Study Guide925 words
AWS Advanced Networking: Mastering VPC Sharing
Capabilities and advantages of VPC sharing
AWS Advanced Networking: Mastering VPC Sharing
Learning Objectives
After studying this guide, you should be able to:
- Explain the role of AWS Resource Access Manager (RAM) and AWS Organizations in VPC sharing.
- Differentiate between the responsibilities of a VPC Owner and a VPC Participant.
- Identify the primary cost and operational advantages of sharing subnets across accounts.
- Evaluate when to use VPC Sharing versus VPC Peering or Transit Gateway.
- Recognize specific limitations, such as the prohibition on sharing default VPCs.
Key Terms & Glossary
- VPC Owner: The account that creates the VPC and owns the infrastructure (subnets, route tables, gateways).
- VPC Participant: An account within the same AWS Organization that has been granted access to subnets within the owner's VPC.
- Resource Access Manager (RAM): The service used to define and manage the sharing of AWS resources (like subnets) across accounts.
- Implicit Routing: The behavior within a shared VPC where resources in different subnets (owned by different accounts) can communicate via the local VPC route by default.
The "Big Idea"
In a traditional multi-account strategy, every team manages their own VPC, leading to a "sprawl" of NAT Gateways, Interface Endpoints, and complex peering meshes. VPC Sharing flips this model by allowing a central networking team to manage the "pipes" (IP space, routing, egress) while application teams simply "plug in" their resources (EC2, RDS) to a shared, high-density environment. It treats the network as a common utility rather than a per-project overhead.
Formula / Concept Box
| Function | Owner Account | Participant Account |
|---|---|---|
| Create/Delete Subnets | ✅ | ❌ |
| Manage Route Tables/IGW/NAT | ✅ | ❌ |
| Launch EC2/RDS/Lambda | ✅ | ✅ |
| Manage own Security Groups | ✅ | ✅ |
| Delete other's Resources | ❌ | ❌ |
| View other's Network Interfaces | ✅ (Audit only) | ❌ |
Hierarchical Outline
- I. Foundational Requirements
- AWS Organizations: Must be enabled; sharing is restricted to accounts within the same org.
- Resource Access Manager (RAM): The mechanism used to share subnets (not the whole VPC).
- II. Functional Mechanics
- Subnet Selection: Owners share specific subnets, not the entire CIDR block.
- Resource Isolation: Participants see only the shared subnets and can only interact with resources they own or that are explicitly allowed via Security Groups.
- III. Advantages of Sharing
- Efficiency: Larger, high-density VPCs lead to better IP address utilization.
- Cost Savings: Centralized NAT Gateways and VPC Endpoints reduce duplicate hourly charges.
- Security: Centralized control over NACLs and IGW/VGW configuration.
- IV. Constraints
- No Default VPCs: You cannot share the default VPC or its subnets.
- Security Group Ownership: Participants cannot use Security Groups owned by the VPC owner or other participants.
Visual Anchors
The Sharing Process
Loading Diagram...
Architectural Topology
Compiling TikZ diagram…
⏳
Running TeX engine…
This may take a few seconds
Definition-Example Pairs
- Resource Consolidation: The practice of using one resource to serve multiple accounts.
- Example: Instead of five accounts each paying ~$32/month for their own NAT Gateway, all five share one NAT Gateway in the VPC Owner account, saving ~$128/month in fixed costs.
- Cross-Account Security Group Referencing: Although you cannot use another account's SG, you can reference it in rules.
- Example: A Participant Account's Web Server SG can have an inbound rule allowing traffic from the Owner Account's Load Balancer SG, even though they live in different accounts.
Worked Examples
Scenario: The Overlapping IP Crisis
Problem: A company has 10 accounts, each with a VPC using 10.0.0.0/16. They now need to interconnect them, but VPC Peering is impossible due to CIDR overlap.
Solution using VPC Sharing:
- Consolidate: Create one large VPC in a Networking Hub account with a massive CIDR (e.g.,
10.100.0.0/15). - Segment: Create subnets for "Production," "Testing," and "Shared Services."
- Distribute: Use RAM to share the "Production" subnet with Account A and Account B.
- Migrate: Teams move their workloads into these shared subnets. Since they are in the same VPC, they use the same non-overlapping IP space, resolving the conflict and enabling direct private communication.
Checkpoint Questions
- Can a VPC Participant modify the Route Table of a shared subnet? (No, only the Owner can manage infrastructure components).
- What happens to data transfer costs between two EC2 instances in different accounts but the same Availability Zone in a shared VPC? (It is free, just like a standard VPC).
- True or False: You can share a VPC with an account outside of your AWS Organization. (False; RAM sharing for VPC subnets requires AWS Organizations).
Muddy Points & Cross-Refs
- Confusion with Peering: Remember that Peering connects two different VPCs (separate routing tables, separate quotas). Sharing allows multiple accounts to live inside one VPC.
- Security Group Limitations: A common "gotcha" is trying to assign an SG owned by the VPC Owner to a Participant's EC2 instance. This will fail. Participants must create their own SGs within their own accounts, even if those SGs are associated with the shared subnets.
- Cross-Ref: For complex scenarios where sharing isn't enough (e.g., connecting to on-premises), see the Transit Gateway section.
Comparison Tables
| Feature | VPC Sharing | VPC Peering | Transit Gateway |
|---|---|---|---|
| Network Boundary | Single VPC | Multiple VPCs | Multiple VPCs + On-prem |
| IP Management | Centralized | Decentralized (No overlaps) | Decentralized (No overlaps) |
| NAT/Endpoints | Shared (Low Cost) | Duplicated (High Cost) | Centralized via TGW |
| Transitivity | Native (Single VPC) | Non-transitive | Fully Transitive |
| Best Use Case | Teams in one Org | Mergers/Acquisitions | Large scale, hybrid Cloud |