AWS Cross-Account Network Sharing Implementation Guide

Overview

This document outlines the implementation steps for sharing a centrally managed network across multiple AWS accounts using AWS Organizations and AWS Resource Access Manager (RAM). This solution enables centralized network management while allowing individual accounts to deploy resources within shared subnets.

Architecture Components

AWS Organizations
AWS Resource Access Manager (RAM)
VPC and associated networking components
IAM roles and permissions

Prerequisites

AWS Organizations set up and configured
A dedicated infrastructure account for network management
Target accounts organized into appropriate Organizational Units (OUs)
Administrative access to both the Organizations management account and infrastructure account

Implementation Steps

Log in to the AWS Organizations management account
Navigate to AWS Organizations console
Go to Settings

Enable sharing for AWS RAM

aws organizations enable-sharing-with-aws-organization

Step 2: VPC Setup in Infrastructure Account

Log in to the infrastructure account
Create a VPC with appropriate CIDR range
```
aws ec2 create-vpc --cidr-block 10.0.0.0/16
```

Create subnets with desired CIDR ranges

aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.1.0/24
aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.2.0/24

Configure routing tables, internet gateway, and other network components

Log in to the infrastructure account
Navigate to AWS RAM console

Create a new resource share:

aws ram create-resource-share \
  --name "central-network-share" \
  --resource-arns arn:aws:ec2:<region>:<account-id>:subnet/<subnet-id> \
  --principals arn:aws:organizations::<org-id>:ou/<ou-id>

Add subnets to the resource share
Specify the target Organizational Units (OUs)

Step 4: Verify Shared Subnets in Member Accounts

Log in to a member account
Navigate to VPC console
Check "Shared with me" section
Verify subnet availability

Network Management Controls

Infrastructure Account Permissions

Full network management capabilities
Ability to modify VPC configurations
Control over subnet sharing
Management of routing and security

Member Account Permissions

Ability to view shared subnets
Permission to create resources in shared subnets
No ability to modify network configurations
Limited to resource-level operations

Resource Creation in Shared Subnets

Allowed Operations in Member Accounts

Launch EC2 instances
Create load balancers
Deploy RDS instances
Create Lambda VPC endpoints
Deploy ECS tasks

Restricted Operations in Member Accounts

Modify subnet configurations
Change routing tables
Modify network ACLs
Create or modify VPC endpoints

Best Practices

Use consistent tagging across accounts
Implement proper CIDR planning for future expansion
Document shared subnet allocations
Regularly audit resource sharing configurations
Implement network monitoring in the infrastructure account

Security Considerations

Implement proper security groups in the infrastructure account
Use Network ACLs for additional security
Monitor VPC Flow Logs
Regular security audits
Implement proper IAM policies

Monitoring and Maintenance

Infrastructure Account Responsibilities

Monitor network utilization
Manage subnet sharing
Update network configurations
Security group management
Network troubleshooting

Member Account Responsibilities

Monitor resource utilization
Manage security groups for their resources
Report network issues to infrastructure team
Comply with network policies

Troubleshooting

Common Issues

Subnet sharing not visible in member accounts
- Verify Organizations sharing is enabled
- Check OU assignments
- Verify RAM configurations
Unable to launch resources in shared subnets
- Check IAM permissions
- Verify security group configurations
- Ensure subnet has available IP addresses
Network connectivity issues
- Verify routing tables
- Check security group rules
- Validate network ACL settings

Documentation and Support

Maintain updated network diagrams
Document CIDR allocations
Keep sharing configurations documented
Establish support procedures
Regular review and updates of documentation

Conclusion

This implementation provides centralized network management while allowing individual accounts to deploy resources efficiently. Regular monitoring and maintenance ensure optimal performance and security across the organization.

PreviousAWS PrivateLink Implementation Guide for Third-Party SaaS Integration NextCross-Account Route 53 Private Hosted Zone Implementation Guide

Last updated 1 year ago

hashtag

hashtagOverview

hashtagArchitecture Components

hashtagPrerequisites

hashtagImplementation Steps

hashtagStep 1: Enable Resource Sharing in AWS Organizations

hashtagStep 2: VPC Setup in Infrastructure Account

hashtagStep 3: Configure Resource Sharing using AWS RAM

hashtagStep 4: Verify Shared Subnets in Member Accounts

hashtagNetwork Management Controls

hashtagInfrastructure Account Permissions

hashtagMember Account Permissions

hashtagResource Creation in Shared Subnets

hashtagAllowed Operations in Member Accounts

hashtagRestricted Operations in Member Accounts

hashtagBest Practices

hashtagSecurity Considerations

hashtagMonitoring and Maintenance

hashtagInfrastructure Account Responsibilities

hashtagMember Account Responsibilities

hashtagTroubleshooting

hashtagCommon Issues

hashtagDocumentation and Support

hashtagConclusion