Networking in AWS

Networking is one of the core pillars of the cloud computing model. Amazon VPC(virtual private cloud) helps you launch a secure, isolated private cloud hosted within a public cloud.

In a multi-account environment, you must find a way to create VPCs and associated objects across managed accounts. AWS recommends creating a Network account under the Infrastructure OU.

AWS SRA Infrastructure OU - Network Account

AWS Security Reference Architecture states that the Network account is the gateway between your apps and the Internet. Network resources are defined at one account, and then, leveraging another managed service called RAM(Resource Access Manager), these resources can be shared with accounts in the organization or only with the accounts within one or more specified organizational units (OUs).

GitHub Repository

The source code can be found HERE

Building the Connectivity

In one of the blogs, I talk about setting up an AWS landing zone using the control tower.

Followed these steps from the control tower section of the Management account

• Create an OU named Infrastructure

• Create an AWS account named Network from the account factory.

• Disable automatic creation of VPCs in all regions by the Account Factory in AWS Control Tower.

In another post, I discussed the steps to integrate GitHub with AWS using OIDC. In the same way, HCP Terraform must also be integrated with AWS for infrastructure provisioning. Add HCP as the OIDC provider on the AWS and create an IAM role. This role must be added as a variable on your HCP workspace/organization.

Virtual Private Cloud(VPC)

Our new VPC contains the following resources:

• Two public subnets
• Two private subnets
• One internet gateway
• Four routing tables

Network Account

Connect to the Network account and verify the VPC creation.

Resource Access Manager(RAM)

The last step is to create a resource share using AWS Resource Access Manager(RAM) to share all four VPC subnets with the “Sandbox” OU.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

# Creates a Resource Access Manager (RAM) Resource Share
resource "aws_ram_resource_share" "subnet_share" {
  name = var.ram_name
  tags = local.tags
}

# Associates Private Subnets to RAM
resource "aws_ram_resource_association" "private_subnets" {
  count              = length(var.private_subnet_cidr)
  resource_arn       = aws_subnet.private[count.index].arn
  resource_share_arn = aws_ram_resource_share.subnet_share.arn
}

# Associates Public Subnets to RAM
resource "aws_ram_resource_association" "public_subnets" {
  count              = length(var.public_subnet_cidr)
  resource_arn       = aws_subnet.public[count.index].arn
  resource_share_arn = aws_ram_resource_share.subnet_share.arn
}

# Share resources to Sandbox OU
resource "aws_ram_principal_association" "ram_principal_association" {
  principal          = var.ou_arn
  resource_share_arn = aws_ram_resource_share.subnet_share.arn
}

Tip

One quick tip is to add the ARN of Sandbox OU to the Terraform workspace.

Resource share has been created and will look like the one below. Notice “shared by me”, ie, the Network Account

Development Account

Connect to the “development” account, and you will see “shared with me” under RAM.

In this way, all future accounts within Sandbox OU will inherit the shared VPC from the Network account.

Reference

• AWS SRA

• RAM