Shared VPC Subnets across AWS accounts with ACI/CNC Fabric

Table of Contents:

  1. Introduction
  2. High Level Architecture for sharing subnets across AWS accounts
  3. Testing For Reachability
  4. References

Introduction

Sometimes it may be desired to stretch subnets across AWS VPCs in different AWS accounts. This could be a requirement for some sort of application High Availability or it could be a requirement to segregate administrative responsibilities for tiers of applications.

AWS supports VPC Subnet Sharing for this purpose. You could spin up a VPC/Subnet in AWS Account X and share that subnet to AWS Account Y using AWS RAM (Resource Access Manager).

This solution also works with CNC Fabric.

⚠️ There are some limitations you should know about when sharing subnets. Two of the important ones are listed below:

  • Owners can share subnets only with other accounts or organizational units that are in the same organization from AWS Organizations.
  • Owners cannot share subnets that are in a default VPC.

High Level Architecture for sharing subnets across AWS accounts

The figure below shows an example of a high level architecture for sharing a CNC Tenant subnet across AWS accounts.

Figure 1: architecture for sharing subnets across AWS Tenant Account in CNC Fabric

Points to note in the above figure are as follows:

  • The initial CNC tenant with VPC/Region/subnet in AWS Account X was created with NDO.
  • The EPG is stretched across the onPrem ACI Fabric and the CNC AWS Tenant (Acct: X) Fabric.
  • Using AWS RAM on Acct: X, the subnet is stretched to AWS Acct: Y. NDO/CNC is not aware of AWS Account Y.
  • Availability Zone us-east-1a in Account X and in Account Y are in fact different AWS data centers; you can verify that the Zone IDs for us-east-1a differ between the two accounts (please see the figure above). This ensures High Availability in case of zonal failures.

⚠️ Note that when the onPrem VM accesses the AWS Acct: Y VM, the packets actually traverse AWS Acct: X. If there is a complete zone failure in Acct: X, then onPrem cannot reach the EC2 instance in AWS Acct: Y either.
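The Zone ID check from the last bullet, and a preflight for the two RAM sharing limitations listed earlier, as an added example (not code from the original post). The describe-availability-zones and describe-vpcs JSON below is constructed sample data in the shape the AWS CLI returns; the Zone IDs and Organization IDs are placeholders.

```python
import json

# Constructed sample: trimmed output of
#   aws ec2 describe-availability-zones --region us-east-1
# as seen from Account X and from Account Y. Zone IDs are placeholders
# chosen so that the same AZ name maps to different physical zones.
AZ_JSON_ACCT_X = json.dumps({"AvailabilityZones": [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az2"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az4"},
]})
AZ_JSON_ACCT_Y = json.dumps({"AvailabilityZones": [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az6"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az4"},
]})


def zone_map(describe_az_output: str) -> dict:
    """Map AZ name -> Zone ID from describe-availability-zones JSON."""
    data = json.loads(describe_az_output)
    return {z["ZoneName"]: z["ZoneId"] for z in data["AvailabilityZones"]}


def compare_zones(acct_x_json: str, acct_y_json: str) -> dict:
    """For each AZ name seen in both accounts, report both Zone IDs and
    whether the name refers to the same physical zone in both accounts."""
    x, y = zone_map(acct_x_json), zone_map(acct_y_json)
    return {
        name: {"acct_x": x[name], "acct_y": y[name], "same_zone": x[name] == y[name]}
        for name in sorted(x.keys() & y.keys())
    }


def share_blockers(vpc: dict, owner_org: str, principal_org: str) -> list:
    """Return the reasons a subnet in `vpc` cannot be shared with a principal,
    based on the two RAM limitations noted above. `vpc` mirrors one entry of
    describe-vpcs output; the org IDs are placeholders (o-xxxx format)."""
    reasons = []
    if vpc.get("IsDefault"):
        reasons.append("subnet is in a default VPC")
    if owner_org != principal_org:
        reasons.append("principal is outside the owner's AWS Organization")
    return reasons


if __name__ == "__main__":
    for az, info in compare_zones(AZ_JSON_ACCT_X, AZ_JSON_ACCT_Y).items():
        print(az, info)  # us-east-1a differs, us-east-1b is the same zone
    print(share_blockers({"VpcId": "vpc-placeholder", "IsDefault": True},
                         "o-ownerorg", "o-otherorg"))
```

Replace the embedded JSON with the real CLI output from each account to reproduce the figure's Zone ID comparison.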

The IPs of the VMs/EC2s are as follows:

  Location          Description                                      IP
  onPrem VM         The onPrem VM                                    10.240.1.10/24
  AWS Acct: X EC2   This VPC/subnet has been shared to AWS Acct: Y   10.40.1.17/25
  AWS Acct: Y EC2   The VPC/subnet shared from AWS Account X         10.40.1.122/25

Testing For Reachability

The following screenshots show that the onPrem VM can ping the EC2 instance in AWS Account X and the EC2 instance in AWS Account Y.

Figure 2: Testing for Reachability

References

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations
