Resource sharing across AWS accounts

Task Statement 1.5: Design a routing strategy and connectivity architecture between on-premises networks and the AWS Cloud.

📘AWS Certified Advanced Networking – Specialty

1. Introduction

In many organizations, different teams, departments, or projects use separate AWS accounts. This is a recommended best practice because it provides:

  • Security isolation
  • Billing separation
  • Better management of resources
  • Controlled access between teams

However, even when accounts are separated, network resources often need to be shared.

For example, multiple accounts may need access to:

  • A centralized network
  • Shared subnets
  • A transit gateway
  • Private connectivity to on-premises infrastructure
  • Shared services such as DNS or security inspection

To support this, AWS provides several resource-sharing mechanisms.

Understanding these mechanisms is important for the exam, especially when designing connectivity between on-premises networks and AWS across multiple accounts.

2. Why Organizations Use Multiple AWS Accounts

Before learning resource sharing, it is important to understand why multiple AWS accounts exist.

Organizations commonly use multiple accounts for:

Security Isolation

Each account acts as a security boundary.

If a problem occurs in one account, it does not automatically affect other accounts.

Access Control

Different teams can have different permissions.

Example in an IT environment:

  • Networking team manages VPCs and connectivity.
  • Application teams deploy servers.
  • Security team monitors logs.

Billing Management

Costs can be tracked separately for each account.

Compliance

Certain workloads must be isolated for regulatory requirements.

Because of this separation, network connectivity must still allow controlled communication between accounts.

3. Key AWS Services Used for Resource Sharing

Several AWS services support cross-account resource sharing.

Important services include:

  • AWS Resource Access Manager (RAM)
  • Amazon VPC sharing
  • AWS Transit Gateway sharing
  • AWS Organizations
  • AWS PrivateLink
  • Amazon Route 53 Resolver sharing

Each of these enables controlled sharing of network resources across accounts.

4. AWS Resource Access Manager (AWS RAM)

What It Is

AWS Resource Access Manager (AWS RAM) is the primary service used to share AWS resources across multiple AWS accounts.

It allows an account to grant access to specific resources without transferring ownership.

The resource stays in the owner account, but other accounts can use it.

How AWS RAM Works

The process works as follows:

  1. Resource owner creates a resource share.
  2. The owner selects resources to share.
  3. The owner specifies which accounts can access the resource.
  4. The receiving account accepts the share (unless automatic acceptance is enabled).

After acceptance, the receiving account can use the shared resource.

Resources That Can Be Shared Using AWS RAM

Common networking resources that can be shared include:

  • Subnets
  • Transit Gateways
  • Route 53 Resolver rules
  • Prefix lists
  • Network firewall policies
  • License Manager configurations

These resources can be shared with:

  • Individual AWS accounts
  • Accounts in AWS Organizations
  • Organizational units (OUs)

5. VPC Sharing

Overview

Amazon VPC sharing allows multiple AWS accounts to deploy resources into the same VPC.

This is commonly used in centralized networking architectures.

How VPC Sharing Works

One account is designated as the VPC owner account.

Other accounts are called participant accounts.

The owner shares subnets using AWS RAM.

Participant accounts can then launch resources such as:

  • EC2 instances
  • Containers
  • Databases

inside the shared subnets.

Roles in VPC Sharing

VPC Owner Account

Responsible for:

  • Creating the VPC
  • Managing subnets
  • Configuring route tables
  • Configuring security controls

Participant Accounts

Responsible for:

  • Launching application resources
  • Managing instances
  • Managing application-level configuration

Participant accounts cannot modify the network configuration.

Benefits of VPC Sharing

Advantages include:

Centralized network control
Simplified architecture
Reduced VPC sprawl
Improved security governance

This model allows the networking team to control infrastructure, while application teams deploy workloads.

6. Transit Gateway Sharing

Overview

**AWS Transit Gateway is a highly scalable routing hub that connects multiple networks.

It can connect:

  • Multiple VPCs
  • Multiple AWS accounts
  • On-premises networks
  • VPN connections
  • Direct Connect gateways

Cross-Account Transit Gateway Sharing

A central networking account typically owns the Transit Gateway.

