Solution Architecture for ISV Partner SaaS Application Hosting in AWS
The client wants to connect securely to an AWS partner organization in order to host a SaaS application.
Create a separate AWS root account (configured with a Control Tower landing zone) owned jointly by both parties or by the partner company.
Establish network connectivity using VPC peering between the ISV and client AWS VPCs (intra-region) so that traffic is routed privately between both sites.
Process Workflow Summary
AWS Control Tower will be used to set up the partner AWS accounts: one for log archiving and another for audit purposes. It automatically sets up the landing zone using pre-defined blueprints based on best practices.
Service Catalog (Account Factory) – standardizes sub-account configurations from one place, so new accounts are easily provisioned with pre-defined configurations; it also enforces network configuration standards and restricts the regions an account is allowed to use.
Set up IAM Identity Center with trusted access to AWS Organizations to manage users, groups and roles.
Organizational Units (OUs) such as the Security OU and Sandbox OU are created as part of the landing zone; the client application account would be provisioned within one of these OUs.
AWS CloudFormation StackSets will be used to create, update, or delete stacks across multiple accounts and AWS Regions in a single operation from an admin account.
Set up a full bidirectional VPC peering connection between the VPCs to route traffic across the accounts.
Services such as a Terraform server may be provisioned in the public subnet; configure a NAT gateway and attach an Internet Gateway to the VPC for internet access while keeping the network secure. Other services and applications will reside in the private subnet with the appropriate route table attached.
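Added example, not the page's or the partner's own code: the cross-account, intra-region peering described in the workflow above expressed in Terraform, with the request raised from the ISV account, the acceptance in the client account, and a return route in each side's private route table. The provider aliases, region, account ID, VPC and route-table IDs and the two non-overlapping CIDRs are assumed placeholders.

```terraform
# Example configuration; provider credentials, IDs and CIDRs below are assumptions.
provider "aws" {
  alias  = "isv"
  region = "eu-west-1"
}
provider "aws" {
  alias  = "client"
  region = "eu-west-1"           # intra-region peering: both VPCs in the same region
}

variable "isv_vpc_id"           { default = "vpc-0isvEXAMPLE" }
variable "client_vpc_id"        { default = "vpc-0clientEXAMPLE" }
variable "client_account_id"    { default = "111122223333" }
variable "isv_cidr"             { default = "10.10.0.0/16" }   # must not overlap
variable "client_cidr"          { default = "10.20.0.0/16" }   # with isv_cidr
variable "isv_private_rt_id"    { default = "rtb-0isvEXAMPLE" }
variable "client_private_rt_id" { default = "rtb-0clientEXAMPLE" }

# Requester side (ISV account) raises the peering request.
resource "aws_vpc_peering_connection" "isv_to_client" {
  provider      = aws.isv
  vpc_id        = var.isv_vpc_id
  peer_vpc_id   = var.client_vpc_id
  peer_owner_id = var.client_account_id
  auto_accept   = false          # cross-account: the peer account must accept it
  tags          = { Name = "isv-client-peering" }
}

# Accepter side (client account) approves the request.
resource "aws_vpc_peering_connection_accepter" "client_accepts" {
  provider                  = aws.client
  vpc_peering_connection_id = aws_vpc_peering_connection.isv_to_client.id
  auto_accept               = true
}

# A route is needed in BOTH private route tables; with only one, return traffic
# is dropped. Peering is non-transitive, so only these two CIDRs can reach each other.
resource "aws_route" "isv_to_client" {
  provider                  = aws.isv
  route_table_id            = var.isv_private_rt_id
  destination_cidr_block    = var.client_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.isv_to_client.id
}
resource "aws_route" "client_to_isv" {
  provider                  = aws.client
  route_table_id            = var.client_private_rt_id
  destination_cidr_block    = var.isv_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.client_accepts.id
}
```

Security groups on the application instances still have to allow the peer CIDR (or, in the same region, the peer security group ID) explicitly; the peering connection and routes alone do not open any traffic.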
Copyright 2022 Gurugeeks Royalty Limited. All Rights Reserved