Shared VPC Use Cases & Shared VPC vs Transit Gateway

This document provides additional Shared VPC use cases for AWS Network Firewall and explains how Shared VPCs differ technically and operationally from AWS Transit Gateways (TGWs).

Network Firewall Policies — Shared VPC Support

When AWS Network Firewall is deployed through Firewall Manager in a Shared VPC environment, it provides consistent network-layer inspection across workloads owned by multiple AWS accounts but hosted in a single VPC owned by the networking (host) account.

Shared VPC Use Cases for Network Firewall
  • Centralized inspection for multi-account applications: Multiple business units (each with separate AWS accounts) can deploy workloads into shared subnets of a central VPC. A single Network Firewall deployment inspects the north–south and east–west traffic of all of them.
  • Segregation between trust zones: Shared VPCs allow separate subnets for different security tiers such as Application, Database, and Management tiers—all inspected through centralized firewall endpoints.
  • Central egress control: Outbound traffic from all member accounts can be routed through shared egress inspection subnets where Firewall Manager enforces domain filtering, data-loss prevention (DLP) signatures, or threat-intelligence blocking.
  • Hub-and-spoke simplification: Instead of deploying firewalls in each spoke account, Shared VPCs enable a single firewall deployment protecting workloads across accounts.
  • Consistent DNS and Security Policy Integration: Shared VPCs simplify DNS Firewall and Security Group policy application because all traffic passes through common resolver endpoints and Security Group baselines.
  • Shared services protection: Protect central shared services such as CI/CD pipelines, Active Directory, and artifact repositories within the same VPC using a unified inspection layer.
  • East–West microsegmentation: Enforce inter-subnet communication controls between workloads of different accounts without additional firewalls per account.
  • Tenant isolation: Maintain logical separation between workloads from different participant accounts using route tables and firewall rules within a single address space.
  • Standardized SaaS egress policies: Permit access to approved SaaS domains while blocking all unapproved external destinations through DNS and firewall rule sets.
  • Gradual onboarding: Simplify onboarding of new participant accounts to a pre-secured network environment with inherited inspection and logging capabilities.
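
To make the central egress use case above concrete, here is an added Python example (not part of this document, and not an AWS or Firewall Manager tool) that audits, from data shaped like an `ec2.describe_route_tables()` response, whether each shared subnet's effective default route points at a Network Firewall endpoint rather than bypassing inspection. All subnet, endpoint and route-table IDs are constructed.

```python
# Added example (not from this page): audit that every shared participant subnet sends
# default-route traffic to a Network Firewall endpoint, the "central egress control" pattern.
# Input mirrors the shape of boto3 ec2.describe_route_tables(); every ID here is constructed.
FIREWALL_ENDPOINTS = {"vpce-0aaa0firewall1", "vpce-0bbb0firewall2"}
SHARED_SUBNETS = {"subnet-app-a", "subnet-app-b", "subnet-db-a"}
ROUTE_TABLES = [
    {   # app subnet, AZ a: default route targets the firewall endpoint (compliant)
        "RouteTableId": "rtb-app-a",
        "Associations": [{"SubnetId": "subnet-app-a", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "VpcEndpointId": "vpce-0aaa0firewall1"},
        ],
    },
    {   # app subnet, AZ b: default route bypasses inspection via a NAT gateway
        "RouteTableId": "rtb-app-b",
        "Associations": [{"SubnetId": "subnet-app-b", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0ccc0bypass"},
        ],
    },
    {   # main table: subnet-db-a has no explicit association, so it inherits this one
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
]

def effective_route_table(subnet_id, route_tables):
    # An explicit subnet association wins; otherwise the VPC's main route table applies.
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))

def audit_egress(route_tables, shared_subnets, firewall_endpoints):
    # Map each shared subnet to 'inspected', 'no-default-route' or 'bypass:<target id>'.
    findings = {}
    for subnet in sorted(shared_subnets):
        rt = effective_route_table(subnet, route_tables)
        default = [r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if not default:
            findings[subnet] = "no-default-route"
        elif default[0].get("VpcEndpointId") in firewall_endpoints:
            findings[subnet] = "inspected"
        else:   # any other target (IGW, NAT, TGW, peering) skips the firewall
            target = next((v for k, v in default[0].items() if k.endswith("Id")), "unknown")
            findings[subnet] = f"bypass:{target}"
    return findings
```

Run it against real output by feeding `describe_route_tables()["RouteTables"]` and the subnet IDs shared through RAM; any verdict other than `inspected` is a route that participant traffic can take around the firewall.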

How Shared VPCs Differ from Transit Gateways

While both Shared VPCs and Transit Gateways enable multi-account connectivity, they operate at different scopes and layers of the network.

| Aspect | Shared VPC | Transit Gateway (TGW) |
|---|---|---|
| Scope | Single VPC shared across accounts in one AWS Region and Organization. | Regional routing hub connecting multiple VPCs and on-prem networks. |
| Ownership Model | One host account owns the VPC; participant accounts share designated subnets. | Each account owns its own VPC; Transit Gateway connects them through attachments. |
| Network Plane | Operates within one VPC's address space, eliminating inter-VPC routing overhead. | Creates an overlay routing fabric between multiple VPCs with explicit route propagation. |
| Security Controls | Centralized via Security Groups, NACLs, and Network/DNS Firewall managed by Firewall Manager. | Enforced per VPC or via centralized inspection VPCs using TGW route table redirection. |
| Traffic Visibility | Unified visibility through a single VPC's Flow Logs and logging infrastructure. | Requires TGW Flow Logs or central inspection for consistent observability. |
| Use Case Fit | Best for closely coupled workloads, shared services, or microservice clusters within one Region. | Ideal for distributed architectures, hybrid connectivity, and multi-region or multi-BU environments. |
| Performance | Low latency; no additional routing hops. | Additional hop through TGW introduces slight latency overhead. |
| Cost | No per-GB data processing charge. | Charged per GB of data processed and per attachment. |

Design Implications
  • Shared VPCs simplify policy enforcement because all traffic remains within a single VPC boundary—making it easier for Firewall Manager, Network Firewall, and DNS Firewall to apply consistent controls.
  • Transit Gateways are better suited for large, multi-region, or hybrid environments where many VPCs or on-prem networks must interconnect.
  • Combined Approach: Many enterprises deploy Shared VPCs for intra-business-unit workloads and Transit Gateways for cross-business-unit or cross-region routing.

Tip: Pair Firewall Manager policies (Network Firewall, Security Group, WAF, DNS Firewall) with centralized logging to S3 or CloudWatch and integrate with AWS Security Hub or GuardDuty for organization-wide visibility and automated compliance.