Cross-Account Resource Sharing with AWS RAM - Sharing VPC Subnets and Transit Gateways
Learn how to share VPC subnets and Transit Gateways across accounts to centralize IP address space management and reduce VPC peering connections.
Overview of RAM
RAM (Resource Access Manager) is a service that securely shares over 30 types of AWS resources across multiple accounts. In multi-account environments, each account owns its own resources, but network resources (VPC subnets, Transit Gateways), DNS resources (Route 53 Resolver rules), and security resources (Network Firewall policies) are more efficient when shared. Sharing through RAM eliminates resource duplication and reduces costs. Shared resources are directly referenced and used from consumer accounts without cross-account IAM role switching or API call relay, providing a native operational experience. Resource ownership remains with the sharing account while consumer accounts receive only usage permissions, maintaining governance while enabling efficient resource utilization.
VPC Subnet Sharing
VPC subnet sharing is a pattern where a network account owns the VPC and subnets, and workload accounts create resources (EC2, RDS, Lambda, ECS tasks) within the shared subnets. This eliminates the need for each account to have its own VPC, preventing IP address space fragmentation. Since the network account centrally manages CIDR blocks, combining with IPAM (IP Address Manager) enables efficient address allocation without overlaps. Security groups remain independent per account, so network isolation between accounts is maintained even within shared subnets. However, NACLs (Network ACLs) operate at the subnet level and are managed only by the owner account. Resources in shared subnets can communicate directly via private IP with other resources in the same VPC without requiring VPC peering or Transit Gateway.
Shareable Resources and Design Patterns
Resources shareable through RAM include over 30 types such as VPC subnets, Transit Gateways, Route 53 Resolver rules, License Manager configurations, Aurora DB clusters, CodeBuild projects, AWS Network Firewall policies, Verified Access groups, IPAM pools, Capacity Reservations, and Outposts. Sharing within an Organization is automatically approved, while sharing with accounts outside the Organization requires invitation-based approval. RAM Managed Permissions provide fine-grained control over operations allowed for recipient accounts (read-only, create-enabled, associate-enabled). Creating custom managed permissions allows defining more restricted access levels than defaults. To learn RAM management techniques comprehensively, refer to technical books on Amazon.
Organizations Integration and Automation
RAM integrates with AWS Organizations to automate resource sharing at the OU (Organizational Unit) level. When sharing within Organizations is enabled, consumer accounts automatically gain access to resources without invitation approval. When a new account is added to an OU, it automatically receives access to resources shared with that OU. Combined with CloudFormation StackSets, this enables full automation of new account creation, OU placement, resource share configuration, and initial resource deployment. Combining Service Control Policies (SCP) with RAM sharing policies provides organization-level control over which resources are shared with which OUs. Usage of RAM shared resources can be audited via CloudTrail, tracking who accessed which resources.
Design Best Practices and Pitfalls
When designing VPC subnet sharing, it is critical to allocate subnet CIDR sizes with sufficient headroom. Since multiple accounts create resources in the same subnet, IP address exhaustion affects all accounts. A /24 (256 addresses) is often insufficient, and /20 to /22 ranges are recommended depending on workload scale. A common pitfall is that removing a resource share is blocked if consumer accounts still have resources (such as ENIs) in the shared subnet. Resource inventory before share removal is mandatory. For Transit Gateway sharing, route table design is important. Whether to allow or block communication between workload accounts is controlled through route table associations, so segmentation requirements must be planned in advance. Additionally, RAM shares are configured per region, so multi-region deployments often overlook the need to create separate Resource Shares in each region.
Comparison with VPC Peering
VPC subnet sharing and VPC peering both enable cross-account network connectivity, but differ in architectural philosophy. VPC peering has each account owning its own VPC with peering connections for mutual routing. Full-mesh connectivity across 10 accounts requires 45 peering connections, and route table management overhead grows rapidly. VPC subnet sharing consolidates the VPC itself into one, eliminating the need for peering for cross-account communication. However, with VPC subnet sharing, subnet-level NACLs are shared across all accounts, so VPC peering or Transit Gateway is needed when different NACLs per account are required. Comparing with Transit Gateway, a RAM-shared Transit Gateway provides hub-and-spoke connectivity at low cost, but Transit Gateway data processing charges (per-GB billing) accrue based on cross-account traffic volume, so VPC subnet sharing is more cost-efficient for high-volume communication scenarios.
RAM Pricing
RAM itself incurs no additional charges. Costs depend on the usage of shared resources by recipient accounts. With VPC subnet sharing, resources created by recipient accounts (EC2, RDS) are billed to the recipient account. With Transit Gateway sharing, attachment fees (per-attachment hourly billing) and data processing fees (per-GB billing) are charged to the recipient account. For Route 53 Resolver rule sharing, sharing the rules is free, but the Resolver endpoint ENI charges are billed to the owner account. Conduct regular audits of resource shares and remove unnecessary shares to reduce security risks.
Summary
RAM is a service for efficiently sharing resources in multi-account environments. VPC subnet sharing centralizes IP address space management and reduces VPC peering connections. Transit Gateway sharing consolidates network connectivity, supporting over 30 resource types. Organizations integration enables OU-level automatic sharing and full automation with CloudFormation StackSets, while CloudTrail audits shared resource access. Establishing subnet CIDR sizing plans and resource inventory operational rules in advance is key to stable operations, avoiding blocks during share removal.