Introduction - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure


AWS customers begin by building resources in a single AWS account that represents a management boundary which segments permissions, costs, and services. However, as the customer’s organization grows, greater segmentation of services becomes necessary to monitor costs, control access, and provide easier environmental management. A multi-account solution solves these issues by providing specific accounts for IT services and users within an organization. AWS provides several tools to manage and configure this infrastructure, including AWS Landing Zone and AWS Control Tower

      A diagram depicting Landing Zone account structure

Landing Zone account structure

AWS Landing Zone and AWS Control Tower automate the setup and integration of multiple AWS services to provide a baseline, highly controlled, multi-account environment with identity and access management (IAM), governance, data security, network design, and logging.

The AWS Landing Zone solution in the preceding figure includes four accounts:

  • The AWS Organizations account (used to manage configuration and access to AWS Landing Zone managed accounts) 

  • The Shared Services account (used for creating infrastructure shared services such as directory services) 

  • The Log Archive account (centralized logging into Amazon Simple Storage Service (Amazon S3) buckets)

  • The Security account (to be used by a company's security and compliance team to audit or perform emergency security operations in case of an incident in the spoke accounts).


In this whitepaper, “Landing Zone” is a broad term for the scalable, secure, and performant multi-account/multi-VPC setup where you deploy your workloads. This setup can be built using any tool.

Most customers begin with a few VPCs to deploy their infrastructure. The number of VPCs a customer owns is usually related to their number of accounts, users, and staged environments (production, development, test, and so on). As cloud usage grows, the number of users, business units, applications, and Regions that a customer interacts with also grow, leading to the creation of new VPCs.

As the number of VPCs grows, cross-VPC management becomes essential for the operation of the customer’s cloud network. This whitepaper covers best practices for three specific areas in cross-VPC and hybrid connectivity: