SecureKloud proposes a network design to govern multiple AWS accounts and support continuous innovation and agility.
Our team of DevOps engineers at SecureKloud diligently examined and assessed the requirement specifications presented by the client. Following a thorough analysis, we devised a network design blueprint utilizing AWS Control Tower. In conjunction with this solution architecture, our team constructed the client's network infrastructure, compliance mechanisms, and monitoring solutions using an Infrastructure-as-a-Code (IaaC) tool, specifically Cloud Formation. This tool streamlines the process of deploying and configuring infrastructure through automation. Additionally, we successfully implemented a centralized virtual private network (VPN) to establish a secure network connection between the on-premises system and the AWS network.
By incorporating AWS Organizations, we have implemented the best practices of a well-architected multi-account AWS environment. AWS Organizations encompass Organizational Units (OUs), which effectively organize accounts for enhanced governance. Following our solution, in addition to having an OU for each environment, a central OU was established to unite accounts and enable cohesive operations. The consolidated billing capability offered by AWS Organizations empowered the client to receive a unified invoice for their extensive array of 40+ accounts, simplifying the monitoring of expenses associated with these accounts.
Given the over 40 AWS accounts owned by our client, we employed AWS Control Tower to establish and manage their multi-account AWS infrastructure in adherence to the best practices. This entailed the creation of an automated landing zone through AWS Organizations, consolidating ongoing account management and governance into a centralized framework. Additionally, AWS Control Tower furnished a foundational environment conducive to implementing a multi-account architecture, encompassing identity and access management, data security, network design, and logging.
The icing on the cake for the solution is a centrally managed account (shared service account) that shares the resources (VPCs, subnets, etc.) with the rest of the 40+ AWS accounts. In our solution, the centrally managed account comprises of AWS Organizations, AWS Control Tower, AWS SSO, and CloudTrail. A single Transit Gateway was implemented to connect shared service accounts, shared application accounts, and on-premises over the VPN. This paved the way to inspect the traffic sent to Transit Gateway via Palo Alto Firewall before it reached the destination.
Furthermore, implementation of strong monitoring practices and backup solutions were enabled for all their accounts. A robust monitoring solution (AWS CloudWatch) was set up to the centrally managed account, to migrate the data into a software application (Exporter), maintained by the client.