Over the years AWS has made managing multi-account AWS environments easier. They have introduced consolidated billing, AWS Organizations, cross-account IAM roles delegation, and various ways to share resources like snapshots, AMIs, etc.
In this blog post, I will discuss cross-account VPC sharing using AWS RAM which is a cool new service launched by AWS in November 2018. AWS RAM enables us to share our resources with an AWS account or through AWS Organizations. If you have multiple AWS accounts, you can create resources centrally and use AWS RAM to share those resources with other accounts.
VPC sharing is a very powerful concept with many benefits:
- Separation of duties: centrally controlled VPC structure, routing, IP address allocation.
- Application owners continue to own resources, accounts, and security groups.
- VPC sharing participants can reference security group IDs of each other.
- Efficiencies: higher density in subnets, efficient use of VPNs and AWS Direct Connect.
- Hard limits can be avoided, for example, 50 VIFs per AWS Direct Connect connection through simplified network architecture.
- Costs can be optimized through reuse of NAT gateways, VPC interface endpoints, and intra-Availability Zone traffic.
AWS RAM gives us the provision to share following services till date:
- Transit Gateways
- Resolver Rules
- License Configuration
When you share a resource with another account, then that account is granted access to the resource. Any policies and permissions in that account apply to the shared resource
I will now share subnets from the account (A) which will be the owner account to account (B), say participant account.
Setting up AWS organization:
Create an AWS organization in account A and add the participant account B in the Organization.
Invite the account B in the AWS organization by sending a request from the console.
Create a Custom VPC and few subnets in the owner account which will be shared with the participant account.
Next, enable the resource sharing for your organization from the AWS Resource Access Manager settings in account A.
Now let’s start with resource sharing by creating a resource share in “shared by me tab”.
After providing a description for the shared resource, select “Subnets” in the resource tab and then go ahead and select the subnets which you wish to share with participant account.
The principal will be the destination account or the AWS Organization to which the subnets will be shared. I will go with AWS organization and select account B in the organization.
After creating the resource share in owner account A, go to the participant account B and check if the resource share is visible in AWS RAM dashboard “shared with me” tab.
The shared subnets will now appear in the participant account B along with the VPC.
Let’s use this VPC to launch resources in Participant account. Navigate to the EC2 dashboard and while launching the instance, in the configure instance section check the availability of shared VPC and subnets.
Voila! The magic is done!
Things to know:
- At this moment VPC sharing is only available within the same AWS Organization.
- We cannot share default VPC’s.
- Participants accounts can’t launch resources using security groups that are owned by other participants or the owner.
- Participants can’t launch resources using the default security group for the VPC because it belongs to the owner.
- Participants pay for their resources and also pay for data transfer charges associated with Inter-Availability Zone data transfer, internet gateway, VPC peering connections, and data transfer through an AWS Direct Connect.
- VPC owners pay hourly charges (where applicable), data processing and data transfer charges across NAT gateways, virtual private gateways, transit gateways, AWS PrivateLink, and VPC endpoints.