Network account feature in AWS Landing Zone Architecture

0

Hi guys,

I work on a project that requires designing a Landing Zone architecture for a multi-account environment. When I design the Network account, I know that this account is used for ingress/egress network traffic for other accounts. However, I don't know how public internet traffic from the Internet to resources like an ALB in other accounts, such as a Workload account or Prod account, can be managed. Does the traffic go directly to these accounts, or do we have to design it so that the traffic goes through the Network account? If you have experience with this issue, please give me some advice.

Thanks

Steven
asked 9 months ago, 363 views
2 Answers
1

Hello.
The purpose of the network account is to manage inbound and outbound communications.
In other words, if you create a resource that is publicly accessible outside of your network account, you will lose control of your traffic.
So, if you are going to create a public ALB, etc., it would be better to create it in a network account.
https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/network.html

EXPERT
answered 9 months ago
1

To add to Riku’s answer, in order to achieve this you will certainly have to design your routing with either peering/transit gateway. Both ingress and egress routes need to be designed to control the flow of traffic.

Traffic will only route via the network account and not directly.

Concurrently, DNS will need to be part of the central design.

EXPERT
answered 9 months ago
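Both answers above come down to one verifiable rule: only the network account's VPC should own internet-facing exits (internet gateway, NAT gateway), and every workload VPC's default route should point at the Transit Gateway or peering link so traffic transits the network account. The script below is an added example, not code from either answerer or from AWS; it checks that rule over route tables in the shape returned by the EC2 DescribeRouteTables API. All VPC, route table, gateway and TGW IDs are constructed placeholders.

```python
"""Check a multi-account VPC route-table design against the rule discussed
in the thread: only the network account's VPC(s) may hold internet-gateway
or NAT-gateway routes, and every other (workload) VPC must send its default
route to the Transit Gateway so that traffic transits the network account.

The input mirrors the 'RouteTables' list returned by EC2 DescribeRouteTables,
but every value here is constructed for the example.
"""

# Constructed placeholder: the VPC(s) that live in the network account.
NETWORK_VPC_IDS = {"vpc-network-example"}

# Constructed sample: one compliant workload VPC, one workload VPC that
# bypasses the network account with its own internet gateway, and the
# network VPC itself (which is allowed to own the internet gateway).
SAMPLE_ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-workload-ok",
        "VpcId": "vpc-workload-a",
        "Routes": [
            {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-example"},
        ],
    },
    {
        "RouteTableId": "rtb-workload-bad",
        "VpcId": "vpc-workload-b",
        "Routes": [
            {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
        ],
    },
    {
        "RouteTableId": "rtb-network-public",
        "VpcId": "vpc-network-example",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
            {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-example"},
        ],
    },
]


def route_exits_directly(route):
    """True if the route hands traffic straight to an internet or NAT gateway."""
    gateway = route.get("GatewayId", "")
    return gateway.startswith("igw-") or "NatGatewayId" in route


def find_violations(route_tables, network_vpc_ids=NETWORK_VPC_IDS):
    """Return (route_table_id, reason) pairs for tables that break the design.

    Route tables belonging to a network-account VPC are skipped: that account
    is meant to own the edge. Every other table must have no direct exit and
    must carry a 0.0.0.0/0 route via a Transit Gateway.
    """
    violations = []
    for table in route_tables:
        if table["VpcId"] in network_vpc_ids:
            continue
        has_tgw_default = False
        for route in table.get("Routes", []):
            if route_exits_directly(route):
                exit_id = route.get("GatewayId") or route.get("NatGatewayId")
                violations.append((
                    table["RouteTableId"],
                    f"direct internet route to {exit_id} for {route.get('DestinationCidrBlock')}",
                ))
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and "TransitGatewayId" in route:
                has_tgw_default = True
        if not has_tgw_default:
            violations.append((table["RouteTableId"], "no default route via the Transit Gateway"))
    return violations


if __name__ == "__main__":
    for table_id, reason in find_violations(SAMPLE_ROUTE_TABLES):
        print(f"{table_id}: {reason}")
```

To run this against a real account, replace `SAMPLE_ROUTE_TABLES` with the `RouteTables` list from `boto3.client("ec2").describe_route_tables()` in each workload account and fill `NETWORK_VPC_IDS` with the network account's VPC IDs; the check then flags any workload VPC that has grown its own internet exit and so escapes the centralised ingress/egress control the answers describe.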
