Prerequisites Centralized network account

Robust network design with AWS Control Tower

Amazon Web Services (contributors)

September 2024 (document history)

Security plays a crucial role for any organization. One of the key factors of application security is networking. A loophole in networking can open various options for cybercriminals to compromise applications and take control over systems. This guide defines some of the best practices when using AWS Control Tower to design a network at the AWS Organizations level. The goal of the network design is to provide easier management, improved security, and protection for the applications hosted on the AWS Cloud. To help meet this goal, the network design includes inspecting, filtering, and logging the traffic that comes in and goes out to internet from a single centralized network account in AWS.

The approach covered uses a centralized network account with three virtual private clouds (VPCs). Inbound and outbound traffic from spoke VPCs and the internet is filtered by AWS WAF and AWS Network Firewall. AWS Transit Gateway and VPC endpoints help route the traffic.

Prerequisites

An active AWS account
AWS Control Tower set up
Knowledge of Transit Gateway
Knowledge of networking and network security

Centralized network account

When managing an organization's entire network, we recommend having a separate account that is dedicated for managing networking components or services. First, the networking team requests the creation of an account (network) for managing networking services. After you create the new account, note the account number. Next, change Amazon Virtual Private Cloud (Amazon VPC) IP Address Manager (IPAM) control from the AWS Control Tower management account to the network account by providing the account details in IPAM.

The newly created account will be your centralized network account, which will manage the following network services:

IPAM
VPC configuration
Network access control list (ACL)
Centralized network firewall
AWS Transit Gateway
VPC endpoint configuration
Centralized DNS management
Centralized inbound traffic
AWS WAF

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Robust network configuration