Designing VPC to host multiple businesses


Curious what best practices are in designing a VPC. Is it best to isolate each hosted customer on a separate VPC, or do most have a single VPC with multiple subnets for each customer? I know it can get quite expensive having separate VPCs for each customer with security appliances, load balancers, etc., configured for each. Please let me know your thoughts.

Thank you

2 answers

Hi,

As soon as I hear the words "isolated" and "hosted customer", I immediately turn to the use of multiple VPCs. There is no explicit cost for creating separate VPCs, and they provide the perfect tooling for customer segmentation. As for providing services, such as firewalls, inbound load balancing and so forth, consider using shared services as part of your hosting offer for your customers. Using tools like Transit Gateway, you can connect all of your VPCs, along with the shared networking services described above. Using custom routing tables, VPCs can still be isolated (with up to 5000 VPCs attached to a single TGW) but benefit from using the shared ingress or even in-line firewall inspection.

Here is a link to a number of configurations possible using Transit GW, one of which covers your exact situation, isolated VPCs using shared services:

https://docs.aws.amazon.com/vpc/latest/tgw/TGW_Scenarios.html

This article covers many AWS Network Firewall design configurations, but pay attention to the section "Centralized deployment model" :

https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

Here is another awesome PDF walking through numerous reference designs using Transit Gateway:

https://d1.awsstatic.com/events/reinvent/2019/REPEAT_1_AWS_Transit_Gateway_reference_architectures_for_many_VPCs_NET406-R1.pdf

Answered by AWS, 1 year ago
Reviewed by AWS Expert kentrad, 1 year ago
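The route-table arrangement the answer above describes, as an added Terraform example (not code from the answer or from AWS): two Transit Gateway route tables, one associated with every customer "spoke" attachment that only learns the shared-services VPC, and one associated with the shared-services attachment that learns every spoke. Because no customer attachment propagates into the spoke table, customer A never gets a route to customer B. The VPC names, CIDRs and the single attachment subnet per VPC are assumptions for illustration.

```hcl
# Added example: isolated customer VPCs sharing one services VPC via Transit Gateway.
# All names, CIDRs and the single attachment subnet per VPC are assumed values.

locals {
  shared_cidr = "10.0.0.0/16" # assumed shared-services VPC (firewall, ingress LB, NAT)
  customers = {               # assumed per-customer VPC CIDRs; must not overlap
    acme   = "10.1.0.0/16"
    globex = "10.2.0.0/16"
  }
}

resource "aws_ec2_transit_gateway" "hub" {
  description = "hosting hub"
  # Disable the default table so nothing is reachable by accident; every
  # attachment must be explicitly associated with a table below.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

resource "aws_vpc" "shared" { cidr_block = local.shared_cidr }
resource "aws_vpc" "customer" {
  for_each   = local.customers
  cidr_block = each.value
}

# One TGW attachment subnet per VPC (single AZ for brevity; use one per AZ in production).
resource "aws_subnet" "shared_tgw" {
  vpc_id     = aws_vpc.shared.id
  cidr_block = cidrsubnet(local.shared_cidr, 8, 255)
}
resource "aws_subnet" "customer_tgw" {
  for_each   = local.customers
  vpc_id     = aws_vpc.customer[each.key].id
  cidr_block = cidrsubnet(each.value, 8, 255)
}

resource "aws_ec2_transit_gateway_vpc_attachment" "shared" {
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = aws_vpc.shared.id
  subnet_ids                                      = [aws_subnet.shared_tgw.id]
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}
resource "aws_ec2_transit_gateway_vpc_attachment" "customer" {
  for_each                                        = local.customers
  transit_gateway_id                              = aws_ec2_transit_gateway.hub.id
  vpc_id                                          = aws_vpc.customer[each.key].id
  subnet_ids                                      = [aws_subnet.customer_tgw[each.key].id]
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

# "spoke": used by every customer attachment, knows only the shared VPC.
# "shared": used by the shared-services attachment, knows every customer VPC.
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table" "shared" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = local.customers
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.customer[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}
resource "aws_ec2_transit_gateway_route_table_association" "shared" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.shared.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}

# Propagations are the isolation control: the spoke table learns only the shared
# attachment, so customer attachments never appear in each other's routes.
resource "aws_ec2_transit_gateway_route_table_propagation" "spoke_learns_shared" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.shared.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "shared_learns_spokes" {
  for_each                       = local.customers
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.customer[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.shared.id
}

# Return path inside each customer VPC: only the shared CIDR is sent to the TGW.
resource "aws_route" "customer_to_shared" {
  for_each               = local.customers
  route_table_id         = aws_vpc.customer[each.key].main_route_table_id
  destination_cidr_block = local.shared_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.customer]
}
```

To move to the centralized inspection model from the Network Firewall blog post linked above, add a static `0.0.0.0/0` route in the spoke table pointing at the shared attachment (and a matching default route in each customer VPC); the spoke table still carries no route to any other customer, so cross-tenant traffic is either dropped at the TGW or forced through the firewall in the shared VPC, never delivered directly.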

Hi,

Well, the answer is: it depends :)

I suggest a good read of this https://aws.amazon.com/blogs/security/security-practices-in-aws-multi-tenant-saas-environments/, which discusses different deployment models.

On top of that, have a look at best practices for tenant isolation with pros and cons: https://d1.awsstatic.com/whitepapers/saas-tenant-isolation-strategies.pdf

Hope it helps ;)

Answered by Expert, 1 year ago
Reviewed by AWS Expert kentrad, 1 year ago
