Updated on 2024-06-13 GMT+08:00

Usage Examples for VPC Sharing

Suppose you have two types of workloads running on the cloud. One type of workload needs to access the Internet and the other does not. To make resource management easier, you can use account A to manage basic, public IT resources, such as VPCs, subnets, and route tables, and share subnets in a VPC in account A with accounts B, C, and D, so that those principals can create resources, such as ECSs, RDS instances, and load balancers, in the shared subnets. You can plan your VPC sharing by referring to Figure 1, and plan accounts and resources as described in Table 1.

Figure 1 Planning on VPC sharing
Table 1 Planning on VPC sharing

Account | Role | Resource Permissions
--- | --- | ---
Account A | Owner | Creates a VPC and subnets and shares the subnets with other accounts; creates a NAT gateway with an EIP bound and configures SNAT rules to enable Subnet-01 to connect to the Internet.
Account B | Principal | Creates ECSs and RDS instances in Subnet-01 to deploy applications that can be accessed over the Internet.
Accounts C and D | Principal | Create ECSs, RDS instances, and load balancers in Subnet-02. These resources do not need to connect to the Internet.

Subnets in the same VPC can communicate with each other by default. However, instances that are associated with different security groups are isolated from each other, even within one VPC. If you want such resources to communicate with each other, you need to add security group rules that allow the traffic.
  • Resources in account A are protected by security group Sg-A.
  • Resources in account B are protected by security group Sg-B.
  • Resources in account C are protected by security group Sg-C.
  • Resources in account D are protected by security group Sg-D.

To enable resources in accounts C and D to communicate with each other, add inbound rules to security groups Sg-C and Sg-D.

Table 2 Inbound rules

Security Group | Direction | Priority | Action | Type | Protocol & Port | Source
--- | --- | --- | --- | --- | --- | ---
Sg-C | Inbound | 1 | Allow | IPv4 | Specify the protocol and port as needed. Example: Protocol/All | Security group Sg-D
Sg-D | Inbound | 1 | Allow | IPv4 | Specify the protocol and port as needed. Example: Protocol/All | Security group Sg-C
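The following is an added example, not part of this guide or of any Huawei Cloud SDK. It models the security-group behaviour the scenario above depends on: resources in the shared Subnet-02 are in the same VPC, but because account C's resources sit in Sg-C and account D's in Sg-D they cannot reach each other until the receiving side's group has an inbound rule naming the peer group, which is why Table 2 adds a rule to both Sg-C and Sg-D. The model assumes stateful security groups (inbound denied unless a rule allows it, outbound allowed, replies tracked), that a lower priority number is evaluated first, and that members of one security group can reach each other; the instance names (ecs-b, ecs-c, rds-d) and the rule and instance classes are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One inbound security-group rule in the shape of Table 2 (constructed model)."""
    priority: int                     # lower number is evaluated first (assumption)
    action: str                       # "Allow" or "Deny"
    protocol: str                     # "All", "TCP", "UDP" or "ICMP"
    ports: Optional[Tuple[int, int]]  # (low, high), or None for every port
    source_group: str                 # peer security group named as the source


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)


@dataclass(frozen=True)
class Instance:
    name: str
    account: str
    subnet: str
    group: str  # security group protecting this instance


def inbound_allows(group: SecurityGroup, source_group: str,
                   protocol: str, port: int) -> bool:
    """First matching inbound rule in priority order decides; no match means deny."""
    for rule in sorted(group.inbound, key=lambda r: r.priority):
        if rule.source_group != source_group:
            continue
        if rule.protocol != "All" and rule.protocol != protocol:
            continue
        if rule.ports is not None and not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        return rule.action == "Allow"
    return False  # implicit deny: same VPC is not enough on its own


def can_initiate(src: Instance, dst: Instance, groups: Dict[str, SecurityGroup],
                 protocol: str = "TCP", port: int = 80) -> bool:
    """Can src open a connection to dst?  Only the receiver's inbound rules are
    consulted: outbound is assumed allowed and the reply rides on the stateful
    connection.  Members of the same group are treated as reachable, matching
    the guide's statement that isolation arises between different groups."""
    if src.group == dst.group:
        return True
    return inbound_allows(groups[dst.group], src.group, protocol, port)


def build_example():
    """Groups Sg-A..Sg-D from the guide plus three constructed instances."""
    groups = {n: SecurityGroup(n) for n in ("Sg-A", "Sg-B", "Sg-C", "Sg-D")}
    instances = {
        "ecs-b": Instance("ecs-b", "B", "Subnet-01", "Sg-B"),
        "ecs-c": Instance("ecs-c", "C", "Subnet-02", "Sg-C"),
        "rds-d": Instance("rds-d", "D", "Subnet-02", "Sg-D"),
    }
    return groups, instances


def apply_table2_rules(groups: Dict[str, SecurityGroup]) -> None:
    """The two rows of Table 2: Protocol/All, priority 1, peer group as source."""
    groups["Sg-C"].inbound.append(Rule(1, "Allow", "All", None, "Sg-D"))
    groups["Sg-D"].inbound.append(Rule(1, "Allow", "All", None, "Sg-C"))


def reachability(groups, instances):
    """Who can initiate to whom, as a {(src, dst): bool} map for review."""
    return {(a.name, b.name): can_initiate(a, b, groups)
            for a in instances.values() for b in instances.values() if a is not b}


if __name__ == "__main__":
    groups, instances = build_example()
    print("before Table 2:", reachability(groups, instances))
    apply_table2_rules(groups)
    print("after Table 2: ", reachability(groups, instances))
```

Running the block shows that before the rules nothing crosses group boundaries; after them ecs-c and rds-d reach each other in both directions while ecs-b in Sg-B still cannot reach either, since no rule names Sg-B. Adding only the Sg-D row lets C initiate to D but not the reverse, which is the reason the guide adds a rule on each side. Narrowing "Protocol/All" to the ports an application needs, or placing a higher-priority Deny above the Allow, is expressed with the same Rule fields.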