AWS VPC Sharing Explained: Architecture, Benefits, Limits, and Use Cases
AWS VPC sharing lets a single AWS account own a VPC and share selected subnets with other accounts in the same AWS Organization. Those other accounts (called participant accounts) launch EC2 instances, RDS databases, and load balancers directly into the shared subnets. Traffic flows between all resources natively because they are all inside the same VPC. No peering connections, no Transit Gateway attachments, no transitive routing concerns. The host account retains full control over the network; participants control only the resources they deploy.
AWS VPC sharing is not universally better than the alternatives. It trades per-account autonomy and workload isolation for operational simplicity and cost efficiency. Understanding when that trade-off makes sense, and when it does not, is what this page is for.
- What AWS VPC sharing is and how it works step by step
- What the host account controls vs what participant accounts control
- Benefits, limitations, and real-world design patterns
- How it compares with VPC Peering and Transit Gateway
- Common mistakes and operational gotchas teams hit in production
Simple explanation
Think of it like a shared office building. One company owns the building and controls everything structural: the hallways, wiring, fire exits, and security desk. Other companies rent offices inside. Each tenant furnishes their own space and controls who gets into their office, but they cannot rewire the hallways or add new exits. They all share the same building address and can walk between floors freely, because they are already in the same building.
In AWS: the host account owns the VPC (the building). Participant accounts rent subnets (offices) and launch their own resources there. They can all communicate inside the VPC without peering, because they are already in the same network.
In practice: the host account creates a VPC, designs the subnet layout, and manages route tables, NAT Gateways, and Internet Gateways. It then shares specific subnets via AWS Resource Access Manager (AWS RAM). Participant accounts see those subnets in their console, launch their own resources into them, and communicate with other resources in the VPC without any extra connectivity setup.
How AWS VPC sharing works
The setup follows a straightforward sequence:
- A dedicated networking account creates a VPC and designs the subnet layout for the environment.
- The host account uses AWS RAM to create a resource share, selects the subnets to expose, and specifies which accounts or AWS Organizations OUs should receive access.
- Participant accounts see the shared subnets appear automatically in their subnet list. OU-based shares require no acceptance; individual account shares may prompt an invitation.
- Participant accounts launch their own resources (EC2 instances, RDS clusters, load balancers) into those subnets using their own AWS account credentials and security groups.
- All resources receive IPs from the VPC’s address space and communicate directly. No peering connections, no gateway attachments, and no routing configuration is needed beyond what the host already configured.
The AWS RAM CLI commands below show what the host does to create the share and what a participant sees:
# Host account: Create a resource share for subnets
aws ram create-resource-share \
--name "networking-shared-subnets" \
--resource-arns \
arn:aws:ec2:us-east-1:111111111111:subnet/subnet-private-az1 \
arn:aws:ec2:us-east-1:111111111111:subnet/subnet-private-az2 \
--principals \
arn:aws:organizations::111111111111:ou/o-example/ou-example-appteam \
--allow-external-principals false
# Participant account: List visible shared subnets (filtered by owner)
aws ec2 describe-subnets \
--filters "Name=owner-id,Values=111111111111"
# Participant account: Launch an EC2 instance into the shared subnet
aws ec2 run-instances \
--image-id ami-0abc123def456789a \
--instance-type t3.micro \
--subnet-id subnet-private-az1 \
--security-group-ids sg-participant-appThe —allow-external-principals false flag ensures subnets cannot be shared outside the organization. The participant’s security group (sg-participant-app) lives in the participant account, not in the host account. This is intentional: participants bring their own security groups for the resources they own.
Sharing subnets with an organizational unit (OU) rather than individual account IDs means new accounts added to that OU automatically get access. You do not need to update the RAM resource share every time a new team account is created. This is the standard approach for organizations with a central networking account.
Host account vs participant accounts
Understanding the boundary between these two roles is essential before adopting this model.
What the host account controls
- VPC creation, CIDR block, and address planning
- Subnet creation, sizing, and availability zone placement
- Route tables and routing rules
- Network ACLs
- Internet Gateways, NAT Gateways, and VPC endpoints
- Which subnets are shared and with which accounts or OUs
- VPC Flow Logs configuration for the shared VPC
What participant accounts control
- EC2 instances, RDS databases, load balancers, and other resources launched into shared subnets
- Security groups created in the participant account and attached to their own resources
- IAM roles and instance profiles for their resources
- Tags on their own resources
Participants cannot modify route tables, NACLs, subnets, or any VPC-level resource. They also cannot configure VPC Flow Logs on shared subnets; only the host account can do that.
Who pays for what
The host account pays for VPC infrastructure: NAT Gateways, Internet Gateways, VPC endpoints, and any hybrid connectivity attachments. Participant accounts pay for the resources they launch and the data transfer costs those resources generate. This split is predictable and consistent.
Benefits of AWS VPC sharing
- No CIDR overlap problems. All resources share the same VPC and address space. There is no possibility of conflicting CIDR ranges between accounts, which is one of the most common pain points in large peering meshes.
- No peering sprawl. Instead of dozens of VPC peering connections to maintain, audit, and troubleshoot, you have one VPC per environment. Ten accounts become ten tenants in one network, not 45 peering connections.
- Centralized network control. The platform team manages routing, security boundaries, and connectivity once. Application teams do not need networking expertise to operate within the shared VPC.
- Easier IP planning. One address space, one team planning it. You avoid the coordination overhead of assigning non-overlapping CIDRs to dozens of separate VPCs.
- Cost-efficient shared infrastructure. NAT Gateways, VPN connections, and Direct Connect attachments are paid for once and shared across all participant accounts. In a multi-VPC model, each VPC might maintain its own NAT Gateway, duplicating costs per account. For network egress context, see network egress costs explained.
Limitations and trade-offs
Shared VPC is a deliberate trade-off, not a strict upgrade. These limitations are real and matter in practice.
All resources in a shared VPC share the same network layer. There are no hard network boundaries between participant accounts. Isolation depends entirely on security groups and NACLs, not on physically separate VPCs. If strict regulatory or contractual isolation is required between accounts, shared VPC is not the right model.
- Reduced participant autonomy. If an application team needs a new subnet, a different route, or a subnet-level NACL change, they must request it from the host account team. In organizations without a mature platform team and a clear service model, this becomes a bottleneck. Teams that value networking independence will find this model frustrating.
- Cross-account security group complexity. Security groups are account-scoped. Allowing traffic from a resource in account A into a resource in account B requires cross-account security group rules, which work but require coordination and add configuration surface area. See security groups explained for how these rules work.
- Centralized flow log visibility. VPC Flow Logs for the shared VPC are controlled by the host account. Individual participant accounts cannot independently enable or configure flow logging on shared subnets. Debugging network issues requires access to host-account logs or coordination with the platform team.
- Single point of operational dependency. If the host account’s network team makes a change (resizing a subnet, modifying a route table, or changing a NAT Gateway), it affects every participant simultaneously. Changes require careful testing and change management.
When to use AWS VPC sharing
Shared VPC is a strong fit in these situations:
- Central platform team supporting many app teams. A platform engineering team owns the network and provides subnets to product teams as a service. App teams ship features; the platform team handles connectivity. Clear ownership makes the operational model work.
- Multi-account microservices inside one trust boundary. You have 10 to 30 accounts, all belonging to the same organizational unit, running services that communicate frequently. Rather than peering every pair, one VPC serves all of them cleanly.
- Cost-conscious shared networking foundations. You want shared NAT Gateways, shared VPC endpoints, and shared Site-to-Site VPN or Direct Connect capacity across all accounts rather than paying for duplicates per VPC.
- Environments where teams do not need network autonomy. Regulated environments, internal developer platforms, and shared staging environments where the platform team sets network policy for everyone.
When not to use this
If two business units must be network-isolated from each other by security policy, compliance requirement, or contractual obligation, separate VPCs with Transit Gateway or no direct connectivity is the correct model. A shared VPC cannot enforce hard network boundaries between tenants. Do not use it to satisfy isolation requirements.
- Teams that need independent network control. If each team must manage their own route tables, subnets, or NACLs independently, shared VPC will generate constant friction. Give those teams separate VPCs.
