Build CoreOrdered learning track

Multi-Account Networking Foundation

Learn AWS Networking and Content Delivery - Part 021

Fondasi desain multi-account networking di AWS: account boundary, ownership model, centralized network account, shared services, routing domain, DNS authority, egress, inspection, IPAM, dan invariants untuk platform produksi skala enterprise.

12 min read2309 words
PrevNext
Lesson 2172 lesson track14–39 Build Core
#aws#networking#content-delivery#cloud-architecture+7 more

Part 021 — Multi-Account Networking Foundation

VPC yang rapi belum tentu menghasilkan platform yang rapi.

Di organisasi nyata, problem networking jarang berhenti di satu VPC. Begitu ada banyak team, environment, produk, data sensitivity, region, vendor, on-prem, audit, dan incident boundary, pertanyaannya berubah:

Bukan lagi: bagaimana membuat VPC?
Tetapi: siapa boleh menghubungkan apa, melalui path mana, dengan policy siapa, dan failure-nya berhenti di mana?

Multi-account networking adalah disiplin untuk menjawab pertanyaan itu.

Tujuannya bukan membuat topologi kelihatan canggih. Tujuannya adalah membuat connectivity menjadi:

explicit
owned
auditable
segmented
repeatable
recoverable
cost-visible
safe under partial failure

Part ini adalah fondasi sebelum kita masuk ke VPC Peering, Transit Gateway, Cloud WAN, Direct Connect, VPN, PrivateLink, dan VPC sharing.


1. Core Thesis: Account Boundary Bukan Network Boundary

Kesalahan umum:

"Sudah beda AWS account, berarti aman."

Tidak cukup.

AWS account adalah boundary untuk ownership, billing, IAM, service quota, dan blast-radius administratif. Tetapi traffic network tetap bisa melewati banyak mekanisme:

VPC peering
Transit Gateway
PrivateLink
VPC Lattice
VPN
Direct Connect
Route 53 Resolver forwarding
shared VPC/subnet
public internet path
CloudFront/ALB/API Gateway entrypoint

Jadi account boundary harus diterjemahkan menjadi network boundary yang konkret:

route table
security group
NACL
endpoint policy
resource policy
firewall policy
DNS rule
SCP/IAM guardrail
inspection path
logging path

Mental model-nya:

Account = administrative cell
VPC     = network cell
Subnet  = placement + routing cell
Route   = reachability statement
Policy  = permission statement
DNS     = naming authority
Logs    = evidence stream

Top 1% engineer tidak menilai desain dari diagramnya saja. Mereka bertanya:

Kalau account A compromise, account mana yang ikut reachable?
Kalau route salah propagate, environment mana yang bocor?
Kalau DNS forwarding salah, service mana resolve ke target salah?
Kalau NAT/inspection VPC mati, traffic mana yang terhenti?
Kalau app team membuat VPC sendiri, siapa mencegah CIDR overlap?
Kalau vendor minta koneksi, apakah kita expose network atau hanya service?

2. Kenapa Multi-Account Ada: Bukan Karena AWS Suka Banyak Account

Multi-account biasanya muncul karena kombinasi alasan berikut.

2.1 Separation of duty

Network platform team tidak boleh otomatis punya akses ke data aplikasi.

Application team tidak boleh bebas mengubah global routing.

Security team harus bisa melihat evidence tanpa menjadi operator workload.

Network account  -> owns connectivity primitives
Security account -> owns detection, logs, inspection governance
Workload account -> owns application runtime
Shared account   -> owns common internal services

2.2 Blast-radius control

Satu account untuk semua workload mencampur:

prod and non-prod
regulated and non-regulated
internet-facing and internal
team A and team B
experiments and critical services

Akibatnya satu kesalahan IAM, route, endpoint, atau security group bisa berdampak terlalu luas.

2.3 Billing and quota isolation

NAT Gateway, inter-AZ transfer, TGW data processing, endpoint hourly cost, CloudFront transfer, Direct Connect, dan logging cost harus bisa dikaitkan ke owner.

