You can use a resource directory to manage multiple Alibaba Cloud accounts and share a virtual private cloud (VPC) with them.

Background

As cloud computing becomes more widespread, an increasing number of enterprises deploy services in the cloud. As an enterprise purchases more cloud resources, a problem arises: how can it manage those resources efficiently? Because of requirements such as structured business units, isolation between business lines, and multiple payment methods, a single-account setup cannot support the sustainable development of an enterprise. If an enterprise simply moves to a multi-account setup to meet these requirements, the following problems may arise:

  • Multi-account management problems

Enterprises may be unable to manage multiple isolated Alibaba Cloud accounts in a centralized manner. Therefore, a more structured way to manage accounts is required.

  • Multi-account communication problems

Enterprises can use Cloud Enterprise Network (CEN) to connect VPCs that belong to different Alibaba Cloud accounts, so that cloud resources in those accounts can communicate with each other. However, as the business grows more complex, the following problems may occur:

    • Complicated network operations and management (O&M) due to isolated deployment of network resources

      The network of an enterprise can be large and complex because the network resources may be deployed and managed by different Alibaba Cloud accounts. As a result, it is difficult for O&M personnel to manage an enterprise network in a centralized manner.

    • Increased costs due to frequent network resource configurations

Each Alibaba Cloud account configuring its own VPC adds O&M effort and instance cost.

    • Increased network complexity due to an increasing number of VPCs

      To meet more business requirements, the number of VPCs keeps increasing. As a result, problems such as network complexity, management difficulty, and resource quota limits arise. For example, the number of VPCs attached to a CEN instance may reach the upper limit due to the increased number of VPCs.

Solution

Alibaba Cloud offers resource directories to resolve multi-account management problems. In addition, Alibaba Cloud offers resource sharing and shared VPCs to resolve multi-account communication problems. Details:

  • Use a resource directory to manage multiple Alibaba Cloud accounts

A resource directory is a hierarchical structure that facilitates account and resource management. You build a resource directory by creating folders (subdirectories) that reflect your business structure, and then place the Alibaba Cloud accounts of your enterprise in those folders as required. This way, you can manage your Alibaba Cloud accounts and resources in a centralized manner and apply your resource, security, audit, and compliance requirements across them. For more information, see Resource Directory.

  • Use resource sharing to share resources with member accounts within the same resource directory

    The resource sharing feature provided by Alibaba Cloud allows you to share resources with one or more member accounts within a resource directory. To use this feature, create a resource share and add the Alibaba Cloud accounts with which you want to share resources to the resource share. For more information, see Resource sharing overview.

    Terms used by the Resource Sharing service:

    • resource share: an instance of the Resource Sharing service. It is itself a cloud resource with a unique ID and an Alibaba Cloud Resource Name (ARN). A resource share consists of a resource owner, one or more shared targets, and one or more shared resources.
    • resource owner: the account that initiates the sharing and owns the shared resources. It is the management account (formerly called the master account) or a member account of the resource directory.
    • shared target: a member account of the resource directory that uses the resources shared by a resource owner. A shared target is granted specific operation permissions on the shared resources, and multiple shared targets can use the same resource.
      Note: The operation permissions of a shared target on a shared resource are defined by the Alibaba Cloud service to which the resource belongs. For example, what a shared target can do with a shared vSwitch is determined by the VPC service. For more information, see Permissions related to VPC sharing.
    • shared resource: a resource of an Alibaba Cloud service, such as a vSwitch in a VPC.
  • Share a VPC with member accounts within the same resource directory

    You can use the resource sharing feature to share vSwitches of a VPC that belongs to a member account (the resource owner) with other member accounts (the resource users, which the Resource Sharing service calls shared targets) within the same resource directory. The resource users can then create resources, such as Elastic Compute Service (ECS), Server Load Balancer (SLB), and ApsaraDB RDS instances, in the shared vSwitches. By default, a resource user can use a shared vSwitch as soon as it is shared, without having to accept the share. Also by default, the resources created by the resource owner and by all resource users can communicate with each other within the VPC: sharing places the workloads of different accounts in a single routing domain, and there is no isolation between them unless you configure it (see Isolation below). For more information, see Overview.


    Details about how a VPC is shared:

    • Multiple Alibaba Cloud accounts share the same vSwitch

      You can share a vSwitch of a VPC with multiple Alibaba Cloud accounts instead of configuring a separate VPC for each account. This reduces the number of VPCs that must be created, connected, and operated.

    • Permissions of the resource owner and resource users

      The following table lists the permissions of the resource owner and resource users on the cloud resources of the shared vSwitch.

      Resource owner
      • Supported: create, view, modify, and delete the resource owner's own resources in the shared vSwitch.
      • Supported: view the following attributes of resources that resource users created in the shared vSwitch: instance ID, private IP address, and the account that owns the resource.
      • Unsupported: modify or delete resources that resource users created in the shared vSwitch.

      Resource user, while the vSwitch is shared
      • Supported: create, modify, and delete its own cloud resources, such as ECS, SLB, and ApsaraDB RDS instances, in the shared vSwitch.
      • Unsupported: view, modify, or delete resources that other Alibaba Cloud accounts created in the shared vSwitch.

      Resource user, after the vSwitch is no longer shared
      • Supported: continue to use, modify, and delete the resources it created in the vSwitch while it was shared.
      • Unsupported: view the resources associated with the vSwitch, such as the VPC, route tables, and network ACLs; create new resources in the vSwitch.

      The following table lists the permissions of the resource owner and resource users on other network resources.

      VPC
      • Resource owner: all operations.
      • Resource user: view the VPC to which the shared vSwitch belongs.

      vSwitches
      • Resource owner: all operations.
        Note: Before the resource owner can delete a vSwitch, it must stop sharing the vSwitch with every resource user, and all resources that the resource owner and the resource users created in the vSwitch must be deleted.
      • Resource user: view the shared vSwitch; create, modify, and delete cloud resources, such as ECS, ApsaraDB RDS, and SLB instances, in the shared vSwitch.

      Route tables
      • Resource owner: all operations.
      • Resource user: view the route tables and route entries that are associated with the shared vSwitch.

      Network ACLs
      • Resource owner: all operations.
      • Resource user: view the network ACLs that are associated with the shared vSwitch.

      CIDR blocks
      • Resource owner: view the CIDR blocks of the VPC and of all vSwitches in the VPC.
      • Resource user: view the CIDR block of the shared vSwitch.

      Flow logs
      • Resource owner: create flow logs for a specified VPC or vSwitch; these capture traffic information for the elastic network interfaces (ENIs) in that VPC or vSwitch, including ENIs that belong to resource users. Create flow logs for a specified ENI; this captures traffic information only for ENIs that belong to the resource owner.
      • Resource user: no operation permission. A resource user therefore cannot capture its own traffic by flow log and must rely on the resource owner for network-level visibility, while the owner can observe traffic metadata of every account in the shared vSwitch.

      NAT gateways
      • Resource owner: all operations.
        Note: Resources created by the resource owner and by resource users in the vSwitch can reach the Internet through the owner's NAT gateways. A NAT gateway can be associated only with elastic IP addresses (EIPs) that belong to the resource owner.
      • Resource user: no operation permission.

      VPN gateways
      • Resource owner: all operations.
        Note: Resources created by the resource owner and by resource users in the vSwitch can reach external networks through the owner's VPN gateways.
      • Resource user: no operation permission.

      Cloud Enterprise Network (CEN) instances
      • Resource owner: all operations.
        Note: Resources created by the resource owner and by resource users in the vSwitch can reach external networks through the owner's CEN instances.
      • Resource user: no operation permission.

      VPC peering connections
      • Resource owner: all operations.
        Note: Resources created by the resource owner and by resource users in the vSwitch can reach external networks through the owner's VPC peering connections.
      • Resource user: no operation permission.

      Tags
      • Resource sharing does not affect the tags that the resource owner has added to its resources. While the vSwitch is shared, the resource owner and each resource user can add tags to their own resources. The resource user cannot view the tags added by the resource owner, and the resource owner cannot view the tags added by the resource user; the two sets of tags do not affect each other. When the vSwitch is no longer shared, the system deletes the tags that the resource user added in the vSwitch.
    • Isolation

      If you share different vSwitches of the same VPC with different Alibaba Cloud accounts, the vSwitches can communicate with each other by default, because they belong to one VPC and use its route tables. If you need to isolate them, use one of the following methods:

      • Bind a network access control list (network ACL) to the vSwitches. Network ACLs are managed by the resource owner (resource users can only view them) and filter traffic entering and leaving a vSwitch, so this is the control that the owner can enforce regardless of how resource users configure their own instances.
      • Configure security groups for the instances in the vSwitches. Security group rules are managed by the account that created the instances, and a rule can reference a security group that belongs to another Alibaba Cloud account.
      Note: A network ACL is bound to a vSwitch, not to an instance, so it cannot isolate individual instances within a vSwitch. Isolate instances with security groups instead, either by referencing security groups that belong to other Alibaba Cloud accounts or by specifying source and destination IP addresses in the rules. To isolate networks between different vSwitches and different Alibaba Cloud accounts, configure source and destination IP addresses in security groups.
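The connectivity and isolation behaviour described above (default reachability between shared vSwitches, the owner-managed network ACL, and security group rules that reference another account's group) can be reasoned about before a share is created by modelling the inventory. The following Python is an added example written for this page; it is not Alibaba Cloud code and does not call any Alibaba Cloud API. The account IDs, vSwitch IDs, addresses and rules are constructed sample data, and the evaluation order (network ACL on the source and destination vSwitch, then the destination's security group with default-deny ingress) is a simplifying assumption of the model.

```python
"""Reachability model for a shared VPC (added example, constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Instance:
    id: str
    account: str      # account that created the instance (resource owner or user)
    vswitch: str
    ip: str
    sg: str           # security group of the instance, owned by `account`


@dataclass(frozen=True)
class AclRule:        # network ACL entry; bound to a vSwitch by the resource owner
    action: str       # "accept" or "drop"
    cidr: str         # remote address range the entry matches


@dataclass(frozen=True)
class SgRule:         # security group ingress rule; owned by the instance's account
    source_cidr: Optional[str] = None
    source_sg: Optional[str] = None   # may reference a group of another account


@dataclass
class VSwitch:
    id: str
    vpc: str
    cidr: str
    shared_with: frozenset = frozenset()   # resource users that may deploy here
    acl_in: tuple = ()    # () models "no network ACL bound": nothing is filtered
    acl_out: tuple = ()


@dataclass
class Inventory:
    owner: str            # resource owner of the VPC (constructed account ID)
    vswitches: dict
    instances: dict
    sg_ingress: dict      # security group ID -> tuple of SgRule


def acl_allows(rules, ip):
    """First matching ACL entry wins; unmatched traffic is dropped (model assumption)."""
    if not rules:
        return True
    for r in rules:
        if ip_address(ip) in ip_network(r.cidr):
            return r.action == "accept"
    return False


def can_create(inv, account, vsw_id):
    """A resource user can deploy only into a vSwitch currently shared with it."""
    return account == inv.owner or account in inv.vswitches[vsw_id].shared_with


def reachable(inv, src_id, dst_id):
    """True if src can open a connection to dst under the model's rules."""
    src, dst = inv.instances[src_id], inv.instances[dst_id]
    s_vsw, d_vsw = inv.vswitches[src.vswitch], inv.vswitches[dst.vswitch]
    if s_vsw.vpc != d_vsw.vpc:
        return False          # another VPC needs CEN or peering; not modelled
    if not acl_allows(s_vsw.acl_out, dst.ip) or not acl_allows(d_vsw.acl_in, src.ip):
        return False          # owner-controlled network ACL on either vSwitch
    for rule in inv.sg_ingress.get(dst.sg, ()):   # default-deny ingress
        if rule.source_sg == src.sg:              # cross-account group reference
            return True
        if rule.source_cidr and ip_address(src.ip) in ip_network(rule.source_cidr):
            return True
    return False


def base_inventory():
    """Constructed sample: account 1111 owns the VPC and shares one vSwitch with
    each business account; the database group admits the whole VPC range."""
    vsw = {
        "vsw-app": VSwitch("vsw-app", "vpc-shared", "10.0.1.0/24", frozenset({"2222"})),
        "vsw-db":  VSwitch("vsw-db",  "vpc-shared", "10.0.2.0/24", frozenset({"3333"})),
    }
    inst = {
        "i-ops": Instance("i-ops", "1111", "vsw-app", "10.0.1.5",  "sg-ops-1111"),
        "i-app": Instance("i-app", "2222", "vsw-app", "10.0.1.10", "sg-app-2222"),
        "i-db":  Instance("i-db",  "3333", "vsw-db",  "10.0.2.20", "sg-db-3333"),
    }
    return Inventory("1111", vsw, inst, {"sg-db-3333": (SgRule(source_cidr="10.0.0.0/16"),)})


def with_owner_acl(inv):
    """Resource owner isolates vsw-db from vsw-app with a network ACL on vsw-db."""
    inv.vswitches["vsw-db"].acl_in = (AclRule("drop", "10.0.1.0/24"), AclRule("accept", "0.0.0.0/0"))
    return inv


def with_cross_account_sg(inv):
    """Account 3333 admits only members of account 2222's application group."""
    inv.sg_ingress["sg-db-3333"] = (SgRule(source_sg="sg-app-2222"),)
    return inv


if __name__ == "__main__":
    for name, inv in [("default", base_inventory()), ("owner ACL", with_owner_acl(base_inventory())),
                      ("cross-account SG", with_cross_account_sg(base_inventory()))]:
        print(name, {p: reachable(inv, *p) for p in [("i-app", "i-db"), ("i-ops", "i-db")]})
```

The three scenarios show the point of the isolation section: with only a permissive security group, every account's instance in the VPC reaches the database; the owner's network ACL cuts off the whole application vSwitch including the owner's own instance there; the cross-account security group reference lets the database account admit exactly one other account's group without depending on the owner. `can_create` encodes the rule that a resource user may deploy only into a vSwitch that is currently shared with it.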

Benefits

The solution has the following benefits:

  • The O&M department can plan, configure, and manage VPCs in a centralized manner, and share vSwitches of those VPCs with the business departments.
  • A business department can view and manage only the resources deployed in the vSwitches shared with it, and can create or delete resources in those vSwitches, such as cloud instances and databases, as its business requires.
  • Based on the solution, your enterprise uses a unified network architecture and security policy. This allows the business department to focus on the business requirements.
  • You can use the network and security capabilities as a service for the business department, and standardize the O&M system. This improves the IT efficiency throughout your enterprise.