Inter-VPC and Multi-account Networking – ANS-C01 Study Guide

THE AWS CERTIFIED ADVANCED NETWORKING – SPECIALTY EXAM OBJECTIVES COVERED IN THIS CHAPTER MAY INCLUDE, BUT ARE NOT LIMITED TO, THE FOLLOWING:

  • Domain 2: Network Implementation 

Task Statement 2.2: Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns.

Networking Services of VPCs

This chapter focuses on interconnecting AWS virtual private clouds (VPCs) and goes into detail, from a networking perspective, about the different options, architectures, and services AWS offers for this. You will learn the specifics of enabling network connections between VPCs and outside services, as well as the wide-area networking services used to provide access and interconnects. VPC networking is a core component of the AWS Advanced Networking – Specialty exam, and you should understand the details thoroughly before sitting for it.

VPC Sharing

VPC sharing lets resources from multiple accounts and teams run in one common, shared network. Because those resources sit in the same VPC, traffic between them stays on the internal AWS network, which simplifies security controls and lets the accounts share network resources instead of each building their own. Participant accounts launch their resources, such as EC2 instances, RDS databases, and other services that run inside subnets, into the shared subnets, creating a shared private network without peering or transit connections between separate VPCs. VPC sharing gives you the ability to centrally manage the VPC while its subnets are used across multiple accounts.

VPC sharing gives AWS users the ability to share IP subnets with other AWS accounts in the same AWS organization. This gives you centralized control over routing, IP addressing, and the sharing of security groups; larger, higher-density VPCs; and less duplication of resources such as NAT gateways and endpoints, with less cross-AZ traffic. It provides all of this while allowing the application owners to continue to manage their own resources, security, and account structure.

The VPC owner account creates, manages, and deletes the VPC-level resources: IP subnets, route tables, network access control lists, VPC peering connections, service endpoints, PrivateLink endpoints, Internet gateways, NAT gateways, virtual private gateways, and Transit Gateway attachments. However, the owner cannot delete or modify resources that participants create in the shared subnets, such as EC2 instances or the security groups a participant creates. The owner can view the network interfaces and security groups attached to participant resources for troubleshooting and auditing.

When considering VPC sharing, keep in mind that you must use AWS Organizations: subnets can be shared only with accounts, organizational units, or the organization itself within your own organization. The default VPC and its subnets cannot be shared. Participants cannot launch resources using security groups owned by the owner or by other participants; each participant creates its own security groups in the shared VPC. Billing is split between the parties: each participant pays for the resources it launches and for its data transfer charges associated with inter-Availability Zone traffic, Internet gateways, VPC peering connections, and data transfer through AWS Direct Connect, while the VPC owner pays the hourly, data-processing, and data-transfer charges for NAT gateways, virtual private gateways, transit gateways, AWS PrivateLink, and VPC endpoints.

VPC sharing uses AWS Resource Access Manager (RAM) to define which subnets are shared with which accounts. Sharing with AWS Organizations is enabled once, from the organization's management account; this does not share anything by itself, it only lets a resource share name the whole organization or an organizational unit as a principal instead of inviting accounts one at a time. The VPC owner then creates a resource share in RAM that lists the subnet ARNs to share and the principals that may use them. If you need to restrict RAM sharing, for example to block shares that would allow principals outside the organization, you can use service control policies, which are discussed later in this chapter.
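The following script is an added example for this study guide, not AWS code; it ties together the owner/participant rules above and the RAM sharing step. It validates a planned subnet share against those rules (no default-VPC subnets, only in-organization principals, external principals never allowed) before building the exact request for the RAM CreateResourceShare API, and it emits a service control policy that denies any share allowing principals outside the organization. The account IDs, subnet IDs, OU ARN, and the sample describe_subnets() output are constructed placeholders; the live calls in main() need credentials and boto3, while the validation helpers run offline.

```python
"""Plan and create an AWS RAM share of VPC subnets, with the guardrails from
the text enforced before any API call.

Added example for this study guide, not AWS code. Account IDs, subnet IDs,
the OU ARN and the sample describe_subnets() output are constructed.
"""
import json
import re

REGION = "us-east-1"
OWNER_ACCOUNT = "111111111111"   # constructed VPC owner account
MGMT_ACCOUNT = "999999999999"    # constructed Organizations management account
# Constructed OU ARN; RAM accepts an account ID, an organization ARN or an OU ARN.
WORKLOADS_OU = f"arn:aws:organizations::{MGMT_ACCOUNT}:ou/o-a1b2c3d4e5/ou-ab12-cdef5678"

# Constructed, in the shape of ec2.describe_subnets()["Subnets"].
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0a1b2c3d4e5f67890", "VpcId": "vpc-0123456789abcdef0",
     "OwnerId": OWNER_ACCOUNT, "DefaultForAz": False},
    {"SubnetId": "subnet-0fedcba9876543210", "VpcId": "vpc-0123456789abcdef0",
     "OwnerId": OWNER_ACCOUNT, "DefaultForAz": False},
]
# A subnet of the default VPC; sharing it is prohibited.
DEFAULT_SUBNET = {"SubnetId": "subnet-0deadbeef00000001", "VpcId": "vpc-0default000000001",
                  "OwnerId": OWNER_ACCOUNT, "DefaultForAz": True}

_ACCOUNT_ID = re.compile(r"^\d{12}$")
_ORG_PRINCIPAL = re.compile(
    r"^arn:aws:organizations::\d{12}:"
    r"(organization/o-[a-z0-9]{10,32}|ou/o-[a-z0-9]{10,32}/ou-[a-z0-9]{4,32}-[a-z0-9]{8,32})$"
)


def subnet_arn(region, owner_account, subnet_id):
    """RAM shares subnets by ARN, not by subnet ID."""
    return f"arn:aws:ec2:{region}:{owner_account}:subnet/{subnet_id}"


def plan_resource_share(name, region, owner_account, subnets, principals):
    """Validate a planned share and return kwargs for ram.create_resource_share().

    Rejects default-VPC subnets and subnets the owner account does not own,
    accepts only account, OU or organization principals, and pins
    allowExternalPrincipals to False so the share cannot be opened to
    accounts outside the organization.
    """
    resource_arns = []
    for s in subnets:
        if s.get("DefaultForAz"):
            raise ValueError(f"{s['SubnetId']} is a default subnet and cannot be shared")
        if s.get("OwnerId") != owner_account:
            raise ValueError(f"{s['SubnetId']} is not owned by {owner_account}")
        resource_arns.append(subnet_arn(region, owner_account, s["SubnetId"]))
    for p in principals:
        if not (_ACCOUNT_ID.match(p) or _ORG_PRINCIPAL.match(p)):
            raise ValueError(f"principal {p!r} is not an account, OU or organization")
    return {
        "name": name,
        "resourceArns": resource_arns,
        "principals": list(principals),
        "allowExternalPrincipals": False,
        "tags": [{"key": "managed-by", "value": "network-team"}],
    }


def deny_external_sharing_scp():
    """SCP for the management account: deny creating or updating any RAM share
    that would allow principals outside the organization, using the
    ram:RequestedAllowsExternalPrincipals condition key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyRamSharesOutsideOrganization",
            "Effect": "Deny",
            "Action": ["ram:CreateResourceShare", "ram:UpdateResourceShare"],
            "Resource": "*",
            "Condition": {"Bool": {"ram:RequestedAllowsExternalPrincipals": "true"}},
        }],
    }


def main():
    """Live run from the VPC owner account (needs credentials and boto3)."""
    import boto3  # imported here so the validation helpers work offline

    # Run once from the management account, not here:
    # boto3.client("ram").enable_sharing_with_aws_organization()
    ram = boto3.client("ram", region_name=REGION)
    ec2 = boto3.client("ec2", region_name=REGION)
    subnets = ec2.describe_subnets(
        SubnetIds=[s["SubnetId"] for s in SAMPLE_SUBNETS])["Subnets"]
    request = plan_resource_share("shared-app-subnets", REGION, OWNER_ACCOUNT,
                                  subnets, [WORKLOADS_OU])
    share = ram.create_resource_share(**request)["resourceShare"]
    print("created", share["resourceShareArn"], share["status"])
    # Attach this SCP to the workloads OU from the management account.
    print(json.dumps(deny_external_sharing_scp(), indent=2))


if __name__ == "__main__":
    main()
```

Once the share is active, a participant account in the named OU sees the subnets in its own EC2 console and launches into them with its own security groups (for example `ec2.run_instances(SubnetId=..., SecurityGroupIds=[...])`), which is the point at which the "no borrowing another account's security groups" rule above applies.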

For more information on VPC sharing, reference the following link: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html#vpc-share-unsupported-services.