- Separate VPCs per business unit required. Some organizational models, especially those with external customers or partner integrations, require each unit to have its own VPC for audit, billing, or governance reasons. Shared VPC does not satisfy that requirement.
- Transitive routing across many separate VPCs. If you already have many existing VPCs that need to communicate (including on-premises networks, partner VPCs, and multiple regions), Transit Gateway is designed for that problem. Shared VPC solves a different problem: it replaces many VPCs with one, rather than routing between them.
Shared VPC vs VPC Peering vs Transit Gateway
| Factor | Shared VPC | VPC Peering | Transit Gateway |
|---|---|---|---|
| Best fit | Centralized platform, many tenants, one trust boundary | Simple point-to-point connectivity between two VPCs | Large-scale, multi-VPC routing including on-premises |
| Number of VPCs | One (shared by all accounts) | One per account | One per account, connected via hub |
| Scaling | Scales well: no extra connections as accounts grow | Poor: connections multiply (N×(N−1)/2) | Scales well: hub-and-spoke model |
| Isolation | Weak: shared network layer, enforced by security groups | Strong: separate VPCs per account | Strong: separate VPCs, route table controlled |
| Operational ownership | Centralized in host account | Distributed: each account manages its own VPC | Centralized at Transit Gateway level |
| Routing model | No extra routing: all in one VPC | Direct, non-transitive | Transitive routing supported |
| CIDR planning | Simple: one address space | Complex: non-overlapping CIDRs required per VPC | Complex: non-overlapping CIDRs required per VPC |
| Cost shape | Lowest: shared infrastructure, no gateway charges | Low: no gateway fees, but duplicated NAT/endpoints | Higher: hourly attachment fee per VPC plus data processing |
Which one should you choose?
If you are starting a multi-account environment with a strong central platform team and workloads that need to communicate freely, shared VPC is usually the most cost-effective and operationally simple choice. If each team needs their own isolated network or you are connecting many existing VPCs across regions or to on-premises, Transit Gateway is the better fit. VPC peering works well for simple one-to-one connections but does not scale to many accounts.
Practical design patterns
The shared VPC model supports several subnet allocation strategies. Choosing the right one affects IP planning, blast radius, and operational clarity.
One shared subnet for all participants
The simplest setup: the host shares one private subnet and one public subnet, and all participant accounts launch into those subnets. This is easiest to manage but provides no separation between tenants. A participant that exhausts IPs in the shared subnet affects everyone. Suitable only for small teams with few resources.
Dedicated subnets per participant or team
The host creates separate subnets for each participant account or team and shares only that team’s subnets with their account. Each team has its own IP range within the VPC. This is the most common production pattern because it:
- Limits IP exhaustion blast radius: one team filling their subnet does not affect others
- Makes IP attribution and audit straightforward: you know which CIDR block belongs to which team
- Allows subnet-level NACL policies to be applied per team if needed
- Simplifies cost and traffic analysis per team in VPC Flow Logs
Shared public subnets, isolated private subnets
A third pattern shares one or two public subnets (for load balancers and NAT traffic) while giving each team their own private subnet for workloads. This reduces the number of subnets the host manages while still giving each team IP isolation for their back-end resources. It works well when the public tier is lightweight and controlled by the platform team.
For most production environments: start with dedicated private subnets per team and a single shared public subnet tier. This gives you clean IP attribution and isolates IP exhaustion risk, without requiring the host to create and maintain dozens of public subnets.
Common mistakes
- Sharing the wrong subnets. RAM shares subnets, not the entire VPC. Share only the subnets participant accounts actually need. Do not expose management subnets, subnets running sensitive platform infrastructure, or subnets attached to internal VPC endpoints that should not be accessible to all participants.
- Forgetting that security groups are account-scoped. A security group in the participant account is a different object from any security group in the host account. Cross-account security group references are possible in inbound rules but require explicit configuration. Teams that assume they can reference each other’s security groups freely will hit permission errors. Plan your network security model across accounts before deployment.
