Which solution will meet these requirements with the LEAST operational overhead?
Instruct each business unit to add a unique secondary CIDR range to the business unit’s VPC. Peer the VPCs and use a private NAT gateway in the secondary range to route traffic to the marketing team.
Create an Amazon EC2 instance to serve as a virtual appliance in the marketing account’s VPC. Create an AWS Site-to-Site VPN connection between the marketing team and each business unit’s VPC. Perform NAT where necessary.
Create an AWS PrivateLink endpoint service to share the marketing application. Grant permission to specific AWS accounts to connect to the service. Create interface VPC endpoints in other accounts to access the application by using private IP addresses.
Create a Network Load Balancer (NLB) in front of the marketing application in a private subnet. Create an API Gateway API. Use the Amazon API Gateway private integration to connect the API to the NLB. Activate IAM authorization for the API. Grant access to the accounts of the other business units.
Explanations:
While adding a unique secondary CIDR range and peering the VPCs could potentially resolve the overlapping CIDR issue, this approach would still require manual management and configuration across multiple accounts. It introduces complexity and operational overhead by requiring each business unit to modify its own network configuration. Additionally, routing traffic through a private NAT gateway in the secondary range complicates the architecture.
Creating an EC2 instance as a virtual appliance and establishing a Site-to-Site VPN connection adds significant operational overhead. This approach requires maintaining the EC2 instance, managing VPN connections, and handling NAT where necessary. It does not scale well and involves complex networking setups that can lead to increased management tasks.
Using AWS PrivateLink is the most efficient and scalable solution for sharing the marketing application across different AWS accounts with overlapping CIDR ranges. It allows for secure access to the application through private IP addresses without needing to modify the existing network configurations of the business units. PrivateLink also reduces operational overhead by eliminating the need for VPN connections or additional NAT configurations.
Creating a Network Load Balancer (NLB) and connecting it to an API Gateway with private integration introduces unnecessary complexity. It requires managing both the NLB and the API Gateway, including IAM authorization. This solution also does not directly address the issue of overlapping CIDR ranges, potentially complicating access for business units. Overall, it has higher operational overhead compared to using PrivateLink.
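The page contains no code; the two CloudFormation templates below are an added illustration of the PrivateLink design described in the explanation for the third option, not material from the original question. The first template is deployed in the marketing (provider) account, the second in each business-unit (consumer) account. The account IDs, parameter names, the existing target group ARN and the client CIDR are assumed placeholders.

```yaml
# --- Provider stack (marketing account), added example ---
# Publishes the marketing application through an endpoint service fronted by an
# internal NLB. Consumers connect with interface endpoints in their own VPCs, so
# overlapping CIDR ranges never need to be reconciled. All IDs are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Marketing application shared via AWS PrivateLink (provider side)
Parameters:
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  AppTargetGroupArn:
    Type: String            # existing target group holding the application instances
  ConsumerPrincipals:
    Type: CommaDelimitedList  # placeholder business-unit account root ARNs
    Default: "arn:aws:iam::111122223333:root,arn:aws:iam::444455556666:root"
Resources:
  AppNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal        # never internet-facing; reachable only through endpoints
      Subnets: !Ref PrivateSubnetIds
  AppListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AppNlb
      Port: 443
      Protocol: TCP
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref AppTargetGroupArn
  MarketingEndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      NetworkLoadBalancerArns:
        - !Ref AppNlb
      AcceptanceRequired: true  # every consumer connection must be approved explicitly
  MarketingEndpointServicePermissions:
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      ServiceId: !Ref MarketingEndpointService
      AllowedPrincipals: !Ref ConsumerPrincipals  # allow-list; no other account can connect
Outputs:
  ServiceName:
    Description: Hand this service name to the business units for their endpoints
    Value: !Sub "com.amazonaws.vpce.${AWS::Region}.${MarketingEndpointService}"
---
# --- Consumer stack (one per business-unit account), added example ---
# Creates an interface endpoint in the consumer's own VPC. The endpoint ENIs take
# addresses from the consumer's subnets, so the CIDR overlap with the marketing
# VPC is irrelevant. Traffic is one-way: the marketing VPC gains no route back.
AWSTemplateFormatVersion: "2010-09-09"
Description: Interface endpoint to the marketing application (consumer side)
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  MarketingServiceName:
    Type: String            # value of the provider stack's ServiceName output
  AppClientCidr:
    Type: String            # placeholder: only these clients may use the endpoint
    Default: 10.0.0.0/16
Resources:
  EndpointSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Restrict the endpoint ENIs to the application clients
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref AppClientCidr
  MarketingEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcEndpointType: Interface
      VpcId: !Ref VpcId
      ServiceName: !Ref MarketingServiceName
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds:
        - !Ref EndpointSg
Outputs:
  EndpointDnsNames:
    Description: Private DNS names the business unit's clients should use
    Value: !Join [",", !GetAtt MarketingEndpoint.DnsEntries]
```

Because the service is created with AcceptanceRequired set to true, a consumer's endpoint stays in the pendingAcceptance state until the marketing account approves it; the provider lists pending requests with `aws ec2 describe-vpc-endpoint-connections` and approves them with `aws ec2 accept-vpc-endpoint-connections --service-id <service id> --vpc-endpoint-ids <endpoint id>`. That approval step, plus the AllowedPrincipals allow-list and the consumer-side security group, is what keeps the shared application limited to the intended business units while still requiring no change to their existing CIDR ranges or route tables.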