You can use a resource directory to manage multiple accounts and share a virtual private cloud (VPC) with these accounts.

Background information

As cloud computing becomes popularized, an increasing number of enterprises deploy services in the cloud and purchase more and more cloud resources. An issue arises: How can enterprises manage cloud resources in an efficient manner? Enterprises have high requirements for the division of business, business isolation, and multiple payment methods. The single-account mode can no longer support the sustainable development of enterprises. To resolve this issue, enterprises can use the multi-account mode to meet business development requirements. However, the following issues may arise during the use of the multi-account mode:

  • Management of multiple accounts

    Enterprises may not be able to manage multiple isolated Alibaba Cloud accounts in a centralized manner. Therefore, more refined management is required.

  • Communication among multiple accounts

    Enterprises can use Cloud Enterprise Network (CEN) to connect VPCs that belong to different accounts. This way, cloud resources within different accounts can communicate with each other. However, as the business complexity increases, the following issues may occur:

    • Complex network O&M due to isolated deployment of network resources

      The network of an enterprise can be large and complex because the network resources may be deployed and managed by different accounts. As a result, it is difficult for O&M personnel to manage an enterprise network in a centralized manner.

    • Increased costs due to frequent network resource configurations

      O&M and instance costs increase due to frequent VPC configurations by different accounts.

    • Increased network complexity due to an increasing number of VPCs

      To meet business requirements, more and more VPCs need to be deployed. As a result, issues such as complex network, difficult management, and resource quota limits arise. For example, the number of VPCs attached to a CEN instance may reach the upper limit.

Solution

Alibaba Cloud offers the Resource Directory service to facilitate the management of multiple accounts and offers the Resource Sharing service and VPC sharing feature to facilitate communication among multiple accounts. The following descriptions provide details:

  • Use Resource Directory to manage multiple accounts

    The Resource Directory service provided by Alibaba Cloud allows you to manage the relationships among multiple levels of resources and accounts. You can enable a resource directory and create folders in the resource directory based on the organizational structure or business form of your enterprise. Then, you can consolidate the accounts used by your enterprise into the resource directory to establish multi-level relationships for the accounts and the resources within the accounts. This way, you can manage the accounts and resources in a centralized manner based on the relationships. In addition, your requirements for finance, security, audit, and compliance can be met. For more information, see Resource Directory.

    Resource Directory
  • Use Resource Sharing to share resources with members within the same resource directory

    The Resource Sharing service provided by Alibaba Cloud allows you to share resources with one or more members within your resource directory. To use this feature, create a resource share and add the resources and members to the resource share. For more information, see Resource Sharing overview.

    Resource Sharing
    Term Description
    resource share A resource share is an instance of the Resource Sharing service. It is also a cloud resource and has a unique ID and an Alibaba Cloud Resource Name (ARN). A resource share consists of a resource owner, principals, and shared resources.
    resource owner A resource owner initiates resource sharing and owns shared resources. It is the management account or a member of a resource directory.
    principal A principal shares the resources of resource owners. It has specific operation permissions on the shared resources. A principal is a member of a resource directory. Multiple principals can share the same resource.
    Note The operation permissions of each principal on the shared resources are determined based on the Alibaba Cloud service to which the resources belong. For example, the operation permissions of principals on the shared vSwitches in a VPC are determined based on the VPC service. For more information, see Permissions related to VPC sharing.
    shared resource A shared resource is a resource of an Alibaba Cloud service.
    resource sharing Resource sharing allows you to share your resources with all members in your resource directory, all members in a specific folder in your resource directory, or a specific member in your resource directory. For more information, see Enable resource sharing.
  • Share a VPC with members within the same resource directory

    You can use the Resource Sharing service to share the vSwitches in a VPC that belongs to a member (resource owner) with other members (principals) within the same resource directory. This way, the principals can create resources, such as Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and ApsaraDB RDS instances, in the shared VPC. By default, after a vSwitch is shared, principals can use the shared vSwitch without confirmation, and the resources created by the resource owner and principals can communicate with each other within the shared VPC. For more information, see Overview of VPC sharing.

    Architecture of a shared VPC

    The following figure and descriptions provide details about how a VPC is shared.

    • vSwitch sharing among multiple accounts

      You can share a vSwitch in a VPC with multiple accounts without the need to configure a VPC for each account. This reduces the number of VPCs.

      VPC sharing
    • Permissions of the resource owner and principals

      The following table describes the permissions of the resource owner and principals on the cloud resources that belong to the shared vSwitch.

