Provisioning Capacity on Demand: AWS Landing Zone




Our customer leads the delivery of education and development services to children, young people and adults in Victoria.

Case Study


Our customer’s existing on-premises data centre environment, hosted in a heritage-listed building, was becoming a problem to maintain. Capacity issues abounded, and restrictions on what can be done with the building meant that adding hardware faced a series of complex and bureaucratically-charged uphill battles. 

At the same time, demand for improved services was on the rise as student enrolments increased with Victoria’s swelling population. The Infrastructure Manager had to find a solution that allowed them to move faster without significant cost outlay. In addition, because the organisation deals with such large amounts of student data, security had to be top priority.

It was clear that the old ways of performing a labour-intensive and complex physical data centre migration wasn’t a viable option. Significant up-front planning, high levels of very specific expertise, costly up-front physical equipment purchases as well as negotiating and signing complex multiple-year contracts made the prospect unappealing. 

Instead, they wanted to adopt a DevOps approach to increasing their capacity, which would allow for incremental, iterative development based on the needs of the department as they evolved, and drawing on the existing skill sets they had.

Case Study


Cevo already had an existing relationship with the organisation, helping to build and deploy a learning management solution based on the Moodle platform. As a result of this successful collaboration, they wanted to utilise Cevo’s skills and experience again to assist with this challenge.

Cevo proposed an AWS Landing Zone implementation, connected to the existing on-premises environments via a Transit Gateway with redundant VPN connections to the remaining network infrastructure.

The Landing Zone solution ticked all the boxes: security, speed to implementation, integration with their existing infrastructure, cost control, and self-service for internal teams; and all the while, providing the much-needed capacity required in order to support the learning needs of students in the state.

Cevo recommended using AWS Services and Best Practices to deliver the Landing Zone and its associated components:

  • CloudFormation for Infrastructure as Code, so that changes could be made in a repeatable, controlled manner;
  • Service Catalog to enable self-service of add-on components;
  • Organisations and the associated security controls like Service Control Policies, CloudTrail, and Guard Duty to enable security from the top-down along with easy cost control and allocation;
  • Transit Gateway for the simplicity of network connectivity back to the on-premises network environment, plus connection of new accounts as they were provisioned


Through the process of delivering the solution, the Cevo team worked closely with internal teams to build understanding, share knowledge, and to identify issues and work through them. 

Delivery of the solution was performed using the suite of AWS DevOps tools where appropriate, including CodeCommit, CodePipeline, and CodeBuild. This allows the delivered solution to grow iteratively, as further requirements are identified and new AWS service offerings and features are released which may improve the solution.

Case Study_1


After the initial design and approval phase, the Landing Zone implementation was completed in a matter of days. Beginning February 2019, the base Organisation account was created, Landing Zone with its dependent accounts deployed, a Transit Gateway with attachments to those accounts, and security and management controls to meet the stringent requirements of the organisation. By the end of February 2019, the Landing Zone initial implementation was complete, and ready for use.

The delivery of the solution using a DevOps approach has won fans within the organisation, and several teams are adopting the iterative, you-build-it, you-run-it mindset for a number of their future projects.

Since that time, Cevo has been engaged to further enhance and improve the Landing Zone solution, by:

  • adding accounts and connectivity for a VMware Cloud on AWS (VMC) Software-Defined Data Centre (SDDC) which has been used to demonstrate the ability to move workloads rapidly from the existing on-premises environment to AWS;
  • integration of centralised logging from our customer’s Zscaler network security implementation into their existing Splunk Cloud Security Incident Event Management (SIEM) solution


Ultimately, our customer has realised their desire to be able to provision capacity on demand in a secure, repeatable manner through the use of AWS services, and to explore and develop further service offerings for students, teachers, and educational institutions in a rapid, iterative manner. The roadmap for exiting the old and unmaintainable (but beautiful) on-premises data centre is clear.