Using VPC sharing in a multi-account setup

Task Statement 1.6: Design a routing strategy and connectivity architecture that include multiple AWS accounts, AWS Regions, and VPCs to support different connectivity patterns.

📘 AWS Certified Advanced Networking – Specialty


1. What is VPC Sharing?

VPC sharing allows multiple AWS accounts to use the same VPC within a single AWS Region.

  • A VPC owner account creates and manages the VPC.
  • Participant accounts are granted permission to use specific subnets inside that VPC.
  • Resources (such as EC2 instances, RDS instances, and VPC-attached Lambda functions) are deployed into the shared subnets.

This feature is part of AWS Resource Access Manager (RAM).


2. Why Use VPC Sharing?

In a multi-account environment, organizations often separate workloads by account (for security, billing, and governance). However, managing separate VPCs for each account can become complex.

VPC sharing solves this by:

  • Reducing the number of VPCs to manage
  • Enabling centralized networking
  • Allowing consistent security controls
  • Improving IP address utilization
  • Simplifying connectivity between workloads

3. Architecture Overview

In a VPC sharing setup:

VPC Owner Account:

  • Creates the VPC
  • Controls:
    • Route tables
    • Internet gateways
    • NAT gateways
    • Security architecture
    • Subnets
  • Shares subnets with other accounts via AWS RAM

Participant Accounts:

  • Can:
    • Launch resources into shared subnets
  • Cannot:
    • Modify VPC networking components
    • Change route tables or IP addressing

4. Key Concepts You Must Know for the Exam

4.1 Subnet Sharing (Important)

  • You share subnets, not the entire VPC.
  • Each subnet can be shared with multiple accounts.
  • Resources from different accounts can coexist in the same subnet.

4.2 AWS Resource Access Manager (RAM)

VPC sharing is done through AWS Resource Access Manager.

Steps:

  1. VPC owner creates a resource share
  2. Selects subnets to share
  3. Adds participant AWS accounts
  4. Participants accept the share

4.3 Permissions and Control

Owner account controls:

  • IP addressing (CIDR blocks)
  • Route tables
  • Internet/NAT gateways
  • Network ACLs

Participant account controls:

  • Launch EC2, Lambda, and RDS resources in the shared subnets
  • Attach security groups to resources
  • Cannot change VPC-level networking

4.4 Security Groups Behavior

  • Security groups are account-specific: each account creates and manages its own
  • Security group rules can reference other security groups in the same VPC (including those in the shared VPC)
  • This helps enforce isolation between accounts even within shared infrastructure

4.5 Routing and Traffic Flow

  • Traffic between resources in shared subnets follows the routing rules defined by the VPC owner
  • Participant accounts do not control routing decisions

5. When to Use VPC Sharing

Use VPC sharing when:

  • You want centralized network control
  • Multiple teams or business units need isolated compute environments
  • You want to reduce VPC sprawl
  • You need consistent IP address management
  • You want to avoid complex inter-VPC connectivity (like peering or Transit Gateway)

6. Advantages (Exam Points)

  • ✅ Centralized network management
  • ✅ Efficient IP address usage
  • ✅ Reduced operational overhead
  • ✅ Better governance and compliance
  • ✅ Easier service deployment across accounts
  • ✅ No need for VPC peering between every account

7. Limitations and Restrictions

These are critical for exam questions:

7.1 Region Limitation

  • VPC sharing works only within the same AWS Region

7.2 CIDR Overlap

  • You must carefully plan CIDR ranges
  • No overlapping IP ranges between shared VPCs and other connected networks

7.3 Limited Control for Participants

  • Cannot:
    • Modify routes
    • Change VPC settings
    • Attach internet gateways
  • Only deploy resources

7.4 No Cross-Region Sharing

  • You cannot share a VPC across regions

8. Comparison with Other Connectivity Options

VPC Peering

  • Connects two VPCs directly
  • Requires route management in both VPCs
  • Not scalable for many accounts

Transit Gateway

  • Hub-and-spoke model
  • Connects many VPCs and on-prem networks
  • More scalable but adds complexity and cost

VPC Sharing (Key Difference)

  • One VPC, multiple accounts
  • Centralized network
  • Best for tightly controlled environments

9. Exam Scenarios (Very Important)

You may see questions like:

Scenario 1:

Multiple teams need to deploy workloads but must follow strict network controls.

Answer: Use VPC Sharing


Scenario 2:

You want to reduce the number of VPCs and centralize networking across accounts.

Answer: Use VPC Sharing


Scenario 3:

You need independent network control for each account.

❌ VPC sharing is NOT suitable
✔ Consider VPC peering or Transit Gateway instead


10. Best Practices

  • Use separate subnets per environment (dev, test, prod)
  • Apply least privilege access using AWS RAM
  • Use centralized logging and monitoring
  • Clearly define CIDR planning
  • Combine with:
    • Transit Gateway (for broader connectivity)
    • IAM policies for access control
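A planning helper for the AWS RAM steps in 4.2, the CIDR rule in 7.2 and the per-environment subnets and least-privilege sharing in section 10, added here as an example that is not part of these notes. The account IDs, subnet IDs, CIDRs and Region are constructed sample values; the share dicts it builds are shaped for boto3's `create_resource_share`, which is deliberately not called so the script runs offline.

```python
import ipaddress

# Constructed sample plan (not from the notes): one owner VPC in one Region,
# one subnet per environment, and the participant accounts allowed into each.
OWNER_ACCOUNT = "111111111111"
REGION = "us-east-1"
VPC_CIDR = "10.20.0.0/16"
SUBNETS = {  # subnet id -> (environment, CIDR)
    "subnet-0a1": ("dev", "10.20.0.0/20"),
    "subnet-0b2": ("test", "10.20.16.0/20"),
    "subnet-0c3": ("prod", "10.20.32.0/20"),
}
PARTICIPANTS = {  # environment -> accounts allowed to deploy into it
    "dev": ["222222222222"], "test": ["222222222222"], "prod": ["333333333333"]}
# CIDRs of networks the shared VPC will connect to (peering, TGW, on-prem).
CONNECTED_NETWORKS = ["10.0.0.0/16", "172.16.0.0/12"]


def cidr_conflicts(vpc_cidr, subnets, connected):
    """Return findings (empty list = clean) for: overlap with a connected
    network, a subnet outside the VPC CIDR, or two subnets overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = [f"VPC {vpc} overlaps connected network {other}"
                for other in connected if vpc.overlaps(ipaddress.ip_network(other))]
    nets = {sid: ipaddress.ip_network(cidr) for sid, (_, cidr) in subnets.items()}
    findings += [f"{sid} {net} is outside VPC {vpc}"
                 for sid, net in nets.items() if not net.subnet_of(vpc)]
    ids = sorted(nets)
    for i, a in enumerate(ids):
        findings += [f"{a} overlaps {b}" for b in ids[i + 1:]
                     if nets[a].overlaps(nets[b])]
    return findings


def build_resource_shares(owner, region, subnets, participants):
    """One RAM resource share per environment, so each account is granted
    only the subnets of the environments it belongs to (least privilege).
    Each dict is shaped for boto3: client("ram").create_resource_share(**share)."""
    shares = {}
    for env, accounts in participants.items():
        arns = [f"arn:aws:ec2:{region}:{owner}:subnet/{sid}"
                for sid, (e, _) in subnets.items() if e == env]
        shares[env] = {"name": f"shared-vpc-{env}", "resourceArns": arns,
                       "principals": accounts,
                       "allowExternalPrincipals": False}  # stay inside the org
    return shares
```

Run `cidr_conflicts` over the plan first and only build the shares when it returns no findings; the participant side still has to accept each share (step 4 in 4.2), which this helper does not model.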

11. Key Exam Takeaways (Quick Revision)

  • VPC sharing = one VPC, multiple accounts
  • Uses AWS RAM
  • Sharing happens at subnet level
  • Owner controls networking; participants deploy resources
  • Works within the same Region only
  • Helps reduce VPC sprawl and complexity

Final Tip for Exam Success

If a question emphasizes:

  • Centralized networking
  • Multi-account resource deployment
  • Reduced operational overhead
  • Shared network control

👉 The correct answer is very likely VPC Sharing.