      Role Supported operation Unsupported operation
      Resource owner
      • Create, view, modify, and delete resources that belong to the resource owner in the shared vSwitch.
      • View the following attributes of resources created by the participant in the shared vSwitch:
        • Instance IDs.
        • Private IP addresses.
        • The owner account of resources.
      Modify or delete resources created by the participant in the shared vSwitch.
      Participant If the vSwitch is shared, the participant can create, modify, and delete cloud resources in the shared vSwitch. If the vSwitch is shared, the participant cannot view, modify, or delete the resources created by other Alibaba Cloud accounts (resource owners and participants) in the shared vSwitch.
      If the vSwitch is no longer shared, the participant can view, use, modify, and delete the resources that are created by the participant in the vSwitch. If the vSwitch is no longer shared, the participant cannot view the resources associated with the vSwitch, such as VPCs, route tables, and network access control lists (ACLs). In addition, the participant cannot create resources in the vSwitch.

      The following table describes the permissions of the resource owner and principals on other network resources.

      Network resource Resource owner Participant operation
      VPC All permissions. View the VPC to which the shared vSwitch belongs.
      vSwitches All permissions.
      Note If the resource owner wants to delete the vSwitch, the vSwitch must not be shared with the participant. In addition, the resources created by the resource owner and participant in the vSwitch must be deleted.
      • View the shared vSwitch.
      • Create, modify, and delete cloud resources in the shared vSwitch.
      Route tables All permissions. View route tables and route entries that are associated with the shared vSwitch.
      Network ACLs All permissions. View network ACLs that are associated with the shared vSwitch.
      Private CIDR blocks View private CIDR blocks of the VPC and all vSwitches that belong to the VPC. View the private CIDR block of the shared vSwitch.
      Flow log
      • Create flow logs for a specified VPC or vSwitch. The system records traffic information about elastic network interfaces (ENIs) of the vSwitch that belongs to the participant.
      • Create flow logs for a specified ENI. The system records traffic information about ENIs that belong to the resource owner.
      No permission.
      NAT gateways All permissions on Internet NAT gateways and VPC NAT gateways.
      Note
      • The resources created by the resource owner and participant in the vSwitch can communicate with the Internet through Internet NAT gateways.
      • Internet NAT gateways can be associated with only the elastic IP addresses (EIPs) that belong to the resource owner.
      No permission.
      VPN gateways All permissions.
      Note The resources created by the resource owner and participant in the vSwitch can communicate with external networks through VPN gateways.
      No permission.
      Cloud Enterprise Network (CEN) instances All permissions.
      Note The resources created by the resource owner and participant in the vSwitch can communicate with external networks through CEN instances.
      No permission.
      VPC peering connections All permissions.
      Note The resources created by the resource owner and participant in the vSwitch can communicate with external networks through VPC peering connections.
      No permission.
      Tags Resource sharing does not affect the tags added to resources by the resource owner.

      When the vSwitch is shared, the resource owner and resource user can add tags to their own resources. The resource user cannot view the tags added by the resource owner and the resource owner cannot view the tags added by the resource user. The tags added by the resource owner and resource user do not affect each other. When the vSwitch is not shared, the system deletes the tags added by the participant in the vSwitch.

    • Isolation

      If you share vSwitches in the same VPC with different accounts, the vSwitches can communicate with each other by default. If you want to isolate the vSwitches in some scenarios, use one of the following methods:

      • Configure a network access control list (ACL) to isolate the vSwitches.
      • Configure a security group to isolate the instances that belong to the vSwitches. You can use security groups that belong to other accounts.
      Isolate VPCs
      Note You can configure ACL rules to isolate instances that belong to different vSwitches. However, if you want to isolate instances that belong to the same vSwitch, you can configure security group rules for the instances. You can use security groups that belong to other accounts. To isolate networks between different vSwitches and different accounts, configure source and destination IP addresses in security groups.

Benefits

The solution has the following benefits:

  • The O&M department can plan, configure, and manage VPCs in a centralized manner. In addition, the O&M department can share the vSwitches in the VPCs with the business department. Benefits - O&M
  • The business department can view and manage only the resources that belong to the shared vSwitches. In addition, the business department can create resources in the shared vSwitches or delete resources from the shared vSwitches, such as cloud instances and databases, based on business requirements. Manage VPCs in a centralized manner
  • In this solution, your enterprise uses a unified network architecture and security policy. This allows the business department to focus on business requirements.
  • You can use the network and security capabilities as a service for the business department, and standardize the O&M system. This improves the IT efficiency throughout your enterprise.