Tutorial / Cram Notes
Virtual Private Cloud (VPC) sharing is a powerful capability in AWS that facilitates multiple AWS accounts to securely share a common VPC, while keeping individual account resources isolated. This is particularly advantageous in an organization that uses a multi-account setup, often the case for separating different business units or environments for better resource management, cost tracking, and security.
Benefits of VPC Sharing
VPC sharing comes with several benefits:
- Cost-Efficiency: By sharing a single VPC, organizations can reduce the number of VPCs they need to create and manage, saving on operational costs.
- Simplified Network Management: With VPC sharing, you can have a centralized team manage the network, while development teams can focus on their resources independently.
- Security and Compliance: Centralized control of the shared VPC ensures consistent implementation of security practices and compliance across all participating accounts.
- Resource Isolation: Even though the VPC is shared, resources within it are isolated at the account level, ensuring privacy and security boundaries are maintained.
How VPC Sharing Works
In a VPC sharing setup, there’s a central account known as the “owner” account that creates the VPC. This account can then share subnets within that VPC with other AWS accounts, which are known as “participants.” Participants can launch their own resources, such as Amazon EC2 instances, Amazon RDS databases, or AWS Lambda functions, in the shared subnets but cannot view or modify resources belonging to other participants or the owner account.
Network Sharing Process Steps:
- Create a VPC and Subnets: Firstly, the owner account creates a VPC and subnets.
- Enable Resource Sharing: The owner then uses AWS Resource Access Manager (RAM) to share the subnets with other AWS Accounts.
- Accept Resource Share: Participant accounts accept the shared subnets and can then deploy their AWS resources into the shared subnet.
- Governance: The shared VPC can be monitored and managed by the owner account, providing centralized control over the network infrastructure while allowing participant accounts to manage their own resources.
Example Workflow:
| Step | Action | Description |
|---|---|---|
| 1 | Create a VPC (Owner Account) | Set up a VPC with the necessary configurations such as CIDR blocks, subnet creation, internet gateway, route tables, etc. |
| 2 | Share Subnets (Owner Account) | Utilize AWS RAM to enable sharing of the created subnets with participant accounts. |
| 3 | Accept Resource Share (Participant Accounts) | Participant accounts accept the invitation and can now launch their resources in these subnets. |
| 4 | Resource Deployment (Participant Accounts) | Participants deploy AWS resources such as EC2 instances into the shared subnets. |
| 5 | Monitor and Manage (Owner Account) | The owner keeps an overview of the network, ensuring compliance and security standards. |
Service Limitations and Considerations
It’s important to understand that certain limitations exist with VPC sharing:
- Only subnets can be shared, not entire VPCs.
- The owner account is responsible for managing NACLs, Security Groups, and VPC peering connections.
- Participant accounts need permission from the owner to create specific types of resources, such as NAT Gateways.
- Not all AWS services support launching in a shared VPC.
Security in VPC Sharing
Security is one of the principal considerations in a VPC sharing setup. AWS facilitates this through:
- Resource-level isolation: Resources are inherently isolated at the account level, and participants cannot see each other’s resources.
- IAM Permissions: Fine-grained access control via AWS IAM ensures that participants have only the permissions they require.
- Networking Controls: The owner account can implement security groups and network access lists to enforce networking policies.
- Centralized Monitoring: Utilizing services like AWS CloudTrail and VPC Flow Logs, the VPC owner can monitor actions and traffic within the shared VPC for auditing and compliance.
VPC sharing is highly relevant for enterprises looking to adopt a multi-account strategy on AWS. When preparing for the AWS Certified Advanced Networking – Specialty (ANS-C01) exam, understanding the intricacies of VPC sharing is critical. It’s part of a broader set of network design and implementation scenarios that require a deep mastery of AWS network architectures and best practices.
Practice Test with Explanation
True or False: VPC sharing allows multiple AWS accounts to share a single VPC.
- True
- False
Answer: True
Explanation: VPC sharing allows multiple AWS accounts within the same organization to share a single VPC. It enables resources from different accounts to communicate over private IP addresses as if they were within the same VPC.
Which of the following are benefits of VPC sharing? (Select TWO)
- Cost saving on NAT gateways
- Each account has its own route table in the shared VPC
- Simplified network management
- Decreased performance due to shared resources
- Isolation of resources between accounts
Answer: Cost saving on NAT gateways, Simplified network management
Explanation: VPC sharing helps in cost saving on network resources like NAT gateways and simplifies network management by reducing the number of VPCs to manage. Shared resources don’t necessarily decrease performance, and resources are still isolated between accounts.
True or False: In a shared VPC, secondary accounts have the ability to modify the shared network resources.
- True
- False
Answer: False
Explanation: In a shared VPC, secondary (participant) accounts cannot modify shared network resources such as subnets, route tables, network ACLs, and internet gateways. These resources are managed by the primary (owner) account.
What permissions are needed to share a subnet from the master account to other accounts?
- ec2:CreateSubnet
- resource-share:CreateResourceShare
- ram:CreateResourceShare
- ec2:ModifyVpcEndpoint
Answer: ram:CreateResourceShare
Explanation: AWS Resource Access Manager (RAM) is used to share subnets across accounts, not the EC2 service itself. Therefore, the `ram:CreateResourceShare` permission is needed to create a resource share.
Which AWS service is primarily used for VPC sharing between accounts?
- AWS Direct Connect
- AWS Organizations
- AWS Resource Access Manager (RAM)
- Amazon EC2
Answer: AWS Resource Access Manager (RAM)
Explanation: AWS Resource Access Manager (RAM) is the service used to share VPCs and subnets with other accounts within your organization.
True or False: When sharing a VPC, the owner account can view and terminate EC2 instances belonging to participant accounts.
- True
- False
Answer: False
Explanation: When a VPC is shared, the owner account does not have the ability to view or terminate EC2 instances belonging to participant accounts. Each account maintains the privacy and control over its own resources.
Which of the following resources cannot be shared in a VPC sharing setup?
- Subnets
- Security groups
- Internet gateways
- VPC Endpoints
Answer: Security groups
Explanation: In a VPC sharing setup, certain resources such as subnets and VPC endpoints can be shared among accounts, but security groups cannot be shared. Each account must create its own security groups.
How does a participant account access a shared subnet in VPC sharing?
- By creating a peering connection to the owner’s VPC
- By accepting the shared subnet invitation through AWS RAM
- By modifying the VPC settings in their account
- By provisioning a new EC2 instance in the shareable subnet
Answer: By accepting the shared subnet invitation through AWS RAM
Explanation: Participant accounts access a shared subnet by accepting resource share invitations sent by the owner account through AWS RAM, not by peering connections or modifying VPC settings.
True or False: DNS resolution between VPCs maintained by different accounts is automatically enabled in VPC sharing.
- True
- False
Answer: False
Explanation: DNS resolution between VPCs maintained by different accounts is not automatically enabled; it must be configured to allow resolver rules to be shared with participating accounts for private DNS resolution.
True or False: VPC sharing allows sharing of Amazon RDS instances between accounts.
- True
- False
Answer: False
Explanation: VPC sharing allows the sharing of the VPC’s networking layer, such as subnets, but not specific services or instances such as Amazon RDS instances. These are still managed individually by each account.
In a multi-account setup using VPC sharing, who is in charge of updating network ACLs and security group rules for shared subnets?
- The secondary account
- The master account
- AWS support
- Both accounts can manage ACLs and security groups independently
Answer: The master account
Explanation: In a VPC sharing scenario, the master (or owner) account retains control over the VPC, including network ACLs and security groups for shared subnets. The secondary accounts cannot update these components for shared resources.
True or False: Cross-account VPC sharing supports transitive peering relationships between VPCs.
- True
- False
Answer: False
Explanation: AWS does not support transitive peering relationships between VPCs. This means that if VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A and VPC C are not automatically peered. Each peering connection must be directly established.
Interview Questions
What is VPC sharing in AWS, and how does it benefit a multi-account environment?
VPC sharing allows multiple AWS accounts to create their application resources, like EC2 instances, RDS databases, or Lambda functions, inside a centrally managed Virtual Private Cloud (VPC). This enables resource sharing while keeping the administrative ownership with the VPC owner account. The benefit is that it minimizes the number of VPCs to manage, ensures consistent security practices, and can potentially reduce costs by avoiding duplicate resources.
How does AWS enable VPC sharing across accounts?
AWS enables VPC sharing via the AWS Resource Access Manager (RAM) service, which allows you to share AWS resources with any AWS account or within your AWS Organization. When sharing a VPC, the VPC owner account shares one or more subnets with other AWS accounts, allowing those accounts to launch resources into a shared environment.
