How to regain control of your cloud footprint with AWS Landing Zone


A state health agency, which purchases health care for more than 2 million people, found itself with a visibility problem – it didn’t have any.

The health agency had zero visibility into its Amazon Web Services (AWS) billing or its overall AWS signature, leaving it frustrated with its AWS reseller.

With an annual $500,000 cloud spend and optimization budget, the health agency knew that without properly understanding how its billing correlated with deployment, it would struggle to plan for future engagements within AWS, including a data center migration it had planned.

SHI learned about the health agency’s struggles and reached out to offer our professional services.

The agency switched its managed billing over to SHI and got its management of cloud costs under control. But this was just the beginning of the engagement.

Impressed with SHI’s cloud capabilities, the organization presented SHI with a new challenge: migrate its existing on-premises data center to AWS.

Assessing the situation

The health agency wanted to move its current AWS workload and a separate standalone environment – consisting of its encryption-protected health care applications – to AWS Landing Zone. It wanted to add security monitoring and hardening.

But most importantly, the health agency wanted to reduce the number of hours required every time it wanted to spin up a development environment in the cloud.

SHI performed an AWS migration assessment and discovered the health agency had a bunch of AWS accounts to consolidate, all with their own silos. The environment was not built to AWS’ best practices. The health agency didn’t have control of its accounts and couldn’t pursue DevOps with its current environment.

This was not going to be a simple migration. But that didn’t mean it couldn’t be done.

Devising a plan, migrating to AWS Landing Zone, and incorporating AWS Direct Connect

SHI built out the customer’s new accounts using AWS Well-Architected Review and AWS Landing Zone.

Before migrating to AWS Landing Zone, however, SHI crafted a new organizational structure for the health agency by setting up service control policies (SCPs) with AWS Organizations on each of its AWS accounts. This would give the health agency central governance and management for its multiple accounts and would allow it to expand its AWS footprint.

SHI also created a service catalogue that lets developers request an environment that fits pre-defined parameters. Development request times shrank from days to minutes. Given the health agency’s small cloud team, this would be invaluable moving forward.

This wasn’t a simple migration, because all the workloads were encrypted. SHI took snapshots of the workloads, decrypted them, and encrypted them in the new AWS Landing Zone. SHI documented this process, showed the health agency how to do it, and helped it perform migrations of its own. SHI also attended bi-weekly state networking meetings to help the health agency troubleshoot its network architecture.

The final piece of the puzzle was setting up AWS Direct Connect. The health agency had been using a VPN to connect to its environment in AWS. While this was stable, it couldn’t offer guaranteed high performance and bandwidth. AWS Direct Connect could, which is why it was always in the agency’s roadmap.

The health agency didn’t know how to implement AWS Direct Connect in a way that would provide failover from the VPN, so SHI handled that as well. Now the state health agency has two ways to connect to its AWS environment, as well as redundant connections.

Gaining more control over AWS

This state health agency had a laundry list of needs. It wanted to be able to migrate workloads to AWS Landing Zone. But it also wanted to gain legitimate visibility into its AWS billing and footprint.

SHI provided the organization with a framework and collection of best practices, an improved managed billing solution, redundant connections to its AWS cloud, and its AWS accounts organized under one master account in AWS Landing Zone.

SHI’s actions, knowledge transfer, and regular communication with the customer made an impression – so much so that this engagement led to SHI managing the billing of six other state agencies since. All of them have gained the visibility and environments they need to take full advantage of the cloud.