2.4 Compliance and audit

Auditor biasanya tidak puas dengan jawaban:

"Network-nya shared, tapi trust us."

Mereka butuh evidence:

who can create routes
who can attach VPC to core network
which accounts have internet egress
which accounts can receive inbound traffic
where logs go
which policy blocks bypass

2.5 Platform scalability

Tanpa account model, setiap team akan membuat versi sendiri dari:

CIDR plan
VPC module
NAT pattern
DNS pattern
endpoint pattern
inspection pattern
logging pattern

Hasil akhirnya bukan cloud. Hasilnya datacenter spaghetti dalam bentuk API.


3. Reference Account Taxonomy

Ini bukan satu-satunya model, tetapi cukup matang untuk organisasi menengah sampai besar.

Penamaan bisa berbeda, tetapi responsibility harus jelas.

AccountPrimary OwnershipNetworking Responsibility
Management accountOrganization administrationMinimal workload. Jangan menjadi tempat network runtime.
Network accountPlatform/network teamTransit Gateway, Cloud WAN, centralized egress, ingress, inspection, Direct Connect/VPN attachment, shared network automation.
Shared services accountPlatform/shared infra teamDirectory, internal tools, metadata service, artifact service, central CI runners jika perlu.
DNS accountNetwork/platform teamPublic hosted zones, private hosted zone strategy, Resolver forwarding rules, DNS Firewall baseline. Bisa digabung dengan network account jika kecil.
Log archive accountSecurity/platformCentral immutable logs: VPC Flow Logs, CloudTrail, DNS query logs, firewall logs.
Security tooling accountSecurity engineeringSIEM integration, GuardDuty/Security Hub/Macie-style aggregation, inspection analytics.
Workload accountApplication teamVPC/workload resources sesuai platform guardrail.
Sandbox accountDevelopers/experimentsIsolated, quota-limited, no default production connectivity.

Prinsip:

Account yang mengelola routing global tidak sama dengan account yang menyimpan data bisnis sensitif.

4. Network Account: The Chokepoint yang Harus Sengaja Dibangun

Network account adalah tempat untuk menaruh primitive yang memengaruhi connectivity lintas account.

Contoh resource yang sering dikelola di network account:

Transit Gateway
Cloud WAN core network
Direct Connect Gateway association
Site-to-Site VPN attachment
centralized ingress VPC
centralized egress VPC
inspection VPC
shared interface endpoints
Route 53 Resolver inbound/outbound endpoints
Network Firewall
Gateway Load Balancer appliances
IPAM administration
network automation pipeline

Network account bukan berarti semua traffic harus dipaksa lewat satu VPC. Itu anti-pattern jika dilakukan buta.

Makna yang benar:

Network account owns the policy and shared control points.
Workload accounts own their local workload and local blast radius.

5. Multi-Account Network = Graph, Bukan Tree

Organizational hierarchy biasanya tree:

Org -> OU -> Account

Network reachability bukan tree. Ia graph.

Karena network adalah graph, governance harus menjawab:

node mana boleh attach?
edge mana boleh dibuat?
route mana boleh dipropagate?
DNS name mana boleh resolve ke mana?
traffic mana wajib inspect?
traffic mana dilarang transitive?

6. Routing Domain: Unit Segmentation yang Sering Dilupakan

Di AWS, segmentation bukan hanya akun dan VPC. Segmentation sebenarnya hidup di route domain.

Route domain adalah kumpulan route table dan propagation rule yang menentukan reachability.

Contoh route domain:

prod-core
nonprod-core
shared-services
internet-egress
inspection
partner
regulated
sandbox

Transit Gateway route table atau Cloud WAN segment dapat menjadi route domain.

Pattern sederhananya:

Prinsip penting:

Jangan membuat semua attachment propagate ke semua route table.

Itu mengubah TGW menjadi flat LAN raksasa.


