Task Statement 1.6: Design a routing strategy and connectivity architecture that include multiple AWS accounts, AWS Regions, and VPCs to support different connectivity patterns.
📘AWS Certified Advanced Networking – Specialty
🔷 What is VPC Sharing?
VPC Sharing allows multiple AWS accounts to use the same Amazon VPC (Virtual Private Cloud) and its resources.
- The VPC owner account creates and manages the VPC.
- Participant accounts can use subnets inside that VPC.
- Each account still retains account-level isolation, but shares the network infrastructure.
This is enabled using AWS Resource Access Manager (RAM).
🔷 Key Capabilities of VPC Sharing
1. Shared Networking Across Accounts
- A single VPC can be shared with multiple AWS accounts.
- Participant accounts can launch resources (like EC2 instances) into shared subnets.
- Networking components (like route tables, NAT gateways, Internet Gateways) are centrally managed by the VPC owner.
2. Subnet-Level Isolation
- While the VPC is shared, subnets are assigned to specific accounts.
- Each account can only use the subnets shared with it.
- This helps maintain logical separation within a shared network.
3. Independent Resource Management
- Participant accounts can:
  - Launch and manage their own EC2 instances
  - Attach their own security groups (depending on configuration)
- However, they cannot modify core VPC settings (like route tables or VPC CIDR).
4. Centralized Network Control
- The VPC owner controls:
  - CIDR blocks
  - Route tables
  - Network ACLs
  - Internet access and NAT configuration
- This ensures consistent and secure network design across all accounts.
🔷 Advantages of VPC Sharing
1. Reduced Operational Complexity
- Instead of managing multiple VPCs across accounts, teams use a central shared VPC.
- Network configuration is simplified and standardized.
2. Cost Optimization
- Shared infrastructure reduces duplication of:
  - NAT Gateways
  - VPN connections
  - Transit resources
- Fewer VPC-level components are needed overall.
3. Improved IP Address Management
- Centralized control avoids overlapping CIDR blocks across accounts.
- Easier planning of IP space for large organizations.
4. Faster Environment Provisioning
- New teams or projects can quickly use pre-created shared subnets.
- No need to build networking from scratch in every account.
5. Strong Governance and Compliance
- Network security and routing rules are controlled centrally.
- Easier to enforce policies such as:
  - Traffic inspection
  - Logging
  - Controlled internet access
6. Multi-Tenant Architecture Support
- Useful for:
  - Different business units
  - Development, testing, and production environments
  - Separate teams or projects
- Each account remains isolated at the AWS account level, but shares network infrastructure.
🔷 How VPC Sharing Works (Conceptually)
- The VPC owner creates a VPC.
- The owner shares the VPC (or specific subnets) using AWS RAM.
- Participant accounts accept the share.
- Participant accounts can:
  - Launch resources into shared subnets
- The VPC owner manages routing and network configuration.
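The flow above, as an added Terraform example (this is not code from the original page or from AWS): the owner account creates the VPC and one subnet, shares only that subnet through AWS RAM with a single participant account, and the participant accepts the share and launches an instance into it with its own security group. The account IDs, role names, region, CIDR blocks and AMI ID are placeholders.

```hcl
# Added example, not from the original page. All account IDs, role names,
# CIDRs and the AMI ID below are placeholders.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# Owner account: creates and manages the VPC and all of its networking.
provider "aws" {
  alias  = "owner"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/NetworkAdmin" # placeholder
  }
}

# Participant account: may only launch resources into subnets shared with it.
provider "aws" {
  alias  = "participant"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/WorkloadAdmin" # placeholder
  }
}

# --- Owner side ------------------------------------------------------------

resource "aws_vpc" "shared" {
  provider   = aws.owner
  cidr_block = "10.20.0.0/16"
  tags       = { Name = "shared-vpc" }
}

# Only this subnet is shared; route tables, IGW and NAT stay owner-managed.
resource "aws_subnet" "app_a" {
  provider          = aws.owner
  vpc_id            = aws_vpc.shared.id
  cidr_block        = "10.20.1.0/24"
  availability_zone = "us-east-1a"
  tags              = { Name = "shared-app-a" }
}

resource "aws_ram_resource_share" "subnets" {
  provider                  = aws.owner
  name                      = "shared-app-subnets"
  allow_external_principals = false # principals must be in the same AWS Organization
}

resource "aws_ram_resource_association" "app_a" {
  provider           = aws.owner
  resource_arn       = aws_subnet.app_a.arn
  resource_share_arn = aws_ram_resource_share.subnets.arn
}

# Subnet-level isolation: the share names exactly which account gets this subnet.
resource "aws_ram_principal_association" "workload_account" {
  provider           = aws.owner
  principal          = "222222222222" # placeholder participant account ID
  resource_share_arn = aws_ram_resource_share.subnets.arn
}

# --- Participant side ------------------------------------------------------

# Accept the invitation (required unless RAM sharing with AWS Organizations is
# enabled, in which case acceptance is automatic).
resource "aws_ram_resource_share_accepter" "accept" {
  provider  = aws.participant
  share_arn = aws_ram_principal_association.workload_account.resource_share_arn
}

# Participants own their security groups, but the group lives in the owner's VPC.
resource "aws_security_group" "app" {
  provider   = aws.participant
  name       = "app-sg"
  vpc_id     = aws_vpc.shared.id
  depends_on = [aws_ram_resource_share_accepter.accept]

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The instance is owned and billed to the participant, but it sits in the
# owner's subnet and follows the owner's route table and network ACLs.
resource "aws_instance" "app" {
  provider               = aws.participant
  ami                    = "ami-0123456789abcdef0" # placeholder
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.app_a.id
  vpc_security_group_ids = [aws_security_group.app.id]
  depends_on             = [aws_ram_resource_share_accepter.accept]
}
```

Note that the participant references the owner's VPC and subnet IDs directly: a participant can describe shared subnets and create security groups and ENIs in them, but `terraform plan` under the participant role would fail on any attempt to touch the VPC's route tables, gateways or CIDR, which is exactly the division of control described above.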
🔷 Security Considerations
- Account-level isolation still applies:
  - IAM policies control what each account can do.
  - Subnets can be shared with specific accounts only.
- Security groups can be:
  - Managed per account
  - Or controlled centrally (depending on setup)
- Network traffic control still depends on:
  - Route tables
  - NACLs
  - Security groups
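The IAM side of this, as an added Terraform example (not from the original page): a participant account narrows what its own application role may do with the subnets shared into it, so that instances can be launched only into two approved shared subnets and nowhere else. The region, account IDs, subnet IDs and role name are placeholders, and the example assumes the role holds no other EC2 launch permissions.

```hcl
# Added example, not from the original page. Region, account IDs, subnet IDs
# and the role name are placeholders.

locals {
  region           = "us-east-1"
  owner_account_id = "111111111111" # VPC owner account (placeholder)
  allowed_subnets = [               # shared subnets this role may use (placeholder)
    "subnet-0aaa0000000000001",
    "subnet-0bbb0000000000002",
  ]
}

data "aws_iam_policy_document" "launch_in_shared_subnets" {
  # Read-only visibility so users can list the shared subnets they may use.
  statement {
    sid    = "DescribeNetwork"
    effect = "Allow"
    actions = [
      "ec2:DescribeSubnets",
      "ec2:DescribeVpcs",
      "ec2:DescribeInstances",
      "ec2:DescribeSecurityGroups",
    ]
    resources = ["*"]
  }

  # RunInstances is authorised per resource ARN. Listing only the approved
  # subnets means a launch into any other subnet is implicitly denied.
  # Shared subnet ARNs carry the OWNER account ID, not the participant's.
  statement {
    sid     = "RunInstancesOnlyInApprovedSharedSubnets"
    effect  = "Allow"
    actions = ["ec2:RunInstances"]
    resources = concat(
      [for s in local.allowed_subnets :
        "arn:aws:ec2:${local.region}:${local.owner_account_id}:subnet/${s}"
      ],
      [
        # Other resource types RunInstances must be allowed on; the "*" account
        # field covers participant-owned security groups, ENIs and volumes.
        "arn:aws:ec2:${local.region}::image/ami-*",
        "arn:aws:ec2:${local.region}:*:instance/*",
        "arn:aws:ec2:${local.region}:*:network-interface/*",
        "arn:aws:ec2:${local.region}:*:volume/*",
        "arn:aws:ec2:${local.region}:*:security-group/*",
        "arn:aws:ec2:${local.region}:*:key-pair/*",
      ]
    )
  }
}

resource "aws_iam_policy" "launch_in_shared_subnets" {
  name   = "LaunchOnlyInSharedSubnets"
  policy = data.aws_iam_policy_document.launch_in_shared_subnets.json
}

resource "aws_iam_role_policy_attachment" "app_role" {
  role       = "WorkloadAdmin" # placeholder role in the participant account
  policy_arn = aws_iam_policy.launch_in_shared_subnets.arn
}
```

This relies on IAM's implicit deny, so it only holds if the role carries no broader `ec2:*` or `ec2:RunInstances` allow from another policy; if it does, add an explicit `Deny` statement for `ec2:RunInstances` using `not_resources` with the same approved subnet list, since allows are additive across policies but an explicit deny always wins.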
🔷 Limitations of VPC Sharing
1. Not All Resources Are Shared
- Only subnets are shared.
- Other resources remain controlled by the VPC owner, including:
  - Internet Gateways
  - NAT Gateways
  - Route Tables
2. No Cross-VPC Traffic Control via VPC Sharing
- VPC Sharing is not the same as VPC Peering or Transit Gateway.
- It does not connect different VPCs—it shares one VPC across accounts.
3. Limited Flexibility for Participant Accounts
- Participant accounts cannot:
  - Modify network topology
  - Change route tables
  - Create Internet Gateways
4. Requires Planning for CIDR and IP Usage
- IP address planning is critical because:
  - Multiple accounts share the same IP space
  - Overlapping or poor planning can lead to issues
🔷 VPC Sharing vs Other Connectivity Options (Exam Tip)
| Feature | VPC Sharing | VPC Peering | Transit Gateway |
|---|---|---|---|
| Shared VPC across accounts | ✅ | ❌ | ❌ |
| Centralized network control | ✅ | ❌ | Partial |
| Connect multiple VPCs | ❌ | Limited | ✅ |
| Scalable for many VPCs | Limited | No | ✅ |
| Cross-region support | ❌ | Limited | ✅ |
🔷 When to Use VPC Sharing (Exam Scenarios)
Use VPC Sharing when:
- You want centralized networking in one account
- Multiple teams or accounts need to:
  - Use the same network
  - Launch resources in shared subnets
- You need:
  - Strong governance
  - Consistent network architecture
- You are designing multi-account architectures with shared infrastructure
🔷 When NOT to Use VPC Sharing
Avoid VPC Sharing when:
- You need full network isolation per account
- You want fully independent VPCs per workload
- You need complex inter-VPC routing across regions
- You require advanced routing control between VPCs
In such cases, use:
- AWS Transit Gateway
- VPC Peering
- PrivateLink
🔷 Exam Tips
- VPC Sharing is always within a single VPC (not between VPCs).
- It is enabled using AWS RAM.
- The VPC owner controls the network; participant accounts only use it.
- It is ideal for multi-account environments with centralized networking.
- Remember:
👉 Shared network, but separate accounts
🔷 Simple Summary
VPC Sharing allows multiple AWS accounts to use the same VPC while keeping control centralized in one account. It reduces complexity, improves security governance, and enables efficient multi-account networking. However, it does not replace inter-VPC connectivity solutions like Transit Gateway or VPC Peering.
