Decide on VPC NAT Strategy
DRAFT
Context and Problem Statementβ
Considered Optionsβ
Option 1 - One VPC per Region, Per Platform Account with Dedicated NAT Gateways per AZ (Recommended)β
originates from a specific set of IPs
--img src="-assets-refarch-image-20220712-201801.png" />
Prosβ
-
Easily managed with terraform
-
Easier for third parties to restrict IPs for ingress traffic
-
Keep accounts symmetrical
Consβ
- More expensive to operate as more NAT gateways are deployed (mitigated by reducing the number of gateways in lower stages)
Option 2 - One VPC per Region, Per Platform Account with Centralized NAT Gateways per AZ in Network Accountβ
--img src="-assets-refarch-image-20220712-201801.png" />
The Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US) advocates for a strategy like this, whereby in the Network (transit) account, there will be a DMZ with a Firewall.
--img src="-assets-refarch-image-20220624-172541.png" />
Prosβ
- Ideally suited for meeting specific compliance frameworks
Consβ
-
All traffic from all accounts egress through the same NAT IPs, making it hard for third-parties to restrict access (e.g. staging accounts can access third-party production endpoints)
-
Shared NAT gateways are βsingletonsβ used by the entire organization; changes to these gateways are not be rolled out by stage. Risky to make changes - in the critical path of everything.
Option 3 - Shared VPCs with Dedicated NAT Gatewaysβ
Prosβ
- Less expensive
Consβ
-
All traffic from all accounts egress through the same NAT IPs, making it hard for third-parties to restrict access (e.g. staging accounts can access third-party production endpoints)
-
Shared VPCs are βsingletonsβ used by multiple workloads; changes to these VPCs are not be rolled out by stage. Risky to make changes.
Referencesβ
-
Compliant Framework for Federal and DoD Workloads in AWS GovCloud (US) https://aws.amazon.com/solutions/implementations/compliant-framework-for-federal-and-dod-workloads-in-aws-govcloud-us/