You should keep your management account as empty as possible.
I would deploy a central AWS Network account and VPN into there and then either use transit gateway or VPC peering to dev.
Hi Gary,
Sorry for the late reply, and thanks for helping!
I'm using AWS SSO.
I've created a Networking Account and Shared the Private Subnets with MGMT Account via RAM.
Now I'm using the VPN in MGMT account (with SSO) accessing the EKS Cluster (private).
I'll try to follow your recommendation and move the VPN to the Networking Account and set up an IdP in this account authenticating with the MGMT SSO.
No worries, you should keep your management account as empty as possible and use workload accounts for things such as EKS and a network account for networking stuff. It follows the AWS SRA. Transit Gateway is great for your use case but does cost to run it. Any questions, please just shout.
Agree, but in this case I'm not able to use VPN on SSO, right?
No, that’s not correct. You can still have SSO on the VPN.
In the network account, in IAM, you set up an IdP pointing to your SSO and then the VPN client is configured to use the IdP in IAM and it all works. I’ve set this up before with Azure AD SSO. What’s your SSO provider?
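The arrangement described in this thread (IAM SAML provider in the network account, pointing at the organization's SSO, and a Client VPN endpoint that authenticates through it) as an added Terraform example. This is illustrative code written for this page, not configuration posted by either participant. The resource names, the `10.100.0.0/22` client CIDR, the `saml-metadata.xml` path, the certificate, subnet and group IDs are all assumptions; the SAML provider ARN wiring and the federated-authentication block are the parts the answer above actually describes.

```hcl
# Deployed in the Networking account. The IdP metadata XML is exported from the
# SSO side (IAM Identity Center / Azure AD custom SAML application).
# Assumed file path; replace with the metadata you downloaded.
resource "aws_iam_saml_provider" "sso" {
  name                   = "client-vpn-sso"
  saml_metadata_document = file("${path.module}/saml-metadata.xml")
}

# Connection logging: who connected, from where, and which authorization
# rule matched. Keep this on; it is the audit trail for remote access.
resource "aws_cloudwatch_log_group" "vpn" {
  name              = "/aws/client-vpn/networking"
  retention_in_days = 90
}

# Assumed: a server certificate already imported into ACM in this account.
variable "server_certificate_arn" {
  type = string
}

# Assumed: private subnets of the networking VPC (the ones shared via RAM).
variable "private_subnet_ids" {
  type = list(string)
}

# Assumed: the SSO group ID that is allowed to reach the EKS VPC. The SSO
# application must send the group membership in the SAML assertion.
variable "eks_admins_group_id" {
  type = string
}

resource "aws_ec2_client_vpn_endpoint" "sso" {
  description            = "SSO-authenticated Client VPN (networking account)"
  server_certificate_arn = var.server_certificate_arn
  client_cidr_block      = "10.100.0.0/22" # assumed, must not overlap any peered VPC
  split_tunnel           = true           # only routed prefixes traverse the tunnel

  # This is the "IdP in IAM" from the answer: no local users, no mutual-TLS
  # client certs to manage; identity comes from the organization's SSO.
  authentication_options {
    type              = "federated-authentication"
    saml_provider_arn = aws_iam_saml_provider.sso.arn
  }

  connection_log_options {
    enabled              = true
    cloudwatch_log_group = aws_cloudwatch_log_group.vpn.name
  }
}

# Attach the endpoint to the networking VPC's private subnets.
resource "aws_ec2_client_vpn_network_association" "private" {
  for_each               = toset(var.private_subnet_ids)
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.sso.id
  subnet_id              = each.value
}

# Least privilege: authorize only the EKS VPC CIDR (assumed 10.20.0.0/16,
# reached via TGW or peering) and only for one SSO group, rather than
# authorize_all_groups = true over 0.0.0.0/0.
resource "aws_ec2_client_vpn_authorization_rule" "eks_vpc" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.sso.id
  target_network_cidr    = "10.20.0.0/16"
  access_group_id        = var.eks_admins_group_id
  description            = "EKS admins -> dev EKS VPC"
}
```

On the SSO side, the matching custom SAML application needs the Client VPN assertion consumer URL `http://127.0.0.1:35001` and audience `urn:amazon:webservices:clientvpn` (the values AWS documents for Client VPN SAML federation), and it should emit the group attribute so that `access_group_id` above actually restricts access. The authorization rule is what turns "authenticated to SSO" into "allowed to reach this CIDR"; without a group-scoped rule, every federated user gets the same network reach.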