
I am trying to set up a multi-account organisation on AWS, where the root account acts as a landing zone, and the other accounts are split between our deployment environments (staging/production).

One of my challenges is that we have our SSL registered in the root account, and for simplicity, I would like to keep it there. So I have an ALB in the root account which has a registered ACM certificate. From here, my aim is to forward all traffic via a shared VPC into one of the two child accounts, where there is another ALB with ECS clusters in its target group.

Here is a diagram of the architecture. The problem I'm facing is that there is no obvious way to connect the root account ALB to the staged account ALBs, given that they expose an internal DNS entry rather than a private IPv4 address that I could target from the root ALB.

Is there another way to achieve this, or am I perhaps overcomplicating things?

[Image: AWS architecture diagram]

  • Sometimes people put an NLB in front of an ALB to get a static IP, or use an NLB only. Maybe you can consider that? – Marcin May 02 '20 at 10:17
  • Would you recommend the NLB in the staged accounts? My requirements are the need to perform SSL termination in the root account (given that my SSL certificate lives there), but performing path-based routing in the staged accounts, given that those concerns are better closer to the ECS cluster. – Omair Vaiyani May 02 '20 at 10:25
  • A use of NLB to front ALB is shown in this AWS blog [post](https://aws.amazon.com/blogs/networking-and-content-delivery/using-static-ip-addresses-for-application-load-balancers/). Yes, you can terminate on the root ALB. If you want to look more into a use of NLB for the staged accounts, you don't even need a shared VPC. With NLB you can create your own VPC endpoint services with [PrivateLink](https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-service.html) technology. So you can decide which way would suit your needs better. – Marcin May 02 '20 at 10:46
  • My two cents. There is no hard line about how one should use the root account, but in my experience in a multi-account setup the root account should be used for overall management stuff, like whitelisting of services in sub-accounts, billing consolidation, identity creation, etc. The rest, application-related things, should be in sub-accounts. Another anti-pattern I could see in this architecture is that there exists a common link between your staging and production account. In most organizations, it is a NO-NO. I think this architecture itself needs a revisit, IMHO. – Siddharth May 02 '20 at 11:54
  • Now coming to the technical details. I am very much in favor of the PrivateLink approach that @Marcin has mentioned. In that way, you will not have a shared VPC and still communication across your two different accounts would be possible securely. Having a shared VPC is a clear violation of the principle of least privilege. – Siddharth May 02 '20 at 11:56
  • I'm still experimenting with a few setups. I agree now, a shared VPC isn't a great idea. Is there perhaps a way to use the root to issue a public SSL certificate, but access it from the sub-account? That way I can keep all the load balancer/ECS logic away from the root. – Omair Vaiyani May 02 '20 at 22:08
  • Based on this [post](https://stackoverflow.com/questions/39190650/can-i-share-acm-ssl-certificates-between-aws-acounts) it seems you can't share SSL certificates across accounts. – Marcin May 03 '20 at 05:28
  • Is it possible perhaps to register the domain on multiple accounts and issue the SSL certificate within each account? – Omair Vaiyani May 03 '20 at 10:17
  • Late to the party, but you can create the ACM cert in any account, and then when it tells you what DNS validation records to create, you can create those back in the root account, if that is where all your DNS is. It is also possible for your root account Route 53 hosted zone to delegate certain subdomains to another Route 53 hosted zone in another account. – David Ferretti Mar 03 '21 at 18:39
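
The last comment describes the approach that keeps the load balancers and ECS out of the root account: request the ACM certificate in the child (staging/production) account, and create the DNS validation CNAMEs in the root account's Route 53 hosted zone, or delegate a subdomain to a zone the child account owns. The following is an added example, not code from the question or any commenter, showing the data transformation involved: it turns an `acm.describe_certificate` response into a Route 53 change batch for the root zone, and builds the NS record that delegates a subdomain to a child-account zone. The sample API response, account id, hosted zone id and record names are constructed placeholders; the `apply_validation` helper is the only part that talks to AWS and needs boto3 plus credentials for both accounts.

```python
"""
Cross-account ACM validation helpers (added example, not from the page).

Assumptions (not stated on the page): the child account holds the ACM
certificate request; the root account owns the public Route 53 hosted zone;
two boto3 sessions with suitable credentials exist when apply_validation()
is called. Every other function is pure and runs offline.
"""

# Constructed sample shaped like acm.describe_certificate() output.
# Values are placeholders, not real records.
SAMPLE_DESCRIBE = {
    "Certificate": {
        "CertificateArn": "arn:aws:acm:eu-west-1:111111111111:certificate/EXAMPLE-ID",
        "DomainName": "staging.example.com",
        "DomainValidationOptions": [
            {"DomainName": "staging.example.com", "ValidationMethod": "DNS",
             "ResourceRecord": {"Name": "_abc123.staging.example.com.", "Type": "CNAME",
                                "Value": "_def456.acm-validations.aws."}},
            # ACM hands out the same CNAME for the apex and its wildcard SAN.
            {"DomainName": "*.staging.example.com", "ValidationMethod": "DNS",
             "ResourceRecord": {"Name": "_abc123.staging.example.com.", "Type": "CNAME",
                                "Value": "_def456.acm-validations.aws."}},
        ],
    }
}


def validation_records_from_certificate(describe_response):
    """Return the de-duplicated (name, type, value) CNAMEs ACM asks for."""
    records = set()
    cert = describe_response["Certificate"]
    for opt in cert.get("DomainValidationOptions", []):
        if opt.get("ValidationMethod") != "DNS" or "ResourceRecord" not in opt:
            continue  # e-mail validation or not yet populated by ACM
        rr = opt["ResourceRecord"]
        records.add((rr["Name"], rr["Type"], rr["Value"]))
    return sorted(records)


def route53_change_batch(records, action="UPSERT", ttl=300, comment=""):
    """Build the ChangeBatch for change_resource_record_sets in the root zone."""
    return {
        "Comment": comment,
        "Changes": [
            {
                "Action": action,
                "ResourceRecordSet": {
                    "Name": name,
                    "Type": rtype,
                    "TTL": ttl,
                    "ResourceRecords": [{"Value": value}],
                },
            }
            for name, rtype, value in records
        ],
    }


def delegation_change_batch(subdomain, name_servers, ttl=300):
    """NS record in the root zone that delegates `subdomain` to a child zone.

    `name_servers` are the four NS names Route 53 assigned to the child
    account's hosted zone (from get_hosted_zone()['DelegationSet']).
    """
    fqdn = subdomain if subdomain.endswith(".") else subdomain + "."
    return {
        "Comment": f"Delegate {fqdn} to child-account hosted zone",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": fqdn,
                "Type": "NS",
                "TTL": ttl,
                "ResourceRecords": [{"Value": ns} for ns in name_servers],
            },
        }],
    }


def apply_validation(child_session, root_session, certificate_arn, root_zone_id):
    """Live path: read the request in the child account, answer it in the root zone."""
    acm = child_session.client("acm")        # child account credentials
    r53 = root_session.client("route53")     # root account credentials
    cert = acm.describe_certificate(CertificateArn=certificate_arn)
    records = validation_records_from_certificate(cert)
    r53.change_resource_record_sets(
        HostedZoneId=root_zone_id,
        ChangeBatch=route53_change_batch(
            records, comment=f"ACM DNS validation for {certificate_arn}"),
    )
    # Blocks until ACM sees the CNAMEs and issues the certificate.
    acm.get_waiter("certificate_validated").wait(CertificateArn=certificate_arn)
    return records
```

If you take the delegation route instead, the validation CNAME must be created in the child account's zone (the one that is authoritative for `staging.example.com`), so `route53_change_batch` would then be applied with the child session and the child zone id; the root zone only needs the NS record from `delegation_change_batch`. Either way the certificate itself never leaves the account that owns the ALB, which is what the ACM sharing limitation in the earlier comment forces.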

0 Answers