Innovative solutions for secure multi-account network communication in the AWS cloud

Introduction:

In the ever-evolving world of cloud computing, organizations continually strive for innovative solutions to improve security, optimize operations and maximize resource utilization. One of the most pressing challenges for our customer was establishing secure network communication between different AWS accounts within AWS organizations and to external interfaces.

Challenge:

The challenges our customer faced included the need for secure communication between different AWS accounts, isolation of test and development environments, centralized access to Internet resources via Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), and robust protection against Distributed Denial of Service (DDoS) attacks. Addressing these challenges is critical to the integrity and security of an organization's cloud infrastructure.

Solution and architecture:

In close collaboration with our customer, we developed a comprehensive solution for a multi-account network architecture:

• Central network AWS account integration: This serves as a preferred point for all network communications.
• Implementation of AWS Transit Gateway: This is shared via AWS Organizations with the necessary AWS member accounts to enable secure communication.
• Automated AWS Member Account Setup: For this purpose, AWS Service Catalog and AWS CloudFormation were used to set up defined VPC environments within the member accounts and connect them to the Transit Gateway.
• Setting up dedicated internet access and firewall VPC: The connection to the Transit Gateway created centralized control over Internet access.
• Setting up AWS Network Firewall: This was done in the Internet Access VPC to provide additional threat protection.
• Integration von AWS Firewall Manager: To centrally manage AWS Web Application Firewall rules and AWS Network Firewall rules.