Versions Compared

Old Version 11

changes.mady.by.user Paul Allen

Saved on

compared with

New Version 12

changes.mady.by.user Paul Allen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Excerpt

Cornell AWS customers have the option to opt-in to use an AWS VPC that is shared with other Cornell AWS customers. The subnets in this shared Shared VPC have CIDR blocks in the private Cornell network.

...

The resources deployed to the the shared Shared VPC have network access to other Cornell network resources, specifically:

...

  • Less VPC management – The CIT Cloud Team manages manages the subnets, network ACLs, and Route Tables in the shared Shared VPC. Customers manage the Security Groups applied to their EC2 instances and other resources deployed in the shared Shared VPC.
  • Cheaper
    • Each Cornell Standard VPC contains at least one NAT Gateway, which typically costs about $1/day to run. In contrast, NAT Gateways deployed in the shared Shared VPC are managed and paid for by CIT.
    • VPC Flow Logs in the shared Shared VPC are paid for by CIT.
  • Increased resiliency
    • Customers using the shared Shared VPC have access to subnets in all of the Availability Zones in the us-east-1 AWS Region. In contrast, the Cornell Standard VPC is typically deployed only to two Availability Zones.
    • Each private subnet in the shared Shared VPC utilizes a NAT Gateway local to the Availability Zone where the subnet is deployed. In contrast, private subnets in the Cornell Standard VPC typically utilize a single NAT Gateway in a single Availability Zone.
  • Availability Zone matching
    • Since the Shared VPC offers access to all Availability Zones in us-east-1, customers have the option to deploy resources in specific AZs if they are trying to deploy resources in the same AZs as deployed by partners or vendors.

...

  • Customers using the Shared VPC still require their own Cornell AWS account. The Shared VPC is accessible from that AWS account, once opted-in to use it.
  • The Network ACLs used by the Shared VPC may be a bit more permissive than ones a Cornell AWS customer might design for a VPC of their own. Since the Shared VPC supports a plethora of use cases and resource deployment architectures, it cannot be customized (i.e., "locked down") for a single customer. Note that customers do manage the Security Groups applied to their EC2 instances and other resources deployed in the shared Shared VPC so they still decide the ultimate connectivity and access to their resources.
  • To be continued...

...