

# Appendix: multi-account landing zone (MALZ) onboarding consideration list
<a name="apx-malz-questions"></a>

There are a number of key considerations you'll need to think about in planning your AMS multi-account landing zone deployment. Your choices will provide AMS with the information it requires to determine the infrastructure components you will need. Your Cloud Architect (CA) will provide you with a questionnaire to assist in this work.

**Topics**
+ [AMS multi-account landing zone account configuration](core-questions-account.md)
+ [AMS multi-account landing zone monitoring alerts](og-ma-monitoring-alerts.md)
+ [Network configuration](core-questions-network.md)
+ [Active Directory configuration](core-questions-ad.md)
+ [Trend Micro Endpoint Protection (EPS)](core-questions-eps.md)
+ [Access: Bastions, SSH and RDP](core-questions-bastion.md)
+ [Federation](core-questions-federation.md)

**Note**  
For more information on instance types, see [Amazon EC2 Instance Types](https://aws.amazon.com/ec2/instance-types/).  
For more information on database instance types, see [Amazon RDS Instance Types](https://aws.amazon.com/rds/instance-types/).  
If you require Direct Connect, see the AMS single-account landing zone Onboarding Guide to create a Direct Connect connection.

You will receive an onboarding questionnaire from your Cloud Service Delivery Manager (CSDM) containing questions about your desired configuration settings for your account. Work with your CSDM to complete the questionnaire before proceeding.

# AMS multi-account landing zone account configuration
<a name="core-questions-account"></a>
+ New Account ID

  The AWS account ID that you created for the AMS multi-account landing zone. It should not be part of an AWS organization.
+ Service Region

  The primary Region in which the AMS multi-account landing zone environment will be deployed.
+ The core account email addresses for notifications (these should all be in the same domain). Provide an email address for each of the following:
  + Shared Services account
  + Networking account
  + Logging account
  + Security account
+ Your service type, Premium or Plus

  This determines the service level agreements (SLAs) for resolving issues in your environment.

# AMS multi-account landing zone monitoring alerts
<a name="og-ma-monitoring-alerts"></a>

AMS provides a way for you to be directly alerted (versus getting AMS service notifications) for certain monitoring alerts. To sign up for this, make sure that your Cloud Architect (CA) or Cloud Service Delivery Manager (CSDM) receives this information:

**Direct Alerts Email**: These are the email addresses that you want AMS to send certain resource-based alerts to. For details of which alerts are sent directly to email, see [Alerts from baseline monitoring in AMS](https://docs.aws.amazon.com/managedservices/latest/onboardingguide/monitoring-default-metrics.html) in the *AMS Advanced User Guide*. For more information on AMS monitoring, see [Monitoring Management](https://docs.aws.amazon.com/managedservices/latest/userguide/monitoring.html) in the AMS User Guide for Single-Account Landing Zone.

# Network configuration
<a name="core-questions-network"></a>
+ Transit Gateway ASN Number

  This is the Autonomous System Number (ASN) for the AWS side of a Border Gateway Protocol (BGP) session. It must be unique and cannot be the same one used for your Direct Connect or VPN. The range is 64512 to 65534 (inclusive) for 16-bit ASNs.
+ Your AMS multi-account landing zone infrastructure VPC CIDR ranges

  These CIDR ranges cannot overlap with your on-premises network.

  You can either include a /22 CIDR range, or provide each VPC CIDR individually. Note that only CIDR ranges within the following private address blocks are allowed:
  + 10.0.0.0 - 10.255.255.255 (10/8 prefix)
  + 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  + 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

  Note that the IP range 198.18.0.0/15 may not be used (it is reserved by AWS Directory Service).

  The individual VPC CIDR ranges are:
  + Core Infrastructure VPC CIDR range (/22 range recommended)
  + Networking VPC CIDR range (/24 range recommended)
  + Shared Services VPC CIDR range (/23 range recommended)
  + DMZ VPC CIDR range (/25 range recommended)
+ VPN ECMP (enable or disable)

  For VPN ECMP support, choose enable if you need Equal Cost Multipath (ECMP) routing support between VPN connections. If connections advertise the same CIDRs, the traffic is distributed equally between them.
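The ASN and CIDR constraints above are easy to get wrong on a questionnaire and expensive to fix after the landing zone is built. The following is an added pre-flight checker, not AMS code, that encodes those constraints with the standard library: the 16-bit private ASN range, no collision with the ASNs already used by your Direct Connect or VPN, VPC CIDRs inside the three allowed private blocks, no overlap with the 198.18.0.0/15 range reserved by AWS Directory Service, and no overlap with your on-premises ranges. It goes one step beyond the page by also rejecting VPC CIDRs that overlap each other, since VPCs attached to the same transit gateway must have distinct address space. The function names and the sample CIDRs in the `__main__` block are constructed for illustration.

```python
import ipaddress

# Private address blocks the onboarding list allows for VPC CIDRs (RFC 1918).
ALLOWED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Range the page says may not be used (reserved by AWS Directory Service).
RESERVED_RANGE = ipaddress.ip_network("198.18.0.0/15")

# 16-bit private ASN range quoted on the page (inclusive).
ASN_MIN, ASN_MAX = 64512, 65534


def check_tgw_asn(asn, existing_asns):
    """Return a list of problems with the proposed Transit Gateway ASN.

    existing_asns: ASNs already in use on your side (Direct Connect, VPN);
    the TGW ASN must not reuse any of them.
    """
    problems = []
    if not ASN_MIN <= asn <= ASN_MAX:
        problems.append(f"ASN {asn} is outside the 16-bit private range {ASN_MIN}-{ASN_MAX}")
    if asn in existing_asns:
        problems.append(f"ASN {asn} is already used by Direct Connect or VPN")
    return problems


def check_vpc_cidrs(vpc_cidrs, on_prem_cidrs):
    """Return a list of problems with the proposed VPC CIDRs.

    vpc_cidrs: dict mapping VPC name -> CIDR string (IPv4 assumed).
    on_prem_cidrs: list of CIDR strings describing the on-premises network.
    """
    problems = []
    nets = {}
    for name, cidr in vpc_cidrs.items():
        try:
            # strict=True rejects blocks with host bits set, e.g. 10.0.1.0/22
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid CIDR block ({exc})")
            continue
        nets[name] = net
        if not any(net.subnet_of(allowed) for allowed in ALLOWED_RANGES):
            problems.append(f"{name}: {cidr} is outside the allowed private ranges")
        if net.overlaps(RESERVED_RANGE):
            problems.append(f"{name}: {cidr} overlaps reserved range {RESERVED_RANGE}")
        for on_prem in on_prem_cidrs:
            if net.overlaps(ipaddress.ip_network(on_prem)):
                problems.append(f"{name}: {cidr} overlaps on-premises range {on_prem}")
    # Added check beyond the page: VPCs behind one transit gateway must not overlap each other.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    # Constructed sample input following the recommended prefix lengths.
    proposed = {
        "core-infrastructure": "10.0.0.0/22",
        "networking": "10.0.4.0/24",
        "shared-services": "10.0.6.0/23",
        "dmz": "10.0.8.0/25",
    }
    print(check_tgw_asn(64512, existing_asns=[65000]))
    print(check_vpc_cidrs(proposed, on_prem_cidrs=["192.168.0.0/16"]))
```

Run it against the values you intend to put on the questionnaire; an empty list from both functions means the network section is internally consistent. The checker only covers the rules stated on this page plus the mutual-overlap rule; it does not know about CIDRs already allocated elsewhere in your organization, so feed those in through `on_prem_cidrs` as well.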

## Network access control list (NACL)
<a name="core-questions-network-nacl"></a>

A network access control list (NACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. For more information about the differences between security groups and network ACLs, see [Comparison of security groups and network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison).

However, in AMS multi-account landing zone, in order for AMS to effectively manage and monitor infrastructure, the use of NACLs is limited to the following scope:
+ NACLs are not supported in the multi-account landing zone core accounts: Management, Networking, Shared Services, Logging, and Security.
+ NACLs are supported in multi-account landing zone Application accounts as long as they are only used as a "Deny" list. Additionally, they must have an "Allow All" rule configured so that AMS monitoring and management operations are not blocked.

In large scale multi-account environments, you can also leverage features like centralized egress firewalls to control outbound traffic and/or AWS Transit Gateway routing tables in AMS multi-account landing zone to segregate network traffic among VPCs.
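A NACL that is meant to be a pure deny list can drift into something else over time, and because NACL rules are evaluated in ascending rule-number order with the first match winning, a deny rule numbered above the allow-all rule never fires. The following added checker, not AMS code, takes NACL entries in the shape that the EC2 `DescribeNetworkAcls` API returns (`RuleNumber`, `Protocol`, `RuleAction`, `Egress`, `CidrBlock`) and reports three conditions for an Application-account NACL: a direction with no allow-all rule (AMS management traffic would be blocked), a selective allow rule (the NACL is no longer a deny list), and a deny rule shadowed by the allow-all. The sample entries are constructed and use a documentation address range.

```python
ALLOW_ALL_CIDR = "0.0.0.0/0"
ALL_PROTOCOLS = "-1"
DEFAULT_DENY_RULE = 32767  # the implicit "*" deny rule AWS appends to every NACL


def is_allow_all(entry):
    """True for an 'allow all protocols from/to anywhere' rule."""
    return (
        entry["RuleAction"] == "allow"
        and entry["Protocol"] == ALL_PROTOCOLS
        and entry.get("CidrBlock") == ALLOW_ALL_CIDR
    )


def check_deny_list_nacl(entries):
    """Return problems with a NACL that is supposed to be a deny list plus allow-all.

    entries: list of dicts shaped like the Entries of DescribeNetworkAcls.
    """
    problems = []
    for egress, label in ((False, "inbound"), (True, "outbound")):
        # NACLs evaluate rules in ascending RuleNumber order, first match wins.
        rules = sorted(
            (e for e in entries if e["Egress"] == egress and e["RuleNumber"] != DEFAULT_DENY_RULE),
            key=lambda e: e["RuleNumber"],
        )
        allow_all_numbers = [e["RuleNumber"] for e in rules if is_allow_all(e)]
        if not allow_all_numbers:
            problems.append(f"{label}: missing allow-all rule, AMS monitoring and management traffic would be blocked")
        for e in rules:
            if is_allow_all(e):
                continue
            if e["RuleAction"] == "allow":
                problems.append(
                    f"{label} rule {e['RuleNumber']}: selective allow rule; only deny rules plus an allow-all are permitted"
                )
            elif allow_all_numbers and e["RuleNumber"] > allow_all_numbers[0]:
                problems.append(
                    f"{label} rule {e['RuleNumber']}: deny rule is shadowed by allow-all rule {allow_all_numbers[0]} and never matches"
                )
    return problems


# Constructed sample: one deny rule in front of the allow-all, in both directions,
# plus the implicit default deny entries that the API always returns.
SAMPLE_NACL = [
    {"RuleNumber": 10, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(check_deny_list_nacl(SAMPLE_NACL))  # compliant: []
```

The checker is deliberately strict about ordering: a deny rule with a number above the allow-all is reported rather than ignored, because it gives a false sense of being blocked. Feeding it the `Entries` list from the API response for each Application-account NACL is a quick way to confirm the deny-list condition before requesting the change.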

# Active Directory configuration
<a name="core-questions-ad"></a>

Domain FQDN for AMS managed Active Directory

# Trend Micro Endpoint Protection (EPS)
<a name="core-questions-eps"></a>
+ Instance sizes for your EC2 instances and Auto Scaling groups

  Trend Micro Endpoint Protection (EPS) is the primary component within AMS for operating system security. The system consists of Deep Security Manager (DSM) EC2 instances, relay EC2 instances, and an agent present on all AMS data plane EC2 instances and on your EC2 instances.
  + Relay instance type (minimum supported by AMS is m5.large)
  + DB instance size (200 GB recommended)
  + RDS instance type (only db.m5.large or db.m5.xlarge allowed)
+ DSM License type (Marketplace or BYOL)

  If you already have a license, choose BYOL (bring your own license). AMS will contact you to obtain the necessary information about the license. 
+ AWS IAM user or role Amazon Resource Name (ARN) for the Trend Micro Deep Security subscription (Role ARN: `arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME`)

  Provide an IAM role ARN or an IAM user ARN from one of your existing AWS accounts to which you have access. AMS creates an IAM role in your AMS multi-account landing zone Shared Services account and adds the role or user you provided to that role's trust policy, so that you can assume the role to subscribe to Trend Micro Deep Security in AWS Marketplace.
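The ARN you hand over becomes a principal in the trust policy of a role that AMS creates, so it is worth validating its shape before submitting it and understanding what the resulting trust looks like. The following is an added illustration, not AMS's actual policy text or tooling: `validate_principal_arn` accepts exactly the two principal shapes the questionnaire asks for (an IAM role ARN or an IAM user ARN) and rejects account-root ARNs, STS assumed-role ARNs and wildcards, and `build_trust_policy` renders the minimal trust statement that would admit that principal. The optional `require_mfa` condition is an added hardening option that is meaningful when the principal is an IAM user; the account ID and role name in the example are constructed.

```python
import json
import re

# Matches an IAM role or user ARN in a single AWS account (12-digit account ID).
# IAM names allow alphanumerics plus + = , . @ - and paths may contain '/'.
PRINCIPAL_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(role|user)/[\w+=,.@/-]+$")


def validate_principal_arn(arn):
    """Return the 12-digit account ID if arn is an IAM role or user ARN, else None."""
    match = PRINCIPAL_ARN.match(arn)
    return match.group(1) if match else None


def build_trust_policy(customer_principal_arn, require_mfa=False):
    """Trust policy document for the Shared Services role the customer assumes.

    Constructed illustration of the trust relationship described on the page:
    the provided role or user is the only principal allowed to call sts:AssumeRole.
    """
    if validate_principal_arn(customer_principal_arn) is None:
        raise ValueError(f"not an IAM role or user ARN: {customer_principal_arn}")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": customer_principal_arn},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # Only useful for IAM user principals; role-chaining does not carry MFA context.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    # Constructed example ARN; replace with the role or user from your own account.
    example_arn = "arn:aws:iam::123456789012:role/MarketplaceSubscriber"
    print(json.dumps(build_trust_policy(example_arn, require_mfa=False), indent=2))
```

Trusting a specific role or user rather than the whole account (`arn:aws:iam::123456789012:root`) keeps the set of identities that can subscribe on your behalf explicit, which is why the validator refuses the root form.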

# Access: Bastions, SSH and RDP
<a name="core-questions-bastion"></a>
+ SSH Bastion settings

  AMS provides SSH bastions in your Shared Services account to access hosts in the AMS environment. In order to access the AMS network as an SSH user, you must use the SSH bastions as the entry point. The network path originates from the on-premises network, goes through DX/VPN to the transit gateway (TGW), and then is routed to the Shared Services VPC. Once you are able to access the bastion, you can jump to other hosts in your AMS environment, provided that the proper access request has been granted.
  + Desired instance count (2 recommended)
  + Maximum instances (4 recommended)
  + Minimum instances (2 recommended)
  + Instance type (m5.large recommended)
  + Ingress CIDRs: IP address ranges from which users in your network will access the SSH bastions (IP range 1, IP range 2, IP range 3, etc.)
+ RDP Bastion settings

  AMS optionally provides RDP bastions in your Shared Services account to access hosts in the AMS environment. In order to access the AMS network as an RDP user, you must use the RDP bastions as the entry point. The network path originates from the on-premises network, goes through DX/VPN to the TGW, and then is routed to the Shared Services VPC. Once you are able to access the bastion, you can jump to other hosts in the AMS environment, provided that the proper access request has been granted.
  + Instance type (t3.medium recommended)
  + Desired minimum sessions (2 recommended)
  + Desired maximum sessions (10 recommended)
+ RDP Bastion Configuration Type, Shared Standard or Shared HA (default is Shared Standard)

  | Configuration type | Bastions per user | Users per bastion |
  | --- | --- | --- |
  | SecureStandard | One bastion | Only one user can connect to the bastion |
  | SecureHA | Two bastions in two different AZs | Only one user can connect to the bastion |
  | SharedStandard | One bastion | Two users can connect to the same bastion at once |
  | SharedHA | Two bastions in two different AZs | Two users can connect to the same bastion at once |
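Because the documented path to the bastions starts on your on-premises network and arrives over DX/VPN, the ingress CIDRs you list for the SSH bastions should be drawn from that network rather than left open. The following added checker, not AMS code, validates the SSH bastion settings above: the Auto Scaling counts must satisfy minimum ≤ desired ≤ maximum, and every ingress CIDR must be a well-formed IPv4 block that is neither `0.0.0.0/0` nor outside the on-premises ranges you declared elsewhere on the questionnaire. Function names and the sample ranges are constructed.

```python
import ipaddress

ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def check_bastion_capacity(minimum, desired, maximum):
    """Return problems with the bastion Auto Scaling group counts (page recommends 2/2/4)."""
    problems = []
    if not minimum <= desired <= maximum:
        problems.append(
            f"desired count {desired} is not between minimum {minimum} and maximum {maximum}"
        )
    return problems


def check_bastion_ingress(ingress_cidrs, on_prem_cidrs):
    """Return problems with the SSH bastion ingress CIDR list.

    ingress_cidrs: CIDR strings users will connect from (IPv4 assumed).
    on_prem_cidrs: CIDR strings describing your on-premises network, which is
    where the documented access path originates.
    """
    problems = []
    on_prem = [ipaddress.ip_network(c) for c in on_prem_cidrs]
    for cidr in ingress_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: invalid CIDR ({exc})")
            continue
        if net == ANY_IPV4:
            problems.append(f"{cidr}: would admit every source address to the bastion")
            continue
        if not any(net.subnet_of(p) for p in on_prem):
            problems.append(f"{cidr}: not within the declared on-premises ranges")
    return problems


if __name__ == "__main__":
    # Constructed sample: two office ranges inside a declared 192.168.0.0/16 on-premises block.
    print(check_bastion_capacity(minimum=2, desired=2, maximum=4))
    print(check_bastion_ingress(["192.168.10.0/24", "192.168.20.0/24"], ["192.168.0.0/16"]))
```

An empty list from both functions means the SSH bastion block of the questionnaire is consistent with the network path the page describes; any reported CIDR is one to justify explicitly with your CA before submitting it.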

# Federation
<a name="core-questions-federation"></a>

Identity Provider (IDP) Name

Defaults to `customer-saml`