AWS Cloud Operations & Migrations Blog

Self-service VPCs in AWS Control Tower using AWS Service Catalog

One of the first tasks my customers do when creating a new AWS account is to create the right network integration for their enterprise. Typically, this means implementing an Amazon Virtual Private Cloud (VPC) across a multi-account framework that was provisioned with AWS Control Tower. When these are provisioned in a self-service model, we see two significant advantages:

  • VPCs are created in a programmatic, repeatable manner.
  • The network administration team can ensure the consistent application of guardrails for governance.

In this post, we show how you can use AWS Control Tower to provision a new account using Account Factory. We will use AWS Service Catalog to create a portfolio that contains an Amazon Virtual Private Cloud (Amazon VPC) product. We then share this portfolio with an organization created in AWS Organizations. Thereafter we enable end users to provision these Amazon VPCs in a self-service manner.

Solution overview

 When you use Account Factory, customers often want to build a customized VPC that is configured for centralizing traffic using AWS Transit Gateway. They also want to enable their end users to provision these approved custom VPCs on demand.

In this solution, you use AWS CloudFormation templates to create an AWS Service Catalog portfolio and VPC product in your AWS Service Catalog delegated administrator account. By using the AWS Service Catalog portfolio sharing feature with AWS Organizations, you can make the VPC product available across both existing and future accounts in your organization. End users who are given access to AWS Service Catalog can also choose to provision VPCs in a self-service or a programmatic manner.

The following diagram shows the solution architecture:

End user provisions Amazon VPC. This shows the interaction between AWS Service Catalog portfolio that is shared to spoke accounts 1 and 2. It also shows where the end user provisions the Amazon VPC CloudFormation stack. AWS Control Tower management account has a delegated admin for AWS Service Catalog in the hub. Network account shares AWS Transit Gateway with spoke accounts 1 and 2 using AWS Resource Access Manager. It also shows the transit gateway VPC attachments from the transit gateway and the spoke account VPCs.

Figure 1: Solution architecture


In order for this solution to work, you must have the following steps completed:

  • A network account with a transit gateway provisioned which has auto-accept attachment requests enabled. Make a note of your transit gateway ID. This will be used in the solution.
  • Resource sharing with AWS Organizations should be enabled.
  • AWS Resource Access Manager configured to share the transit gateway with your organization in AWS Organizations.
  • Trusted access with AWS CloudFormation stack sets should be enabled.
  • AWS Service Catalog delegated administrator should be set up.


Configure Account Factory with custom Amazon VPC settings

Account Factory enables you to configure VPC options when you provision new AWS accounts. In this solution however, we will elect not to use the default settings. We will disable the provisioning of a VPC and use a self-service VPC in AWS Service Catalog instead.

Follow these steps to disable the provisioning of a VPC on account creation.

  1. In the AWS Control Tower console, choose Account Factory.
  2. Under Network configuration, choose Edit.

The network configuration section of Account Factory displays the following fields: Internet-accessible subnet; maximum number of private subnets; Availability Zone count; address range (CIDR) for account VPCs; and Regions for VPC creation.

Figure 2: Account Factory

  1. On Edit account factory network configuration, clear all check boxes under Regions for VPC Creation, and then choose Save.
The Account Factory configuration page displays the following fields: Maximum number of private subnets; address range (CIDR) restriction for account VPCs; an internet accessible subnet option; check boxes for VPC Region creation; and the number of Availability Zones to configure subnets in each VPC.

Figure 3: Edit account factory network configuration. 

Create a launch constraint role across the organization.

You must first have the appropriate role in the new account for AWS Service Catalog to share and instantiate your AWS CloudFormation stack set. Once this IAM role is in the account, we can use it as a launch constraint within AWS Service Catalog. This will allow your end users to provision these VPCs without each user having VPC console access. This follows the least privilege rule, and will help with automation of this capability in the future as well.

  1. Use the following button to launch the AWS CloudFormation stack set in the management account. Launch Stack
  2. On the Choose a template page, in Specify template, enter the Amazon S3 URL
  3. Choose Next.
  4. On the Specify StackSet details page, enter a stack set name (for example, vpc-portfolio-launch-role).
  5. In Parameters, for pRoleName, enter a name for the role (for example, service-catalog-vpc-launch). Make a note of this name because you will use it when you deploy the AWS Service Catalog portfolio.
  6. Choose Next.
  7. On the Configure StackSet options page, choose Service Managed Permissions, and then choose Next.
  8. In Deployment targets, choose Deploy to organization. In Automatic deployment, choose Enabled. In Account removal behavior, choose Delete stacks.

Under Deployment targets, Deploy to organization is enabled. Under Automatic deployment, Enabled is selected. Under Account removal behavior, Delete stacks is selected.

Figure 4: Set deployment options page

  1. In Specify Regions, choose your AWS Control Tower home Region. Add only one Region to the list, as IAM roles are global resources. If you choose more than one Region, the stack deployment will fail.
  2. In Deployment options, accept the defaults provided.

Under Maximum concurrent accounts, Number is selected and set to 1. Under Failure tolerance, Number is selected and set to 0.

Figure 5: Deployment options

  1. Review your selections, and then choose Submit.
  2. Verify that the stack set has been created successfully before you move to the next step.

Deploy the portfolio in the AWS Service Catalog delegated administrator account

AWS Service Catalog portfolios enable you to centrally manage commonly deployed IT services while achieving consistent governance. The portfolio groups a set of products (CloudFormation templates). After the portfolio is shared, end users can quickly deploy the products they need. This is done using the constraints you set for that portfolio. To begin, you’ll deploy a CloudFormation stack that creates a portfolio to be shared across your organization.

