB).

  • Shared service account: Deploys enterprise shared services, such as network deployments. The costs for this account are typically managed by a single team, such as the infrastructure team.

Product costs and terms

Product costs

This solution uses Resource Directory and Cloud Governance Center and has separate deployment architectures for the Alibaba Cloud China Website and the Alibaba Cloud International Website (www.alibabacloud.com).

Resource Directory limits

For more information, see the Limits document.

Financial relationship limits

  • Financial Management: A financial management model for enterprises where a management account manages the funds, invoicing, and other financial activities of member accounts.

  • Finance Trusteeship: A financial management model for enterprises. In this model, a management account pays on behalf of member accounts to enable unified settlement and consolidated billing and invoicing.

The following list compares the two models property by property:

  • Credit control

    • Financial Management: The management account can choose to sync its Alibaba Cloud credit control status to member accounts. The management account can allocate or revoke credit for member accounts.

    • Finance Trusteeship: Member accounts do not have Alibaba Cloud credit control. A virtual quota is enabled.

  • Budget management

    • Financial Management: Member accounts are subject to budget control. Services are suspended due to overdue payments if the budget is exceeded.

    • Finance Trusteeship: No budget control.

  • Settlement relationship

    • Financial Management: Member account -> Alibaba Cloud

    • Finance Trusteeship: Management account -> Alibaba Cloud

  • Invoicing relationship

    • Financial Management: Member accounts can issue their own invoices or have the management account issue invoices for them (using the member account's information). The management account cannot issue consolidated invoices.

    • Finance Trusteeship: Alibaba Cloud issues invoices to the management account. Consolidated invoicing is supported.

  • Coupons

    • Financial Management: Member accounts can use coupons.

    • Finance Trusteeship: Member accounts cannot use coupons.

Implementation steps

Preparations

Determine the financial management model

  • If you choose finance trusteeship, decide which account to use for settlement.

  • Select a member account to use as the finance trusteeship account. Consult with your company's finance department to make this decision.

Determine the management account

  • Identify all existing Alibaba Cloud accounts in your enterprise and select one to serve as the management account.

  • Before you build a landing zone, the system automatically checks if the current Alibaba Cloud account is qualified to be a management account. You can use the results of this check to select a suitable management account. For more information, see Check account qualification.

Implementation duration

After the preparations are complete, this solution takes an estimated 15 minutes to implement.

Procedure

Scenario 1: Use an existing account as the enterprise management account

Configure setup items
  1. Log on to the Cloud Governance Center console.

  2. In the navigation pane on the left, choose Landing Zone > Set Up Landing Zone.

  3. On the Set Up Landing Zone page, in the Select Blueprint section, select Standard Blueprint and click Set Up.

  4. On the Configure Blueprint page, in the Added Setup Items section, you can view the setup items in the blueprint and add or remove them as needed.

    • Click Add Setup Item to add a setup item. Some items have dependencies and must be added together.

    • Click the icon next to a setup item to remove it. Required setup items cannot be removed.

This example retains only the three required setup items: Create Folders, Create Core Accounts, and Protection Rules.

Create folders

A folder is an organizational unit in a resource directory that typically represents an enterprise's branch, line-of-business, or product project. You can add members to folders and nest subfolders to create a tree-like resource organization structure. You can perform administration tasks for each folder, such as resource allocation, permission management, security control, and compliance control.

As a best practice, create the following two folders. If these folders do not exist in the management account, Cloud Governance Center automatically creates them:

  • Core folder: Contains members used for administrative purposes.

  • Applications folder: Contains members that run specific business operations.

Procedure

  1. In the Added Setup Items section, click Create Folders to view the two automatically generated folders. You can change the folder names or delete them if they are not needed. In addition to the automatically created Core and Applications folders, you can also click Create Folder under a target node in the resource directory to create more granular folders based on departments and business environments.

  2. After the configuration is complete, click Next.

Create core accounts

You can create core management accounts for your enterprise's functional teams to simplify administration tasks, such as resource allocation, permission management, and security and compliance.

  1. In the Create Core Accounts section, from the Default Folder drop-down list, select the folder that will contain the core accounts. In this example, select the Core folder created in the Create folders step.

  2. Set the finance trusteeship method.

    • Finance Trusteeship: This is an optional setting recommended by Alibaba Cloud. If you enable finance trusteeship, you can centrally manage financial settlements and bill splitting for all accounts from a single account.

    • Financial Management: Unlike finance trusteeship, financial management lets you delegate only specific financial capabilities to a unified account. By default, each account uses its own settlement method. After the setup is complete, you must log on to the financial management account to configure the settings. For more information, see Invite a linked account.

    • Independent Settlement for Each Account: Each account uses its own settlement method. No unified financial management method is configured.

  3. (Optional) If you select Finance Trusteeship, you must specify a finance trusteeship account. You can specify the finance trusteeship account in one of the following ways:

    • Specify an existing account: You can specify the current management account or a member in the resource directory as the finance trusteeship account. The system automatically determines whether a member is eligible to be a finance trusteeship account. Based on the result, select an eligible account.

      • Note: If the system indicates that a member does not meet the requirements, it may be because its financial information is incomplete. Go to Expenses and Costs to complete the information.

    • Create a new account: You can create a new member and set it as the finance trusteeship account.

