Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

AWS VPC per environment, or single VPC with multiple subnets for different environments?

Tags:

amazon-web-services

amazon-vpc

Let's say I have three environments - Development, Test and Production. I believe I have two options on how to set them up in AWS:

  1. Create a VPC per environment, so three VPCs in total. Then within each VPC add subnets in different availibility zones for availibility/redundancy. Create a fourth 'shared services' VPC that contains the services that all the different environments require.
  2. Create a single VPC with multiple subnets. I would create the subnets in different availability zones and spread the different environment resoures evenly across the subnets, so that should one zone go down I don't lose an environment

Which one of these approaches is considered best practice? What are the advantages or disadvantages of each, if any? I'm new to AWS and so far have been unable to find a definitive answer for which is best

like image 449
DraegerMTN Avatar asked Aug 09 '20 21:08

DraegerMTN

People also ask

Can 1 VPC have multiple subnets?

If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap. For example, if you create a VPC with CIDR block 10.0. 0.0/24 , it supports 256 IP addresses. You can break this CIDR block into two subnets, each supporting 128 IP addresses.

How many subnets can you have per VPC?

How many subnets can I create per VPC? Currently you can create 200 subnets per VPC. If you would like to create more, please submit a case at the support center.

How many VPCs Should you have AWS?

Limit of 5 VPCs per AWS Account.

Why do I need more than one VPC?

Using a Multi-VPC architecture allows you to isolate different parts of your infrastructure. Following the principle of divide and conquer simplifies and improves security due to less error prone and more precise access control.

2 Answers

The good practice is to have production fully separated from test or development environments, which is best achieved by having separate accounts for them:

Accounts in the SDLC OU host non-production workloads and therefore should not have production dependencies from other accounts.

Since you are not using different account, the closest you can get (if you want to follow the good practice) is to have different VPCs (option 1). What's more, to further separate the environments, the VPCs could be in different regions.

Also I would encourage you to re-think why do you need any common resources (i.e. forth VPC). If you share something (e.g. RDS) between prod and devel through the forth VPC, it is a disaster waiting to happen.

like image 133
Marcin Avatar answered Nov 15 '22 07:11

Marcin

I came across a similar problem.

VPC per environment can create great separation between resources, so I would recommend having at least PROD and nonPROD (dev, test, uat) VPC.

Having one VPC per environment can cause an increase in costs:

  • NAT Gateway / NAT Instance per subnet per VPC
  • VPC Endpoints (they can be pretty expensive, around 7 USD per endpoint and you often need more than one, but you have to keep in mind you can have only one subnet per AZ attached).
  • VPN (inside every VPC)
  • CICD (if you are using self-hosted agents [e.g. using Azure DevOps] you need an agent in every VPC)
  • Management can be more difficult (more redundant resources etc.).

(Of course, you can solve some issue using VPC Peering, but I do not think this is the proper solution in this case)

On the other side having one VPC per environment can create some benefits:

  • Subnet matrix can be the same for all ENVs, so it is easier to debug
  • One VPN per environment can lower chance to be "in the wrong environment by accident"
  • Minimum the risk of mutual resource affection.
like image 20
Filip Niko Avatar answered Nov 15 '22 07:11

Filip Niko
Sign in to Comment

Related questions

Why AWS CloudWatch does not have Memory usage metric for Autoscaling group
AWS ECR CF template fails with 'Invalid repository policy provided'
CloudFormation to setup CodePipeline/CodeBuild to deploy SAM application
Hugo Error - Current theme does not support current version
command not found from Jenkins Execute Shell
Amazon S3 Bucket Policy to prevent download?
How to point a Netlify subdomain to an AWS S3 bucket via CNAME?
AWS S3 - Generate presigned URL using REST API
terraform: Add an OS user with a given public key
AWS AppSync query returns cached response even when offline is disabled
AWS Application Loadbalancer and Cognito user pools, redirect_mismatch
how to dynamically set table name in dynamodb using serverless and DynamoDBContext?
Adding tags to ECS Service - InvalidParameterException
How to properly handle unauthenticated users and requests in AWS Amplify/AppSync React apps?
Is it possible to use a newer version of the aws-sdk than provided in AWS Lambda?
AWS remove files in S3 using CodeBuild in CodePipeline
How to use Fn::If with array values in cloud formation templates
Does AWS charge polling time of a Lambda function triggered by SQS?
Limiting External Access to AWS SQL Server Instance
Cloudfront to s3 redirect to subdomain giving Access denied error

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!