

# Networking account
<a name="networking-account"></a>

The Networking account serves as the central hub for network routing between AMS multi-account landing zone accounts, your on-premises network, and egress traffic out to the Internet. In addition, this account contains public DMZ bastions that are the entry point for AMS engineers to access hosts in the AMS environment. The following high-level diagram shows the networking account.

![\[Network architecture diagram showing Egress VPC, DMZ VPC, and connections to on-premises and internet.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/malzNetworkAccount.png)


# Networking account architecture
<a name="malz-network-arch"></a>

The following diagram depicts the AMS multi-account landing zone environment, showing network traffic flows across accounts; it is an example of a highly available setup.


![\[AWS network architecture diagram showing multiple accounts, VPCs, and connectivity components.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/AMS_MALZ_NET_FLOW-2.png)


![\[Diagram showing network traffic flow between AWS accounts, VPCs, and internet gateways.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/AMS_MALZ_NET_FLOW_LEGEND.png)


AMS configures all aspects of networking for you based on our standard templates and the options you selected during onboarding. A standard AWS network design is applied to your AWS account, and a VPC is created for you and connected to AMS by either VPN or Direct Connect. For more information about Direct Connect, see [AWS Direct Connect](https://aws.amazon.com/directconnect/). Standard VPCs include the DMZ, shared services, and an application subnet. During the onboarding process, additional VPCs might be requested and created to match your needs (for example, customer divisions, partners). After onboarding, you are provided with a network diagram: an environment document that explains how your network has been set up.

**Note**  
For information about default service limits and constraints for all active services, see the [AWS Service Limits](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html) documentation.

Our network design is built around the Amazon ["Principle of Least Privilege"](https://en.wikipedia.org/wiki/Principle_of_least_privilege). In order to accomplish this, we route all traffic, ingress and egress, through a DMZ, except traffic coming from a trusted network. The only trusted network is the one configured between your on-premises environment and the VPC through the use of a VPN and/or an AWS Direct Connect (DX). Access is granted through the use of bastion instances, thereby preventing direct access to any production resources. All of your applications and resources reside inside private subnets that are reachable through public load balancers. Public egress traffic flows through the NAT Gateways in the egress VPC (in the Networking account) to the Internet Gateway and then to the Internet. Alternatively, the traffic can flow over your VPN or Direct Connect to your on-premises environment. 

# Private network connectivity to AMS Multi-account landing zone environment
<a name="malz-net-arch-private-net"></a>

AWS offers private connectivity via either virtual private network (VPN) connectivity or dedicated lines with AWS Direct Connect. Private connectivity in your multi-account environment is set up using one of the methods described next:
+ Centralized Edge connectivity using Transit Gateway
+ Connecting Direct Connect (DX) and/or VPN to account virtual private clouds (VPCs)

# Centralized edge connectivity using transit gateway
<a name="malz-net-arch-cent-edge"></a>

AWS Transit Gateway is a service that enables you to connect your VPCs and your on-premises networks to a single gateway. Transit gateway (TGW) can be used to consolidate your existing edge connectivity and route it through a single ingress/egress point. Transit gateway is created in the networking account of your AMS multi-account environment. For more details about transit gateway, see [AWS Transit Gateway](https://aws.amazon.com/transit-gateway/).

AWS Direct Connect (DX) gateway is used to connect your DX connection over a transit virtual interface to the VPCs or VPNs that are attached to your transit gateway. You associate a Direct Connect gateway with the transit gateway. Then, create a transit virtual interface for your AWS Direct Connect connection to the Direct Connect gateway. For information on DX virtual interfaces, see [AWS Direct Connect Virtual Interfaces](https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html).

This configuration offers the following benefits. You can:
+ Manage a single connection for multiple VPCs or VPNs that are in the same AWS Region.
+ Advertise prefixes from on-premises to AWS, and from AWS to on-premises.

**Note**  
For information about using a DX with AWS services, see the [Classic](https://docs.aws.amazon.com/directconnect/latest/UserGuide/getstarted.html) section of the Resiliency Toolkit. For more information, see [Transit Gateway associations](https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-transit-gateways.html).

![\[AWS Transit Gateway network diagram showing connections to VPCs and Direct Connect.\]](http://docs.aws.amazon.com/managedservices/latest/onboardingguide/images/malz-cent-edge.png)


To increase the resiliency of your connectivity, we recommend that you attach at least two transit virtual interfaces from different AWS Direct Connect locations to the Direct Connect gateway. For more information, see the [AWS Direct Connect resiliency recommendation](https://aws.amazon.com/directconnect/resiliency-recommendation/).

# Connecting DX or VPN to account VPCs
<a name="malz-net-arch-dx-vpn"></a>

With this option, the VPCs in your AMS multi-account landing zone environments are directly connected to Direct Connect or VPN. The traffic directly flows from the VPCs to Direct Connect or VPN without traversing through the transit gateway.

# Resources in the networking account
<a name="networking-account-resources"></a>

As shown in the networking account diagram, the following components are created in the account and require your input.

The Networking account contains two VPCs: the **Egress VPC** and the **DMZ VPC**, also known as the **Perimeter** VPC.

# AWS Network Manager
<a name="networking-manager"></a>

AWS Network Manager is a service that enables you to visualize your transit gateway (TGW) networks at no additional cost to AMS. It provides centralized network monitoring of both AWS resources and on-premises networks, a single global view of your private network in a topology diagram and in a geographical map, utilization metrics such as bytes in/out, packets in/out, and packets dropped, and alerts for changes in the topology, routing, and up/down connection status. For information, see [AWS Network Manager](https://aws.amazon.com/transit-gateway/network-manager/).

Use one of the following roles to access this resource:
+ AWSManagedServicesCaseRole
+ AWSManagedServicesReadOnlyRole
+ AWSManagedServicesChangeManagementRole

# Egress VPC
<a name="networking-vpc"></a>

The Egress VPC is primarily used for egress traffic to the Internet and is composed of public/private subnets in up to three availability zones (AZs). Network address translation (NAT) gateways are provisioned in the public subnets, and transit gateway (TGW) VPC attachments are created in the private subnets. Egress, or outbound, internet traffic from all networks enters through the private subnets via the TGW, where the VPC route tables then send it to a NAT gateway.

For your VPCs that contain public-facing applications in a public subnet, traffic originating from the internet is contained within that VPC. Return traffic is not routed to the TGW or Egress VPC, but routed back through the internet gateway (IGW) in the VPC.
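The two paragraphs above describe a specific expected routing state: in the Egress VPC the private subnets (where the TGW attachments sit) default-route to a NAT gateway and the public subnets default-route to the IGW, while private workload subnets in other accounts default-route to the TGW. The following added example (not AMS code) encodes those expectations as a drift check over route tables. It assumes route tables in the shape of an EC2 `DescribeRouteTables` response, plus a constructed `Role` label per table that an operator would normally derive from subnet tags; all resource IDs and CIDRs are made up.

```python
# Constructed sample in the shape of EC2 DescribeRouteTables output. The "Role" key is
# an assumed label (in practice derived from subnet tags); IDs and CIDRs are invented.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-egress-public", "Role": "egress-public",
     "Routes": [{"DestinationCidrBlock": "10.0.16.0/24", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-egress-private", "Role": "egress-private",
     "Routes": [{"DestinationCidrBlock": "10.0.16.0/24", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
                {"DestinationCidrBlock": "10.0.0.0/8", "TransitGatewayId": "tgw-0example"}]},
    {"RouteTableId": "rtb-app-private", "Role": "app-private",
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0example"}]},
    # Drifted table: a private workload subnet that bypasses the TGW and egresses directly.
    {"RouteTableId": "rtb-app-private-drift", "Role": "app-private",
     "Routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0app"}]},
]

# Where the default route of each subnet role is expected to point, per the page's flow.
EXPECTED_DEFAULT_TARGET = {
    "egress-public": "igw",    # NAT gateways live here and exit through the IGW
    "egress-private": "nat",   # TGW attachments land here; internet-bound traffic goes to NAT
    "app-private": "tgw",      # workload subnets hand internet-bound traffic to the TGW
}


def route_target(route):
    """Classify a single route's target as nat, tgw, igw, local or other."""
    if "NatGatewayId" in route:
        return "nat"
    if "TransitGatewayId" in route:
        return "tgw"
    gateway = route.get("GatewayId", "")
    if gateway == "local":
        return "local"
    if gateway.startswith("igw-"):
        return "igw"
    return "other"


def default_route_target(table):
    """Return the target kind of the 0.0.0.0/0 route, or None if there is no default route."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route_target(route)
    return None


def audit_egress_path(tables, expected=EXPECTED_DEFAULT_TARGET):
    """Map each route table ID to None (as expected) or a description of the deviation."""
    report = {}
    for table in tables:
        want = expected.get(table["Role"])
        got = default_route_target(table)
        report[table["RouteTableId"]] = None if got == want else f"expected {want}, found {got}"
    return report


if __name__ == "__main__":
    for rtb_id, finding in audit_egress_path(SAMPLE_ROUTE_TABLES).items():
        print(rtb_id, "OK" if finding is None else finding)
```

The check deliberately keys on the default route only: the return-traffic rule in the second paragraph (public-facing VPC traffic goes back out its own IGW rather than through the TGW) is satisfied automatically when each public subnet's default route is its IGW, so no separate rule is needed for it.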

**Note**  
Networking VPC CIDR range: When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.16.0/24. This is the primary CIDR block for your VPC.  
The AMS multi-account landing zone team recommends a /24 range (which provides more IP addresses) to leave some buffer in case other resources or appliances are deployed in the future.

# Perimeter (DMZ) VPC
<a name="networking-dmz"></a>

The Perimeter, or DMZ, VPC contains the necessary resources for AMS Operations engineers to access AMS networks. It contains public subnets across 2-3 AZs, with SSH bastion hosts in an Auto Scaling group (ASG) for AMS Operations engineers to log into or tunnel through. The security groups attached to the DMZ bastions contain port 22 inbound rules from **Amazon Corp Networks**.
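Because the bastion security groups are the only intended path to port 22, the control worth monitoring is that no inbound SSH rule has drifted to a source outside the trusted networks. The following added example (not AMS code) audits security groups in the shape of an EC2 `DescribeSecurityGroups` response for exactly that. The trusted-source list, group IDs and CIDRs are constructed placeholders; the real corporate ranges are whatever AMS provisions.

```python
import ipaddress

# Placeholder for the trusted corporate network; the real ranges are not on this page.
TRUSTED_SSH_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample in the shape of EC2 DescribeSecurityGroups output (IDs invented).
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0bastion000example",
        "GroupName": "dmz-bastion-sg",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        ],
    },
    {
        # Drifted group: SSH open to the world, plus an all-protocol rule from a wide range.
        "GroupId": "sg-0drifted000example",
        "GroupName": "dmz-bastion-sg-drifted",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        ],
    },
]


def rule_covers_ssh(perm):
    """True if an ingress permission admits TCP/22, including 'all traffic' (-1) rules."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)


def untrusted_ssh_sources(group, trusted=TRUSTED_SSH_SOURCES):
    """Return the CIDR sources that can reach port 22 and are not inside a trusted network."""
    findings = []
    for perm in group.get("IpPermissions", []):
        if not rule_covers_ssh(perm):
            continue
        for ip_range in perm.get("IpRanges", []):
            src = ipaddress.ip_network(ip_range["CidrIp"])
            inside = any(src.version == t.version and src.subnet_of(t) for t in trusted)
            if not inside:
                findings.append(str(src))
    return findings


def audit_bastion_groups(groups, trusted=TRUSTED_SSH_SOURCES):
    """Map each group ID to the list of untrusted SSH sources (empty list = compliant)."""
    return {g["GroupId"]: untrusted_ssh_sources(g, trusted) for g in groups}


if __name__ == "__main__":
    for group_id, sources in audit_bastion_groups(SAMPLE_GROUPS).items():
        print(group_id, "compliant" if not sources else f"untrusted SSH sources: {sources}")
```

The `subnet_of` test means a rule is accepted only when its whole source range sits inside a trusted network; a broader range that merely overlaps a trusted one is reported, which is the conservative reading of "inbound from Amazon Corp Networks".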

*DMZ VPC CIDR range:* When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.16.0/24. This is the primary CIDR block for your VPC. 

**Note**  
The AMS team recommends a /24 range (which provides more IP addresses) to leave some buffer in case other resources, such as a firewall, are deployed in the future.

# AWS Transit Gateway
<a name="networking-transit-gateway"></a>

AWS Transit Gateway (TGW) is a service that enables you to connect your Amazon Virtual Private Clouds (VPCs) and your on-premises networks to a single gateway. Transit gateway is the networking backbone that handles the routing between AMS account networks and external networks. For information about Transit Gateway, see [AWS Transit Gateway](https://aws.amazon.com/transit-gateway/). 

Provide the following input to create this resource: 
+ *Transit Gateway ASN number*: Provide the private Autonomous System Number (ASN) for your transit gateway. This should be the ASN for the AWS side of a Border Gateway Protocol (BGP) session. The range is 64512 to 65534 for 16-bit ASNs.
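The inputs this page asks you to prepare (the Egress VPC CIDR, the DMZ VPC CIDR, and the transit gateway ASN) are easy to get subtly wrong: host bits set in a CIDR, a range that overlaps on-premises address space, or an ASN outside the private range. The following added example (not AMS tooling) checks those inputs before they are submitted, applying the page's own guidance: an IPv4 CIDR in RFC 1918 space, a /24 or larger block, no overlap with the other VPC or with on-premises ranges, and a 16-bit private ASN between 64512 and 65534. The input keys and sample values are constructed.

```python
import ipaddress

# RFC 1918 private ranges a VPC primary CIDR is expected to fall within.
PRIVATE_RANGES = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# 16-bit private ASN range given on the page: 64512..65534 inclusive.
PRIVATE_ASN_16BIT = range(64512, 65535)


def parse_cidr(cidr):
    """Return an ip_network for a well-formed CIDR with no host bits set, else None."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return None


def check_vpc_cidr(cidr, existing=(), recommended_prefix=24):
    """Return a list of problems with a proposed VPC CIDR; an empty list means acceptable."""
    net = parse_cidr(cidr)
    if net is None:
        return [f"not a valid CIDR block: {cidr}"]
    if net.version != 4:
        return ["VPC primary CIDR must be IPv4"]
    problems = []
    if not any(net.subnet_of(p) for p in PRIVATE_RANGES):
        problems.append("not in an RFC 1918 private range")
    # A longer prefix means fewer addresses than the recommended /24 buffer.
    if net.prefixlen > recommended_prefix:
        problems.append(f"/{net.prefixlen} is smaller than the recommended /{recommended_prefix}")
    for other in existing:
        other_net = ipaddress.ip_network(other)
        if net.version == other_net.version and net.overlaps(other_net):
            problems.append(f"overlaps existing network {other_net}")
    return problems


def check_tgw_asn(asn):
    """Return a list of problems with the transit gateway ASN; empty list means acceptable."""
    if not isinstance(asn, int):
        return ["ASN must be an integer"]
    if asn not in PRIVATE_ASN_16BIT:
        return [f"{asn} is outside the private 16-bit range 64512-65534"]
    return []


def validate_networking_inputs(inputs, on_prem_cidrs=()):
    """Validate the two VPC CIDRs and the TGW ASN together, including overlap between them.

    `inputs` is an assumed dict with keys egress_vpc_cidr, dmz_vpc_cidr and tgw_asn.
    """
    report = {}
    allocated = list(on_prem_cidrs)
    for name in ("egress_vpc_cidr", "dmz_vpc_cidr"):
        report[name] = check_vpc_cidr(inputs[name], existing=allocated)
        if parse_cidr(inputs[name]) is not None:
            allocated.append(inputs[name])  # later VPCs must not overlap earlier ones
    report["tgw_asn"] = check_tgw_asn(inputs["tgw_asn"])
    return report


if __name__ == "__main__":
    # Constructed sample inputs; the on-premises range is a placeholder.
    sample = {"egress_vpc_cidr": "10.0.16.0/24", "dmz_vpc_cidr": "10.0.17.0/24", "tgw_asn": 65000}
    for field, problems in validate_networking_inputs(sample, on_prem_cidrs=["192.168.0.0/16"]).items():
        print(field, "OK" if not problems else problems)
```

`strict=True` is what catches a value such as 10.0.16.5/24, which the VPC API would reject; overlap is checked against on-premises ranges first and then against each VPC already accepted, so the DMZ CIDR is also tested against the Egress CIDR.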