1

Is it fine to run multiple applications within a single VPC? I might separate them by subnets of course. The reason I'm thinking this way is that the number of VPCs per region is limited to 5 (can be raised up to 100) and traffic is not free between VPCs. From the other point of view, it brings complexity and it will be easy to make a mistake if a bunch of independent resources reside in one VPC. Maybe it's better to use AWS Organizations to create standalone accounts and split everything, having a one-to-one relationship between an App and a VPC?

Roman Newaza

2 Answers

2

You can always increase your VPC limit through a service request, so this is not a hard limit. However, the easiest way I think about VPCs, coming from an on-prem world, is to look at them through the lens of a network boundary. So for example, if you have PROD and TEST networks, you could do the same with your VPCs. You can still route between your VPCs but you need to explicitly set this up.

In terms of an administrative boundary, AWS Accounts are typically what I see as a best practice for larger organizations. So you would create two AWS accounts, one for PROD and one for TEST, under the same ORG. That way administratively they would be separate, and each would have its own VPCs - so really limiting the blast radius.

You can connect these accounts on the networking level using peering or the transit gateway, but there is a bit more overhead in terms of work and costs (as you mentioned). AWS Control Tower is a fairly new service that helps you manage all this, and I would recommend watching some of the videos on how it helps you set everything up using best practices: https://aws.amazon.com/controltower/

  • So your idea is to have a separate VPC for each environment, right? Say I have a project A and B and I need TEST and PROD for them, therefore I create 4 VPCs - each project has two networks. Am I right? I would not mix multiple projects in one environment – Roman Newaza Nov 28 '19 at 09:43
  • That would be the simplest way to get network isolation, yes. However, if you're going to have different teams or want total administrative separation (not just network isolation) I would put the projects in separate AWS accounts, or all PROD in one account and all TEST in another account. It really depends on your size and how much you plan to grow. Typically I recommend separate AWS accounts for PROD and TEST rolling up to a master ORG. – Juraj Lišiak Nov 28 '19 at 15:18
  • For larger customers, I've seen them create an AWS account for each project - so they may have 50 plus accounts. However, this creates a management overhead, so be aware of that. Find out what your network boundaries need to be (that's your VPC), and then find out what your admin boundaries are (that's your AWS account) - that is a good heuristic to start with. – Juraj Lišiak Nov 28 '19 at 15:27
  • For now, it's more than enough to stay in single account – Roman Newaza Nov 29 '19 at 14:08
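The answer above says routing between VPCs has to be set up explicitly. The Terraform below is an added example (not code from the answerer or from AWS) of what "explicitly" means: two VPCs with non-overlapping CIDRs (a hard requirement for peering), a peering connection, a route on each side, and a security group that admits exactly one flow across the peering. The region, availability zone, CIDR ranges, provider version and the monitoring flow on TCP 9100 are assumptions chosen for illustration; cross-account peering, as in the Organizations layout the answer describes, additionally needs `peer_owner_id` on the requester and an `aws_vpc_peering_connection_accepter` in the accepting account.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" } # assumption
  }
}

provider "aws" {
  region = "eu-west-1" # assumption: any region works
}

# Non-overlapping CIDRs are a hard requirement for peering; fix them once per environment.
locals {
  envs = {
    prod = "10.10.0.0/16" # constructed sample ranges
    test = "10.20.0.0/16"
  }
}

resource "aws_vpc" "env" {
  for_each             = local.envs
  cidr_block           = each.value
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "vpc-${each.key}", Environment = each.key }
}

# One private subnet per VPC, carved from the VPC range with cidrsubnet().
resource "aws_subnet" "app" {
  for_each          = aws_vpc.env
  vpc_id            = each.value.id
  cidr_block        = cidrsubnet(each.value.cidr_block, 8, 1) # 10.10.1.0/24 and 10.20.1.0/24
  availability_zone = "eu-west-1a" # assumption
  tags              = { Name = "subnet-app-${each.key}" }
}

resource "aws_route_table" "app" {
  for_each = aws_vpc.env
  vpc_id   = each.value.id
  tags     = { Name = "rt-app-${each.key}" }
}

resource "aws_route_table_association" "app" {
  for_each       = aws_subnet.app
  subnet_id      = each.value.id
  route_table_id = aws_route_table.app[each.key].id
}

# Same-account peering; auto_accept only works within one account and region.
resource "aws_vpc_peering_connection" "prod_test" {
  vpc_id      = aws_vpc.env["prod"].id
  peer_vpc_id = aws_vpc.env["test"].id
  auto_accept = true
  tags        = { Name = "pcx-prod-test" }
}

# A peering connection alone moves no packets: each side needs an explicit route.
resource "aws_route" "prod_to_test" {
  route_table_id            = aws_route_table.app["prod"].id
  destination_cidr_block    = aws_vpc.env["test"].cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.prod_test.id
}

resource "aws_route" "test_to_prod" {
  route_table_id            = aws_route_table.app["test"].id
  destination_cidr_block    = aws_vpc.env["prod"].cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.prod_test.id
}

# Least privilege on top of routing: the only cross-VPC flow admitted is a
# hypothetical monitoring collector in prod scraping node metrics in test
# on TCP 9100. Everything else across the peering is dropped by default.
resource "aws_security_group" "test_app" {
  name   = "test-app"
  vpc_id = aws_vpc.env["test"].id
}

resource "aws_vpc_security_group_ingress_rule" "metrics_from_prod" {
  security_group_id = aws_security_group.test_app.id
  cidr_ipv4         = aws_subnet.app["prod"].cidr_block
  ip_protocol       = "tcp"
  from_port         = 9100
  to_port           = 9100
}
```

Two things to check when reviewing a layout like this: that the routes exist on both sides (a one-way route gives you a reachable-but-unanswered host), and that no security group in either VPC carries a broad rule such as the whole peer CIDR on all ports, since routing now makes that rule reachable.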
1

Things to be considered before going to VPC

 1. Network Isolation
 2. Avoid risks level being private.
 3. Separated space from Dev Environment
 4. Easy Audit

In your case..

If you consider the traffic,

  • Even inside a single VPC you can manage the traffic by routing it via a separate Route table.
  • If you want your applications to communicate among themselves, it is better to have them inside a single VPC.
Manikandan Ram
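The answer above suggests separating applications inside one VPC with separate route tables. The Terraform below is an added example (not code from the answerer or from AWS) of that layout for two hypothetical applications, with one caveat a reviewer would raise: every VPC route table carries an implicit "local" route for the VPC CIDR that cannot be removed, so separate route tables only control egress paths (internet gateway, NAT, peering), and reachability between two subnets of the same VPC is decided by security groups and network ACLs. The example therefore pairs the per-application route tables with a security group per application and a network ACL that denies the other application's subnet. The region, availability zone, CIDR ranges, application ports and provider version are assumptions.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" } # assumption
  }
}

provider "aws" {
  region = "eu-west-1" # assumption
}

resource "aws_vpc" "shared" {
  cidr_block = "10.30.0.0/16" # constructed sample range
  tags       = { Name = "vpc-shared" }
}

# Hypothetical applications sharing the VPC; each gets its own /24 and service port.
locals {
  apps = {
    app_a = { cidr = "10.30.1.0/24", port = 8080 }
    app_b = { cidr = "10.30.2.0/24", port = 9090 }
  }
}

resource "aws_subnet" "app" {
  for_each          = local.apps
  vpc_id            = aws_vpc.shared.id
  cidr_block        = each.value.cidr
  availability_zone = "eu-west-1a" # assumption
  tags              = { Name = "subnet-${each.key}" }
}

# One route table per application subnet, as the answer suggests. The implicit
# local route for 10.30.0.0/16 is present in both and cannot be removed, so
# this separates egress paths only.
resource "aws_route_table" "app" {
  for_each = local.apps
  vpc_id   = aws_vpc.shared.id
  tags     = { Name = "rt-${each.key}" }
}

resource "aws_route_table_association" "app" {
  for_each       = local.apps
  subnet_id      = aws_subnet.app[each.key].id
  route_table_id = aws_route_table.app[each.key].id
}

# The real intra-VPC boundary: one security group per application that admits
# only its own port from its own subnet (e.g. an internal load balancer placed
# there). There is deliberately no rule for the other application's subnet.
resource "aws_security_group" "app" {
  for_each = local.apps
  name     = "sg-${each.key}"
  vpc_id   = aws_vpc.shared.id
}

resource "aws_vpc_security_group_ingress_rule" "own_subnet_only" {
  for_each          = local.apps
  security_group_id = aws_security_group.app[each.key].id
  cidr_ipv4         = each.value.cidr
  ip_protocol       = "tcp"
  from_port         = each.value.port
  to_port           = each.value.port
}

# Defence in depth: a stateless network ACL per subnet that denies the other
# application's subnet (rule 100) before allowing the rest (rule 200), plus an
# allow-all egress rule so that replies are not dropped.
resource "aws_network_acl" "app" {
  for_each   = local.apps
  vpc_id     = aws_vpc.shared.id
  subnet_ids = [aws_subnet.app[each.key].id]
  tags       = { Name = "nacl-${each.key}" }
}

resource "aws_network_acl_rule" "deny_other_app" {
  for_each       = local.apps
  network_acl_id = aws_network_acl.app[each.key].id
  rule_number    = 100
  egress         = false
  protocol       = "-1"
  rule_action    = "deny"
  cidr_block     = [for k, v in local.apps : v.cidr if k != each.key][0]
}

resource "aws_network_acl_rule" "allow_ingress_rest" {
  for_each       = local.apps
  network_acl_id = aws_network_acl.app[each.key].id
  rule_number    = 200
  egress         = false
  protocol       = "-1"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
}

resource "aws_network_acl_rule" "allow_egress_all" {
  for_each       = local.apps
  network_acl_id = aws_network_acl.app[each.key].id
  rule_number    = 100
  egress         = true
  protocol       = "-1"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
}
```

If the two applications are later meant to talk to each other (the second bullet's case), the change is a single, narrow security group rule admitting one subnet on one port, which is the kind of explicit, reviewable rule a shared VPC should be judged by.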