
AWS Cloud WAN and Amazon VPC IPAM with AWS Control Tower

AWS Control Tower offers a straightforward way to set up and govern a multi-account AWS environment, following prescriptive best practices to build a secure landing zone quickly.

You can provision tens, if not hundreds, of new AWS accounts at one time using AWS Control Tower. Once you provision accounts, you typically require the deployment of Amazon Virtual Private Cloud (Amazon VPC) for running your workloads, as well as networking between them. Automated networking deployment at a global scale can be challenging. Several factors must be considered, such as provisioning VPCs with non-overlapping CIDRs, configuring network routing, and governing the provisioned networks.

In this post, I will focus on AWS Cloud WAN to simplify the global network connectivity. Cloud WAN reduces the operational costs and complexity involved with running a global network and provides central governance for the provisioned network in the form of a centralized dashboard. I will show how to integrate Cloud WAN with AWS Control Tower to govern a landing zone. Additionally, I’ll show how you can use Amazon VPC IP Address Manager (IPAM) to provision VPCs with non-overlapping CIDRs.

To achieve this, I will leverage Customizations for AWS Control Tower and custom AWS CloudFormation templates, which will abstract the complexity and provide code for global network deployments. This lets you quickly deploy a network infrastructure across multiple AWS Regions, which is compliant with the standard practices and baseline configurations that typically form your landing zone.

Architecture

Let’s look at a simple use case of target global network architecture as shown in the figure. This is a common pattern that we see within AWS Control Tower, where customers want to align their network segmentation to their software lifecycle. The difference here is that we’re extending common single-region designs to multiple Regions.

Figure 1: A multi-account, multi-Region network infrastructure setup leveraging AWS CloudWAN and AWS Control Tower

In this example setup, we use a management account to deploy the AWS Control Tower landing zone. Three organizational units (OUs) are created in AWS Organizations: the Shared Services OU, the Production OU, and the Development OU. Three AWS accounts are created: the Production account is enrolled in the Production OU, the Development account in the Development OU, and the Network Hub account in the Shared Services OU. In the Network Hub account, a Cloud WAN core network with three segments (shared services, production, and development) is created across two Regions. The core network is shared across the Organization using AWS Resource Access Manager (AWS RAM). The CIDRs for VPCs in spoke accounts and shared services are provisioned using the IPAM service, which makes sure that there are no overlapping CIDRs across your global network infrastructure. The VPCs are connected to the shared core network, which is managed by Cloud WAN.

Solution deployment

Prerequisites

The following prerequisites are necessary for following along with this post:

  • The default accounts and the OU structure provisioned through AWS Control Tower are present. In other words, the following accounts are present and enrolled in the AWS Control Tower landing zone:
    • Management Account
    • Log Archive and Audit Accounts (in Security OU)
  • Create Shared Services OU and a Network Hub Account. Enroll the Network Hub Account to the Shared Services OU. Then create Production OU and a Production Account. Enroll the Production Account to the Production OU. Lastly, create Development OU and a Development Account. Enroll the Development Account to the Development OU.
  • Deploy the initial-setup.yml (ManagementPrep.yml) CloudFormation template in the home Region of the management account. This template creates the AWS Systems Manager parameters and AWS RAM shares to interact with Organizations.

Note: The code provided to provision the infrastructure assumes two AWS Regions (us-east-1 and eu-west-1) for Cloud WAN Core Network and IPAM as an example. Make the appropriate changes to suit your requirements.

Deployment steps

The deployment of the solution consists of three sections:

  • Section-1: Deploy and set up AWS Control Tower in the Management account.
  • Section-2: Add the packaged code for AWS Control Tower customizations that sets up IPAM, Cloud WAN core network, and segments in the Network Hub account.
  • Section-3: Add the spoke automations required to provision the VPCs leveraging CIDRs assigned from IPAM and connected globally using the Cloud WAN core network.

The customizations required to build an example network architecture mentioned in this post can be obtained from the GitHub repository.

Section-1: Deploy AWS Control Tower in the Management account

  1. Log in to the Management account for AWS Control Tower.
  2. Navigate to the CloudFormation service in the home Region of your AWS Control Tower landing zone setup. Launch the Customizations for AWS Control Tower (CfCT) stack using the GitHub template. Provide appropriate values for OUs and Accounts for your environment.
  3. Next, launch a stack using the management setup template and provide appropriate values for OUs and Accounts for your environment. This sets up the SSM parameters that are used in later sections.
  4. Next, navigate to AWS Key Management Service (AWS KMS). Select “CustomControlTowerKMSKey”. Edit the key policy. Add the ARN of the role for the SSO user used to log in to the management account in the principal section of the AWS KMS policy. An example key policy is provided in the following figure. This will allow AWS Control Tower read permissions to access the Amazon Simple Storage Service (Amazon S3) bucket across the organizations used for storing the customizations code package.

Figure 2: An example KMS key policy with ARN of SSO user

Section-2: Deploy the packaged code for AWS Control Tower customizations that sets up IPAM, Cloud WAN core network, and segments in the Network Hub account

  1. Clone the GitHub repository to your local machine using git or an equivalent tool.
  2. On your local machine, update the manifest.yml file. Modify the Accounts in the “deployment targets” section of “vpc-automation-in-networking-hub”, “vpc-automation-in-spoke”, “vpc-remote-cidr”, “ipam-delegate”, “ipam-networking-hub” resource. Then, update the “Regions” section with the appropriate Region. An example manifest file with the changes is shown in the following figure.

Figure 3: A manifest file showing the deployment targets, accounts, and regions of deployment

  3. Modify the parameter values in ipam-networking-hub.json with CIDRs that meet your requirements. Furthermore, update the Regions of operation for your landing zone where VPCs will be provisioned. This is shown in the following figure. Save the changes to all of the files.

Figure 4: An IPAM networking-hub.json file that shows various parameters used for deployment

  4. Next, modify the remote_cidr.json file. Update it with the remote regional IP CIDRs that will be used for your Development, Production, and Shared Services OUs.
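
A pre-upload check for the CIDRs entered in steps 3 and 4, added here as an example (it is not code from the post or its GitHub repository): it confirms that each per-Region range sits inside the top-level range and that no two ranges overlap. It assumes the CloudFormation parameter-file layout (a list of ParameterKey/ParameterValue pairs); the parameter key names and CIDR values are hypothetical.

```python
import ipaddress
import json
from itertools import combinations

# Constructed sample in CloudFormation parameter-file layout. Key names and
# CIDR values are assumptions for illustration, not the repository's own.
SAMPLE_PARAMS = json.loads("""[
  {"ParameterKey": "TopLevelPoolCidr", "ParameterValue": "10.0.0.0/8"},
  {"ParameterKey": "UsEast1PoolCidr",  "ParameterValue": "10.0.0.0/12"},
  {"ParameterKey": "EuWest1PoolCidr",  "ParameterValue": "10.8.0.0/13"},
  {"ParameterKey": "HomeRegion",       "ParameterValue": "us-east-1"}
]""")


def extract_cidrs(params):
    """Return {key: network} for every parameter value written as a CIDR."""
    found = {}
    for p in params:
        key, value = p["ParameterKey"], str(p["ParameterValue"])
        if "/" not in value:
            continue  # not a CIDR parameter (for example a Region name)
        try:
            # strict=True rejects values with host bits set, e.g. 10.8.1.0/13
            found[key] = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            raise ValueError(f"{key}: {value!r} is not a valid CIDR") from exc
    return found


def check_pools(params, top_key):
    """Report ranges outside the top-level range or overlapping a sibling."""
    cidrs = extract_cidrs(params)
    top = cidrs.pop(top_key)
    problems = []
    for key, net in cidrs.items():
        if net.version != top.version or not net.subnet_of(top):
            problems.append(f"{key} {net} is outside {top_key} {top}")
    for (k1, n1), (k2, n2) in combinations(cidrs.items(), 2):
        if n1.overlaps(n2):
            problems.append(f"{k1} {n1} overlaps {k2} {n2}")
    return problems


if __name__ == "__main__":
    for line in check_pools(SAMPLE_PARAMS, "TopLevelPoolCidr"):
        print("FAIL:", line)
```

The constructed sample fails on purpose: 10.8.0.0/13 lies inside 10.0.0.0/12, so the two regional ranges collide.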

Section-3: Add changes to the spoke automations required to provision the VPCs leveraging CIDRs assigned from IPAM and connected globally using the Cloud WAN core network

  1. Again, on your local machine, navigate to the parameters folder. Modify the parameter values in vpc-automation-in-spoke.json file with size of VPC, and home region for CfCT (or IPAM). An example is shown in the following figure.
  2. Save the file changes. Compress the folder into a .zip file called “custom-control-tower-configuration”. Upload the zipped file to the S3 bucket in the home region of AWS Control Tower (the custom-control-tower-configuration-<accountId>-<cfct-region> bucket). This will trigger the pipeline that was provisioned by the customizations.

Figure 5: An example of changes in parameters for the vpc-automation-in-spoke.json file

Validate connectivity

To validate connectivity, we will utilize the shared services account which has VPCs provisioned across the two Regions. Follow these steps:

  1. Log in to the Shared Services account.
  2. Launch an Amazon Elastic Compute Cloud (Amazon EC2) instance in each of the two AWS Regions (us-east-1 and eu-west-1) via the AWS Console following the instructions.
  3. Open your security groups associated with the EC2 instances to allow ICMP traffic between them. You can create an example security group to allow ping traffic as per the Rules for ping/ICMP example in the documentation.
  4. Verify that the ping succeeds.

Clean up

To avoid unnecessary charges, delete the resources created during the testing. To perform a cleanup of the resources, perform the following steps in the sequential order defined here:

  1. Delete the StackSets that were created in the management account for AWS Control Tower. To delete a stack set, you must first delete all stack instances in the stack set.
  2. Remove the permissions added to the CustomControlTowerKMSKey in the management account of the Main Organization.
  3. Delete the CfCT stack and the initiation stacks created in the management account of AWS Control Tower.
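
A check for the key policy edited in Section-1 step 4 and reverted in clean-up step 2, added here as an example (it is not code from the post or its repository): it audits a KMS key policy document for wildcard grants and for IAM Identity Center (SSO) role principals other than the one you intended. The sample policy, account ID, role name, and actions are constructed placeholders, not the policy shown in Figure 2.

```python
# Path segment that IAM Identity Center (SSO) role ARNs contain.
SSO_ROLE_MARKER = "/aws-reserved/sso.amazonaws.com/"

# Constructed sample: account ID, role name and statements are placeholders.
SSO_ROLE = ("arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/"
            "AWSReservedSSO_AdministratorAccess_0123456789abcdef")
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EnableRoot", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "AllowSsoUser", "Effect": "Allow",
         "Principal": {"AWS": [SSO_ROLE]},
         "Action": ["kms:Decrypt", "kms:DescribeKey"], "Resource": "*"},
    ],
}


def statements(policy):
    """Statement may be a single object or a list; always return a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def aws_principals(stmt):
    """Return the AWS principals of a statement as a list of strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def audit_key_policy(policy, expected_sso_role=None):
    """Flag wildcard grants and SSO roles other than the expected one.

    Pass expected_sso_role=None after clean-up, when no SSO role should remain.
    """
    findings = []
    for stmt in statements(policy):
        sid = stmt.get("Sid", "<no Sid>")
        principals = aws_principals(stmt)
        if (stmt.get("Effect") == "Allow" and "*" in principals
                and "Condition" not in stmt):
            findings.append(f"{sid}: Allow to any principal without a Condition")
        for arn in principals:
            if SSO_ROLE_MARKER in arn and arn != expected_sso_role:
                findings.append(f"{sid}: unexpected SSO role {arn}")
    return findings
```

The policy document to audit can be retrieved with `aws kms get-key-policy` and parsed from its JSON string before being passed to `audit_key_policy`.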

Conclusion

AWS Cloud WAN is a managed wide-area networking (WAN) service that you can use to build, manage, and monitor a unified global network connecting resources running across your cloud and on-premises environments. Previous posts covered the common architecture patterns and terminology associated with the service, which are required to build a global network infrastructure.

In this post, we used AWS Cloud WAN to build a global network for accounts that are provisioned through AWS Control Tower landing zone. We provisioned VPCs in these accounts with CIDRs allocated via Amazon VPC IP Address Manager (IPAM) and connected them globally with Cloud WAN.

Finally, we also provided you with code to build this AWS global network across multiple regions and accounts in just a few clicks. To learn more about Cloud WAN, visit our documentation and FAQ page.

About the Author

Shiva Vaidyanathan

Shiva Vaidyanathan is a Senior Cloud Infrastructure Architect at AWS. He provides technical guidance to customers and designs and leads implementation projects, ensuring their success on AWS. He works towards making cloud networking simpler for everyone. Prior to joining AWS, he worked on several NSF-funded research initiatives on how to perform secure computing in public cloud infrastructures. He holds an MS in Computer Science from Rutgers University and an MS in Electrical Engineering from New York University.