What are the prerequisites for setting up VPC sharing?
The prerequisites for VPC sharing include enabling AWS Resource Access Manager (RAM) within your organization, ensuring all accounts are part of the same AWS Organization, and that the Service Control Policies (SCPs) allow for VPC sharing. Additionally, the VPC must be associated with a CIDR block that doesn’t overlap with any other VPCs in the participant accounts.
Can you modify the Network Access Control Lists (NACLs) of a shared subnet? If so, who has the permissions to do this?
Only the owner account of the shared VPC can modify the Network Access Control Lists (NACLs) for the shared subnets. The participants in the shared VPC do not have the permissions to modify NACLs of the shared subnets as they do not have the ownership of the underlying VPC infrastructure.
When using VPC sharing, are there any limitations regarding Security Groups?
Yes, when using VPC sharing, one limitation is that participant accounts can only reference Security Groups that are shared with them or are within their own account. They cannot reference Security Groups from other VPCs that are not shared or owned by their account.
Describe the process of sharing a subnet within a VPC to other AWS accounts.
To share a subnet within a VPC, the owner account must first create the subnet in the VPC. Then, using AWS RAM, the owner account can share the desired subnet or subnets with other AWS accounts by creating a Resource Share and adding the AWS accounts as principals to the Resource Share. The participating accounts then accept the share, and can start launching resources in the shared subnet.
Are there any resources or services that cannot be used within shared subnets?
Most AWS services can be used within shared subnets, but certain services and features, such as VPC Peering connections, AWS Transit Gateway attachments, and AWS Direct Connect gateways, are restricted and cannot be used within shared subnets as they are tied to the VPC owner account.
How does DNS resolution work in a shared VPC setup?
DNS resolution in a shared VPC setup works the same way as in a regular VPC. Each account can manage its own private DNS within the shared VPC and can resolve public DNS names. However, if the VPC has a custom DNS server or Route 53 Resolver set up by the VPC owner account, it will affect all participating accounts in the shared VPC setup.
What happens to the resources within the shared subnet if the sharing invitation is revoked?
If the sharing invitation is revoked or if the participant account leaves the shared subnet, resources belonging to that account will remain running but will be unable to perform certain functions, such as launching new instances or modifying the VPC attributes. It’s recommended to migrate the necessary resources before revoking the sharing invitation to avoid disruption.
What is the difference between VPC peering and VPC sharing in terms of inter-account connectivity?
VPC peering is a networking connection between two VPCs, allowing instances within those VPCs to communicate with each other using private IP addresses. Each VPC in a VPC peering relationship remains separately managed and can exist in different accounts. In contrast, VPC sharing involves multiple AWS accounts launching resources into a single, centrally managed VPC, which allows for shared network resources and centralized governance but still requires separate management of application-level resources.
How do IAM policies affect VPC sharing in a multi-account setup?
IAM policies affect VPC sharing by determining what actions users and roles in the participating accounts can perform within the shared VPC. The VPC owner can set permissions that restrict the actions participants can perform, such as restricting the creation of certain resources or modifying VPC configurations. It’s crucial to carefully configure IAM policies to ensure security and proper access control in a multi-account setup.
Can you share a VPC with an account outside of your AWS Organization, and what considerations should be taken in such a case?
It is possible to share a VPC with an account outside of your AWS Organization using AWS Resource Access Manager (RAM). However, you must consider the trust relationship between the accounts, as sharing critical infrastructure like a VPC can pose security risks. Additionally, the VPC owner must manually share the VPC with external accounts (as opposed to automatic sharing within an organization), and explicitly accept resource shares from external accounts.
Great article! VPC sharing is such a useful feature for multi-account setups.
Thanks for the detailed explanation. This will definitely help in optimizing our AWS architecture.
Can VPC sharing be restricted to specific subnets within the same VPC? Anyone tried that?
I appreciate this write-up. It’s been challenging to find clear information on VPC sharing.
Does anyone know if VPC sharing incurs additional costs compared to regular VPC hosting?
We implemented VPC sharing across 5 different AWS accounts and it saved us so much time and complexity!
This was a great post on VPC sharing for multi-account setups. Thanks!
Very informative post, I had some confusion around VPC sharing before. Appreciate it!