- Assuming participant accounts have full VPC access. Teams new to the model sometimes try to modify route tables or NACLs from their participant account and hit permission denied errors. Set clear expectations before onboarding: participants create resources, not network infrastructure.
- Undersized subnets. If you allocate a /28 (14 usable IPs) for a team that plans to run 20 EC2 instances and 5 RDS instances, you will run out of addresses. AWS also reserves 5 IPs per subnet. Size subnets generously (a /24 gives 251 usable IPs) and plan for growth. The resource hierarchy documentation covers how IP planning fits into multi-account design.
- Not testing cross-account security group rules before go-live. Cross-account security group references work, but the syntax and trust relationships are non-obvious. Validate that participant accounts can actually reach each other’s resources under your intended rules before declaring the environment ready.
Operational gotchas
Participant accounts cannot use the shared VPC’s default security group. It belongs to the host account. If a participant launches a resource without explicitly assigning a security group, the result is unpredictable: the resource may be unreachable or may inherit no rules at all. Enforce explicit security group assignment in every deployment pipeline that targets shared subnets.
- Subnet IP exhaustion is a shared problem. If a participant account fills a shared subnet with resources, other participants in that subnet cannot launch new resources. Monitor IP utilization at the VPC level, not just per account. Dedicated per-team subnets isolate this risk.
- Security group ownership confusion. When a participant account’s resource has a security group rule issue, the participant must fix it, not the host team. But when the issue is at the NACL or route table level, only the host can fix it. This boundary is invisible to users who do not understand the model. Document it clearly for every team that onboards.
- Flow log ownership and access. The host account controls VPC Flow Logs. If a participant account team is troubleshooting network issues, they may need to request log access from the host account. Build a process for this before the first incident, not after it.
- RAM share propagation delay. When you add accounts to an OU covered by a RAM share, the shared subnets do not always appear instantaneously. There can be a short propagation delay before new accounts see them. Factor this into account provisioning workflows and do not assume subnets are immediately available.
Summary
- AWS VPC sharing uses AWS RAM to share subnets from a host account with participant accounts in the same AWS Organization.
- Participant accounts launch resources into shared subnets and communicate natively, with no peering or Transit Gateway required.
- The host account retains full control over VPC infrastructure (route tables, NACLs, gateways); participants control only the resources they create.
- Participants cannot use the shared VPC’s default security group; they must use security groups from their own account.
- Benefits include no CIDR overlap risk, no peering sprawl, centralized network management, and cost-efficient shared infrastructure.
- Limitations include reduced participant autonomy, weaker workload isolation, centralized flow log control, and cross-account security group complexity.
- For strict account isolation or transitive routing across many VPCs, Transit Gateway is typically the better fit.
- Dedicated subnets per participant team is the recommended production pattern: it limits IP exhaustion blast radius and improves IP attribution.
Frequently asked questions
Do I need AWS Organizations to use VPC sharing?
Yes. AWS RAM subnet sharing requires all accounts to be in the same AWS Organization. You cannot share subnets with arbitrary external accounts. When you share with an organizational unit (OU), all current and future accounts in that OU receive access automatically.
Who pays for shared infrastructure and workload resources?
The host account pays for VPC-level infrastructure: NAT Gateways, Internet Gateways, VPC endpoints, and VPN or Direct Connect attachments. Participant accounts pay for the resources they launch (EC2 instances, RDS databases, load balancers) and for the data transfer costs generated by those resources.
Can participant accounts create their own security groups?
Yes. Participant accounts can create security groups in their own account and attach them to resources launched into shared subnets. They cannot modify the host account's security groups. Cross-account security group references are supported but require explicit configuration on both sides.
Can participant accounts use the default security group of the shared VPC?
No. The default security group belongs to the host account. Participant accounts cannot use it and must create security groups in their own account to attach to their resources. This is a common point of confusion for teams new to the shared VPC model.
When should I choose Transit Gateway instead of shared VPC?
Choose Transit Gateway when accounts need strong network isolation (each keeps its own VPC), when you need transitive routing across many VPCs, or when connecting on-premises networks that must reach multiple VPCs. Shared VPC is the better fit when cost efficiency and centralized control matter more than per-account isolation.