How do you build APIs that consume cross account resources (and do it securely)?
Operating multiple accounts is an AWS best practice — it helps shard your work, distribute limits, and better segment your environments. It can be challenging to build APIs that consume resources in different accounts, but you have a few options:
1. VPC peer, or use Transit Gateway, to enable communication between two private VPCs.
2. Expose your services publicly and allow resources from other accounts and VPCs to consume them, relying on authentication, authorization and rate limiting at the edge to prevent unauthorized use.
3. Publish the service as a VPC Endpoint Service and have consumers reach it privately over AWS PrivateLink through an interface VPC endpoint in their own VPC.
Option 1 is a good choice when you control all of the VPCs and can plan out CIDR blocks ahead of time. It is difficult to scale because peered VPCs cannot have overlapping CIDR blocks (the same constraint applies to routing between attachments through a Transit Gateway). It also opens two-way network reachability between the VPCs, so you must lock down NACLs and security groups on both sides to prevent undesired access.
Option 2 is a viable choice only if your security requirements allow publicly accessible load balancers and APIs, which is rarely the case: even with authentication in front, the listener itself is reachable from the internet.
Option 3 is generally the most scalable and secure. Connections can only be initiated from the consumer side (an interface endpoint in the client VPC reaching the provider's Network Load Balancer over PrivateLink); the provider cannot initiate traffic back into the consumer VPC, and you do not need to plan VPC CIDR blocks ahead of time because overlapping address ranges are allowed. The provider also controls who may connect by listing allowed principals (accounts, IAM roles or users, or organizational units) on the endpoint service and, optionally, by requiring manual acceptance of each endpoint connection. We’ll take a look at how to deploy this configuration.
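Because the provider side of Option 3 is what decides who can reach the API, the two settings worth checking before you publish are the endpoint service's allowed principals and whether connection acceptance is required. The following is an added example, not code from the original article: a small audit function that models the response shapes of two real boto3 calls, `describe_vpc_endpoint_service_configurations` and `describe_vpc_endpoint_service_permissions`, so it runs offline against constructed data. The service ID, account IDs and role name below are constructed; a weak configuration (wildcard principal, no acceptance) is shown next to a hardened one.

```python
"""Audit the provider side of an AWS PrivateLink endpoint service.

Added example (not from the original article). The two dicts passed to
audit_endpoint_service() follow the shape of these boto3 EC2 responses:

  ec2.describe_vpc_endpoint_service_configurations()["ServiceConfigurations"][i]
  ec2.describe_vpc_endpoint_service_permissions(ServiceId=...)

All sample data below (service ID, account IDs, role name) is constructed.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Account ID embedded in any IAM principal ARN (root, user or role).
IAM_ACCOUNT_RE = re.compile(r"^arn:aws:iam::(\d{12}):")

# Finding = (code, human-readable message)
Finding = Tuple[str, str]


def audit_endpoint_service(service_config: Dict, permissions: Dict,
                           expected_consumer_accounts: Iterable[str]) -> List[Finding]:
    """Return a list of findings; an empty list means the service looks tight."""
    findings: List[Finding] = []
    expected = set(expected_consumer_accounts)

    # Without acceptance, any principal on the allow list connects silently.
    if not service_config.get("AcceptanceRequired", False):
        findings.append(("ACCEPTANCE_NOT_REQUIRED",
                         "AcceptanceRequired is false: allowed principals connect without review"))

    for entry in permissions.get("AllowedPrincipals", []):
        principal = entry.get("Principal", "")
        ptype = entry.get("PrincipalType", "")

        # "*" (PrincipalType "All") lets every AWS account create an endpoint.
        if principal == "*" or ptype == "All":
            findings.append(("WILDCARD_PRINCIPAL",
                             "principal '*' allows any AWS account to connect"))
            continue

        match = IAM_ACCOUNT_RE.match(principal)
        if match is None:
            # e.g. organizations OU ARNs: not wrong, but needs a human decision.
            findings.append(("UNRECOGNIZED_PRINCIPAL",
                             f"{principal}: verify this non-IAM principal is intended"))
            continue

        account = match.group(1)
        if account not in expected:
            findings.append(("UNEXPECTED_ACCOUNT",
                             f"{principal}: account {account} is not an expected consumer"))

    return findings


# --- constructed sample data -------------------------------------------------

EXPECTED_CONSUMER_ACCOUNTS = {"111111111111", "222222222222"}

WEAK_CONFIG = {
    "ServiceId": "vpce-svc-0123456789abcdef0",   # constructed
    "AcceptanceRequired": False,
    "NetworkLoadBalancerArns": ["arn:aws:elasticloadbalancing:us-east-1:000000000000:loadbalancer/net/api/abc"],
}
WEAK_PERMISSIONS = {
    "AllowedPrincipals": [
        {"PrincipalType": "All", "Principal": "*"},
        {"PrincipalType": "Account", "Principal": "arn:aws:iam::999999999999:root"},
    ]
}

HARDENED_CONFIG = dict(WEAK_CONFIG, AcceptanceRequired=True)
HARDENED_PERMISSIONS = {
    "AllowedPrincipals": [
        {"PrincipalType": "Account", "Principal": "arn:aws:iam::111111111111:root"},
        {"PrincipalType": "Role", "Principal": "arn:aws:iam::222222222222:role/api-consumer"},
    ]
}


def finding_codes(findings: List[Finding]) -> List[str]:
    """Just the codes, handy for tests and for summarising many services."""
    return [code for code, _ in findings]


if __name__ == "__main__":
    for label, cfg, perms in (("weak", WEAK_CONFIG, WEAK_PERMISSIONS),
                              ("hardened", HARDENED_CONFIG, HARDENED_PERMISSIONS)):
        result = audit_endpoint_service(cfg, perms, EXPECTED_CONSUMER_ACCOUNTS)
        print(f"{label}: {len(result)} finding(s)")
        for code, msg in result:
            print(f"  [{code}] {msg}")
```

To run it against a real service, feed the function the dicts returned by the two boto3 calls named in the docstring; the check is deliberately provider-side only, so the consumer account still needs to restrict the interface endpoint's security group to the API port and to the clients that should reach it.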