The AWS VPN CloudHub is an architecture for the AWS site-to-site VPN service. However, it’s not an actual service that you can find in the console. CloudHub uses a VPG in a VPC to connect multiple remote sites each using a site-to-site VPN connection.
Building on the AWS managed VPN options described previously, you can securely communicate from one site to another using the CloudHub AWS VPN. The AWS VPN CloudHub uses a hub-and-spoke architecture that allows all spoke locations to communicate with each other. VPC services are not required but can be connected to CloudHub. Remote offices or small hubs can use VPNs and CloudHub as either their primary or backup networks.
AWS VPN CloudHub implements a VPC virtual private gateway and multiple customer gateways, and the gateways must use unique public or private BGP autonomous system numbers with no overlapping IP address ranges.
BGP route prefixes are advertised by the gateways over the VPN connections. The advertised routes are received and re-advertised by AWS to each BGP peer. This allows each VPN location to communicate with all other VPCs and the Internet if connected.
Many organizations deploy multiple accounts in AWS and require them to share resources, administration, accounting, monitoring, and shared billing. This is often done for security, segmentation, accounting, and many other reasons such as mergers or departmental segmentation. We will cover the overview of resource sharing in this chapter and go into more detail in Chapter 8, “Inter-VPC and Multi-Account Networking.”
When using the multiple organization approach to your AWS deployment, each account is often not an isolated island. AWS offers many options to manage multiple accounts and to share resources between these different accounts. When sharing a service or resource residing in your account to the outside world, you apply access policies and permissions in your account to allow these resources to be externally shared.
When the resource owner shares services with another account, that account accesses the resource as if they were the owners. All access techniques apply as if it were local to your account. This includes API calls, the CLI, or the GUI interface depending on the capabilities of the resources you are sharing and the granted permissions. Accessing a resource that is shared and when using that resource’s services, the same abilities and limitations exist as for the AWS account that owns the resource. When the resource is regional, you can access it only from the AWS region where it was created by the account owner.
There are two types of resources to consider, global and regional. Both global and regional resources can be shared. If the resource is global, access is allowed from any AWS region that the resource’s service console and tools support. While it may be confusing, global resources are displayed in the AWS console as either global or may show as being in the U.S. East Northern Virginia region, us-east-1, even though they are global. Examples of global services include IAM, Route 53, CloudFront AWS Organizations, Direct Connect, AWS Firewall Manager, AWS Web Application Firewall (WAF), and AWS Shield.