7. Golden Invariants untuk Multi-Account Networking

Invariant adalah aturan yang harus tetap benar walaupun jumlah account, team, dan workload bertambah.

Invariant 1 — Tidak ada CIDR overlap tanpa desain explicit

CIDR overlap membatasi VPC Peering, Transit Gateway, VPN, Direct Connect, DNS, observability, dan incident response.

Gunakan IPAM atau minimal registry yang enforced by automation.

BAD:
Team bebas memilih 10.0.0.0/16.

GOOD:
Account/VPC creation meminta CIDR dari pool terkontrol.

Invariant 2 — Semua inter-account connectivity punya owner

Jangan ada koneksi orphan:

pcx-... created 2 years ago, nobody knows why
TGW attachment without business owner
resolver rule forwarding to unknown DNS server
public hosted zone delegated but no owner

Minimal metadata:

owner: platform-network
business_service: payments
source_account: prod-payments
connected_to: shared-services
approved_by: security-architecture
data_classification: confidential
expiry_review: 2026-12-31

Invariant 3 — Internet egress harus diketahui

Pertanyaan audit:

Dari account mana workload bisa keluar ke internet?
Melalui NAT mana?
Apakah diinspect?
Apakah DNS-nya difilter?
Apakah egress domain allowlist/blocklist diterapkan?

Jika jawabannya “tergantung VPC masing-masing”, desain belum matang.

Invariant 4 — Ingress publik harus sempit

Public ingress sebaiknya hanya melalui entrypoint yang terkontrol:

CloudFront + WAF
Global Accelerator + NLB/ALB
public ALB with WAF
API Gateway + WAF

Bukan:

random public EC2
random public RDS
random public OpenSearch

Invariant 5 — DNS authority harus jelas

Network failure sering terlihat seperti app failure karena DNS salah.

Harus jelas:

public zone dikelola account mana?
private zone dikelola account mana?
zone mana associate ke VPC mana?
resolver forwarding rule dibuat siapa?
on-prem domain diarahkan ke mana?
AWS private domain diarahkan ke mana?

Invariant 6 — Prod dan non-prod tidak otomatis transitive

Non-prod sering punya kontrol lebih longgar.

Jangan membuat:

nonprod -> shared -> prod

kecuali route, SG, DNS, dan auth layer memang mendukung boundary itu.

Invariant 7 — Shared services bukan dump semua dependency

Shared services account sering menjadi “mini-monolith platform”.

Setiap service shared harus punya:

consumer model
network exposure model
auth model
logging model
rate limit model
backup/failover model
owner

Invariant 8 — Semua shared network primitive harus IaC-managed

Manual network change adalah sumber outage yang sulit direkonstruksi.

Minimal semua resource berikut harus dikelola IaC:

VPC CIDR
subnet
route table
TGW attachment
TGW route table association/propagation
peering route
resolver rule association
endpoint
security group baseline
NACL baseline
NAT route
egress inspection route
CloudFront/WAF entrypoint

8. Centralized vs Decentralized Networking

Tidak ada jawaban tunggal. Yang ada adalah trade-off.

8.1 Fully decentralized

Setiap workload account punya VPC, NAT, endpoints, routes sendiri.

+ autonomy tinggi
+ blast radius lokal
+ sederhana untuk team kecil
- policy drift
- cost duplication
- sulit audit
- sulit hybrid connectivity
- sulit enforce inspection

Cocok untuk:

startup kecil
isolated workloads
sandbox/experiment
highly autonomous product units dengan guardrail kuat

8.2 Fully centralized

Semua ingress, egress, inspection, endpoints, DNS, hybrid connectivity melalui network account.

+ governance kuat
+ audit mudah
+ consistent egress/inspection
+ hybrid simpler
- central bottleneck
- routing complexity tinggi
- blast radius network account besar
- potential cross-AZ/cross-region cost
- platform team bisa jadi blocker

Cocok untuk:

regulated enterprise
hybrid-heavy organization
strict egress control
central security inspection requirement

8.3 Federated platform model

Network account mengontrol global primitive dan guardrail. Workload account tetap memiliki local VPC sesuai module standar.

