Introduction
Designing a multi-account strategy is a crucial aspect of building a scalable environment on Amazon Web Services (AWS). When done correctly, it enables the management of multiple workloads, tracks costs, reduces the impact of account limits, and reduces the complexity of managing multiple virtual private clouds (VPCs) and identities.
Organizational Units and Account Design
To maintain a scalable and organized environment, AWS Organizations recommends creating a hierarchical structure of organizational units (OUs) and accounts. In the context of an ML and data platform, the recommended OUs include Security, Infrastructure, Workloads, Deployments, and Sandbox.
Recommended OUs
The Security OU stores various accounts related to securing your AWS environment. The Infrastructure OU houses shared infrastructure services across your AWS environment, which includes transit gateways, Elastic Load Balancers, and Route53. The Workloads OU accommodates the accounts used by different teams in your platform, such as ML engineers, data scientists, and data analysts.
Account Structure
The recommended account structure includes a transit gateway account, which acts as a central gateway for your VPCs, an ML team dev/test/prod account for ML engineering activities, a data lake account for storing and managing data, and a data governance account for managing access to data.
Network Architecture
Network architecture is crucial for a scalable and secure AWS environment. To achieve this, organizations can create a transit gateway within a centralized network account for production workloads. This allows for inter-VPC communication, inspection of traffic, provision of connectivity to on-premises data stores, and creation of a centralized VPC endpoints architecture.
Conclusion
In conclusion, designing a multi-account strategy for your ML and data platform involves creating a hierarchical structure of OUs, separating workloads into different accounts, creating a centralized transit gateway for network traffic, and deploying security tools at scale.
Frequently Asked Questions
Question 1: What is the recommended organizational structure for an ML and data platform?
The recommended organizational structure includes a hierarchical structure of OUs, consisting of Security, Infrastructure, Workloads, Deployments, and Sandbox.
Question 2: What is the purpose of creating a transit gateway account?
The purpose of creating a transit gateway account is to provide a central gateway for your VPCs, allowing for inter-VPC communication, inspection of traffic, and creation of a centralized VPC endpoints architecture.
Question 3: What is the primary purpose of the Workloads OU?
The primary purpose of the Workloads OU is to accommodate the accounts used by different teams in your platform, such as ML engineers, data scientists, and data analysts, for their respective activities.
Question 4: What is the responsibility of the Security OU?
The responsibility of the Security OU is to store various accounts related to securing your AWS environment.
Question 5: Can accounts be shared between OUs?
Yes, accounts can be shared between OUs by using AWS Control Tower and blueprints to deploy multiple accounts with shared resources and infrastructure, resulting in increased scalability and reduced overhead.
