Use consistent Availability Zones in VPCs across different AWS accounts
Created by Adam Spicer (AWS)
Code repository: Multi-account Availability Zone mapping | Environment: Production | Technologies: Infrastructure | AWS services: AWS CloudFormation; Amazon VPC; AWS Lambda
Summary
On the Amazon Web Services (AWS) Cloud, an Availability Zone has a name that can vary between your AWS accounts and an Availability Zone ID (AZ ID) that identifies its location. If you use AWS CloudFormation to create virtual private clouds (VPCs), you must specify the Availability Zone's name or ID when creating the subnets. If you create VPCs in multiple accounts, the Availability Zone name is randomized, which means that subnets use different Availability Zones in each account.
To use the same Availability Zone across your accounts, you must map the Availability Zone name in each account to the same AZ ID. For example, the following diagram shows that the use1-az6 AZ ID is named us-east-1a in AWS account A and us-east-1c in AWS account Z.
This pattern helps ensure zonal consistency by providing a cross-account, scalable solution for using the same Availability Zones in your subnets. Zonal consistency ensures that your cross-account network traffic avoids cross-Availability Zone network paths, which helps reduce data transfer costs and lower network latency between your workloads.
This pattern is an alternative approach to the AWS CloudFormation AvailabilityZoneId property.
Prerequisites and limitations
Prerequisites
At least two active AWS accounts in the same AWS Region.
Evaluate how many Availability Zones are needed to support your VPC requirements in the Region.
Identify and record the AZ ID for each Availability Zone that you need to support. For more information about this, see Availability Zone IDs for your AWS resources in the AWS Resource Access Manager documentation.
An ordered, comma-separated list of your AZ IDs. For example, the first Availability Zone on your list is mapped as az1, the second Availability Zone is mapped as az2, and this mapping continues until your comma-separated list is fully mapped. There is no maximum number of AZ IDs that can be mapped.
The az-mapping.yaml file from the GitHub Multi-account Availability Zone mapping repository, copied to your local machine.
Architecture
The following diagram shows the architecture that is deployed in an account and that creates AWS Systems Manager Parameter Store values. These Parameter Store values are consumed when you create a VPC in the account.
The diagram shows the following workflow:
This pattern’s solution is deployed to all accounts that require zonal consistency for a VPC.
The solution creates a Parameter Store value for each AZ ID and stores the Availability Zone name that this account uses for it.
The AWS CloudFormation template uses the Availability Zone name stored in each Parameter Store value, which ensures zonal consistency.
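The mapping step above, as an added Python example that is not the pattern's own Lambda code: it builds the /az-mapping/azN parameters for one account from the ordered AZ ID list, and checks that a stored mapping resolves to the same AZ ID in every account. The DescribeAvailabilityZones responses and the account labels are constructed sample data.

```python
"""Added example (not the pattern's own Lambda): derive /az-mapping/azN
parameters for one account and audit zonal consistency across accounts."""
from __future__ import annotations

# Constructed sample data: what ec2:DescribeAvailabilityZones returns for the
# same Region in two accounts. The name attached to use1-az6 differs per account.
ZONES_BY_ACCOUNT = {
    "account-A": [
        {"ZoneId": "use1-az6", "ZoneName": "us-east-1a", "State": "available"},
        {"ZoneId": "use1-az1", "ZoneName": "us-east-1b", "State": "available"},
        {"ZoneId": "use1-az2", "ZoneName": "us-east-1c", "State": "available"},
    ],
    "account-Z": [
        {"ZoneId": "use1-az2", "ZoneName": "us-east-1a", "State": "available"},
        {"ZoneId": "use1-az1", "ZoneName": "us-east-1b", "State": "available"},
        {"ZoneId": "use1-az6", "ZoneName": "us-east-1c", "State": "available"},
    ],
}

PARAM_PREFIX = "/az-mapping/"  # the SSM path that the subnet template resolves


def build_az_mapping(az_ids_csv: str, zones: list[dict]) -> dict[str, str]:
    """Map the N-th AZ ID of the ordered list to /az-mapping/azN, holding the
    zone name this account uses. Fails closed on duplicate or unavailable AZ
    IDs so a subnet is never silently placed in a different zone."""
    name_by_id = {z["ZoneId"]: z["ZoneName"] for z in zones if z["State"] == "available"}
    az_ids = [a.strip() for a in az_ids_csv.split(",") if a.strip()]
    if len(set(az_ids)) != len(az_ids):
        raise ValueError("duplicate AZ ID in the ordered list")
    missing = [a for a in az_ids if a not in name_by_id]
    if missing:
        raise ValueError(f"AZ IDs not available in this account: {missing}")
    return {f"{PARAM_PREFIX}az{i}": name_by_id[a] for i, a in enumerate(az_ids, start=1)}


def check_consistency(params_by_account: dict, zones_by_account: dict) -> set[str]:
    """Resolve each account's stored parameters back to AZ IDs and return the
    parameter names that do not point at the same physical zone everywhere."""
    ids_by_param: dict[str, set[str]] = {}
    for account, params in params_by_account.items():
        id_by_name = {z["ZoneName"]: z["ZoneId"] for z in zones_by_account[account]}
        for param, name in params.items():
            ids_by_param.setdefault(param, set()).add(id_by_name[name])
    return {p for p, ids in ids_by_param.items() if len(ids) > 1}
```

Storing the same Availability Zone name in every account (the naive approach) shows up in check_consistency as a mismatch, while the AZ-ID-derived mapping resolves cleanly.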
The following diagram shows the workflow for creating a VPC with this pattern's solution.
The diagram shows the following workflow:
Submit a template for creating a VPC to AWS CloudFormation.
AWS CloudFormation resolves the Parameter Store values for each Availability Zone and returns the Availability Zone name for each AZ ID.
A VPC is created with the correct AZ IDs required for zonal consistency.
After you deploy this pattern's solution, you can create subnets that reference the Parameter Store values. If you use AWS CloudFormation, you can reference the Availability Zone mapping parameter values as in the following YAML-formatted sample code:

```yaml
Resources:
  PrivateSubnet1AZ1:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: !Ref PrivateSubnetAZ1CIDR
      AvailabilityZone: !Join
        - ''
        - - '{{resolve:ssm:/az-mapping/az1:1}}'
```

This sample code is contained in the vpc-example.yaml file from the GitHub Multi-account Availability Zone mapping repository.
Technology stack
AWS CloudFormation
AWS Lambda
AWS Systems Manager Parameter Store
Automation and scale
You can deploy this pattern to all your AWS accounts by using AWS CloudFormation StackSets or the Customizations for AWS Control Tower solution. For more information, see Working with AWS CloudFormation StackSets in the AWS CloudFormation documentation and Customizations for AWS Control Tower.
After you deploy the AWS CloudFormation template, you can update it to use the Parameter Store values and deploy your VPCs in pipelines or according to your requirements.
Tools
AWS services
AWS CloudFormation helps you model and set up your AWS resources, provision them quickly and consistently, and manage them throughout their lifecycle. You can use a template to describe your resources and their dependencies, and launch and configure them together as a stack, instead of managing resources individually. You can manage and provision stacks across multiple AWS accounts and AWS Regions.
AWS Lambda is a compute service that supports running code without provisioning or managing servers. Lambda runs your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time that you consume—there is no charge when your code is not running.
AWS Systems Manager Parameter Store is a capability of AWS Systems Manager. It provides secure, hierarchical storage for configuration data management and secrets management.
Code
The code for this pattern is provided in the GitHub Multi-account Availability Zone mapping repository.
Epics
Task | Description | Skills required |
---|---|---|
Determine the required Availability Zones for the Region. | Identify and record the AZ ID for each Availability Zone that your VPCs need in the Region, and arrange the AZ IDs as an ordered, comma-separated list. | Cloud architect |
Deploy the az-mapping.yaml file. | We recommend that you use AWS CloudFormation StackSets or the Customizations for AWS Control Tower solution to deploy the template to every account that requires zonal consistency. | Cloud architect |

Task | Description | Skills required |
---|---|---|
Customize the AWS CloudFormation templates. | When you create the subnets using AWS CloudFormation, customize the templates to use the Parameter Store values that you created earlier. For a sample template, see the vpc-example.yaml file. | Cloud architect |
Deploy the VPCs. | Deploy the customized AWS CloudFormation templates into your accounts. Each VPC in the Region then has zonal consistency in the Availability Zones used for the subnets. | Cloud architect |
Related resources
Availability Zone IDs for your AWS resources (AWS Resource Access Manager documentation)
AWS::EC2::Subnet (AWS CloudFormation documentation)