AWS Organizations and AWS Resource Access Manager (AWS RAM) (for example, multi-account Transit Gateway, Direct Connect, Amazon VPC,Route 53)

Task Statement 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud.

📘AWS Certified Advanced Networking – Specialty

1. Why This Topic Is Important for the Exam

In large AWS environments, companies do not use a single AWS account. Instead, they use multiple AWS accounts for:

  • Security isolation
  • Cost management
  • Team separation
  • Compliance requirements

For networking, this creates a challenge:
👉 How do you connect and share network resources across multiple AWS accounts?

This is where:

  • AWS Organizations
  • AWS Resource Access Manager (AWS RAM)

become critical.

2. AWS Organizations (Foundation of Multi-Account Design)

2.1 What is AWS Organizations?

AWS Organizations is a service that helps you:

  • Manage multiple AWS accounts centrally
  • Apply policies across accounts
  • Control permissions and billing

2.2 Key Components

1. Organization

A collection of AWS accounts.

2. Management Account (Root Account)

  • The main account that controls the organization
  • Can create and manage other accounts

3. Member Accounts

  • Individual AWS accounts inside the organization
  • Used for workloads (e.g., networking, applications)

4. Organizational Units (OUs)

  • Logical grouping of accounts
  • Used to apply policies

Example structure:

Root
 ├── Networking OU
 │    ├── Network Account
 ├── Application OU
 │    ├── App Account 1
 │    ├── App Account 2

2.3 Service Control Policies (SCPs)

SCPs define maximum permissions for accounts.

Important exam points:

  • SCPs do NOT grant permissions
  • They only limit permissions
  • Applied at:
    • Organization level
    • OU level
    • Account level

2.4 Why AWS Organizations Matters for Networking

It allows:

  • Centralized network control
  • Separation of networking and application accounts
  • Easier sharing of network resources

3. AWS Resource Access Manager (AWS RAM)

3.1 What is AWS RAM?

AWS RAM allows you to:

👉 Share AWS resources across accounts

Without AWS RAM:

  • Each account must create its own resources

With AWS RAM:

  • One account creates a resource
  • Other accounts can use it

3.2 Key Concepts

1. Resource Owner

  • Account that creates the resource

2. Resource Share

  • A container that defines:
    • Which resources are shared
    • Which accounts can access them

3. Principals

  • Accounts, OUs, or entire organization

3.3 Supported Resources (Important for Exam)

You must remember these:

  • Transit Gateway
  • Subnets (VPC sharing)
  • Route 53 Resolver rules
  • Prefix lists
  • License configurations

4. Multi-Account Networking Using AWS Organizations + AWS RAM

This is the most important part for the exam.

4.1 Centralized Networking Model

A common design:

  • One Network Account
  • Multiple Application Accounts

Network Account hosts:

  • Transit Gateway
  • Direct Connect
  • Shared services

Application Accounts:

  • Attach to shared resources

5. Multi-Account Transit Gateway (Very Important)

5.1 Problem

Each account has its own VPC, but needs connectivity.

5.2 Solution: Shared Transit Gateway

Steps:

  1. Create Transit Gateway in Network Account
  2. Share it using AWS RAM
  3. Other accounts:
    • Accept the share
    • Attach their VPCs to the Transit Gateway

5.3 Benefits

  • Centralized routing
  • Reduced complexity
  • Easier scaling

5.4 Key Exam Points

  • Transit Gateway can be shared via AWS RAM
  • Attachments are created in participant accounts
  • Route tables remain centrally managed

6. Multi-Account Direct Connect

6.1 Problem

Direct Connect is expensive and complex to manage per account.

6.2 Solution: Shared Direct Connect

Setup:

  1. Direct Connect created in Network Account
  2. Create:
    • Private Virtual Interface (VIF)
  3. Share VIF using AWS RAM
  4. Other accounts use the shared connection

6.3 Key Exam Points

  • Direct Connect Gateway can be shared
  • Multiple VPCs across accounts can connect
  • Works with Transit Gateway for scalability

7. VPC Sharing (Using AWS RAM)

7.1 What is VPC Sharing?

Allows multiple accounts to use:

👉 Same VPC (subnets)

7.2 How It Works

  • VPC owner account shares subnets
  • Other accounts:
    • Launch resources into shared subnets

7.3 Important Rules

  • Only subnets are shared (not entire VPC control)
  • VPC owner controls:
    • Route tables
    • Security groups (unless delegated)

7.4 Benefits

  • Centralized network management
  • Reduced IP address conflicts
  • Better security control

7.5 Exam Tips

  • Resources (like EC2) run in participant accounts
  • Networking remains in owner account

8. Route 53 and AWS RAM

8.1 What Can Be Shared?

Using AWS RAM:

  • Route 53 Resolver rules

8.2 Use Case

  • Central DNS resolution account
  • Shared rules across accounts

8.3 Key Points

  • Simplifies DNS architecture
  • Enables hybrid DNS (on-prem + AWS)

9. Integration with On-Premises Networks

This topic is directly tied to the main exam objective.

9.1 Centralized Hybrid Connectivity

Using:

  • AWS Organizations
  • AWS RAM
  • Transit Gateway
  • Direct Connect / VPN

You can:

  • Connect on-premises network once
  • Share connectivity with all accounts

9.2 Architecture Flow

  1. On-premises connects to:
    • Direct Connect or VPN
  2. Connects to:
    • Transit Gateway (Network Account)
  3. Transit Gateway connects to:
    • VPCs in multiple accounts

9.3 Benefits

  • Single connection point
  • Reduced cost
  • Centralized control

10. Security Considerations

10.1 Using AWS Organizations

  • Apply SCPs to:
    • Restrict network changes
    • Prevent unauthorized resource sharing

10.2 Using AWS RAM

  • Share only required resources
  • Use least privilege principle

10.3 Isolation

  • Each account remains isolated
  • Only shared resources are accessible

11. Common Exam Scenarios

You should be able to answer:

Scenario 1:

Question: How to connect multiple VPCs across accounts?

Answer:

  • Use Transit Gateway
  • Share using AWS RAM

Scenario 2:

Question: How to allow multiple accounts to use the same network?

Answer:

  • Use VPC sharing via AWS RAM

Scenario 3:

Question: How to centralize Direct Connect?

Answer:

  • Use shared Direct Connect Gateway
  • Integrate with Transit Gateway

Scenario 4:

Question: How to enforce restrictions across accounts?

Answer:

  • Use AWS Organizations + SCPs

12. Key Differences (Very Important for Exam)

FeatureAWS OrganizationsAWS RAM
PurposeAccount managementResource sharing
ScopeEntire organizationSpecific resources
ControlsPolicies (SCPs)Access to resources
Used forGovernanceNetworking sharing

13. Final Exam Tips

You must remember:

  • AWS Organizations = Account control
  • AWS RAM = Resource sharing
  • Transit Gateway = Central hub
  • Direct Connect = Hybrid connectivity
  • VPC Sharing = Shared subnets across accounts
  • Route 53 Resolver = Central DNS

14. Simple Summary

  • AWS Organizations organizes accounts
  • AWS RAM shares resources between accounts
  • Together they enable:
    • Centralized networking
    • Multi-account connectivity
    • Hybrid cloud integration
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by