With the AWS Cloud revolution in full swing, everyone seems to be diving headfirst as to not be left behind. However, with everyone rushing to move their workloads to the cloud, there are more and more customers that require connecting their cloud tenants with the tenants of other customers. Luckily, AWS offers many solutions to assist – the only problem is what are they and when is the best time to use them?
What is it? PrivateLink provides the ability to allow other AWS tenants network layer access to your services. It essentially allows you to expose designated ports of an ENI (behind a Network Load Balancer for high availability) in other VPCs without those VPCs connected by other means. These VPCs can even be in different accounts.
Final word: AWS PrivateLink is great for allowing other VPCs or other AWS accounts access to your internal services without exposing your entire network. Limited use cases but perfect when it’s what you need.
What is it? VPC Peering allows connecting VPCs to allow resources in each to access each other.
Final word: VPC Peering was a great option early in AWS’s history. However, every one of its use cases has been replaced by a new feature in AWS that is much more robust. Only use in very simple network sharing scenarios.
What is it? AWS Transit Gateway is a cloud-based virtual routing and forwarding (VRF) service for establishing network layer connectivity with multiple networks.
Final word: Transit Gateway is one of AWS’s newer networking solutions. Its scalability and its abilities to leverage multiple routing domains make it a great resource for networking as well as security.
What is it? VPC Sharing is a new approach that allows sharing individual subnets in your VPCs with other accounts to allow them ability to create and manage resources in it. Resources may include: EC2 instances, RDS, Redshift, Lambda, and other VPC-hosted resources.
Final Word: VPC sharing is a great option when simplifying network architecture is a priority. Accounts only have access to the resources they create still allow for role-based access.
VPC Sharing vs. Transit Gateway?
Between the two, what is the better option when you need to share AWS networks with other accounts?
There’s no reason why you couldn’t leverage both. Consider the following AWS accounts which are all a part of an AWS organization:
The networking team could share their VPCs with the Windows and Linux teams, allowing each to create their own resources in the pre-defined networks. Perhaps there are SCPs on each account that prevent the creation of unauthorized resources (Windows team can’t create Linux and vice versa, only networking team can create and edit networking resources). The security team needs the ability to scan all the resources across VPCs and has their appliances (e.g. Splunk, Nessus, Sonarqube) in a separate VPC. All the VPCs are attached to Transit Gateway. The Dev, Test, and Production VPCs however are placed in separate routing domains to prevent them from communicating with each other.
This way the networking team only has to worry about networking, the Windows and Linux team doesn’t have to worry about which subnet or security group select, and the security team can watch over your network all within clearly defined roles.