  1. Use the following button to launch the AWS CloudFormation stack in the delegated administrator account. Launch Stack
  2. Choose Next.
  3. On the Specify stack details page, enter a stack name (for example, custom-network-portfolio).
  4. On the Specify stack details page, enter the following parameters:
    • pVpcLaunchRoleName: Enter the role name that you used earlier. AWS Service Catalog uses this role to launch the VPC product.
    • pPortfolioName: Enter a name for the portfolio (for example, Self-Service Network Portfolio).
    • pVpcProductKey: Accept the default Amazon S3 location for the VPC product template.
  5. Choose Next.
  6. On the Configure Stack Options page, enter any tags you want to assign to the stack, and then choose Next.
  7. Select the IAM acknowledgement check box, and then choose Create Stack.
  8. Verify that the stack has been created successfully before you move to the next step.

Share the newly created portfolio with your organization

When you share a portfolio, using AWS Service Catalog, you are sharing a reference of that portfolio. The products and constraints in the imported portfolio stay in sync with changes that you make to the shared portfolio from the original portfolio. This feature allows you to share a portfolio in a child account, and have it in sync with the version in your delegated administrator account. When using organization sharing for your portfolio, each account provisioned into that same organization will now have the portfolio available.

Follow these steps to share your portfolio with your organization.

  1. Open the AWS Service Catalog console, and from the left navigation pane, choose Portfolios.
  2. Choose the radio button next to Self-Service Network Portfolio, and from Actions, choose Share.

Under Local portfolios, Self-Service Network Portfolio is selected. From the Actions menu, Share is selected.

Figure 6: Portfolios page

  1. On Create share: Self-Service Network Portfolio, under Select how to share, choose Organization.
  2. Under Select an organizational entity to share with, choose Organization.
  3. Under Organization, enter your organization ID, and then choose Share.

Under Account info, the Organization radio button is selected. Under Select an organizational entity to share with, Organization is selected. Under Organization, there is a field where you can enter your organization ID.

Figure 7: Create share: Self-Service Network Portfolio

Set up user access and provision a custom VPC using AWS Service Catalog

The spoke account cannot change the products or constraints, but the AWS Service Catalog administrator can add IAM access for end users. End users will then be able to vend products from the portfolio using a self-service model.

The following steps will walk you through setting up end user access.

    1. Navigate to AWS Single Sign-On, and sign-in to the spoke account you want to use to deploy a VPC.
    2. Open the AWS Service Catalog console, and choose Portfolios.
    3. On the Imported tab, choose your portfolio.

Under Imported portfolios, the Self-Service Network Portfolio is selected.

Figure 8: Portfolios page

    1. Choose the Groups, roles, and users pane, and add an IAM role, user, or group that you want to use to launch the product.
    2. In the left navigation pane, choose Products.
    3. On the Products page, choose VPC, and then choose Launch product.

Under Products, VPC is selected. The product description says, “This product builds a standardized VPC.”

Figure 9: Products page

  1. On the Launch product page, enter a name for your provisioned product, and then choose NEXT.
  2. On the Launch product page, enter the product parameters:
    • pEnvironmentName: Enter an environment name no longer than three letters.
    • pVpcCidr: Enter your VPC CIDR (for example,
    • pTransitGatewayId: Enter the transit gateway ID you made note of in the pre-requisites (for example, tgw-111222333).
  1. Choose Launch product.


Verify that the custom VPC has been created in the member account

To view your newly provisioned VPC from AWS Service Catalog, open the Amazon VPC console, and from the left navigation pane, choose Your VPCs.

On Resources by Region, there are Launch VPC Wizard and Launch EC2 Instances buttons. There are also fields that display the VPCs and subnets you are using, including the Regions in which they are being used.

Figure 10: VPC dashboard

In the VPC console, you see a provisioned VPC with the name you provided as the environment parameter for the CloudFormation stack.

The AWS Service Catalog provisioned VPC named ct-blog-VPC is displayed with a status of available.

Figure 11: ct-blog-VPC

In the left navigation pane, choose Transit Gateway Attachments. In the console, you see a transit gateway attachment for the VPC that you provisioned.

The transit gateway attachment for the AWS Service Catalog provisioned VPC is displayed with a state of available.

Figure 12: Transit gateway attachment page


In this blog post, we showed you how you can use AWS Control Tower to provision a new account using Account Factory; how to create a portfolio using AWS Service Catalog containing a custom VPC product; and how to share this portfolio with your AWS Organization. When using this solution, your end users can provision custom VPCs in a programmatic, repeatable manner. Whereas your network administrators can ensure the consistent application of guardrails.

Further reading

Sharing your resources in the AWS Resource Manager User Guide
Getting started with transit gateways in the Transit Gateway Guide
Sharing and importing portfolios in the AWS Service Catalog Administrator Guide
Implementing Serverless Transit Network Orchestrator (STNO) in AWS Control Tower blog post


About the Authors

Nick Sack

Nick Sack is a DevOps Consultant for AWS Professional Services. He is passionate about working with customers and building automated solutions to help customers on their cloud journeys. When he’s not working, Nick enjoys hiking, playing soccer, reading, and learning about technology.

Alan Fiaccone

Alan Fiaccone is a Sr. Customer Solutions Manager for AWS. He works with clients to help realize the art of the possible and innovate at the speed and efficiencies of cloud. Alan enjoys golfing, mountain biking, woodworking, and anything to do with technology.