DZone
Thanks for visiting DZone today,
Edit Profile
  • Manage Email Subscriptions
  • How to Post to DZone
  • Article Submission Guidelines
Sign Out View Profile
  • Post an Article
  • Manage My Drafts
Over 2 million developers have joined DZone.
Log In / Join
Please enter at least three characters to search
Refcards Trend Reports
Events Video Library
Refcards
Trend Reports

Events

View Events Video Library

Zones

Culture and Methodologies Agile Career Development Methodologies Team Management
Data Engineering AI/ML Big Data Data Databases IoT
Software Design and Architecture Cloud Architecture Containers Integration Microservices Performance Security
Coding Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks
Culture and Methodologies
Agile Career Development Methodologies Team Management
Data Engineering
AI/ML Big Data Data Databases IoT
Software Design and Architecture
Cloud Architecture Containers Integration Microservices Performance Security
Coding
Frameworks Java JavaScript Languages Tools
Testing, Deployment, and Maintenance
Deployment DevOps and CI/CD Maintenance Monitoring and Observability Testing, Tools, and Frameworks

Last call! Secure your stack and shape the future! Help dev teams across the globe navigate their software supply chain security challenges.

Modernize your data layer. Learn how to design cloud-native database architectures to meet the evolving demands of AI and GenAI workloads.

Releasing software shouldn't be stressful or risky. Learn how to leverage progressive delivery techniques to ensure safer deployments.

Avoid machine learning mistakes and boost model performance! Discover key ML patterns, anti-patterns, data strategies, and more.

Related

  • When (Tech Service) Relationships Don’t Work Out
  • Pilot VPC and Advanced NAT: Securely Connect Overlapping Networks to AWS VPC
  • Analyze Your ALB/NLB Logs With ClickHouse
  • Strategic Deployments in AWS: Leveraging IaC for Cross-Account Efficiency

Trending

  • Breaking Bottlenecks: Applying the Theory of Constraints to Software Development
  • Fraud Detection Using Artificial Intelligence and Machine Learning
  • Build Your First AI Model in Python: A Beginner's Guide (1 of 3)
  • Mastering Fluent Bit: Installing and Configuring Fluent Bit on Kubernetes (Part 3)
  1. DZone
  2. Software Design and Architecture
  3. Cloud Architecture
  4. AWS VPC Sharing Model for Multiple Accounts

AWS VPC Sharing Model for Multiple Accounts

VPC sharing with multiple accounts is a simple way to design multi-account networking and avoid a complex hub-and-spoke model.

By 
Rahul Nagpure user avatar
Rahul Nagpure
·
May. 01, 23 · Opinion
Likes (1)
Comment
Save
Tweet
Share
5.0K Views

Join the DZone community and get the full member experience.

Join For Free

As more organizations adopt cloud computing, managing multiple AWS accounts and virtual private clouds (VPCs) can become complex and challenging. When it comes to managing network resources in AWS, there are two main approaches: using a dedicated VPC or a shared VPC. Each approach has its own pros and cons, and choosing the right approach depends on your specific use case and requirements.

AWS VPC sharing is one approach that allows you to share VPC resources across multiple AWS accounts, simplifying network management and reducing costs. In this blog post, we'll explore VPC sharing, its benefits, use cases, and the shared VPC model.

What Is a Multi-Account Strategy?

A multi-account strategy is an approach to managing AWS resources using multiple AWS accounts, each with a specific purpose or function. A multi-account strategy can help you achieve several goals, such as:

  1. Improved security: By using separate AWS accounts for different workloads or departments, you can reduce the risk of unauthorized access and data breaches. You can also enforce security policies and compliance requirements more easily.
  2. Increased efficiency: By using separate AWS accounts for different environments, such as development, testing, and production, you can improve resource utilization and reduce costs. You can also manage resources more efficiently by centralizing administration and monitoring.
  3. Simplified billing: By using separate AWS accounts for different business units or customers, you can simplify billing and cost allocation. You can also use AWS Organizations to manage billing and payment methods across multiple AWS accounts.

Why VPC Sharing?

VPC sharing is a feature that allows you to share VPC resources, such as subnets, route tables, and security groups, with other AWS accounts. With VPC sharing, you can centralize your network resources and manage them more efficiently. You can also control access to your VPC resources and enforce security policies across multiple AWS accounts.

