AWS VPC Design Options

AWS VPC Design Options

AWS VPC Design Options

AWS VPC is critical components of Cloud Data Center deployment and gets deployed first. It creates core infrastructure for rest of services like EC2, RDS to get launched on Cloud. VPC Design needs to be carefully done because once VPC created, many of its core properties can’t be changed. VPC also creates basis for your Security, Isolation and Governance requirement on Cloud.

Important Points on VPC –

  1. AWS VPC supports single Address Space unlike Azure. This means that you can only have one Address Space like 192.168.0.0/16 attached to VPC and it can’t have other Private Subnets in it.
  2. VPC Peering can’t happen with other VPCs with overlapping subnets
  3. NAT Instance is part of Public Subnet, which is subset of the VPC Address Space
  4. Security Groups and Network ACLs provide firewall protection at EC2 and Subnet level respectively

AWS VPC Design Options

AWS VPC has below design options –

  1. Option 1 – Single AWS Account Single VPC
  2. Option 2 – Single AWS Account Multiple VPCs
  3. Option 3 – Multiple AWS Account and Multiple VPCs

Each Option has its own Pro’s and Con’s, and decision to pick one of them is completely on the business requirements. Let us understand each one of these options in details –

Option 1 – Single Account Single VPC

This is ideal for most scenarios but doesn’t provide cleaner isolation between servers or environments, this could be potential risk when two environments are not expected to communicate with each other e.g. Production and Stage environments. We may leverage Security Groups and Network ACLs but it can lead to human errors and may allow cross communication between subnets when it is not required, hence not cleaner isolation

single VPC

Option 2 – Single Account Multiple VPC

This is ideal for larger organizations who are looking for cleaner isolation between Production and Stage Environments. The Design has 3 VPCs in demonstrations and more VPCs for example Development can be added as needed. Three VPCs are –

  1. Production VPC – This will contain Web, App and DB Subnets along with Public Subnets (optional) for Outbound Internet access, and private subnet for hosting private subnets of Networking devices such as F5 load balancer
  2. Stage VPC – Similar to Production VPC but for Stage environments.
  3. Management VPC – This will host Infra Servers such as Active Directory, Patch Management Servers, AV Servers, Threat Management Servers, IPS/IDS, VPN Servers, Configuration Management servers etc.

Design Considerations –

  1. VPC peering will only occur between Management and Production, and Management and Stage VPCs. Production and Stage will not be peered together. On-Premise connections such as Direct Connect will connect to all 3 VPCs but will have route established such that Production and Stage don’t communicate with each other.
  2. Multiple Address Spaces are chosen so that they don’t overlap with each other subnets in other VPCs or On-Premise networks

single acc multi vpc

Option 3 – Multiple Account Multiple VPC

Multiple Account Multiple VPC is required for larger organizations with multiple business units and required greater level of isolation that includes authentication and authorization. Drawback with this design is AWS Support costs.

multi acc multi vpc

 

Pros and Cons of each Option

Option 1 Option 2 Option 3
Pros 1. Requires Single IP Address Space

2. Simple Cloud Datacenter layout and Network appliance integrations

1. Cleaner Isolation between environments

2. Cleaner Network layout

3. Network appliances like IPS/IDS, VPN can traverse traffic between VPCs with exception of load balancer like F5

1. Cleaner Isolation between environments

2. Isolated billing information

3. Stage account acts as sandbox or trail account for enterprise

4. Greater isolation using different IAM providers

Cons 1. Access between Production and Stage environment may get allowed due to human error

2. Isolation using IAM is complex

1. Required IP Multiple Address Space

2. Requires separate loadbalancer like F5 to manage Production and Stage environments

1. Requires IP Multiple Address Space

2. More AWS Support Costs

3. Requires separate loadbalancer like F5 to manage Production and Stage environments

About The Author

Related posts

Leave a Reply

Your email address will not be published. Required fields are marked *