    • Invite an account: You can invite an Alibaba Cloud account to join the resource directory and set it as the finance trusteeship account.

  4. Specify the core accounts. In this example, the following three core accounts are specified:

    • Log archive account: This account is used to centrally collect log information from all members. It is enabled by default and cannot be disabled.

    • Shared service account: This account is used to deploy enterprise shared services. It is enabled by default but can be disabled.

    • Security account: This account is used for unified security and compliance control. It is enabled by default but can be disabled.

    For each account type, you can choose to Create a new account or Specify an existing account. If you choose to Create a new account, you must configure the basic account information.

  5. Click Next.

Configure protection rules

You can centrally configure and enable protection rules for configuration audit. This prevents modification of the resource structure and basic configurations created by Cloud Governance Center, thereby ensuring the security of the multi-account environment.

In the Protection Rules section, you can view and select the rules you need. For more information, see Configure protection rules in a centralized manner.

Run the landing zone setup task
  1. After you configure all parameters, click Preview Configurations to review your settings.

  2. After you confirm that the settings are correct, click Start.

  3. View the execution status. When all tasks are complete, click Close.

  4. After the landing zone blueprint is set up, click Add Setup Item. You can add new setup items, such as CloudSSO, as needed.

View the resource directory and account structure
  1. Log on to the Cloud Governance Center console.

  2. In the navigation pane on the left, click Account Structure.

  3. In the Account Structure Overview section, you can view the following information about the account structure.

    • Number of folders: The total number of folders in the resource directory.

    • Number of Alibaba Cloud accounts: The total number of members that are Alibaba Cloud accounts in the resource directory.

    • Number of resource accounts: The total number of members that are resource accounts in the resource directory.

    • Finance trusteeship account: The finance trusteeship account in the resource directory.

  4. Click the Account Structure tab to view information about the folders and member accounts in the resource directory.

  5. Click the Account List tab to view the list of member accounts in the resource directory.

Scenario 2: Create a new account to use as the enterprise management account

For more information, see the Create a new management account to enable a resource directory section in Enable a resource directory.

Account planning

Assume that an enterprise has an identity-verified account named business-account that is used for business services. The enterprise wants to create a new account named management-account to serve as the management account, using the same identity verification information.

Procedure
  1. Log on to the Resource Management console with your business account.

  2. In the navigation pane on the left, choose Resource Directory > Enable Resource Directory.

  3. In the Best Practices section, click Create a New Management Account.

  4. In the dialog box, enter a name in the Management Account Name field.

  5. Enter a phone number in the Secure Phone Number for Management Account field, click Get Code, and then enter the verification code that you receive on the secure phone.

  6. Click Enable.

Note

For the newly created management account, use the password recovery feature to set a logon password with the secure phone number that you specified when you created the account. Then, you can log on to the Resource Management console to manage the resource directory.

The preceding steps create an empty account named management-account with the same identity verification. Then, use this account to log on to the Cloud Governance Center. Complete the basic landing zone setup. For detailed steps, see Scenario 1: Use an existing account as the enterprise management account.

Troubleshooting

How can I add accounts with different identity verification information to the same resource directory?

This feature is not supported by default. To enable it, contact Alibaba Cloud to add your account to the whitelist.

What kind of account is not suitable to be a management account for a resource directory?

  • The account has pending invitations. We recommend that you process these invitations before you enable the resource directory.

  • The account already has cloud resources with deployed businesses or applications. The management account handles high-privilege operations, such as managing the resource directory architecture, controlling user permissions, and handling payments and settlements for all resources. To ensure the security of the management account, create a new Alibaba Cloud account to serve as the management account. Avoid using an Alibaba Cloud account that is already in use for other purposes.

Uninstalling the solution

Remove members of the Alibaba Cloud account type

To delete a resource directory, you must first remove all of its members, which are Alibaba Cloud accounts.

Procedure

  1. Log on to the Resource Management console.

  2. In the navigation pane on the left, choose Resource Directory > Overview.

  3. Click the Resource Organization or Member List tab.

  4. In the member list, find the target Alibaba Cloud account and click Remove in the Actions column.

  5. In the Remove dialog box, click OK. After the member is removed, the following occurs:

    • The member becomes an independent Alibaba Cloud account. It is no longer managed by the management account of the resource directory or subject to any control policies of the resource directory.

    • The member's payment relationship does not change. To update the payment relationship for the account, go to the finance system. For more information, see Enterprise Finance.

Delete a folder

You can delete a folder only if it contains no members or subfolders. This operation cannot be undone. Proceed with caution.

  1. Log on to the Resource Management console.

  2. In the navigation pane on the left, choose Resource Directory > Overview.

  3. Click the Resource Organization tab.

  4. Under the Root folder, find the target folder.

  5. On the folder page, click Delete Folder.

    Note

    The Delete Folder button is displayed only when the folder contains no members or subfolders.

  6. In the Delete Folder dialog box, click OK.

Disable a resource directory

If you no longer need the Resource Directory service, you can disable it. This is an irreversible operation, so proceed with caution.

Before you disable a resource directory, ensure that you have completed the following operations:

  • All members in the resource directory have been removed.

  • All folders in the resource directory, except for the Root folder, have been deleted.

Procedure

  1. Log on to the Resource Management console.

  2. In the navigation pane on the left, choose Resource Directory > Settings.

  3. Click Disable Resource Directory.
