
Solution Architecture for ISV Partner SaaS Application Hosting in AWS

Problem Statement

Client wants to connect securely to an AWS Partner Organization to host a SaaS application.

Solution Option

  • Create a separate AWS root account (the organization's management account, configured with a Control Tower landing zone) owned jointly by both parties or by the Partner Company.
  • Establish network connectivity using VPC Peering between the ISV and Client AWS VPCs (intra-region) so that traffic is routed privately between both sites.

Process Workflow Summary

  • AWS Control Tower will be used to set up the Partner AWS account together with the accounts the landing zone creates: one for log archiving and another for audit purposes. It automatically sets up the landing zone using pre-defined blueprints based on best practices.
  • Service Catalog (Account Factory) standardizes sub-account configurations from one place so that new accounts can be provisioned easily with pre-defined configurations; it also enforces network configuration standards and restricts the Regions an account can use.
  • Set up IAM Identity Center with trusted access for AWS Organizations to manage user/group accounts and role assignments.
  • Organizational Units (OUs) such as the Security OU and Sandbox OU are created by the landing zone; the Client App Account would be provisioned into one of these OUs.
  • AWS CloudFormation StackSets will be used to create, update, or delete stacks across multiple accounts and AWS Regions with a single operation from an administrator account.
  • Set up a VPC Peering connection between the VPCs with routes in both directions, so that traffic can flow across accounts.
  • Services such as a Terraform server may be provisioned in the public subnet; configure a NAT Gateway and attach an Internet Gateway to the VPC for internet access while maintaining a secure network. Other services/apps reside in the private subnet with the appropriate route table attached.
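The peering and subnet layout described in the last two steps, written out as an added Terraform example (it is not part of the original page and not the architecture's own code). It assumes two provider aliases, `client` and `partner`, each authenticated into its own account, and uses placeholder VPC IDs, route table IDs, account ID and CIDR ranges; the two CIDR ranges must not overlap, and VPC Peering is not transitive, so only the two VPCs named here can reach each other.

```hcl
# Added example: cross-account, intra-region VPC Peering between the Client VPC and
# the Partner (ISV) VPC, with a route in each direction, plus a public subnet with an
# Internet Gateway and NAT Gateway for the Terraform server and a private subnet
# whose default route goes out via the NAT Gateway.
# All IDs, the account ID and the CIDR ranges below are placeholders.

provider "aws" {
  alias  = "client"
  region = "eu-west-1"          # both VPCs are in the same Region (intra-region peering)
}

provider "aws" {
  alias  = "partner"
  region = "eu-west-1"
}

variable "client_vpc_id"      { default = "vpc-CLIENT-PLACEHOLDER" }
variable "client_rt_id"       { default = "rtb-CLIENT-PLACEHOLDER" }   # existing client route table
variable "partner_vpc_id"     { default = "vpc-PARTNER-PLACEHOLDER" }
variable "partner_account_id" { default = "111111111111" }            # placeholder account ID
variable "client_cidr"        { default = "10.10.0.0/16" }            # must not overlap partner_cidr
variable "partner_cidr"       { default = "10.20.0.0/16" }

# Requester side: the Client account asks to peer with the Partner VPC.
resource "aws_vpc_peering_connection" "client_to_partner" {
  provider      = aws.client
  vpc_id        = var.client_vpc_id
  peer_vpc_id   = var.partner_vpc_id
  peer_owner_id = var.partner_account_id
  auto_accept   = false         # cross-account: the Partner side must accept explicitly
  tags          = { Name = "client-to-partner" }
}

# Accepter side: the Partner account accepts the request.
resource "aws_vpc_peering_connection_accepter" "partner_accept" {
  provider                  = aws.partner
  vpc_peering_connection_id = aws_vpc_peering_connection.client_to_partner.id
  auto_accept               = true
}

# Route from the Client VPC towards the Partner CIDR over the peering link.
resource "aws_route" "client_to_partner" {
  provider                  = aws.client
  route_table_id            = var.client_rt_id
  destination_cidr_block    = var.partner_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.client_to_partner.id
}

# Partner side: public subnet (Terraform server) and private subnet (other apps).
resource "aws_internet_gateway" "igw" {
  provider = aws.partner
  vpc_id   = var.partner_vpc_id
}

resource "aws_subnet" "public" {
  provider   = aws.partner
  vpc_id     = var.partner_vpc_id
  cidr_block = "10.20.0.0/24"
}

resource "aws_subnet" "private" {
  provider   = aws.partner
  vpc_id     = var.partner_vpc_id
  cidr_block = "10.20.1.0/24"
}

resource "aws_eip" "nat" {
  provider = aws.partner
  domain   = "vpc"
}

resource "aws_nat_gateway" "nat" {
  provider      = aws.partner
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id   # NAT Gateway lives in the public subnet
}

# Public route table: internet via the IGW, Client CIDR via the peering link.
resource "aws_route_table" "public" {
  provider = aws.partner
  vpc_id   = var.partner_vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
  route {
    cidr_block                = var.client_cidr
    vpc_peering_connection_id = aws_vpc_peering_connection_accepter.partner_accept.id
  }
}

# Private route table: egress only through the NAT Gateway, Client CIDR via peering.
resource "aws_route_table" "private" {
  provider = aws.partner
  vpc_id   = var.partner_vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
  route {
    cidr_block                = var.client_cidr
    vpc_peering_connection_id = aws_vpc_peering_connection_accepter.partner_accept.id
  }
}

resource "aws_route_table_association" "public" {
  provider       = aws.partner
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private" {
  provider       = aws.partner
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
```

The private subnet has no route to the Internet Gateway at all, so instances there can only reach the internet outbound through the NAT Gateway and are not reachable from it; security groups on the peered workloads should additionally restrict ingress to the specific peer CIDR and ports rather than relying on the route tables alone.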