The Resource Directory service helps you manage resources in different Alibaba Cloud accounts and allows you to share virtual private clouds (VPCs) with other Alibaba Cloud accounts. This establishes network communication among multiple Alibaba Cloud accounts and improves the IT management efficiency of your organization because each department can focus on its own business.
Background information
As cloud computing becomes more widely adopted, an increasing number of enterprises deploy services in the cloud and purchase more and more cloud resources. An issue arises: How can enterprises manage cloud resources in an efficient manner? Enterprises have high requirements for the division of business, business isolation, and multiple payment methods. The single-account mode can no longer support the sustainable development of enterprises. To resolve this issue, enterprises can use the multi-account mode to meet business development requirements. However, the following issues may arise when the multi-account mode is used:
- Management of multiple accounts
Enterprises may not be able to manage multiple isolated Alibaba Cloud accounts in a centralized manner. Therefore, more refined management is required.
- Communication among multiple accounts
Enterprises can use Cloud Enterprise Network (CEN) to connect VPCs that belong to different accounts. This way, cloud resources within different accounts can communicate with each other. However, as the business complexity increases, the following issues may occur:
- Complex network O&M due to isolated deployment of network resources
The network of an enterprise can be large and complex because the network resources may be deployed and managed by different accounts. As a result, it is difficult for O&M personnel to manage an enterprise network in a centralized manner.
- Increased costs due to frequent network resource configurations
O&M and instance costs increase due to frequent VPC configurations by different accounts.
- Increased network complexity due to an increasing number of VPCs
To meet business requirements, more and more VPCs need to be deployed. As a result, issues such as network complexity, management difficulty, and resource quota limits arise. For example, the number of VPCs attached to a CEN instance may reach the upper limit.
To address the preceding issues, you can use the Resource Directory service to manage resources in different Alibaba Cloud accounts. For example, you can share resources and VPCs to establish network communication among Alibaba Cloud accounts.
Scenarios
In production, an enterprise may use multiple accounts to divide and isolate workloads. To better manage these accounts, the enterprise uses resource directories to deploy, configure, and manage VPCs based on the organization structure or workload status. For example, the enterprise can share VPCs so that the vSwitches, excluding the default vSwitches, are shared among different departments. This helps the enterprise control the network O&M cost and network topology as workload complexity increases.
The business department can view and manage only the resources deployed in the shared vSwitches. In addition, the business department can create or delete resources in the shared vSwitches, such as cloud instances and databases, based on business requirements.
Solutions
Use a resource directory to manage multiple Alibaba Cloud accounts
The Resource Directory service provided by Alibaba Cloud allows you to manage the relationships among multiple levels of resources and accounts. You can construct a resource directory by creating subdirectories based on your business requirements. Then, you can deploy Alibaba Cloud accounts of your enterprise on the subdirectories as required. This way, you can manage the accounts and resources in a centralized manner based on their relationship in the organization. In addition, your requirements for finance, security, audit, and compliance can be met. For more information, see Resource Directory overview.
Use Resource Sharing to share resources with members within the same resource directory
Within a resource directory, an enterprise can use the Resource Sharing service to share specified resources within an account (resource owner) with one or more accounts (principals) by creating resource shares. For more information, see Resource Sharing overview.
Share a VPC with members within the same resource directory
An enterprise can use the Resource Sharing service to share the VPC vSwitches, excluding the default vSwitches, with other members (principals) in the resource directory. Resource directory members can deploy resources, such as Elastic Compute Service (ECS) instances, Server Load Balancer (SLB) instances, and ApsaraDB RDS instances, in the same VPC. This facilitates resource management. The resources created by the resource owner and principals can communicate with each other within the shared VPC.
Note: If you want to isolate the vSwitches in some scenarios, use the following methods:
- Configure a network access control list (ACL) to isolate the vSwitches.
- Configure a security group to isolate the instances in the vSwitches. You can also use security groups that belong to other accounts.
Custom VPC vSwitches can be shared among multiple accounts. You do not need to create a separate VPC for each account. You can use fewer VPCs to control your expenses on network resources and reduce network complexity.
For more information about the permissions on shared vSwitches and resources, see Overview of VPC sharing.
Procedure
Step 1: Share vSwitches within a resource directory
The administrator or a member of a resource directory can share resources with all members in the resource directory, all members in a specific folder of the resource directory, or a specific member in the resource directory.
For more information, see Enable VPC sharing.
- Use a resource directory to manage multiple accounts
- Enable resource sharing
- Create a resource share as a resource owner
Step 2: View and use shared vSwitches as a principal
By default, after the resource owner shares a vSwitch, a principal can use the shared vSwitch without further authorization. Principals can view the vSwitches that other accounts share with them. They can also create cloud resources, such as ECS instances, SLB instances, and ApsaraDB RDS instances, in the shared vSwitches.
For more information, see Create cloud resources in a shared vSwitch as a principal.
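The following script is an added example and is not code from Alibaba Cloud or from this page. It works through the two steps above on the owner and principal side: it reads a constructed DescribeVSwitches response, drops the default vSwitches (which the page says are not shared), checks every target against a constructed Resource Directory ListAccounts response, and builds the CreateResourceShare parameters in the dotted style the aliyun CLI uses for list parameters. On the principal side it picks out the vSwitches that belong to another account. The response field names (`VSwitches.VSwitch[].IsDefault`, `Accounts.Account[].Status`, `OwnerId`) and the account statuses treated as active are the author's assumptions about those APIs, and all IDs are constructed.

```python
"""Validate and build a vSwitch resource share (added example, not Alibaba Cloud code).

Assumptions: the JSON below mimics the VPC DescribeVSwitches and Resource Directory
ListAccounts responses; field names and the set of "active" statuses are assumptions,
and every ID is constructed.
"""
import json

# Constructed DescribeVSwitches response as seen by the resource owner.
OWNER_VSWITCHES_JSON = json.dumps({
    "VSwitches": {"VSwitch": [
        {"VSwitchId": "vsw-owner-default", "VpcId": "vpc-example", "IsDefault": True,
         "OwnerId": "100000000000"},
        {"VSwitchId": "vsw-app-a", "VpcId": "vpc-example", "IsDefault": False,
         "OwnerId": "100000000000"},
        {"VSwitchId": "vsw-app-b", "VpcId": "vpc-example", "IsDefault": False,
         "OwnerId": "100000000000"},
    ]}
})

# Constructed ListAccounts response from the resource directory.
MEMBERS_JSON = json.dumps({
    "Accounts": {"Account": [
        {"AccountId": "111111111111", "Status": "CreateSuccess"},
        {"AccountId": "222222222222", "Status": "InviteSuccess"},
        {"AccountId": "333333333333", "Status": "CreateVerifying"},
    ]}
})

# Constructed DescribeVSwitches response as seen by principal 111111111111
# after the share is applied: its own vSwitch plus the two shared ones.
PRINCIPAL_VSWITCHES_JSON = json.dumps({
    "VSwitches": {"VSwitch": [
        {"VSwitchId": "vsw-own", "VpcId": "vpc-mine", "IsDefault": False,
         "OwnerId": "111111111111"},
        {"VSwitchId": "vsw-app-a", "VpcId": "vpc-example", "IsDefault": False,
         "OwnerId": "100000000000"},
        {"VSwitchId": "vsw-app-b", "VpcId": "vpc-example", "IsDefault": False,
         "OwnerId": "100000000000"},
    ]}
})

# Statuses under which a member is assumed to be usable as a share target.
ACTIVE_STATUSES = {"CreateSuccess", "PromoteSuccess", "InviteSuccess"}


def shareable_vswitches(describe_json):
    """Return the IDs of vSwitches eligible for sharing: default vSwitches are excluded."""
    data = json.loads(describe_json)
    return [v["VSwitchId"] for v in data["VSwitches"]["VSwitch"] if not v.get("IsDefault")]


def active_members(list_json):
    """Return the account IDs of resource directory members that are active."""
    data = json.loads(list_json)
    return {a["AccountId"] for a in data["Accounts"]["Account"] if a["Status"] in ACTIVE_STATUSES}


def build_share_request(name, vswitch_ids, targets, shareable, members):
    """Build CreateResourceShare parameters after checking vSwitches and targets.

    Raises ValueError for a default vSwitch or a target outside the directory, so a
    misconfigured share is rejected before any API call is made.
    """
    bad_vsw = [v for v in vswitch_ids if v not in shareable]
    if bad_vsw:
        raise ValueError(f"not shareable (default or unknown vSwitch): {bad_vsw}")
    bad_targets = [t for t in targets if t not in members]
    if bad_targets:
        raise ValueError(f"targets outside the resource directory: {bad_targets}")
    params = {"ResourceShareName": name}
    for i, vsw in enumerate(vswitch_ids, 1):
        params[f"Resources.{i}.ResourceId"] = vsw
        params[f"Resources.{i}.ResourceType"] = "VSwitch"
    for i, target in enumerate(targets, 1):
        params[f"Targets.{i}"] = target
    return params


def shared_with_me(describe_json, own_account_id):
    """Principal side: vSwitches visible in DescribeVSwitches that another account owns."""
    data = json.loads(describe_json)
    return [v["VSwitchId"] for v in data["VSwitches"]["VSwitch"]
            if v.get("OwnerId") != own_account_id]


if __name__ == "__main__":
    shareable = shareable_vswitches(OWNER_VSWITCHES_JSON)
    members = active_members(MEMBERS_JSON)
    req = build_share_request("vpc-share-example", shareable, ["111111111111"], shareable, members)
    print(json.dumps(req, indent=2))
    print("principal sees shared:", shared_with_me(PRINCIPAL_VSWITCHES_JSON, "111111111111"))
```

The parameter dictionary maps directly onto `aliyun resourcesharing CreateResourceShare --ResourceShareName ... --Resources.1.ResourceId ... --Resources.1.ResourceType VSwitch --Targets.1 ...`; the two pre-checks are the part worth keeping in any automation, because they stop a share from silently landing on an account that was never part of the resource directory.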