AWS Multi-Account Network Architecture with Infrastructure Account

Overview

This document outlines the design and implementation of a multi-account AWS network architecture using a dedicated Infrastructure Account for centralized network management. The solution leverages AWS Transit Gateway for inter-VPC connectivity and automates VPC creation across member accounts using CloudFormation Stack Sets.

Architecture Components

Account Structure

Management Account
- Primary purpose: AWS Organizations management
- Responsibilities:
  - Organization-wide governance
  - Account management
  - Service control policies (SCPs)
  - Billing and cost management
Infrastructure Account
- Primary purpose: Centralized network management
- Responsibilities:
  - Transit Gateway management
  - Network resource deployment automation
  - Network monitoring and operations
  - Network security controls
Member Accounts
- Purpose: Workload hosting
- Contain: Application-specific VPCs
- Connect: Via Transit Gateway attachments

Implementation Guide

Phase 1: Account Setup

Infrastructure Account Creation

# Create dedicated Infrastructure Account through Organizations
aws organizations create-account \
    --email network-infra@company.com \
    --account-name "Network Infrastructure"

Required IAM Roles

# infrastructure-account-roles.yaml
Resources:
  NetworkAdminRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSNetworkAdministrator

Phase 2: Transit Gateway Setup

Create Transit Gateway

# transit-gateway.yaml
Resources:
  CentralTransitGateway:
    Type: AWS::EC2::TransitGateway
    Properties:
      AmazonSideAsn: 64512
      AutoAcceptSharedAttachments: enable
      DefaultRouteTableAssociation: enable
      DefaultRouteTablePropagation: enable
      Description: Central Transit Gateway for Organization
      Tags:
        - Key: Environment
          Value: Production

Configure Resource Sharing

# resource-sharing.yaml
Resources:
  TransitGatewayShare:
    Type: AWS::RAM::ResourceShare
    Properties:
      Name: OrganizationTransitGatewayShare
      Principals: 
        - '*'
      ResourceArns:
        - !Ref CentralTransitGateway

Phase 3: Stack Set Configuration

Stack Set IAM Roles

# stackset-roles.yaml
Resources:
  StackSetAdminRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess

VPC Template

# member-vpc-template.yaml
Parameters:
  TransitGatewayId:
    Type: String
    Description: ID of the shared Transit Gateway

Resources:
  MemberVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: !Sub 10.${AWS::AccountId}.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Purpose
          Value: Workload

  TransitGatewayAttachment:
    Type: AWS::EC2::TransitGatewayAttachment
    Properties:
      TransitGatewayId: !Ref TransitGatewayId
      VpcId: !Ref MemberVPC
      SubnetIds: !Ref PrivateSubnets

Phase 4: Automation Implementation

Stack Set Deployment

# Deploy from Infrastructure Account
aws cloudformation create-stack-set \
    --stack-set-name member-vpc-deployment \
    --template-body file://member-vpc-template.yaml \
    --capabilities CAPABILITY_NAMED_IAM \
    --permission-model SERVICE_MANAGED

Stack Instance Creation

aws cloudformation create-stack-instances \
    --stack-set-name member-vpc-deployment \
    --regions us-east-1 \
    --deployment-targets OrganizationalUnitIds='["ou-xxxx-xxxxxxxx"]'

Network Operations

Monitoring Setup

VPC Flow Logs Configuration
Transit Gateway Network Manager
CloudWatch Metrics and Alarms

Security Controls

Network Access Controls
- Security Groups
- NACLs
- Route Table management
Compliance Requirements
- Traffic monitoring
- Security assessments
- Compliance reporting

Operational Procedures

New Account Onboarding
Route Management
Troubleshooting Process

Best Practices

Architecture Principles

Centralization
- Single point of network control
- Consistent policy enforcement
- Unified monitoring
Automation
- Infrastructure as Code
- Automated deployments
- Version control
Security
- Least privilege access
- Network segmentation
- Continuous monitoring

Cost Management

Transit Gateway pricing considerations
VPC networking costs
Cross-AZ traffic optimization

Troubleshooting Guide

Common Issues

Stack Set Deployment Failures
- Permission issues
- Network constraints
- Resource limits
Connectivity Problems
- Route table configuration
- Security group rules
- Transit Gateway attachments

Resolution Steps

Verification Procedures
Logging Analysis
Escalation Process

Maintenance and Updates

Regular Tasks

Route table audits
Security group reviews
Compliance checking

Change Management

Network changes
Stack Set updates
Security patches

Appendix

Reference Architecture

[Include the architecture diagram]

Useful Commands

# Check Transit Gateway status
aws ec2 describe-transit-gateways

# List Stack Set operations
aws cloudformation list-stack-set-operations

# Verify route propagation
aws ec2 describe-transit-gateway-route-tables

Documentation Links

AWS Transit Gateway
AWS Organizations
CloudFormation Stack Sets

Version History

Version

Date

Author

Changes

1.0

2025-01-11

Network Team

Initial document

End of Document

PreviousAWS Transit Gateway Multi-Account Implementation Guide NextLinks

Last updated 5 months ago

Was this helpful?