Landing zone design in Google Cloud
This document provides an overview on how to design landing zones in Google Cloud. A landing zone, also called a cloud foundation, is a modular and scalable configuration that enables organizations to adopt Google Cloud for their business needs. A landing zone is often a prerequisite to deploying enterprise workloads in a cloud environment.
A landing zone is not a zone or zonal resources.
This document is aimed at solutions architects, technical practitioners, and executive stakeholders who want an overview of the following:
- Typical elements of landing zones in Google Cloud
- Where to find detailed information on landing zone design
- How to deploy a landing zone for your enterprise, including options to deploy pre-built solutions
This document is part of a series that helps you understand how to design and build a landing zone. The other documents in this series help guide you through the high-level decisions that you need to make when you design your organization's landing zone. In this series, you learn about the following:
- Landing zone design in Google Cloud (this document)
- Decide how to onboard identities to Google Cloud
- Decide the resource hierarchy for your Google Cloud landing zone
- Decide the network design for your Google Cloud landing zone
- Decide the security for your Google Cloud landing zone
This series does not specifically address compliance requirements from regulated industries such as financial services or healthcare.
What is a Google Cloud landing zone?
Landing zones help your enterprise deploy, use, and scale Google Cloud services more securely. Landing zones are dynamic and grow as your enterprise adopts more cloud-based workloads over time.
To deploy a landing zone, you must first create an organization resource and create a billing account, either online or invoiced.
A landing zone spans multiple areas and includes different elements, such as identities, resource management, security, and networking. Many other elements can also be part of a landing zone, as described in Elements of a landing zone.
The following diagram shows a sample implementation of a landing zone. It shows an Infrastructure as a Service (IaaS) use case with hybrid cloud and on-premises connectivity in Google Cloud:
The example architecture in the preceding diagram shows a Google Cloud landing zone that includes the following Google Cloud services and features:
Resource Manager defines a resource hierarchy with organizational policies.
A Cloud Identity account synchronizes with an on-premises identity provider, and Identity and Access Management (IAM) provides granular access to Google Cloud resources.
A network deployment that includes the following:
- A Shared VPC network for each environment (production, development, and testing) connects resources from multiple projects to the VPC network.
- Virtual Private Cloud (VPC) firewall rules control connectivity to and from workloads in the Shared VPC networks.
- A Cloud NAT gateway allows outbound connections to the internet from resources in these networks without external IP addresses.
- Cloud Interconnect connects on-premises applications and users. (You can choose between different Cloud Interconnect options, including Dedicated Interconnect or Partner Interconnect.)
- Cross-Cloud Interconnect (or Cloud VPN) connects to other cloud service providers.
- A Cloud DNS private zone hosts DNS records for your deployments in Google Cloud.
Multiple service projects are configured to use the Shared VPC networks. These service projects host your application resources.
Google Cloud Observability includes Cloud Monitoring for monitoring and Cloud Logging for logging. Cloud Audit Logs, Firewall Rules Logging, and VPC Flow Logs help ensure all necessary data is logged and available for analysis.
A VPC Service Controls perimeter isolates services and resources, which helps to mitigate the risk of data egress to Google Cloud services outside the perimeter. Traffic from hybrid environments is configured with authorized private access to communicate with services inside the perimeter.
The diagram above is only an example, because there is no single or standard implementation of a landing zone. Your business must make many design choices, depending on different factors, including the following:
- Your industry
- Your organizational structure and processes
- Your security and compliance requirements
- The workloads that you want to move to Google Cloud
- Your existing IT infrastructure and other cloud environments
- The location of your business and customers
When to build a landing zone
We recommend that you build a landing zone before you deploy your first enterprise workload on Google Cloud, because a landing zone provides the following:
- A foundation that's designed to be secure
- The network for enterprise workloads
- The tools that you require to govern your internal cost distribution
However, because a landing zone is modular, your first iteration of a landing zone is often not your final version. Therefore, we recommend that you design a landing zone with scalability and growth in mind. For example, if your first workload does not require access to on-premises network resources, you could build connectivity to your on-premises environment later.
Depending on your organization and the type of workloads that you plan to run on Google Cloud, some workloads might have very different requirements. For example, some workloads might have unique scalability or compliance requirements. In these cases, you might require more than one landing zone for your organization: one landing zone to host most of the workloads and a separate landing zone to host the unique workloads. You can share some elements such as identities, billing, and the organization resource across your landing zones. However, other elements, such as the network setup, deployment mechanisms, and folder-level policies, might vary.
Elements of a landing zone
A landing zone requires you to design the following core elements on Google Cloud:
In addition to these core elements, your business might have additional requirements. The following table describes these elements and where you can find more information about them.
| Landing zone element | Description |
|---|---|
| Monitoring and logging | Design a monitoring and logging strategy that helps ensure all relevant data is logged and that you have dashboards that visualize the data and alerts that notify you of any actionable exceptions. For more information, see Google Cloud Observability documentation. |
| Backup and disaster recovery | Design a strategy for backups and disaster recovery. For more information, see the following: |
| Compliance | Follow the compliance frameworks that are relevant to your organization. For more information, see the Compliance resource center. |
| Cost efficiency and control | Design capabilities to monitor and optimize cost for workloads in your landing zone. For more information, see the following: |
| API management | Design a scalable solution for APIs that you develop. For more information, see Apigee API Management. |
| Cluster management | Design Google Kubernetes Engine (GKE) clusters that follow best practices to build scalable, resilient, and observable services. For more information, see the following: |
Best practices for designing and deploying a landing zone
Designing and deploying a landing zone requires planning. You must have the right team to perform the tasks, and use a project management process. We also recommend that you follow the technical best practices that are described in this series.
Build a team
Bring together a team that includes people from multiple technical functions across the organization. The team must include people who can build all landing zone elements, including security, identity, networks, and operations. Identify a cloud practitioner who understands Google Cloud to lead the team. Your team should include members who manage the project and track achievements, and members who collaborate with application or business owners.
Make sure that all stakeholders are involved early in the process. Your stakeholders must come to a common understanding of the scope of the process and make high-level decisions when the project gets kicked off.
Apply project management to your landing zone deployment
Designing and deploying your landing zone can take multiple weeks, so project management is essential. Ensure that project goals are clearly defined and communicated to all stakeholders and that all parties receive updates on any project changes. Define regular checkpoints and agree on milestones with realistic timelines that take operational processes and unexpected delays into account.
To best align with business requirements, plan the initial landing zone deployment around the use cases that you want to deploy first in Google Cloud. We recommend that you first deploy workloads that can most easily run on Google Cloud, such as horizontally scaling multi-tier web applications. These workloads might be new or existing workloads. To assess existing workloads for migration readiness, see Migration to Google Cloud: Getting started.
Because landing zones are modular, center the initial design around the elements that are required to migrate your first workloads and plan to add other elements later.
Follow technical best practices
Consider using Infrastructure as Code (IaC), with, for example, Terraform. IaC helps you make your deployment repeatable and modular. Having a CI/CD pipeline that deploys cloud infrastructure changes using GitOps helps you ensure that you follow internal guidelines and put the right controls in place.
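The following Terraform sketch is an added illustration, not part of the original page and not taken from the Terraform example foundation. It expresses part of the sample architecture's production network as code (a Shared VPC host and service project, a subnet with VPC Flow Logs, a logged deny-all ingress firewall rule, and Cloud NAT); the project IDs, resource names, region, and IP range are placeholder assumptions.

```hcl
# Added example: all project IDs, names, the region, and the range are placeholders.
variable "host_project" { default = "example-prod-net-host" }
variable "service_project" { default = "example-prod-app" }
# Shared VPC: the host project owns the network; service projects attach to it.
resource "google_compute_shared_vpc_host_project" "host" {
  project = var.host_project
}
resource "google_compute_shared_vpc_service_project" "app" {
  host_project    = google_compute_shared_vpc_host_project.host.project
  service_project = var.service_project
}
resource "google_compute_network" "prod" {
  project                 = var.host_project
  name                    = "prod-shared-vpc"
  auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "prod" {
  project       = var.host_project
  name          = "prod-subnet"
  region        = "us-central1"
  network       = google_compute_network.prod.id
  ip_cidr_range = "10.10.0.0/24"
  log_config { metadata = "INCLUDE_ALL_METADATA" } # VPC Flow Logs
}
# Explicit low-priority deny (ingress is the default direction) so that
# rejected traffic appears in Firewall Rules Logging.
resource "google_compute_firewall" "deny_ingress" {
  project       = var.host_project
  name          = "prod-deny-all-ingress"
  network       = google_compute_network.prod.id
  priority      = 65000
  source_ranges = ["0.0.0.0/0"]
  deny { protocol = "all" }
  log_config { metadata = "INCLUDE_ALL_METADATA" }
}
# Cloud NAT: outbound internet access for resources without external IP addresses.
resource "google_compute_router" "prod" {
  project = var.host_project
  name    = "prod-router"
  region  = "us-central1"
  network = google_compute_network.prod.id
}
resource "google_compute_router_nat" "prod" {
  project                            = var.host_project
  name                               = "prod-nat"
  region                             = "us-central1"
  router                             = google_compute_router.prod.name
  nat_ip_allocate_option             = "AUTO_ONLY"
  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
}
```

Keeping a configuration like this in version control and applying it only through the CI/CD pipeline makes each network or firewall change a reviewable diff.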
When you design your landing zone, ensure that you and your team take technical best practices into consideration. For more information on decisions to make in your landing zone, see the other guides in this series.
In addition to this series, the following table describes frameworks, guides, and blueprints that can also help you follow best practices, depending on your use cases.
| Related documentation | Description |
|---|---|
| Google Cloud Setup | A high-level guided flow to help you set up Google Cloud for scalable, production-ready, enterprise workloads. |
| Enterprise foundation blueprint | An opinionated view of Google Cloud security best practices, aimed at CISO, security practitioners, risk managers, or compliance officers. |
| Google Cloud Well-Architected Framework | Recommendations and best practices to help architects, developers, administrators, and other cloud practitioners design and operate a cloud topology that's secure, efficient, resilient, high-performing, and cost-effective. |
| Terraform blueprints | A list of blueprints and modules that are packaged as Terraform modules and that you can use to create resources for Google Cloud. |
Identify resources to help implement your landing zone
Google Cloud offers the following options to help you set up your landing zone:
- Design and deploy a landing zone that is customized to your requirements with Google Cloud partners or Google Cloud professional services.
- Onboard a workload with the Google Cloud Customer Onboarding program.
- Deploy a generic landing zone with the setup guide in the Google Cloud console.
- Deploy a highly opinionated landing zone by using the Terraform example foundation.
All these offerings have approaches that are designed specifically to meet the needs of different industries and business sizes, across the globe. To help you make the best selection for your use case, we recommend that you work with your Google Cloud account team to make the selection and help to ensure a successful project.
What's next
- Decide how to onboard identities to Google Cloud (next document in this series).
- Decide the resource hierarchy for your Google Cloud landing zone.
- Decide the network design for your Google Cloud landing zone.
- Decide the security for your Google Cloud landing zone.
Last updated 2026-01-02 UTC.