Self-service VPCs in AWS Control Tower using AWS Service Catalog
One of the first tasks my customers do when creating a new AWS account is to create the right network integration for their enterprise. Typically, this means implementing an Amazon Virtual Private Cloud (VPC) across a multi-account framework that was provisioned with AWS Control Tower. When these are provisioned in a self-service model, we see two significant advantages:
- VPCs are created in a programmatic, repeatable manner.
- The network administration team can ensure the consistent application of guardrails for governance.
In this post, we show how you can use AWS Control Tower to provision a new account using Account Factory. We will use AWS Service Catalog to create a portfolio that contains an Amazon Virtual Private Cloud (Amazon VPC) product. We then share this portfolio with an organization created in AWS Organizations. Thereafter we enable end users to provision these Amazon VPCs in a self-service manner.
When you use Account Factory, customers often want to build a customized VPC that is configured for centralizing traffic using AWS Transit Gateway. They also want to enable their end users to provision these approved custom VPCs on demand.
In this solution, you use AWS CloudFormation templates to create an AWS Service Catalog portfolio and VPC product in your AWS Service Catalog delegated administrator account. By using the AWS Service Catalog portfolio sharing feature with AWS Organizations, you can make the VPC product available across both existing and future accounts in your organization. End users who are given access to AWS Service Catalog can also choose to provision VPCs in a self-service or a programmatic manner.
The following diagram shows the solution architecture:
Figure 1: Solution architecture
In order for this solution to work, you must have the following steps completed:
- A network account with a transit gateway provisioned which has auto-accept attachment requests enabled. Make a note of your transit gateway ID. This will be used in the solution.
- Resource sharing with AWS Organizations should be enabled.
- AWS Resource Access Manager configured to share the transit gateway with your organization in AWS Organizations.
- Trusted access with AWS CloudFormation stack sets should be enabled.
- AWS Service Catalog delegated administrator should be set up.
Configure Account Factory with custom Amazon VPC settings
Account Factory enables you to configure VPC options when you provision new AWS accounts. In this solution however, we will elect not to use the default settings. We will disable the provisioning of a VPC and use a self-service VPC in AWS Service Catalog instead.
Follow these steps to disable the provisioning of a VPC on account creation.
- In the AWS Control Tower console, choose Account Factory.
- Under Network configuration, choose Edit.
Figure 2: Account Factory
- On Edit account factory network configuration, clear all check boxes under Regions for VPC Creation, and then choose Save.
Figure 3: Edit account factory network configuration.
Create a launch constraint role across the organization.
You must first have the appropriate role in the new account for AWS Service Catalog to share and instantiate your AWS CloudFormation stack set. Once this IAM role is in the account, we can use it as a launch constraint within AWS Service Catalog. This will allow your end users to provision these VPCs without each user having VPC console access. This follows the least privilege rule, and will help with automation of this capability in the future as well.
- Use the following button to launch the AWS CloudFormation stack set in the management account.
- On the Choose a template page, in Specify template, enter the Amazon S3 URL
- Choose Next.
- On the Specify StackSet details page, enter a stack set name (for example,
- In Parameters, for pRoleName, enter a name for the role (for example,
service-catalog-vpc-launch). Make a note of this name because you will use it when you deploy the AWS Service Catalog portfolio.
- Choose Next.
- On the Configure StackSet options page, choose Service Managed Permissions, and then choose Next.
- In Deployment targets, choose Deploy to organization. In Automatic deployment, choose Enabled. In Account removal behavior, choose Delete stacks.
Figure 4: Set deployment options page
- In Specify Regions, choose your AWS Control Tower home Region. Add only one Region to the list, as IAM roles are global resources. If you choose more than one Region, the stack deployment will fail.
- In Deployment options, accept the defaults provided.
Figure 5: Deployment options
- Review your selections, and then choose Submit.
- Verify that the stack set has been created successfully before you move to the next step.
Deploy the portfolio in the AWS Service Catalog delegated administrator account
AWS Service Catalog portfolios enable you to centrally manage commonly deployed IT services while achieving consistent governance. The portfolio groups a set of products (CloudFormation templates). After the portfolio is shared, end users can quickly deploy the products they need. This is done using the constraints you set for that portfolio. To begin, you’ll deploy a CloudFormation stack that creates a portfolio to be shared across your organization.
