Table of Contents:
- Introduction
- High Level Architecture for sharing subnets across AWS accounts
- Testing For Reachability
- References
Introduction
Sometimes it may be desired to stretch subnets across AWS VPCs in different AWS accounts. This could be a requirement for some sort of application High Availability or it could be a requirement to segregate administrative responsibilities for tiers of applications.
AWS supports VPC Subnet Sharing for this purpose. You could spin up a VPC/Subnet in AWS Account X and share that subnet to AWS Account Y using AWS RAM (Resource Access Manager).
This solution also works with CNC Fabric
⚠️ There are some limitations you should know about sharing subnets. 2 of the important ones are listed below:
- Owners can share subnets only with other accounts or organizational units that are in the same organization from AWS Organizations.
- Owners cannot share subnets that are in a default VPC.
High Level Architecture for sharing subnets across AWS accounts
The figure below shows an example of a high level architecture example of sharing CNC Tenant subnet across AWS accounts.
Figure 1: architecture for sharing subnets across AWS Tenant Account in CNC Fabric
Points to note in the above figure as follows:
- The initial CNC tenant with VPC/Region/subnet in AWS Account X was created with NDO.
- The EPG is stretched across onPrem ACI Fabric and CNC AWS Tenant (Acct: X) Fabric
- Using AWS RAM on Acct: X the subnet is stretched to AWS Acct: Y. NDO/CNC is not aware of AWS Account Y
- Availabilty Zone us-east-1a in Account X and Account Y are infact different AWS Data Centers, you can verify that the Zone ID for us-east-1a are different in the 2 different accounts (please see figure above). This ensures High Availability in case of zonal failures.
⚠️ Note that when onPrem VM tries to access AWS Acct:Y VM, the packets actually traverse through AWS Acct: X. If there is a complete zone failure in Acct: X then in this case, onPrem cannot reach EC2 on AWS Acct: Y either.
The IPs of the VMs/EC2s are as follows:
| Location | Description | IP |
|---|---|---|
| onPrem VM | the onPrem VM | 10.240.1.10/24 |
| AWS Acct: X EC2 | This VPC/subnet has been shared to AWS Acct Y: | 10.40.1.17/25 |
| AWS Acct: Y EC2 | The VPC/subnet shared from AWS Account X | 10.40.1.122/25 |
Testing For Reachability
The following screenshots show that onPrem VM can ping EC2 in AWS Account X and EC2 in AWS Account Y
Figure 2: Testing for Reachability
References
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html#vpc-share-limitations