I created an ingress/egress VPC in the Network account and have a separate workload account. I need the ALB to be publicly accessible, so I put it in the ingress/egress VPC. My workload EC2 instances are in the private subnets of the workload accounts. Those accounts are connected via Transit Gateway. Two questions:

  1. It seems we cannot create the ALB target group in a different account. Is that correct?
  2. What are the best practices in this case?


1 Answer
Accepted Answer

That is correct. There are many ways to achieve this.

Question 1. You are correct.

  1. Use IP target groups. Add the EC2s to it.
  2. Use PrivateLink to the other account.
  3. Create an ALB in the workload account and add its IPs to the target group.
answered 2 months ago
reviewed 2 months ago
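Option 1 from the answer (an IP target group in the Network account pointing at instance private IPs reachable over Transit Gateway) has two practical gotchas: targets outside the target group's VPC must be registered with AvailabilityZone set to "all" and must be RFC 1918 or 100.64.0.0/10 addresses, and instance IPs change whenever an Auto Scaling group replaces a node, so something has to keep the target list in sync. The script below is an added example, not code from the question or the answer. It runs with Network-account credentials, assumes a read-only role in the Workload account to list instances by tag, and reconciles the target group. The role ARN, target group ARN, tag filter, port and region are hypothetical placeholders.

```python
"""
Keep an ALB IP target group in the Network account in sync with EC2 instances
in a Workload account that are reachable over Transit Gateway.

Added example, not code from the original post. The role ARN, target group
ARN and tag filter used below are hypothetical placeholders.
"""
import ipaddress
from dataclasses import dataclass

try:
    import boto3  # only the functions that call AWS need it
except ImportError:  # the pure planning logic still runs without the SDK
    boto3 = None

# Ranges an ALB IP target group accepts for targets outside its own VPC
# (RFC 1918 plus the RFC 6598 shared range). Public IPs are rejected.
ALLOWED_RANGES = [ipaddress.ip_network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass(frozen=True, order=True)
class Target:
    ip: str
    port: int


def validate_target_ips(ips):
    """Fail early on addresses the target group would refuse (e.g. public IPs)."""
    bad = [ip for ip in ips
           if not any(ipaddress.ip_address(ip) in net for net in ALLOWED_RANGES)]
    if bad:
        raise ValueError(f"not registrable as IP targets: {bad}")
    return sorted(set(ips))


def private_ips_from_describe(response):
    """Extract private IPs of running instances from a DescribeInstances page."""
    ips = []
    for reservation in response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue  # stopped/terminated instances are not valid targets
            if inst.get("PrivateIpAddress"):
                ips.append(inst["PrivateIpAddress"])
    return ips


def plan_target_changes(desired_ips, registered, port):
    """Diff desired instance IPs against what the target group currently holds."""
    desired = {Target(ip, port) for ip in validate_target_ips(desired_ips)}
    current = {Target(t["Id"], t["Port"]) for t in registered}
    return sorted(desired - current), sorted(current - desired)


def to_api_targets(targets):
    # Targets outside the target group's VPC must be registered with
    # AvailabilityZone="all"; otherwise RegisterTargets is rejected.
    return [{"Id": t.ip, "Port": t.port, "AvailabilityZone": "all"} for t in targets]


def reconcile(target_group_arn, workload_role_arn, tag_key, tag_value, port):
    """Network-account credentials for ELBv2, assumed Workload-account role for EC2."""
    creds = boto3.client("sts").assume_role(
        RoleArn=workload_role_arn, RoleSessionName="alb-target-sync")["Credentials"]
    ec2 = boto3.client("ec2",
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    desired_ips = []
    pages = ec2.get_paginator("describe_instances").paginate(Filters=[
        {"Name": f"tag:{tag_key}", "Values": [tag_value]},
        {"Name": "instance-state-name", "Values": ["running"]},
    ])
    for page in pages:
        desired_ips += private_ips_from_describe(page)

    elbv2 = boto3.client("elbv2")
    health = elbv2.describe_target_health(TargetGroupArn=target_group_arn)
    registered = [d["Target"] for d in health["TargetHealthDescriptions"]]

    to_add, to_drop = plan_target_changes(desired_ips, registered, port)
    if to_add:
        elbv2.register_targets(TargetGroupArn=target_group_arn,
                               Targets=to_api_targets(to_add))
    if to_drop:
        elbv2.deregister_targets(TargetGroupArn=target_group_arn,
                                 Targets=to_api_targets(to_drop))
    return to_add, to_drop


if __name__ == "__main__":
    # Placeholder identifiers (assumptions); run from the Network account.
    added, removed = reconcile(
        "arn:aws:elasticloadbalancing:eu-west-1:111111111111:targetgroup/app/abc123",
        "arn:aws:iam::222222222222:role/AlbTargetSyncReadOnly",
        "Role", "app", 8080)
    print(f"registered {len(added)}, deregistered {len(removed)}")
```

Run it on a schedule or from an EventBridge rule on Auto Scaling launch/terminate events. The assumed role in the Workload account needs only ec2:DescribeInstances. Because security group references do not cross a Transit Gateway, the instance security groups must allow the target port from the ALB's subnet CIDRs in the ingress/egress VPC, not from the ALB's security group.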

