Solution 2: Creating VPC endpoints in a central networking account for multiple Regions - AWS Prescriptive Guidance

Solution 2: Creating VPC endpoints in a central networking account for multiple Regions

Use case

You want to migrate your applications or servers to different AWS target accounts in multiple AWS Regions, to keep them close to your users or to enable business continuity in disaster recovery scenarios. This is an extension of the first use case.

Challenges

To achieve this over a private network, you would have to create multiple VPC interface endpoints in every target account. This gets even more complex in a multi-Region scenario and adds to administrative overhead and costs for maintaining multiple endpoints. (See AWS PrivateLink pricing.)

Solution

Create VPC endpoints for each Region in a central networking account and enable cross-account access by using a peered transit gateway and Route 53.

Architecture

The following diagram illustrates the architecture for this solution.

Traffic flow for rehosting multiple accounts in multiple Regions.

The traffic flow is the same as in solution 1, except that the accounts in the two Regions are connected by transit gateway peering.

Implementation steps

  1. In the central networking account, create a VPC interface endpoint for each target AWS Region.

  2. In the central networking account, create a private hosted zone for each endpoint in each Region, and associate the zone with the target application VPCs in the same Region.

  3. In the central networking account, create a transit gateway for each target Region, and share the gateway with target accounts in the same Region by using AWS RAM.

  4. Connect transit gateways across Regions by using transit gateway peering, and update the transit gateway route tables as required.

  5. In the central networking account, create resolver rules for each target Region, and share these rules with target accounts in the same Region by using AWS RAM.
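As an added example (not part of the AWS guidance and not AWS code), the script below turns steps 1 to 5 into a per-Region resource plan and then checks the one scoping rule the steps repeat: a hosted zone, transit gateway or resolver rule created in a Region is shared only with target accounts in that same Region, while transit gateways are peered across Regions. Account IDs, service names and the hosted-zone naming pattern are constructed placeholders.

```python
from dataclasses import dataclass
from itertools import combinations

# Constructed sample inventory: placeholder account IDs mapped to the Region of
# each target application VPC (not real accounts).
TARGET_ACCOUNTS = {
    "111111111111": "us-east-1",
    "222222222222": "us-east-1",
    "333333333333": "eu-west-1",
}
# Interface-endpoint services the central networking account fronts (assumed).
SERVICES = ["ssm", "ec2messages"]


@dataclass(frozen=True)
class Share:
    resource: str   # e.g. "tgw/us-east-1" or "rule/ssm/eu-west-1"
    region: str     # Region the shared resource lives in
    principal: str  # target account ID the AWS RAM share grants access to


def build_plan(accounts, services):
    """Steps 1-5: one endpoint, hosted zone, transit gateway and resolver rule per Region."""
    regions = sorted(set(accounts.values()))
    plan = {"endpoints": [], "hosted_zones": [], "transit_gateways": [], "peerings": [], "shares": []}
    for region in regions:
        same_region = sorted(a for a, r in accounts.items() if r == region)
        for svc in services:
            # Step 1: one interface endpoint per service per Region.
            plan["endpoints"].append(f"com.amazonaws.{region}.{svc}")
            # Step 2: private hosted zone per endpoint, associated only with same-Region VPCs
            # (zone name pattern is an assumption for this example).
            plan["hosted_zones"].append(
                {"name": f"{svc}.{region}.amazonaws.com", "region": region, "vpc_accounts": same_region})
            # Step 5: resolver rule per Region, RAM-shared only with same-Region accounts.
            plan["shares"] += [Share(f"rule/{svc}/{region}", region, a) for a in same_region]
        # Step 3: transit gateway per Region, RAM-shared only with same-Region accounts.
        plan["transit_gateways"].append(f"tgw/{region}")
        plan["shares"] += [Share(f"tgw/{region}", region, a) for a in same_region]
    # Step 4: one peering attachment per pair of Regions.
    plan["peerings"] = [f"tgw/{a}<->tgw/{b}" for a, b in combinations(regions, 2)]
    return plan


def misscoped_shares(shares, accounts):
    """Return RAM shares that grant a resource to an account outside the resource's Region."""
    return [s for s in shares if accounts.get(s.principal) != s.region]
```

Run `misscoped_shares` against the shares you actually intend to create; any hit means a transit gateway or resolver rule would be exposed to an account in another Region, which this design does not require.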