쿠키 기본 설정 선택

당사는 사이트와 서비스를 제공하는 데 필요한 필수 쿠키 및 유사한 도구를 사용합니다. 고객이 사이트를 어떻게 사용하는지 파악하고 개선할 수 있도록 성능 쿠키를 사용해 익명의 통계를 수집합니다. 필수 쿠키는 비활성화할 수 없지만 '사용자 지정' 또는 ‘거부’를 클릭하여 성능 쿠키를 거부할 수 있습니다.

사용자가 동의하는 경우 AWS와 승인된 제3자도 쿠키를 사용하여 유용한 사이트 기능을 제공하고, 사용자의 기본 설정을 기억하고, 관련 광고를 비롯한 관련 콘텐츠를 표시합니다. 필수가 아닌 모든 쿠키를 수락하거나 거부하려면 ‘수락’ 또는 ‘거부’를 클릭하세요. 더 자세한 내용을 선택하려면 ‘사용자 정의’를 클릭하세요.

설정
문의하기
피드백
AWS Documentation
AWS 계정 생성
Network connectivity - Management and Governance Cloud Environment Guide
이 페이지는 귀하의 언어로 번역되지 않았습니다. 번역 요청

Network connectivity

PDFRSS

Workloads often exist in multiple locations or environments, both publicly accessible and private. Managing networks in AWS might require connecting many AWS-hosted VPCs from many accounts to specific enterprise networks, and to the internet. Your network strategy must allow for the interoperability of workloads while also aligning to your security architecture. The careful planning and management of your network design forms the foundation of how you provide isolation and resource boundaries within your workload. We think of network connectivity in three different groupings: connectivity between your on-premises network and your AWS environment, connectivity to and from the internet, and connectivity across your AWS environments—primarily between VPCs.

Where connectivity between VPCs is required, the M&G Guide recommends a hub and spoke model for your network design to connect to your existing environment. Intra-application connectivity requires multiple account network patterns that can be reusable for scale. Account types can include sandbox accounts that might require a separate network than the network used for your workload accounts. Regulatory requirements might require you to separate production data into distinct accounts and keep it separate from research and development activities in your sandbox accounts. To reinforce your data governance, you might restrict access using distinct network boundaries, along with specific controls. These boundaries could include controlling traffic with security groups and NACLs, implementation of firewalls, and implementing limited route configurations. Beyond data governance, your workload accounts might need further network refinement for regulated and non-regulated workloads.

Have a mechanism to enforce the use of non-overlapping private subnets when provisioning new accounts and VPCs in your multi-account framework. This automation should also encompass the definition of which network controls and patterns are implemented as you provision (and update) your AWS accounts and workloads. This automation would include definitions of which Regions are included and excluded from your network, as well as which mechanisms of access are allowed in your environments. Using AWS Control Tower, you can select a guardrail to detect if SSH or RDP is enabled for internet connections within your network, while specifically defining which Regions are allowed for the account and related VPC to operate. SSH and RDP traffic can also be restricted through security groups and NACLs.

Define and catalog your VPC in an infrastructure as code template such as AWS CloudFormation. Doing so will allow you to automate its provisioning as well as help with the necessary distributions of future version updates. AWS Control Tower provides a default VPC, or you can use the Scalable VPC Architecture from AWS Quick Starts as a building block for your own deployments. This template is also available within your console in the Service Catalog Getting Started Library.

도움이 필요하십니까?

프라이버시사이트 이용 약관쿠키 기본 설정
© 2025, Amazon Web Services, Inc. 또는 계열사. All rights reserved.