
Instant Observability of your AWS Control Tower Landing Zone with New Relic

source link: https://newrelic.com/blog/how-to-relic/observability-aws-control-tower?utm_campaign=Feed%3A+NewRelic+%28New+Relic+Blog%29

A previous version of this post was published in December 2020 in the AWS Marketplace Blog. Welly Siaw, Sr. Technical Account Manager, AWS, contributed to this blog post.

AWS Control Tower: Multi-account setup and governance

Amazon Web Services (AWS) best practices for a well-architected environment recommend separating your workloads into multiple AWS accounts. Using multiple AWS accounts provides a natural billing boundary for costs, isolates resources for security, gives flexibility to individuals and teams, and adapts easily to new business processes.

AWS Control Tower helps customers of all sizes, across the globe, looking for the easiest way to set up their new multi-account AWS environment, and govern at scale. You have the confidence knowing accounts in your organization are compliant with established policies while your teams provision new AWS accounts quickly.

Using AWS Control Tower, you can set up an automated landing zone that employs best-practice blueprints for identity, federated access, centralized logging, and account structure among others.

Instant observability: Key to governance and operational agility

The AWS Control Tower dashboard provides continuous visibility into your AWS environment, including the AWS Organizations organizational units (OUs) and accounts provisioned, the guardrails enabled, and the compliance status of OUs and accounts against those guardrails. This dashboard is a good starting point for high-level visibility into your landing zone. Most landing zones grow over time: as you scale, the number of teams, workloads, organizations, and accounts in your landing zone increases.

To scale with agility, you need instant observability and the ability to move faster. This is possible with the consolidation of operational data across all of your workloads and infrastructure, spanning across multiple accounts and regions, and sometimes across on-premises hybrid environments. This is critical for robust governance, risk management, and operational agility—at the scale of operating on potentially tens or even hundreds of accounts.

Landing zone observability with New Relic

New Relic is an AWS Partner Network (APN) Advanced Technology Partner, focused on making observability available to all and simple to embrace. New Relic One is New Relic’s observability platform, available for free in the AWS Marketplace.

This blog post describes our new AWS Quick Start solution for landing zone observability and why it’s powerful. Learn how to:

  1. Deploy the Quick Start in your AWS environment.
  2. Use instant observability for proper governance and operational agility in your landing zone with New Relic.

AWS Quick Start for New Relic’s AWS Control Tower integration

AWS Marketplace now offers third-party software solutions for AWS Control Tower. You can find New Relic’s AWS Control Tower solution in the AWS Marketplace under the operational intelligence use case. In the spirit of making observability simple and available to all, New Relic is committed to providing open source solutions to our customers and everyone looking for observability. As a result of our strategic collaboration agreement with AWS, we are launching AWS Quick Start for New Relic’s AWS Control Tower solution, which streamlines the observability of your landing zone. With this solution, enrolled accounts in your AWS Control Tower managed organization are automatically observable with your New Relic One account from the moment they are launched. It also lets you observe existing accounts with New Relic, in case you've already set up your landing zone.

Why use the Quick Start?

  • Instant observability: Your accounts are automatically observable right from the moment they are launched or enrolled. No delays or configuration needed.
  • Frictionless onboarding: Use a simple one-click deployment that finishes in a few minutes using the AWS Management Console or AWS Command Line Interface (AWS CLI). If you’ve already set up your landing zone, any existing (already enrolled) accounts will also be observable from the get-go, with no work needed to onboard them. Moreover, you no longer need to link your landing zone accounts from your New Relic account; it’s all done for you automatically.
  • Effortless: After the Quick Start deploys in a few minutes, spend no further time managing your monitoring setup, as you scale your landing zone. More time at hand to build features and deliver value to your customers.
  • Moving faster with centralized governance: With New Relic, you can manage all operational data from your landing zone along with all the workloads running on it (and anything else not running on AWS) from one place, with no need to hop back and forth between multiple AWS accounts or another set of observability tools. With New Relic Explorer you gain access to immersive, high density, at-a-glance health or compliance views of your multi-account environment in New Relic, with no time spent setting things up. You can find sudden changes and anomalies faster so you know what to pay attention to at any given moment.
  • Flexible: Instrument your entire landing zone (default), or choose which accounts or organizations to monitor with New Relic.
  • Scale with ease: Monitor large landing zones spanning multiple AWS Regions and hundreds of accounts.
  • Ubiquitous: Launch and enroll your accounts using the tool you prefer, observing them instantly.

Quick Start overview

The Quick Start deploys the New Relic AWS integration into your landing zone accounts. The Quick Start is deployed using AWS CloudFormation. New Relic AWS integrations require you to grant New Relic permission to read operational data from your AWS accounts. This is achieved by using AWS Identity and Access Management (IAM) cross-account access. The New Relic AWS integration uses the Amazon CloudWatch API to obtain telemetry data for the AWS services you choose to observe. New Relic also pulls AWS tags from AWS Resource Groups Tagging API and other metadata from AWS services in order to decorate telemetry with enriched metadata collected from AWS Services APIs. This is done using API polling-based integrations to collect telemetry for more than 50 AWS services.
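Because the integration described above works by granting an outside party cross-account IAM read access to every enrolled account, the check a practitioner wants before rolling it out across a landing zone is that the role really is read-only and that its trust policy cannot be assumed by anyone but the intended principal. The following is an added example of such an audit, not code from New Relic's Quick Start or from the article; the policy documents, the account ID `111111111111`, the external ID value and the list of "read" action prefixes are constructed assumptions for illustration.

```python
"""Audit a cross-account IAM role of the kind a third-party monitoring
integration assumes (added example; not the Quick Start's own code).

Three properties are checked:
  * the trust principal is an explicit AWS account, not a wildcard
  * the assume-role statement is gated on an sts:ExternalId condition
  * the permission statements contain only read-style actions
"""
import json
from typing import Any, Dict, List

# Assumption: a conservative prefix list of read-style API names. It is not a
# complete catalogue of AWS read APIs; extend it for your own audit.
READ_PREFIXES = ("Get", "List", "Describe", "Lookup", "Filter", "View", "Read")


def _as_list(value: Any) -> List[Any]:
    """IAM allows scalars or lists in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allow_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    return [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]


def audit_trust_policy(trust: Dict[str, Any]) -> List[str]:
    """Return findings for the role's trust (assume-role) policy."""
    findings: List[str] = []
    for stmt in _allow_statements(trust):
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        principals = (_as_list(principal.get("AWS")) if isinstance(principal, dict)
                      else _as_list(principal))
        if not principals:
            findings.append("assume-role statement names no AWS principal")
        for p in principals:
            if "*" in p:
                findings.append(f"trust principal too broad: {p}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("assume-role statement lacks an sts:ExternalId condition")
    return findings


def audit_permissions(policy: Dict[str, Any]) -> List[str]:
    """Return findings for actions that grant more than read access."""
    findings: List[str] = []
    for stmt in _allow_statements(policy):
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append(f"wildcard action grants more than read: {action}")
                continue
            _, _, api = action.partition(":")
            if not api.startswith(READ_PREFIXES):
                findings.append(f"non-read action: {action}")
    return findings


def audit_cross_account_role(trust: Dict[str, Any], permissions: Dict[str, Any]) -> List[str]:
    """Combined audit; an empty list means the role passed every check."""
    return audit_trust_policy(trust) + audit_permissions(permissions)


# Constructed sample policies (placeholder account ID and external ID).
GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}
GOOD_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics", "tag:GetResources"],
        "Resource": "*",
    }],
}
BAD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}
BAD_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["cloudwatch:*", "ec2:TerminateInstances"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps({
        "good": audit_cross_account_role(GOOD_TRUST, GOOD_PERMISSIONS),
        "bad": audit_cross_account_role(BAD_TRUST, BAD_PERMISSIONS),
    }, indent=2))
```

Run it against the role's `AssumeRolePolicyDocument` and its policy documents as returned by the IAM API; the good sample yields no findings, while the bad sample flags the wildcard principal, the missing external ID, the `cloudwatch:*` wildcard and the `ec2:TerminateInstances` write action. The external-ID check matters most in this setting: it is the condition that stops a third party's role in another customer's account from being pointed at yours.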

Note that this contrasts with our new Amazon CloudWatch Metric Streams integration mode where all metrics from all AWS services and custom namespaces are available in New Relic at the same time, without needing a specific integration to be built or updated. Support for the Metric Streams integration mode will be added to the Quick Start in the future.

Also note that the Quick Start enables all the AWS services supported by New Relic, so you don’t have to manually turn them on as you begin using a new service. You can always disable any integrations so you don’t pay for something you don’t use. To disable integrations at scale, see our NerdGraph examples.

The following architecture diagram illustrates the deployment view of the Quick Start in an AWS Control Tower environment.