+ scalable ownership
+ consistent baseline
+ local autonomy
+ governance tetap kuat
- butuh automation matang
- butuh contract jelas
- butuh observability lintas account

Ini biasanya pilihan paling sehat untuk organisasi besar.


9. Three Planes of Multi-Account Networking

Untuk desain serius, pisahkan tiga plane.

9.1 Control plane

Siapa boleh membuat dan mengubah network?

AWS Organizations
IAM roles
SCP
RAM share
CloudFormation/Terraform pipelines
approval workflow
config rules
service control guardrails

9.2 Data plane

Traffic benar-benar lewat mana?

VPC route table
TGW route table
Cloud WAN segment
NAT Gateway
Network Firewall
GWLB appliance
PrivateLink endpoint
CloudFront edge
Global Accelerator edge
Direct Connect/VPN

9.3 Observability plane

Bagaimana membuktikan apa yang terjadi?

VPC Flow Logs
TGW Flow Logs
Route 53 Resolver query logs
Network Firewall logs
WAF logs
CloudFront logs
ELB access logs
CloudTrail
AWS Config
Reachability Analyzer
Network Access Analyzer
CloudWatch metrics

Desain buruk biasanya mencampur tiga plane ini dalam satu pikiran:

"Karena IaC bilang route ada, berarti traffic pasti lewat sana."

Tidak cukup. Control plane intent harus diverifikasi dengan data plane evidence.


10. Shared VPC vs Separate VPC per Account

AWS memungkinkan subnet sharing melalui Resource Access Manager, sehingga satu VPC/subnet dapat digunakan oleh beberapa account. Ini berguna, tapi jangan otomatis menjadi default.

10.1 Shared VPC mental model

Network owner owns:

VPC
subnet
route table
NACL
gateway
network-level structure

Participant account owns resources it launches:

EC2
ECS/EKS worker/node resources if applicable
ENI created by participant-owned resources
security groups depending on service/resource model

10.2 When shared VPC makes sense

central network team must own subnet/routing strictly
many small workload accounts use common network zones
legacy migration wants fewer VPCs
platform wants standardized subnet placement

10.3 When separate VPC per account is better

application needs route autonomy
blast radius must be account-local
team needs isolated VPC-level quotas/settings
security boundary should be stronger
multi-region/cell architecture needs repeated units

10.4 Hidden risk

Shared VPC can blur responsibility:

App team: network team owns route.
Network team: app team owns SG.
Security team: nobody knows why this traffic exists.

So if shared VPC is used, define a responsibility matrix.

ConcernNetwork OwnerParticipant AccountSecurity Team
CIDR/subnetOwnsConsumesAudits
Route tableOwnsRequests changesAudits
NACLOwnsRequests exceptionsAudits
SGProvides baseline / guardrailOwns app-specific rulesAudits risky rules
Flow LogsOwns destination/policyConsumes evidenceMonitors
Incident isolationExecutes network containmentExecutes app containmentCoordinates

11. Multi-Account DNS Foundation

DNS adalah control plane kedua.

Banyak architecture review fokus pada route, tetapi lupa bahwa route hanya bekerja jika name resolution mengarah ke IP yang benar.

11.1 DNS authority map

Buat inventory seperti ini:

Zone / DomainTypeOwner AccountAssociated VPCsForwarding RulePurpose
example.compublic hosted zonedns-prodpublic internetnonepublic app names
corp.example.comprivate hosted zonedns-sharedprod/shared VPCsnoneinternal services
onprem.corpforwardeddns-shared/networkprod/nonprod/sharedoutbound resolver to on-premlegacy systems
aws.internalprivate hosted zonedns-sharedworkload VPCsnoneinternal AWS service names

11.2 Resolver architecture

11.3 DNS invariants

Do not create duplicate private zones with different records unless intentionally split-horizon.
Do not forward all DNS to on-prem by default without understanding AWS private names.
Do not depend on public DNS for private service discovery if private DNS is required.
Log resolver queries for sensitive environments.
Document PHZ association ownership.

12. Egress Foundation

Egress is where governance dreams go to die.

Jika setiap account membuat NAT Gateway sendiri, semua workload bisa keluar ke internet kecuali ada guardrail tambahan.

Ada tiga common model.

12.1 Local egress per workload VPC

Good:

simple
AZ-local
low central blast radius
team autonomy

Bad:

difficult central inspection
cost duplication
harder egress allowlist
harder audit

12.2 Centralized egress VPC

Good:

central inspection
consistent egress policy
central NAT/domain filtering
clear audit path

Bad:

route complexity
TGW data processing cost
cross-AZ cost risk
central blast radius
must design appliance scaling and failover

12.3 No-internet private service access

Use VPC endpoints/PrivateLink for AWS services and internal SaaS/provider connectivity.

Good:

least public exposure
smaller egress surface
works for regulated workloads

Bad:

endpoint sprawl
Private DNS complexity
policy evaluation complexity
not every external dependency supports PrivateLink

Top-tier network platform often combines all three:

local egress for low-risk/simple accounts
central egress for regulated/prod accounts
VPC endpoints for AWS service access

13. Ingress Foundation

Ingress is not “open port 443”.

Ingress is a chain:

DNS -> edge -> L7/L4 entrypoint -> policy -> route -> target -> app authorization

Common ingress models:

ModelTypical ServicesFit
CDN-first public webRoute 53, CloudFront, WAF, ALB/S3/API GatewayWeb/API with cache/security/edge requirements
Anycast static ingressGlobal Accelerator, NLB/ALBTCP/UDP/static IP/low-latency multi-region apps
Regional public ALBRoute 53, ALB, WAFSimpler regional HTTP apps
Private ingressPrivateLink, internal ALB/NLB, VPC LatticeInternal services / partner / SaaS-style exposure
Hybrid ingressDirect Connect/VPN + internal LBOn-prem to AWS private apps

Ingress invariant:

Public inbound should be rare, named, logged, protected, and owned.

14. Shared Services: Connectivity Contract

Shared services are tempting because everyone needs them:

Active Directory / LDAP
internal DNS
certificate authority
artifact registry
CI/CD runners
observability endpoints
metadata/config service
bastion or SSM access pattern
central API gateways

But shared service connectivity must have a contract.

Example contract:

service: internal-artifact-registry
producer_account: shared-services-prod
producer_vpc: shared-prod-vpc
exposure_model: PrivateLink
consumer_accounts:
  - prod-apps-ou
  - nonprod-apps-ou
ports:
  - 443
identity_required: true
network_policy:
  allowed_sources:
    - prod workload endpoint SG
    - nonprod workload endpoint SG
logs:
  - NLB access logs
  - VPC Flow Logs
  - application audit logs
availability:
  azs: 3
  failover: multi-AZ NLB targets
review_cycle: quarterly

Without a contract, shared services become invisible dependencies.


15. Resource Sharing with RAM: Powerful but Easy to Abuse

AWS Resource Access Manager enables sharing supported resources across accounts or within AWS Organizations.

Common networking uses:

share Transit Gateway for VPC attachments
share subnets for VPC sharing
share Route 53 Resolver rules
share IPAM pools
share prefix lists

Principle:

Sharing a resource shares operational coupling.

Before sharing a resource, answer:

Who owns lifecycle?
Who approves participant accounts?
Who pays?
Who can detach/delete?
What happens during incident containment?
How is drift detected?
What logs prove usage?

16. Multi-Account CIDR Strategy

Without CIDR governance, you will eventually pay with migrations.

