Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Network account feature in AWS Landing Zone Architecture

0

Hi guys,

I work on a project that requires design a Landing Zone architecture for multi-account environment. When I design Network account, I know that this account is used for ingress/egress network traffic for other accounts. However, I don't know how public internet traffic from Internet to resources like ALB in other accounts such as Workload account or Prod account can be managed. Does the traffic go directly to these accounts or we have to design to let the traffic go through Network account. If you have experience about this issue, please give me some advice.

Thanks

Argomenti
Gestione e amministrazione
Tag
Organizzazioni AWS
Lingua
English
Steven
posta 10 mesi fa365 visualizzazioni
2 Risposte
1

Hello.
The purpose of the network account is to manage inbound and outbound communications.
In other words, if you create a resource that is publicly accessible outside of your network account, you will lose control of your traffic.
So, if you are going to create a public ALB, etc., it would be better to create it in a network account.
https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/network.html

profile picture
ESPERTO
Riku_Kobayashi
con risposta 10 mesi fa
1

To add to Riku’s answer, in order to achieve this you will certainly have to design your routing with either peering/transit gateway. Both ingress and egress routes need to be designed to control the flow of traffic.

Traffic will only route via the network account and not directly.

Concurrently DNS will need to be part of the central design.

profile picture
ESPERTO
Gary Mclean
con risposta 10 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente