Unique Landing Zone

Scope

The Confluence page "Unique Landing Zone" outlines the implementation and management of a customized Azure Landing Zone designed to meet specific client needs. It covers:

  • An overview of the Azure Landing Zone framework and its benefits.

  • Reasons for customizing the standard Azure Landing Zone to address unique client requirements and risks.

  • A detailed explanation of the risk-based approach, automation, and resource organization.

  • Steps for code delivery, the CI/CD pipeline, provisioning, access control, and compliance.

  • Management and segregation of resources into the Main, Sensitive, Audit, and Vnet groups.

  • Roles and responsibilities that ensure security and efficiency.

  • Requirements and best practices for hosting a chat application.

  • Tools needed for managing deployments, including storage, authentication, version control, CI/CD, and container management.

Audience

The primary audience includes:

  • Cloud Architects designing and implementing cloud environments.

  • DevOps Engineers automating, deploying, and managing cloud infrastructure.

  • Security Engineers ensuring security and compliance.

  • IT Administrators managing day-to-day cloud operations.

  • Project Managers overseeing cloud adoption projects.

  • Clients and stakeholders who need to understand the customized solution for their needs.

Introduction to Azure Landing Zone

The Azure (Application) Landing Zone (ALZ) is a comprehensive framework provided by Microsoft to facilitate the adoption of Azure services. It offers best practices, guidance, and blueprints for creating a secure, scalable, and well-governed cloud environment. ALZ ensures that cloud resources are managed efficiently, are compliant with industry standards, and are ready for production workloads. Key components of ALZ include structured governance, automated deployments, resource organization, security baselines, and cost management practices.

Azure Landing Zone subscription layout (see link):

[Figure: image-20240517-214217.png]

 

Reasons for Deviation from Azure Landing Zone

While the Azure Landing Zone provides a solid foundation for cloud environments, certain client-specific requirements and risk profiles necessitated deviations. Our derived solution addresses these unique needs by:

  1. Focused Risk Mitigation: Emphasizing specific risks such as data exfiltration, Kubernetes data plane security, and cost management, which are critical for our clients.

  2. Enhanced Automation: Prioritizing automation to improve security, reduce human error, and ensure consistent implementation of policies and procedures.

  3. Customized Resource Segregation: Organizing resources to minimize risk exposure and enhance control over sensitive data.

  4. Tailored Role Management: Implementing custom roles to align with the specific operational and security requirements of our clients.

Unique Landing Zone

 

[Figure: Unique CMT Infra Chat.png]

 

The Unique Landing Zone is designed based on best practices to meet the specific needs and risk profiles of our clients. Below are the key components:

Risk-based Approach

  • Targeted Risk Mitigation:

    • Data Exfiltration: Comprehensive measures to prevent unauthorized data extraction.

    • Kubernetes Data Plane: Controls against data exfiltration through the Kubernetes data plane.

    • Privileged Roles: Ensuring secure use of privileged roles.

    • Cloud Resource Misconfiguration: Preventing and addressing misconfigurations.

    • Cost Management: Strategies to avoid over-provisioning and manage costs effectively.

    • Third-party Security: Managing vulnerabilities in third-party applications.

  • Utilizes Privileged Identity Management (PIM) or Just-in-Time (JIT) access to minimize risk.

Automation First

  • Strong Automation Emphasis:

    • Enhances control over changes.

    • Minimizes lateral movement risks.

    • Strictly enforces the principle of least privilege.

    • Maintains a comprehensive audit trail.

    • Promotes modern collaboration practices.

  • Automation reduces the need for manual roles and permissions, positively impacting costs and timelines.

 

  • Automation and Source Control:

    • GitHub Repository (Client GitHub): The central repository where the client manages infrastructure as code (IaC).

    • CI/CD Pipeline (e.g., Azure DevOps): Pull requests (PRs) are submitted to the repository, reviewed, and merged. On merge, automation scripts are triggered for provisioning.

    • PIM RBAC Assignments: Privileged Identity Management (PIM) is used to assign RBAC roles dynamically, enhancing security by granting just-in-time (JIT) access.

 

Workflow

  1. Code Delivery:

    • Unique employees make infrastructure changes via pull requests to the client’s GitHub repository.

    • These changes are reviewed and approved by client administrators.

  2. CI/CD Pipeline:

    • Upon approval, the CI/CD pipeline pulls the latest code and triggers automation scripts.

    • These scripts provision or update resources across the defined resource groups.

  3. Provisioning:

    • Provisioners have the necessary permissions to deploy resources into both Main and Sensitive Resource Groups.

    • Automation ensures that sensitive data is handled securely, and access is restricted as needed.

  4. Access Control:

    • Observers and Sensitive Data Observers have read-only access to their respective groups to monitor and review configurations.

    • Client Control has full oversight and can make necessary adjustments to ensure compliance and security.

  5. Audit and Compliance:

    • All operations and changes are logged in the Audit Resource Group, which is write-only for Unique and fully accessible by client administrators for compliance monitoring.

    • Regular reviews and audits are conducted to ensure that all changes are compliant with organizational policies.

 

Resource Groups

  • Segregation Based on Risk Management:

    • Main: Contains primary resources required to run the solution, excluding sensitive data.

    • Sensitive: Stores all customer data, with minimal human access and only JIT privileges.

    • Audit: Centralized, tamper-proof audit logs. Write-only access for Unique, with no read access; any modifications are made through automated processes.

    • Vnet: Networking setup, often managed by the client due to its security impact.

  • This segregation helps in better risk management and rigorously follows the principle of least privilege.

Resource Groups and Permissions

  1. Main

    • Content: Primary resources needed to run core services, but no resources that contain data.

    • High-level Permissions:

      • Managed by responsible parties (either Unique or the client, see Responsibilities).

      • Includes basic infrastructure and non-sensitive configurations.

  2. Sensitive

    • Content: All customer data, including prompts, uploaded files, and encryption keys.

    • High-level Permissions:

      • Least-privilege access, primarily through JIT (Just-in-Time).

      • Automation is highly recommended to manage access and minimize human intervention.

  3. Audit

    • Content: Centralized, tamper-proof audit logs.

    • High-level Permissions:

      • Write access only, for Unique and its workloads.

      • No read access; modifications should be made by the client or through automated processes.

  4. Vnet

    • Content: Networking setup, including limited internet access for pulling necessary content.

    • High-level Permissions:

      • Typically managed by clients due to its significant security impact.

      • Automation preferred for managing network configurations.

  5. Terraform

    • Content: Storage for Terraform state files.

    • High-level Permissions:

      • Restricted access to a few individuals or to automation.

      • Ensures the infrastructure state is securely maintained and modifications are tracked.
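The Audit group described above (tamper-proof logs, write-only for Unique, no read access) as an added Terraform example for the azurerm provider. This is not code from the page or from Unique; the storage account name, retention period and workload identity are assumptions.

```hcl
# Added example, not the page's code: Audit storage with account-level
# immutability and a write-only data-plane role. azurerm 3.x assumed;
# names, retention period and the principal id are placeholders.
variable "workload_identity_object_id" { type = string } # Unique workload's managed identity

resource "azurerm_resource_group" "audit" {
  name     = "rg-chat-audit" # assumed name
  location = "westeurope"
}

resource "azurerm_storage_account" "audit" {
  name                            = "stchataudit001" # placeholder, must be globally unique
  resource_group_name             = azurerm_resource_group.audit.name
  location                        = azurerm_resource_group.audit.location
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  min_tls_version                 = "TLS1_2"
  shared_access_key_enabled       = false # Entra ID auth only; no account keys to leak
  allow_nested_items_to_be_public = false
  blob_properties {
    versioning_enabled = true # required for account-level immutability
  }
  # Blobs cannot be overwritten or deleted during the retention period; append
  # writes stay allowed for log shipping. Set "Locked" once validated: a locked
  # policy can be extended but never shortened or removed.
  immutability_policy {
    state                         = "Unlocked"
    period_since_creation_in_days = 365 # assumed retention
    allow_protected_append_writes = true
  }
}

# Write-only data-plane role: add and write blobs, but no read, list or delete.
resource "azurerm_role_definition" "audit_writer" {
  name  = "Unique Audit Log Writer"
  scope = azurerm_storage_account.audit.id
  permissions {
    data_actions = [
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
    ]
  }
  assignable_scopes = [azurerm_storage_account.audit.id]
}

resource "azurerm_role_assignment" "workload_writer" {
  scope              = azurerm_storage_account.audit.id
  role_definition_id = azurerm_role_definition.audit_writer.role_definition_resource_id
  principal_id       = var.workload_identity_object_id
}
```

Client administrators who need to read the logs for compliance monitoring get a separate reader assignment at the same scope; nothing in the Unique workload identity's role lets it read or delete what it has written.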

 

Roles and Access Control in the Unique Landing Zone

In the Unique Landing Zone, a robust roles and access control framework is crucial for maintaining security, compliance, and efficiency. This framework enforces the principle of least privilege, segregates duties, and minimizes risks. Leveraging Azure best practices, including Privileged Identity Management (PIM) and Just-in-Time (JIT) access, the Unique Landing Zone dynamically manages permissions to enhance security and operational efficiency.

Roles and Responsibilities

  1. Observer

    • Access Level: Read (r) in the Resource Group Main.

    • Responsibilities:

      • View and monitor resources within the Resource Group Main.

      • Access secrets stored in the Main Key Vault.

    • Limitations: No access to the Resource Group Sensitive.

  2. Maintainer

    • Access Level: Read, Write, Delete (rwd) in the Resource Group Main.

    • Responsibilities:

      • Maintain and manage resources within the Resource Group Main.

      • Handle secrets stored in the Main Key Vault.

    • Limitations: No access to the Resource Group Sensitive.

  3. Provisioner

    • Access Level: Read, Write, Delete (rwd) in the Resource Group Main; Read, Write, Delete (rw(d)) in the Resource Group Sensitive.

    • Responsibilities:

      • Deploy and configure resources within both the Resource Group Main and Resource Group Sensitive.

      • Transfer configuration values and secrets from the Main Key Vault to the Sensitive Key Vault to ensure maintainers do not access sensitive data directly.

    • Limitations: Full access to both resource groups but responsible for securing sensitive data by segregating access.

  4. Sensitive Data Observer

    • Access Level: Read (r) in the Resource Group Sensitive.

    • Responsibilities:

      • View and monitor sensitive data and resources within the Resource Group Sensitive.

    • Limitations: No write or delete permissions, ensuring read-only access to sensitive data.

Resource Groups and Access

  1. Resource Group Main

    • Content: Primary resources needed to run core services, excluding any sensitive data.

    • Access:

      • Observer: read access to monitor non-sensitive resources; Maintainer: full read, write, and delete permissions to manage them.

      • Provisioner: Full access to manage configuration values and ensure segregation of sensitive data.

  2. Resource Group Sensitive

    • Content: All customer data, including prompts, uploaded files, and encryption keys.

    • Access:

      • Sensitive Data Observer: Read-only access to monitor sensitive data.

      • Provisioner: Full access to manage sensitive data, ensuring maintainers do not access sensitive information directly.

  3. Secrets Management

    • Main Key Vault: Stores secrets required for operations in the Resource Group Main.

    • Sensitive Key Vault: Stores sensitive keys and data, with strict access controls.

Workflow

  1. Unique Employees:

    • Assigned specific roles (Observer, Maintainer, Provisioner, Sensitive Data Observer) based on responsibilities.

    • Each role has defined access levels to ensure segregation of duties and minimize risk.

  2. Configuration Management:

    • Provisioners: Responsible for putting necessary configuration values into the Main Key Vault.

    • Ensure that maintainers never see sensitive data by handling the configuration transfers securely.
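The role model above, expressed as Terraform for the azurerm provider, as an added example that is not the page's or Unique's own code. The subscription lookup, resource group names and Entra ID group object ids are assumptions; the Provisioner's JIT eligibility would be granted through PIM and is not modelled here.

```hcl
# Added example, not the page's code: resource groups and custom roles that
# realise the Observer, Maintainer and Sensitive Data Observer access levels.
# Names and Entra ID group object ids are assumptions; Provisioner JIT via PIM is not modelled.
variable "maintainer_group_object_id" { type = string }
variable "sensitive_observer_group_object_id" { type = string }
data "azurerm_subscription" "current" {}
resource "azurerm_resource_group" "rg" {
  for_each = toset(["main", "sensitive"])
  name     = "rg-chat-${each.key}" # assumed naming
  location = "westeurope"
}

# Control-plane read only: Observer on Main, Sensitive Data Observer on Sensitive.
# Key Vault secret values are data-plane, so "*/read" alone does not expose them.
resource "azurerm_role_definition" "observer" {
  name  = "Unique Observer"
  scope = data.azurerm_subscription.current.id
  permissions {
    actions = ["*/read"]
  }
  assignable_scopes = [for rg in azurerm_resource_group.rg : rg.id]
}

# Read/write/delete in Main, minus role assignments, locks and elevation, so a
# maintainer cannot widen its own access (the same exclusions Contributor has).
resource "azurerm_role_definition" "maintainer" {
  name  = "Unique Maintainer"
  scope = data.azurerm_subscription.current.id
  permissions {
    actions = ["*"]
    not_actions = [
      "Microsoft.Authorization/*/Write",
      "Microsoft.Authorization/*/Delete",
      "Microsoft.Authorization/elevateAccess/Action",
    ]
  }
  assignable_scopes = [azurerm_resource_group.rg["main"].id]
}

resource "azurerm_role_assignment" "maintainer_main" {
  scope              = azurerm_resource_group.rg["main"].id
  role_definition_id = azurerm_role_definition.maintainer.role_definition_resource_id
  principal_id       = var.maintainer_group_object_id
}

resource "azurerm_role_assignment" "sensitive_observer" {
  scope              = azurerm_resource_group.rg["sensitive"].id
  role_definition_id = azurerm_role_definition.observer.role_definition_resource_id
  principal_id       = var.sensitive_observer_group_object_id
}
```

Because the Maintainer role is only assignable at the Main resource group and excludes Microsoft.Authorization writes, a maintainer can neither reach Sensitive nor grant anyone else access to it; that separation is what keeps the Provisioner's Main-to-Sensitive secret transfer meaningful.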

Hosting Unique / Dedicated Resources for "Chat" Use Case

Clients must provide the necessary resources to support the "Chat" use case within the Unique Landing Zone. The following table outlines the required services, their use cases, and the best practices for provisioning and managing these resources.

Required Services for "Chat" Use Case

  1. Container Orchestrator

    • Use Case: Host chat application services.

    • Best Practices:

      • Use Azure Kubernetes Service (AKS) for scalability and management.

      • Implement network policies and RBAC for secure access control.

  2. Telemetry Exported to Orchestrator

    • Use Case: Monitor application performance.

    • Best Practices:

      • Utilize Azure Monitor and Azure Log Analytics for telemetry data collection and analysis.

      • Set up alerts for real-time monitoring and incident response.

  3. Logging Solution Attached to Orchestrator

    • Use Case: Retain application logs.

    • Best Practices:

      • Deploy Azure Log Analytics for centralized log management.

      • Configure log retention policies to comply with data governance standards.

  4. Secure Storage for Audit Logs

    • Use Case: Retain audit logs.

    • Best Practices:

      • Use Azure Blob Storage with immutability policies for tamper-proof audit log storage.

      • Implement encryption at rest and in transit for data protection.

  5. Postgres Server

    • Use Case: Persist application data.

    • Best Practices:

      • Use Azure Database for PostgreSQL for a scalable, managed database.

      • Enable automated backups and geo-replication for data resilience.

  6. Redis Cache

    • Use Case: Manage session state and caching; Tyk API Gateway; frontend WebSockets.

    • Best Practices:

      • Utilize Azure Cache for Redis to improve application performance and responsiveness.

      • Configure high availability and disaster recovery settings.

  7. LLMs (Large Language Models)

    • Use Case: Provide chat features and reporting features.

    • Best Practices:

      • Integrate Azure OpenAI Service for advanced language understanding and generation.

      • Ensure proper authentication and access control measures are in place.

  8. Compatible Storage

    • Use Case: Store chat logs and media; knowledge features; SharePoint Connector.

    • Best Practices:

      • Use Azure Blob Storage or Azure Data Lake Storage for scalable and durable storage.

      • Implement lifecycle management policies to optimize storage costs and performance.

  9. Azure AD Application Registration

    • Use Case: User authentication and authorization.

    • Best Practices:

      • Register applications in Azure AD for secure user authentication and single sign-on (SSO).

      • Implement Conditional Access policies for enhanced security.

Supporting Tooling for Unique Landing Zone

To ensure the successful implementation and management of the Unique Landing Zone, both customer-managed tenants and on-premises installations require robust supporting tools. This section outlines the essential tools, their use cases, best practices, and examples to help clients efficiently manage their deployments while maintaining security and compliance.

  1. Git or Another VCS

    • Use Case: Store versioned Unique artefacts as code for audits, infrastructure as code, customization, and automation.

    • Best Practices:

      • Implement branch protection rules to ensure code quality.

      • Use pull requests for code reviews and approvals.

      • Regularly back up repositories.

    • Examples: GitHub (Cloud), GitHub Enterprise, Azure DevOps, GitLab Enterprise.

  2. CI/CD Automation

    • Use Case: Automation and principals that apply code changes published by Unique.

    • Best Practices:

      • Use pipeline as code to version control CI/CD configurations.

      • Automate testing and security scans.

      • Implement rollback strategies for failed deployments.

    • Examples: GitHub Actions, Azure DevOps Agents, GitLab CI, Bitbucket Pipelines, Octopus, FluxCD, ArgoCD.

  3. Container Registry

    • Use Case: Cache, scan, and analyze container images delivered by Unique as part of the releases.

    • Best Practices:

      • Enable image vulnerability scanning.

      • Use signed images to ensure integrity.

      • Implement role-based access control (RBAC).

    • Examples: Azure Container Registry, Harbor, DockerHub, GitHub Packages.

  4. Helm Chart Gallery

    • Use Case: Cache and validate Helm charts delivered by Unique as part of the releases.

    • Best Practices:

      • Regularly update Helm charts to the latest versions.

      • Validate charts in a staging environment before production.

      • Implement access controls for chart repositories.

    • Examples: Azure Container Registry, Harbor, ChartMuseum.

Summary

By following these best practices, clients can ensure their "Chat" use case is efficiently supported and securely managed within the Unique Landing Zone. This approach leverages Azure's powerful services and features to provide a robust and scalable environment tailored to specific application needs.

 

Author

@Serghei Goineanu

 

© 2024 Unique AG. All rights reserved.