Using AWS RAM, the Transit Gateway can be shared with other accounts.

Those accounts can then create VPC attachments to connect their VPCs.

Benefits

Transit Gateway sharing enables:

  • Centralized routing control
  • Simplified hybrid connectivity
  • Reduced number of VPN tunnels
  • Scalable multi-account networking

This is commonly used in hub-and-spoke architectures.

7. AWS PrivateLink for Cross-Account Services

Overview

**AWS PrivateLink allows private access to services across accounts without exposing them to the internet.

PrivateLink uses interface endpoints.

How It Works

A service provider:

  • Hosts a service behind a Network Load Balancer

A consumer account:

  • Creates an interface endpoint
  • Connects privately to the service

Traffic remains inside the AWS network.

Benefits

PrivateLink provides:

  • Secure service access
  • No VPC peering required
  • No route table changes
  • Strong network isolation

It is often used for:

  • Shared internal APIs
  • Security inspection services
  • Shared monitoring services

8. Route 53 Resolver Rule Sharing

**Amazon Route 53 Resolver rules can also be shared using AWS RAM.

This is useful when organizations centralize DNS resolution.

Example architecture:

  • A central DNS account manages inbound and outbound resolvers.
  • Resolver rules are shared with other accounts.
  • Other VPCs can use centralized DNS.

This simplifies DNS management across many accounts.

9. Integration with AWS Organizations

**AWS Organizations simplifies cross-account sharing.

Benefits include:

Automatic resource sharing across accounts
Central governance
Simplified account management

When AWS RAM is integrated with Organizations:

  • Shares can automatically apply to entire organizational units (OUs).
  • New accounts can automatically receive shared resources.

This reduces administrative overhead.

10. Security Considerations

When sharing resources across accounts, several security practices are important.

Principle of Least Privilege

Grant only the minimum permissions required.

Centralized Network Control

Network resources should typically be owned by a central networking account.

This ensures consistent configuration.

Monitoring and Logging

Use monitoring services such as:

  • Amazon CloudWatch
  • AWS CloudTrail

to track resource usage and access.

Resource Ownership Awareness

Even when shared, the original account still owns the resource.

Only that account can delete or fully modify it.

11. Common Multi-Account Network Architectures

For the exam, you should understand common architectures.

Centralized Networking Model

In this model:

  • One account manages the network.
  • Other accounts host applications.

Shared resources include:

  • VPC subnets
  • Transit gateways
  • DNS services

This model improves governance and security.

Hub-and-Spoke Architecture

In this design:

Central hub account contains:

  • Transit Gateway
  • Security inspection
  • Shared services

Spoke accounts contain:

  • Application workloads

Traffic routes through the central hub.

This simplifies hybrid connectivity to on-premises networks.

12. Exam Tips for AWS Advanced Networking

Important concepts to remember:

1. AWS RAM is the main tool for resource sharing.

2. VPC sharing allows multiple accounts to use the same VPC.

3. Transit Gateway sharing enables centralized routing across accounts.

4. PrivateLink provides private service connectivity across accounts.

5. AWS Organizations simplifies large-scale resource sharing.

6. Centralized networking architectures are commonly used in enterprise environments.

13. Key Summary

Resource sharing across AWS accounts is essential for large, multi-account cloud environments.

Key points:

  • AWS environments commonly use multiple accounts for isolation and governance.
  • AWS Resource Access Manager (RAM) enables controlled sharing of resources.
  • VPC sharing allows multiple accounts to deploy workloads in a common network.
  • Transit Gateway sharing enables scalable multi-account connectivity.
  • PrivateLink provides secure cross-account service access.
  • Route 53 Resolver sharing supports centralized DNS architecture.
  • AWS Organizations simplifies management of sharing across many accounts.

Understanding these mechanisms is critical for designing secure, scalable hybrid networking architectures between on-premises networks and AWS.

Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by