
Multi region basic pattern

The multi region basic AFT pattern provides a foundational cloud architecture, covering the key services and configurations needed to establish a secure, multi-environment landing zone across multiple AWS Regions. See the high-level target state diagram below.

High-level Target State

Network

At the core of the network design is a multi-region configuration, with cross-region communication facilitated through Transit Gateway peering. The pattern also features a centralized Amazon Virtual Private Cloud (VPC) using a NAT Gateway, along with segregated environments for shared services, production, staging, and development. Ingress traffic is distributed and managed within each workload VPC on its public subnet.

Traffic between the workload environments (prod, stage, dev) is isolated and not routed, while traffic to/from the shared services environment (DNS, VPC endpoints, infrastructure services, etc.) is routed to all other environments. All VPCs make use of a local VPC Flow Logs mechanism, sending traffic logs to a CloudWatch Log Group, and optionally can send traffic logs to an S3 bucket in the Control Tower's Log Archive account.
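The routing isolation described above can be expressed in Transit Gateway route tables: one routing domain per environment, with only the shared services attachment propagated into the workload domains. The following Terraform is an added example and not the pattern's own code; it assumes one TGW VPC attachment and one VPC per environment (`var.tgw_attachment_ids`, `var.vpc_ids`), an IAM role trusted by `vpc-flow-logs.amazonaws.com` (`var.flow_log_role_arn`) and an optional Log Archive bucket ARN (`var.log_archive_bucket_arn`), all of which are assumed inputs.

```hcl
# Added example, not the pattern's own code. All variables below are assumptions.
variable "tgw_attachment_ids" {
  description = "Environment name => TGW VPC attachment ID (shared, prod, stage, dev)"
  type        = map(string)
}

variable "vpc_ids" {
  description = "Environment name => VPC ID"
  type        = map(string)
}

variable "flow_log_role_arn" { type = string }

variable "log_archive_bucket_arn" {
  description = "ARN of the Log Archive bucket; leave empty to skip the S3 copy"
  type        = string
  default     = ""
}

resource "aws_ec2_transit_gateway" "hub" {
  description                     = "Regional hub"
  default_route_table_association = "disable" # every attachment gets an explicit routing domain
  default_route_table_propagation = "disable"
}

# One TGW route table per routing domain.
resource "aws_ec2_transit_gateway_route_table" "env" {
  for_each           = var.tgw_attachment_ids
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  tags               = { Name = "tgw-rt-${each.key}" }
}

resource "aws_ec2_transit_gateway_route_table_association" "env" {
  for_each                       = var.tgw_attachment_ids
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.env[each.key].id
}

# The shared services domain learns routes to every workload environment ...
resource "aws_ec2_transit_gateway_route_table_propagation" "into_shared" {
  for_each                       = { for k, v in var.tgw_attachment_ids : k => v if k != "shared" }
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.env["shared"].id
}

# ... while each workload domain learns only the shared services route. Because
# prod, stage and dev never propagate into one another's tables, the hub has no
# path between them.
resource "aws_ec2_transit_gateway_route_table_propagation" "shared_into_workload" {
  for_each                       = { for k, v in var.tgw_attachment_ids : k => v if k != "shared" }
  transit_gateway_attachment_id  = var.tgw_attachment_ids["shared"]
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.env[each.key].id
}

# Flow logs for every VPC go to a local CloudWatch Log Group ...
resource "aws_cloudwatch_log_group" "flow" {
  for_each          = var.vpc_ids
  name              = "/vpc/flow-logs/${each.key}"
  retention_in_days = 90
}

resource "aws_flow_log" "cloudwatch" {
  for_each             = var.vpc_ids
  vpc_id               = each.value
  traffic_type         = "ALL"
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow[each.key].arn
  iam_role_arn         = var.flow_log_role_arn
}

# ... and optionally to the Log Archive bucket as a second flow log on the same VPC.
resource "aws_flow_log" "log_archive" {
  for_each             = var.log_archive_bucket_arn == "" ? tomap({}) : var.vpc_ids
  vpc_id               = each.value
  traffic_type         = "ALL"
  log_destination_type = "s3"
  log_destination      = var.log_archive_bucket_arn
}
```

Disabling the default route table association and propagation is what makes the isolation explicit: an attachment that is not listed in `var.tgw_attachment_ids` gets no routing domain at all rather than silently joining a flat default table.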

The pattern also includes a centralized endpoints VPC to provide a cost-effective way to manage AWS endpoint services powered by AWS PrivateLink. This VPC also hosts centralized Amazon Route 53 Resolver endpoints, which combined with Amazon Route 53 Resolver rules provide a centralized DNS resolution mechanism.

The centralized DNS resolution architecture implemented by this pattern provides a hybrid integration between Amazon Route 53 Private Hosted Zones (PHZ) and third-party DNS servers, enabling a bi-directional resolution mechanism. Moreover, this architecture also allows the delegation of "child" PHZs to each workload account, enabling individual teams to manage their DNS zones while still maintaining DNS resolution across the entire organization.
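The following Terraform is an added example of the hybrid resolution and child PHZ delegation just described; it is not the pattern's own code. It assumes the endpoints VPC and its subnets in the Network account (`var.endpoints_vpc_id`, `var.endpoints_subnet_ids`), the CIDRs allowed to query the resolver (`var.dns_client_cidrs`), the on-premises DNS server IPs (`var.onprem_dns_ips`), the organization ARN for RAM sharing, a provider alias `aws.workload` for one workload account, and the hypothetical domain names `corp.example` (on-premises) and `prod.cloud.example` (child PHZ). Delegation is shown as cross-account association of the child zone with the endpoints VPC, which is one common way to implement it.

```hcl
# Added example, not the pattern's own code. Variables and the aws.workload
# provider alias are assumed to be declared elsewhere.

resource "aws_security_group" "resolver" {
  name   = "r53-resolver-endpoints"
  vpc_id = var.endpoints_vpc_id

  ingress {
    description = "DNS over UDP from organization and on-premises ranges"
    from_port   = 53
    to_port     = 53
    protocol    = "udp"
    cidr_blocks = var.dns_client_cidrs
  }
  ingress {
    description = "DNS over TCP from organization and on-premises ranges"
    from_port   = 53
    to_port     = 53
    protocol    = "tcp"
    cidr_blocks = var.dns_client_cidrs
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Inbound: on-premises DNS forwards AWS-owned names here.
resource "aws_route53_resolver_endpoint" "inbound" {
  name               = "central-inbound"
  direction          = "INBOUND"
  security_group_ids = [aws_security_group.resolver.id]
  dynamic "ip_address" {
    for_each = var.endpoints_subnet_ids
    content {
      subnet_id = ip_address.value
    }
  }
}

# Outbound: VPC queries for on-premises names leave through here.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "central-outbound"
  direction          = "OUTBOUND"
  security_group_ids = [aws_security_group.resolver.id]
  dynamic "ip_address" {
    for_each = var.endpoints_subnet_ids
    content {
      subnet_id = ip_address.value
    }
  }
}

# Forward the (hypothetical) corporate domain to the third-party DNS servers.
resource "aws_route53_resolver_rule" "corp" {
  name                 = "forward-corp-example"
  domain_name          = "corp.example"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id
  dynamic "target_ip" {
    for_each = var.onprem_dns_ips
    content {
      ip = target_ip.value
    }
  }
}

# Share the rule with the organization so every workload VPC can associate it.
resource "aws_ram_resource_share" "dns" {
  name                      = "central-dns-rules"
  allow_external_principals = false
}

resource "aws_ram_resource_association" "corp_rule" {
  resource_arn       = aws_route53_resolver_rule.corp.arn
  resource_share_arn = aws_ram_resource_share.dns.arn
}

resource "aws_ram_principal_association" "org" {
  principal          = var.organization_arn
  resource_share_arn = aws_ram_resource_share.dns.arn
}

# Workload account: attach the shared rule to the local VPC.
resource "aws_route53_resolver_rule_association" "corp" {
  provider         = aws.workload
  resolver_rule_id = aws_route53_resolver_rule.corp.id
  vpc_id           = var.workload_vpc_id
}

# Child PHZ delegation: the workload team owns its zone and authorizes the
# Network account to associate it with the endpoints VPC, so the inbound
# endpoint (and therefore on-premises forwarders) can resolve it.
resource "aws_route53_zone" "child" {
  provider = aws.workload
  name     = "prod.cloud.example"
  vpc {
    vpc_id = var.workload_vpc_id
  }
  lifecycle {
    ignore_changes = [vpc] # further associations are managed below
  }
}

resource "aws_route53_vpc_association_authorization" "child" {
  provider = aws.workload
  zone_id  = aws_route53_zone.child.id
  vpc_id   = var.endpoints_vpc_id
}

resource "aws_route53_zone_association" "child" {
  zone_id = aws_route53_vpc_association_authorization.child.zone_id
  vpc_id  = aws_route53_vpc_association_authorization.child.vpc_id
}
```

The on-premises domain and the cloud PHZ namespace are deliberately kept disjoint here: a FORWARD rule for a parent domain would also capture queries for any child PHZ under that name, so overlapping namespaces need an explicit exception rule rather than the plain setup above.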

Additionally, to enable effective IP management integrated with AWS services, the Network account is used as the delegated administrator of the AWS VPC IP Address Manager (IPAM) for the entire organization. Different IP pools are created for each environment mentioned above, making it easier to control and manage IP addresses and routing domains.
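The IPAM hierarchy described above (a delegated administrator, then pools per Region and per environment) can be built as follows. This is an added example, not the pattern's own code; it assumes a provider alias `aws.management` for the management account, a provider alias `aws.prod` for a production account, the Network account ID, and constructed sample CIDR carve-outs in `var.region_cidrs`.

```hcl
# Added example, not the pattern's own code. Provider aliases and the CIDR
# values are assumptions.

variable "network_account_id" { type = string }

variable "region_cidrs" {
  description = "Region => CIDR reserved for that Region (constructed sample values)"
  type        = map(string)
  default = {
    "eu-west-1" = "10.0.0.0/12"
    "eu-west-2" = "10.16.0.0/12"
  }
}

locals {
  environments = ["shared", "prod", "stage", "dev"]
  # "region/env" => { region, env, cidr }; each Region's /12 is split into four /14s
  env_pools = {
    for pair in setproduct(keys(var.region_cidrs), local.environments) :
    "${pair[0]}/${pair[1]}" => {
      region = pair[0]
      env    = pair[1]
      cidr   = cidrsubnet(var.region_cidrs[pair[0]], 2, index(local.environments, pair[1]))
    }
  }
}

# Run from the management account: make the Network account the IPAM administrator.
resource "aws_vpc_ipam_organization_admin_account" "network" {
  provider                   = aws.management
  delegated_admin_account_id = var.network_account_id
}

resource "aws_vpc_ipam" "org" {
  description = "Organization IPAM"
  dynamic "operating_regions" {
    for_each = keys(var.region_cidrs)
    content {
      region_name = operating_regions.value
    }
  }
  depends_on = [aws_vpc_ipam_organization_admin_account.network]
}

resource "aws_vpc_ipam_pool" "top" {
  description    = "Top-level private pool"
  address_family = "ipv4"
  ipam_scope_id  = aws_vpc_ipam.org.private_default_scope_id
}

resource "aws_vpc_ipam_pool_cidr" "top" {
  ipam_pool_id = aws_vpc_ipam_pool.top.id
  cidr         = "10.0.0.0/8"
}

# Regional pools: the locale pins the pool to one Region for allocations.
resource "aws_vpc_ipam_pool" "region" {
  for_each            = var.region_cidrs
  description         = "Regional pool ${each.key}"
  address_family      = "ipv4"
  ipam_scope_id       = aws_vpc_ipam.org.private_default_scope_id
  locale              = each.key
  source_ipam_pool_id = aws_vpc_ipam_pool.top.id
}

resource "aws_vpc_ipam_pool_cidr" "region" {
  for_each     = var.region_cidrs
  ipam_pool_id = aws_vpc_ipam_pool.region[each.key].id
  cidr         = each.value
}

# Per-environment pools; a VPC must carry the matching Environment tag to allocate.
resource "aws_vpc_ipam_pool" "env" {
  for_each                          = local.env_pools
  description                       = "${each.value.env} pool in ${each.value.region}"
  address_family                    = "ipv4"
  ipam_scope_id                     = aws_vpc_ipam.org.private_default_scope_id
  locale                            = each.value.region
  source_ipam_pool_id               = aws_vpc_ipam_pool.region[each.value.region].id
  allocation_default_netmask_length = 20
  allocation_min_netmask_length     = 16
  allocation_max_netmask_length     = 24
  allocation_resource_tags          = { Environment = each.value.env }
}

resource "aws_vpc_ipam_pool_cidr" "env" {
  for_each     = local.env_pools
  ipam_pool_id = aws_vpc_ipam_pool.env[each.key].id
  cidr         = each.value.cidr
}

# After sharing the env pool with the prod account through RAM (not shown), a
# workload VPC allocates from the pool instead of hard-coding a CIDR.
resource "aws_vpc" "prod_eu_west_1" {
  provider            = aws.prod
  ipv4_ipam_pool_id   = aws_vpc_ipam_pool.env["eu-west-1/prod"].id
  ipv4_netmask_length = 20
  tags                = { Environment = "prod" }
}
```

The `allocation_resource_tags` constraint is the control worth noting: an untagged or mis-tagged VPC cannot draw addresses from the production pool, so the routing domains stay aligned with the IP plan.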

The entire network architecture is mirrored across all regions, ensuring that each region has the same services and resources implemented.

See more details in the Network Advanced and Centralized DNS architecture pages.

Backup

The pattern also includes a centralized backup architecture with local vaults and a central vault in a dedicated AWS Backup account, providing consolidated backup management and recovery across the environments.
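The local-vault-plus-central-vault arrangement can be expressed as a backup plan whose rule copies each recovery point into the Backup account. The following Terraform is an added example and not the pattern's own code; it assumes a provider alias `aws.backup` for the dedicated AWS Backup account, the organization ID (`var.organization_id`) and an IAM role for AWS Backup in the workload account (`var.backup_role_arn`).

```hcl
# Added example, not the pattern's own code. The aws.backup alias and the
# variables are assumptions.

# Central vault in the Backup account, accepting copies from the organization only.
resource "aws_backup_vault" "central" {
  provider = aws.backup
  name     = "central-vault"
}

data "aws_iam_policy_document" "central_vault" {
  statement {
    sid       = "AllowCopyFromOrganization"
    actions   = ["backup:CopyIntoBackupVault"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:PrincipalOrgID"
      values   = [var.organization_id]
    }
  }
}

resource "aws_backup_vault_policy" "central" {
  provider          = aws.backup
  backup_vault_name = aws_backup_vault.central.name
  policy            = data.aws_iam_policy_document.central_vault.json
}

# Governance-mode lock: copies cannot be deleted before 35 days, even by an
# administrator in the source account.
resource "aws_backup_vault_lock_configuration" "central" {
  provider           = aws.backup
  backup_vault_name  = aws_backup_vault.central.name
  min_retention_days = 35
}

# Workload account: local vault and a daily plan that copies to the central vault.
resource "aws_backup_vault" "local" {
  name = "local-vault"
}

resource "aws_backup_plan" "daily" {
  name = "daily-with-central-copy"
  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.local.name
    schedule          = "cron(0 3 * * ? *)"
    lifecycle {
      delete_after = 35
    }
    copy_action {
      destination_vault_arn = aws_backup_vault.central.arn
      lifecycle {
        delete_after = 365
      }
    }
  }
}

# Resources opt in by tag rather than by being listed individually.
resource "aws_backup_selection" "tagged" {
  name         = "by-tag"
  plan_id      = aws_backup_plan.daily.id
  iam_role_arn = var.backup_role_arn
  selection_tag {
    type  = "STRINGEQUALS"
    key   = "Backup"
    value = "true"
  }
}
```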

See more details in the Centralized AWS Backup architecture page.

Identity Management

Additionally, the pattern sets up a delegated administrator account for the AWS IAM Identity Center and IAM Access Analyzer services. This includes a Terraform-based pipeline to dynamically deploy and manage Permission Sets, and an analyzer for external access analysis at organization level.
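A data-driven Permission Set deployment of the kind described above, together with the organization-level external access analyzer, can look like the following. This is an added example, not the pattern's own pipeline code; it runs in the delegated administrator account, assumes the Identity Store groups `platform-admins` and `developers` already exist, and takes the target account IDs from the hypothetical variables `var.shared_services_account_id` and `var.prod_account_id`. The permission set definitions in `locals` stand in for the YAML or JSON a pipeline would read from its repository.

```hcl
# Added example, not the pattern's own code. Group names and account variables
# are assumptions.

data "aws_ssoadmin_instances" "this" {}

locals {
  instance_arn      = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]

  # Permission Set definitions; a pipeline would load these from files.
  permission_sets = {
    ReadOnly = {
      description      = "Read-only access"
      session_duration = "PT4H"
      managed_policies = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
    }
    PlatformAdmin = {
      description      = "Platform administration"
      session_duration = "PT1H"
      managed_policies = ["arn:aws:iam::aws:policy/AdministratorAccess"]
    }
  }

  # Which group gets which Permission Set in which account.
  assignments = [
    { group = "platform-admins", permission_set = "PlatformAdmin", account_id = var.shared_services_account_id },
    { group = "developers", permission_set = "ReadOnly", account_id = var.prod_account_id },
  ]

  policy_attachments = {
    for pair in flatten([
      for ps, cfg in local.permission_sets : [
        for p in cfg.managed_policies : { key = "${ps}/${p}", ps = ps, policy = p }
      ]
    ]) : pair.key => pair
  }
}

resource "aws_ssoadmin_permission_set" "this" {
  for_each         = local.permission_sets
  instance_arn     = local.instance_arn
  name             = each.key
  description      = each.value.description
  session_duration = each.value.session_duration
}

resource "aws_ssoadmin_managed_policy_attachment" "this" {
  for_each           = local.policy_attachments
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.ps].arn
  managed_policy_arn = each.value.policy
}

data "aws_identitystore_group" "this" {
  for_each          = toset([for a in local.assignments : a.group])
  identity_store_id = local.identity_store_id
  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = each.key
    }
  }
}

resource "aws_ssoadmin_account_assignment" "this" {
  for_each           = { for a in local.assignments : "${a.group}/${a.permission_set}/${a.account_id}" => a }
  instance_arn       = local.instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.this[each.value.permission_set].arn
  principal_id       = data.aws_identitystore_group.this[each.value.group].group_id
  principal_type     = "GROUP"
  target_id          = each.value.account_id
  target_type        = "AWS_ACCOUNT"
}

# Organization-level analyzer for access granted to principals outside the organization.
resource "aws_accessanalyzer_analyzer" "org" {
  analyzer_name = "organization-external-access"
  type          = "ORGANIZATION"
}
```

Keeping assignments as data means every grant is reviewable in version control, and assigning to groups rather than users keeps the number of Identity Center assignments (and their review surface) small.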

See more details in the Identity Management architecture page.

Security

All the patterns include the same configuration for basic AWS Security services, such as AWS Security Hub and Amazon GuardDuty.

See more details in the Security Services architecture page.

Global Customizations

This pattern also includes global customizations that are applied across all accounts. These encompass the definition of the password policy for IAM users, as well as account-level configurations such as S3 Block Public Access, AMI Block Public Access, EBS account-level encryption enforcement, and IMDSv2 account-level enforcement.
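The account-level settings listed above map directly onto Terraform resources. The block below is an added example of such a global customization and not the pattern's own code; it assumes the password policy values shown (constructed, not taken from the pattern) and a second provider alias `aws.secondary` for one additional Region.

```hcl
# Added example, not the pattern's own code. Policy values and the
# aws.secondary alias are assumptions.

# IAM user password policy (account-wide, not regional).
resource "aws_iam_account_password_policy" "strict" {
  minimum_password_length        = 14
  require_lowercase_characters   = true
  require_uppercase_characters   = true
  require_numbers                = true
  require_symbols                = true
  allow_users_to_change_password = true
  max_password_age               = 90
  password_reuse_prevention      = 24
}

# S3 Block Public Access at the account level (account-wide, not regional).
resource "aws_s3_account_public_access_block" "all" {
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# The remaining settings are stored per Region, so a multi-region pattern must
# apply them once in every Region it operates in. Primary Region first ...
resource "aws_ebs_encryption_by_default" "primary" {
  enabled = true
}

resource "aws_ec2_image_block_public_access" "primary" {
  state = "block-new-sharing"
}

resource "aws_ec2_instance_metadata_defaults" "primary" {
  http_tokens                 = "required" # IMDSv2 only
  http_put_response_hop_limit = 1
}

# ... then the same three resources through the secondary Region's provider.
resource "aws_ebs_encryption_by_default" "secondary" {
  provider = aws.secondary
  enabled  = true
}

resource "aws_ec2_image_block_public_access" "secondary" {
  provider = aws.secondary
  state    = "block-new-sharing"
}

resource "aws_ec2_instance_metadata_defaults" "secondary" {
  provider                    = aws.secondary
  http_tokens                 = "required"
  http_put_response_hop_limit = 1
}
```

The distinction between account-wide and Regional settings is the part that is easy to get wrong: an EBS encryption default or IMDSv2 default applied only in the home Region leaves every other enabled Region with the service defaults.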

Account Provisioning Customizations

No account provisioning customizations other than the AFT default are available for this pattern.