- Use the following button to launch the AWS CloudFormation stack in the delegated administrator account.
- Choose Next.
- On the Specify stack details page, enter a stack name (for example,
- On the Specify stack details page, enter the following parameters:
- pVpcLaunchRoleName: Enter the role name that you used earlier. AWS Service Catalog uses this role to launch the VPC product.
- pPortfolioName: Enter a name for the portfolio (for example,
Self-Service Network Portfolio).
- pVpcProductKey: Accept the default Amazon S3 location for the VPC product template.
- Choose Next.
- On the Configure Stack Options page, enter any tags you want to assign to the stack, and then choose Next.
- Select the IAM acknowledgement check box, and then choose Create Stack.
- Verify that the stack has been created successfully before you move to the next step.
Share the newly created portfolio with your organization
When you share a portfolio, using AWS Service Catalog, you are sharing a reference of that portfolio. The products and constraints in the imported portfolio stay in sync with changes that you make to the shared portfolio from the original portfolio. This feature allows you to share a portfolio in a child account, and have it in sync with the version in your delegated administrator account. When using organization sharing for your portfolio, each account provisioned into that same organization will now have the portfolio available.
Follow these steps to share your portfolio with your organization.
- Open the AWS Service Catalog console, and from the left navigation pane, choose Portfolios.
- Choose the radio button next to Self-Service Network Portfolio, and from Actions, choose Share.
Figure 6: Portfolios page
- On Create share: Self-Service Network Portfolio, under Select how to share, choose Organization.
- Under Select an organizational entity to share with, choose Organization.
- Under Organization, enter your organization ID, and then choose Share.
Figure 7: Create share: Self-Service Network Portfolio
Set up user access and provision a custom VPC using AWS Service Catalog
The spoke account cannot change the products or constraints, but the AWS Service Catalog administrator can add IAM access for end users. End users will then be able to vend products from the portfolio using a self-service model.
The following steps will walk you through setting up end user access.
- Navigate to AWS Single Sign-On, and sign-in to the spoke account you want to use to deploy a VPC.
- Open the AWS Service Catalog console, and choose Portfolios.
- On the Imported tab, choose your portfolio.
Figure 8: Portfolios page
- Choose the Groups, roles, and users pane, and add an IAM role, user, or group that you want to use to launch the product.
- In the left navigation pane, choose Products.
- On the Products page, choose VPC, and then choose Launch product.
Figure 9: Products page
- On the Launch product page, enter a name for your provisioned product, and then choose NEXT.
- On the Launch product page, enter the product parameters:
- pEnvironmentName: Enter an environment name no longer than three letters.
- pVpcCidr: Enter your VPC CIDR (for example,
- pTransitGatewayId: Enter the transit gateway ID you made note of in the pre-requisites (for example,
- Choose Launch product.
Verify that the custom VPC has been created in the member account
To view your newly provisioned VPC from AWS Service Catalog, open the Amazon VPC console, and from the left navigation pane, choose Your VPCs.
Figure 10: VPC dashboard
In the VPC console, you see a provisioned VPC with the name you provided as the environment parameter for the CloudFormation stack.
Figure 11: ct-blog-VPC
In the left navigation pane, choose Transit Gateway Attachments. In the console, you see a transit gateway attachment for the VPC that you provisioned.
Figure 12: Transit gateway attachment page
In this blog post, we showed you how you can use AWS Control Tower to provision a new account using Account Factory; how to create a portfolio using AWS Service Catalog containing a custom VPC product; and how to share this portfolio with your AWS Organization. When using this solution, your end users can provision custom VPCs in a programmatic, repeatable manner. Whereas your network administrators can ensure the consistent application of guardrails.
Sharing your resources in the AWS Resource Manager User Guide
Getting started with transit gateways in the Transit Gateway Guide
Sharing and importing portfolios in the AWS Service Catalog Administrator Guide
Implementing Serverless Transit Network Orchestrator (STNO) in AWS Control Tower blog post