Multi region advanced pattern
The multi region advanced AFT pattern provides a foundational cloud architecture, covering the key services and configurations needed to establish a secure, multi-environment landing zone across multiple AWS Regions and to connect the cloud with the on-premises environment. See the high-level target state diagram below.
Network
At the core of the network design is a multi-Region configuration, with cross-Region communication facilitated through Transit Gateway peering. The pattern also features a centralized inspection Amazon Virtual Private Cloud (VPC) using AWS Network Firewall and a NAT Gateway for East-West and North-South traffic inspection. It is designed to support full mesh routing across all spoke VPCs in all environments, such as shared services, production, staging, and development. Ingress traffic is distributed and managed within each workload VPC on its public subnet.
Traffic between workload environments (prod, stage, dev) is sent to the inspection VPC, where it is controlled by firewall rules, while traffic to and from the shared services environment (DNS, VPC endpoints, infrastructure services, etc.) is routed directly to all other environments. All VPCs use a local VPC Flow Logs mechanism that sends traffic logs to a CloudWatch Log Group and can optionally send them to an S3 bucket in the Control Tower Log Archive account. In this pattern, centralized VPC Flow Logs are enabled for "production" environments.
The pattern also includes a centralized endpoints VPC that provides a cost-effective way to manage AWS endpoint services powered by AWS PrivateLink. This VPC also hosts centralized Amazon Route 53 Resolver endpoints which, combined with Amazon Route 53 Resolver rules, provide a centralized DNS resolution mechanism.
The centralized DNS resolution architecture implemented by this pattern provides a hybrid integration between Amazon Route 53 Private Hosted Zones (PHZ) and third-party DNS servers, enabling bi-directional resolution. Moreover, this architecture allows for the delegation of "child" PHZs to each workload account, enabling individual teams to manage their own DNS zones while still maintaining DNS resolution across the entire organization.
Additionally, to enable effective IP management integrated with AWS services, the Network account is used as the delegated administrator of the AWS VPC IP Address Manager (IPAM) for the entire organization. Different IP pools are created for each environment mentioned above, making it easier to control and manage IP addresses and routing domains.
This pattern extends the network architecture to provide a path to establish a connection with an on-premises environment through either AWS Direct Connect or Amazon VPC Transit Gateway Site-to-Site VPN, ensuring seamless and secure integration between the cloud and on-premises resources.
The entire network architecture is mirrored across all regions, ensuring that each region has the same services and resources implemented.
See more details in the Network Advanced and Centralized DNS architecture pages.
Backup
The pattern also includes a centralized backup architecture with local vaults and a central vault in a dedicated AWS Backup account, providing consolidated backup management and recovery across the environments.
See more details in the Centralized AWS Backup architecture page.
Identity Management
Additionally, the pattern sets up a delegated administrator account for the AWS IAM Identity Center and IAM Access Analyzer services. This includes a Terraform-based pipeline to dynamically deploy and manage Permission Sets, and an analyzer for external access analysis at the organization level.
See more details in the Identity Management architecture page.
Security
All the patterns include the same configuration for basic AWS Security services, such as AWS Security Hub and Amazon GuardDuty.
See more details in the Security Services architecture page.
Global Customizations
This pattern also includes global customizations that are applied across all accounts. These encompass the definition of the password policy for IAM users, as well as account-level configurations such as S3 Block Public Access, AMI Block Public Access, EBS account-level encryption enforcement, and IMDSv2 account-level enforcement.
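As an added illustration (not the pattern's own code), the Terraform below expresses the account-level controls listed above; the Region names, the `eu` provider alias and the password-policy values are assumptions. The point to note is scope: the IAM password policy and S3 Block Public Access are account-global, while the EBS, AMI and IMDSv2 defaults are Region-scoped and must be applied in every Region the pattern mirrors.

```hcl
# Assumes hashicorp/aws provider >= 5.43 (aws_ec2_instance_metadata_defaults).
# Primary Region uses the default provider; the pattern mirrors every Region,
# so Region-scoped controls must be repeated per Region via provider aliases.
provider "aws" {
  region = "us-east-1"
}
provider "aws" {
  alias  = "eu"
  region = "eu-west-1"
}

# Account-global controls: applied once per account.
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_uppercase_characters   = true
  require_lowercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}
resource "aws_s3_account_public_access_block" "account" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Region-scoped controls for the primary Region.
resource "aws_ebs_encryption_by_default" "primary" {
  enabled = true
}
resource "aws_ec2_image_block_public_access" "primary" {
  state = "block-new-sharing" # blocks new public sharing; review AMIs already public
}
resource "aws_ec2_instance_metadata_defaults" "primary" {
  http_tokens                 = "required" # new instances default to IMDSv2 only
  http_put_response_hop_limit = 1          # raise to 2 only where containers need IMDS
}

# The same three controls again for the second Region (one shown; the EBS and
# AMI resources repeat identically with provider = aws.eu).
resource "aws_ec2_instance_metadata_defaults" "eu" {
  provider                    = aws.eu
  http_tokens                 = "required"
  http_put_response_hop_limit = 1
}
```

Because these defaults apply only to instances launched after they are set, existing instances still need `aws ec2 modify-instance-metadata-options` (or an equivalent) to move to IMDSv2.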
Account Provisioning Customizations
No account provisioning customizations other than the AFT default are available for this pattern.