A practical hierarchy:

Enterprise private range
  Region pool
    Environment pool
      Business unit / product pool
        VPC allocation
          Subnet allocation

Example:

10.0.0.0/8 enterprise
10.32.0.0/11 ap-southeast-1
10.32.0.0/13 prod
10.40.0.0/13 nonprod
10.48.0.0/14 shared
10.52.0.0/14 network

VPC allocation example:

prod payments account       -> 10.32.0.0/16
prod case-management account -> 10.33.0.0/16
prod analytics account       -> 10.34.0.0/16
nonprod payments account     -> 10.40.0.0/16
shared services              -> 10.48.0.0/16
network inspection           -> 10.52.0.0/16

Subnet allocation inside VPC:

/20 per AZ per subnet class for large platforms
/24 or /23 for smaller specialized subnet classes
reserve future subnet classes from day one

CIDR design must include:

AWS workload ranges
on-prem ranges
partner/vendor ranges
future region ranges
IPv6 plan
overlap exception process

17. Environment Segmentation Model

Do not rely on naming.

prod-vpc
nonprod-vpc

Names do not isolate traffic. Routes do.

A useful segmentation table:

SourceDestinationDefault DecisionAllowed Mechanism
prod workloadprod shared servicesallow specificTGW route + SG + auth
nonprod workloadnonprod shared servicesallow specificTGW route + SG + auth
nonprod workloadprod workloaddeny defaultexception only, preferably service-level not network-wide
sandboxprod/nonproddenyno route
prod workloadinternetcontrolledendpoint or inspected egress
on-premprod workloadallow specificDX/VPN + TGW + firewall + SG
partnerinternal servicesservice-specificPrivateLink preferred

This table is more valuable than a beautiful architecture diagram.


18. Connectivity Pattern Decision Matrix

RequirementPreferAvoid
Two VPCs, simple direct private routing, low scaleVPC PeeringTGW if unnecessary
Many VPCs need controlled routingTransit Gateway / Cloud WANPeering mesh
Consumer should access only one service, not networkPrivateLink / VPC LatticeVPC Peering / TGW full routing
Cross-account application service mesh-like accessVPC LatticeManual peering per service
Centralized hybrid connectivityTGW + DX/VPNPer-VPC VPN sprawl
Centralized global network policyCloud WANMany independent TGWs without governance
Shared subnet ownershipVPC SharingDuplicating VPCs if network must be centrally owned
AWS service access without internetVPC EndpointsNAT to public service endpoint by default
Public web acceleration/securityCloudFront + WAFDirect public EC2
Static anycast IP / TCP accelerationGlobal AcceleratorDNS-only failover for low-latency TCP requirement

19. Platform API: Treat Networking as Product

For a large organization, network team should not ask every app team to understand every AWS networking primitive.

Expose a platform API or module catalog:

create workload VPC
attach workload VPC to route domain
request private service exposure
request shared service consumer access
request private hosted zone association
request egress exception
request partner connectivity
request public ingress

Behind each request, platform automation creates:

CIDR allocation
VPC/subnet/route tables
TGW attachment
route table association/propagation
security group baseline
endpoint baseline
resolver rule association
flow logs
tags/metadata
cost allocation
Config rules

This is how you avoid tribal knowledge.


20. Example: Enterprise Multi-Account Baseline

But never accept this diagram alone. Ask:

Which route table is ProdVpcA associated with?
Which routes does it receive?
Does DevVpc receive routes to ProdVpcA?
Does SharedVPC receive return routes to every workload?
Is inspection symmetric?
Where do DNS queries go?
Where are flow/firewall/DNS logs stored?
Can workload teams create public IGW route?
Can they create peering that bypasses TGW?

21. Failure Modes

21.1 Accidental full mesh through TGW

Symptom:

Dev can reach prod private IP.

Likely cause:

All TGW attachments propagate to one shared route table.

Fix:

separate TGW route tables per environment
explicit propagation
Network Access Analyzer policy
SCP guardrails for attachment creation

21.2 DNS route bypass

Symptom:

App calls prod-looking name but reaches nonprod/internal endpoint.

Likely cause:

duplicate private hosted zone
wrong VPC association
resolver forwarding rule precedence surprise

Fix:

central PHZ inventory
query logging
domain ownership model
review PHZ associations in IaC

21.3 Central egress outage

Symptom:

Many workloads cannot call external APIs.

Likely cause:

inspection appliance/NAT path failure
route table blackhole
AZ-local path not preserved

Fix:

multi-AZ inspection
per-AZ TGW attachment subnet design
health-based appliance routing if applicable
break-glass local egress plan for critical workloads

21.4 Orphan peering bypasses inspection

Symptom:

Two accounts communicate outside approved TGW path.

Likely cause:

manual VPC peering created by application admin

Fix:

SCP deny ec2:CreateVpcPeeringConnection except platform role
AWS Config rule / inventory
CloudTrail alert
route table drift detection

21.5 CIDR overlap blocks acquisition/migration

Symptom:

New business unit cannot connect to core network.

Likely cause:

both sides use 10.0.0.0/16 or broad overlapping RFC1918 ranges

Fix:

IPAM
NAT translation design
PrivateLink service-level exposure
long-term renumbering plan

22. Governance Controls That Actually Matter

22.1 Prevent bypass creation

Use SCP/IAM guardrails for actions like:

ec2:CreateVpcPeeringConnection
ec2:AcceptVpcPeeringConnection
ec2:CreateTransitGatewayVpcAttachment
ec2:CreateInternetGateway
ec2:AttachInternetGateway
ec2:CreateNatGateway
ec2:CreateRoute
ec2:ReplaceRoute
ec2:AssociateRouteTable
route53:CreateHostedZone
route53resolver:CreateResolverRule
ram:CreateResourceShare

Do not blindly deny all. Build exception roles and pipelines.

22.2 Enforce logging baseline

Every production VPC should have:

VPC Flow Logs
Route 53 Resolver query logs where relevant
ELB/ALB/NLB access logs where relevant
CloudFront logs for public edge
WAF logs for protected web entrypoints
Network Firewall logs for inspection paths
CloudTrail and Config

22.3 Enforce tagging and metadata

Tags are not just billing labels. They are incident response metadata.

Minimum network tags:

environment: prod | nonprod | sandbox
owner: team/platform
business_service: name
network_domain: prod-core | shared | inspection | sandbox
data_classification: public | internal | confidential | restricted
connectivity_approved_by: person/team
created_by_pipeline: true

22.4 Drift detection

Network drift is dangerous because it changes reachability silently.

Detect:

route table route changed outside pipeline
new peering created
new IGW route added
new resolver forwarding rule created
new public subnet created
new wildcard SG ingress added
NACL changed
new endpoint policy changed to allow all

23. Design Review Checklist

Use this before approving a new multi-account network design.

Account and ownership

Which accounts exist and why?
Who owns network account?
Who owns DNS?
Who owns shared services?
Who approves connectivity changes?
Who can break-glass during incident?

IP and topology

Are VPC CIDRs non-overlapping?
Are future regions reserved?
Are subnet classes sized for growth?
Are route domains documented?
Are prod/nonprod/sandbox separated by route, not name?

Connectivity

Which VPCs can talk to which VPCs?
Is connectivity network-wide or service-specific?
Is PrivateLink better than routing?
Is TGW/Cloud WAN justified?
Is VPC Peering becoming a mesh?

Ingress and egress

Where does public traffic enter?
Is WAF/CloudFront/GA/ALB required?
Where does internet egress happen?
Is egress inspected?
Are AWS service calls using endpoints?

DNS

Where are public hosted zones?
Where are private hosted zones?
How are VPC associations controlled?
How does on-prem DNS interact?
Are resolver query logs enabled?

