How can I create a VPN that connects to multi VPCs of different org accounts, where I can manage access to VPCs on a per user basis?

Currently I have a VPC under the management organisation, and wireguard vpn is used to access the VPC (via jump/bastion server). We are starting a new project with new devs. I’ve created a separate AWS org under the root, and this org has a separate VPC. I want some devs to be able to access VPCs of both orgs, and other devs to only be able to access one of the VPCs. How can this be achieved?

The best way is to create a transit GW and attach the VPN (and any additional VPCs) to it.

You can then create a hub architecture, including a Network FW to better segregate access.

But be careful with the amount of traffic you send through the firewall or it can be expensive.

VPC Transit Gateway

I’m curious about this, too. We have a similar requirement.

Network-level access and resource-level permissions are two different components here. You can’t restrict network access of, for example, a bastion host, dependent on the user request. You need to combine the two: limit the network access as much as possible, and then constrain user permissions as tightly as possible. Transit Gateway is probably the best way to manage the inter-VPC connectivity requirement. Peering is not transitive.

Let me know if you find out hahaha