VPC sharing enables customers to share subnets with other AWS accounts within the same AWS Organization. This concept has many benefits, including:

  1. Separation of duties, as the VPC structure, routing, and IP address allocation can be centrally controlled.
  2. Application owners can still own their resources, accounts, and security groups.
  3. VPC-sharing participants can reference each other's security group IDs.
  4. Efficiency gains through higher subnet density and better use of VPNs and AWS Direct Connect.
  5. Simplified network architecture can help avoid hard limits, such as the 50 VIFs per AWS Direct Connect connection limit.
  6. Cost optimization through the reuse of NAT gateways, Transit gateway, Network Firewalls, VPC interface endpoints, and intra-Availability Zone traffic.
  7. VPC sharing allows for the decoupling of accounts and networks, enabling customers to have fewer, larger, centrally managed VPCs while maintaining highly interconnected applications.

Shared VPC Model

There are many ways to design shared VPC subnet configuration. When designing your shared VPC, there are several factors to consider, such as how to align subnets with VPC participants. It is common for individuals to create a dedicated set of subnets for each VPC participant, with one subnet for each Availability Zone in a three-AZ AWS Region. 

This approach minimizes the impact of any issues that arise since each participant has their own set of subnets, reducing the risk of exhausting all available IPs and affecting other participants. Additionally, you can allocate a separate set of subnets for VPC infrastructure purposes.

Shared VPC Model

One of the most common models is to have multiple security zones within the same shared VPC.

  • The VPC owner has centralized control over the Network ACLs and routing for all subnets.
  • All participant accounts automatically utilize the transit gateway in the owner account to route traffic to on-premises resources.
  • All participant accounts to access the internet through the NAT gateway configured in the owner account, and traffic is always inspected through the owner account's AWS Network Firewall.
  • The VPC owner is responsible for managing VPC-related logs, such as Flow Logs and VPC DNS query logs.
  • GuardDuty findings are only accessible to the AWS accounts that own the resources where malicious activity is detected.
  • The owner VPC is responsible for managing DNS resolutions and forwarding rules, and there is no need for any additional configuration for participant VPCs to use this DNS.
  • Participant VPCs can use the endpoints configured in the owner account's VPC subnets.

Use Cases for Multi-Account Strategies With VPC Sharing

Multi-account strategies with VPC sharing can be used in several scenarios, such as:

  1. Enterprise IT: If you're an enterprise IT organization, you can use multi-account strategies with VPC sharing to manage resources for different business units or departments. You can also use VPC sharing to control access to network resources and enforce security policies.
  2. Managed service providers: If you're a managed service provider, you can use multi-account strategies with VPC sharing to manage resources for multiple customers. You can also use VPC sharing to centralize network resources and improve efficiency.
  3. Software as a service (SaaS) providers: If you're a SaaS provider, you can use multi-account strategies with VPC sharing to manage resources for different tenants or customers. You can also use VPC sharing to control access to network resources and enforce security policies.

Conclusion

Multi-account strategies with VPC sharing provide a powerful approach to managing AWS resources across multiple AWS accounts. By using separate AWS accounts for different workloads or departments and sharing VPC resources, you can improve security, increase efficiency, and reduce costs. By following the best practices outlined in this blog post, you can set up multi-account strategies with VPC sharing and start reaping their benefits.

AWS Virtual private cloud

Opinions expressed by DZone contributors are their own.

Related

  • When (Tech Service) Relationships Don’t Work Out
  • Pilot VPC and Advanced NAT: Securely Connect Overlapping Networks to AWS VPC
  • Analyze Your ALB/NLB Logs With ClickHouse
  • Strategic Deployments in AWS: Leveraging IaC for Cross-Account Efficiency

Partner Resources

×

Comments
Oops! Something Went Wrong

The likes didn't load as expected. Please refresh the page and try again.

ABOUT US

  • About DZone
  • Support and feedback
  • Community research
  • Sitemap

ADVERTISE

  • Advertise with DZone

CONTRIBUTE ON DZONE

  • Article Submission Guidelines
  • Become a Contributor
  • Core Program
  • Visit the Writers' Zone

LEGAL

  • Terms of Service
  • Privacy Policy

CONTACT US

  • 3343 Perimeter Hill Drive
  • Suite 100
  • Nashville, TN 37211
  • support@dzone.com

Let's be friends:

Likes
There are no likes...yet! 👀
Be the first to like this post!
It looks like you're not logged in.
Sign in to see who liked this post!