Network account feature in AWS Landing Zone Architecture

Question

Hi guys,

I work on a project that requires design a Landing Zone architecture for multi-account environment.
When I design Network account, I know that this account is used for ingress/egress network traffic for other accounts. However, I don't know how public internet traffic from Internet to resources like ALB in other accounts such as Workload account or Prod account can be managed. Does the traffic go directly to these accounts or we have to design to let the traffic go through Network account.
If you have experience about this issue, please give me some advice.

Thanks

Answer

Hello.  
The purpose of the network account is to manage inbound and outbound communications.  
In other words, if you create a resource that is publicly accessible outside of your network account, you will lose control of your traffic.  
So, if you are going to create a public ALB, etc., it would be better to create it in a network account.  
https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/network.html

Answer

To add to Riku’s answer, in order to achieve this you will certainly have to design your routing with either peering/transit gateway. Both ingress and egress routes need to be designed to control the flow of traffic.

Traffic will only route via the network account and not directly.

Concurrently DNS will need to be part of the central design.

Traffic will only route via the network account and not directly.

Concurrently DNS will need to be part of the central design.

Network account feature in AWS Landing Zone Architecture

Contenido relevante