Operations Management

Cross-Account Resource Sharing with AWS RAM - Sharing VPC Subnets and Transit Gateways

Learn how to share VPC subnets and Transit Gateways across accounts to centralize IP address space management and reduce VPC peering connections.

約 3 分で読めます

Overview of RAM

RAM is a service that securely shares over 30 types of AWS resources across multiple accounts. In multi-account environments, each account owns its own resources, but network resources (VPC subnets, Transit Gateways) and DNS resources (Route 53 Resolver rules) are more efficient when shared. Sharing through RAM eliminates resource duplication and reduces costs.

VPC Subnet Sharing

VPC subnet sharing is a pattern where a network account owns the VPC and subnets, and workload accounts create resources (EC2, RDS, Lambda) within the shared subnets. This eliminates the need for each account to have its own VPC, preventing IP address space fragmentation. Security groups remain independent per account, so network isolation between accounts is maintained even within shared subnets. With Transit Gateway sharing, a network account owns the Transit Gateway and each account attaches its VPC.

Shareable Resources and Design Patterns

Resources shareable through RAM include over 30 types such as VPC subnets, Transit Gateways, Route 53 Resolver rules, License Manager configurations, Aurora DB clusters, and CodeBuild projects. In VPC subnet sharing, a network account owns the VPC while workload accounts create resources within shared subnets. The main benefits are centralized IP address space management and reduced VPC peering. Sharing within an Organization is automatically approved, while sharing with accounts outside the Organization requires invitation-based approval. Resource share permissions control the operations allowed for recipient accounts (read-only, create-enabled). To learn RAM management techniques comprehensively, refer to technical books on Amazon.

RAM Pricing

RAM itself incurs no additional charges. Costs depend on the usage of shared resources (consumption by recipient accounts). With VPC subnet sharing, resources created by recipient accounts (EC2, RDS) are billed to the recipient account. With Transit Gateway sharing, attachment fees and data processing fees are billed to the recipient account. Conduct regular audits of resource shares and remove unnecessary shares to reduce security risks.

Summary

RAM is a service for efficiently sharing resources in multi-account environments. VPC subnet sharing centralizes IP address space management and reduces the number of VPC peering connections. Transit Gateway sharing consolidates network connectivity, supporting over 30 resource types. Sharing within an Organization is automatically approved, and resource share permissions provide fine-grained control over operations.

Related Services

AWS Resource Access ManagerSecurely share AWS resources with other accounts within your organizationAWS OrganizationsA service for centrally managing multiple AWS accountsAmazon VPCBuild a logically isolated virtual network on AWS

Related Articles

Multi-Account Management with AWS Organizations - OU Design and Governance with SCPsEstablish governance for multi-account environments through OU hierarchy design and SCP-based access control. Also covers cost management with consolidated billing.Building a Hub-and-Spoke Network with AWS Transit Gateway - Multi-VPC Connectivity DesignConsolidate multiple VPCs and on-premises networks in a hub-and-spoke topology, establish security boundaries with route table isolation, and enable multi-region connectivity through peering.Multi-Account Management - Organization-Wide Governance with AWS Organizations and RAMLearn how to deploy CloudTrail, Config, GuardDuty, and Security Hub across all accounts using the Organizations delegated administrator model, achieving unified security and compliance management.

More on This Topic

How AWS Keeps Time Internally - Amazon Time Sync Service and Leap Second Smearing DesignLearn how Amazon Time Sync Service works, how GPS and atomic clocks provide high-precision time sources, the design decision to absorb leap seconds through smearing, and why time synchronization matters in distributed systems.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Lessons from AWS Incident Reports (COE) - How Past Major Outages Shaped Design PrinciplesAnalyze the root causes of past major incidents including the S3 outage, us-east-1 DNS failure, and Kinesis outage from AWS's published Correction of Errors (COE) and incident reports, and explain how they changed AWS's design principles.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.Why AWS Service Quotas Exist - Multi-Tenant Design That Protects Shared InfrastructureExplain how AWS service quotas (formerly service limits) are not mere restrictions but a design to protect other customers in a multi-tenant environment, covering the noisy neighbor problem, soft vs hard limits, and what happens behind quota increase requests.

Similar Articles and Services

Resource Sharing Management - Efficient Resource Utilization in Multi-Account Environments with AWS RAMLearn about resource sharing in multi-account environments with AWS RAM (Resource Access Manager) and organization-wide resource management through AWS Organizations integration. Explore practical patterns for VPC subnet sharing and Transit Gateway sharing.Multi-Account Management - Organization-Wide Governance with AWS Organizations and RAMLearn how to deploy CloudTrail, Config, GuardDuty, and Security Hub across all accounts using the Organizations delegated administrator model, achieving unified security and compliance management.Multi-Account Design for Amazon VPC Lattice - RAM Sharing and Service Network Configuration PatternsLearn how to design VPC Lattice for multi-account environments, including RAM sharing strategies, service network partitioning, and hierarchical Auth Policy design.