Security and governance

What SCP prevents bypass?
What IAM role can mutate routes?
Are endpoint policies least privilege?
Are SG/NACL baselines defined?
Are firewall policies central or local?

Observability and operations

Can we prove packet path?
Where are Flow Logs stored?
Can security query logs across accounts?
Is there a runbook for reachability failure?
Is cost attribution available?

24. Implementation Blueprint

A practical build order:

1. Define account taxonomy and OUs.
2. Define IPAM pool hierarchy.
3. Define network account and DNS/shared-services accounts.
4. Create VPC module standard.
5. Create logging baseline.
6. Create central route domains.
7. Create egress/ingress baseline.
8. Create resolver baseline.
9. Add workload VPC attachment workflow.
10. Add connectivity request workflow.
11. Add drift detection and policy guardrails.
12. Add periodic reachability review.

Do not start with “deploy TGW”.

Start with ownership and invariants. TGW is only a router.


25. Minimal Platform Contract Example

network_contract_version: 1
account:
  id: "123456789012"
  name: prod-payments
  environment: prod
  owner: payments-platform
vpc:
  cidr_source: ipam
  region: ap-southeast-1
  subnet_classes:
    - private-app
    - private-data
    - endpoint
connectivity:
  route_domain: prod-core
  allowed_destinations:
    - shared-services:443
    - inspection-egress:0.0.0.0/0
  denied_destinations:
    - nonprod-core
    - sandbox
internet:
  ingress: none
  egress: centralized-inspected
dns:
  private_zones:
    - corp.example.com
  resolver_rules:
    - onprem.corp
observability:
  flow_logs: required
  resolver_query_logs: required
  logs_destination: log-archive
change_control:
  route_changes: platform-pipeline-only
  peering: denied
  tgw_attachment: platform-approved

A contract like this is more useful than a 60-page network diagram.


26. What Excellent Looks Like

A mature multi-account networking platform has these properties:

A new workload account can be created without inventing networking from scratch.
CIDR allocation is automated and non-overlapping.
Every connectivity path has owner, purpose, and review cycle.
Prod/non-prod/sandbox are segmented by route domain and policy.
Public ingress is narrow and protected.
Internet egress is known and measurable.
DNS ownership is explicit.
Shared services expose contracts, not tribal routes.
Bypass mechanisms are blocked or alerted.
Packet path can be proven from logs and analyzers.
Cost is attributable to account/service/path.
Incident containment can remove routes or attachments safely.

That is the difference between “we use AWS networking” and “we operate a cloud network platform”.


27. Key Takeaways

Multi-account networking is not primarily about AWS account count. It is about ownership and controlled reachability.

Remember these mental anchors:

Account boundary is administrative, not automatically network-isolating.
Route domains are the real segmentation primitive.
DNS is part of the network control plane.
Shared services require contracts.
Centralization improves governance but can create bottlenecks.
Decentralization improves autonomy but can create drift.
The right model is usually federated: central guardrails, local workload ownership.

In the next part, we zoom into the simplest direct VPC-to-VPC connectivity primitive: VPC Peering.

We will treat it not as a checkbox, but as a design tool with strict scaling limits, route semantics, DNS behavior, and failure modes.


References

  • AWS Prescriptive Guidance — Infrastructure OU: Network account
  • AWS Prescriptive Guidance — Infrastructure OU: Shared Services account
  • AWS Prescriptive Guidance — Transitioning to multiple AWS accounts
  • AWS Prescriptive Guidance — Network connectivity for a multi-account architecture
  • AWS Transit Gateway documentation — shared transit gateways and AWS RAM
  • AWS Resource Access Manager documentation — sharing resources across AWS Organizations
  • AWS VPC documentation — VPC, route tables, endpoints, DNS, and flow logs
Lesson Recap

You just completed lesson 21 in build core. Use the series map if you want to review the broader track, or continue directly into the next lesson while the context is still warm.

Continue The Track

Keep the momentum while the lesson is still fresh. Move backward for review or continue forward into the next concept.