Multi Account Strategy in Alibaba Cloud

Posted on 5 March 2021 by Alberto Roura.
Tags: alibaba cloud, multi-account, governance, security, organization

Implementing a multi-account strategy in Alibaba Cloud enables organizations to achieve better isolation, security, cost management, and operational efficiency. This approach separates workloads, environments, and teams into distinct accounts while maintaining centralized governance and management.

Why Multi-Account Strategy?

Benefits

  • Security Isolation: Isolate production, development, and testing environments
  • Cost Allocation: Track and allocate costs by team, project, or environment
  • Access Control: Implement fine-grained access controls per account
  • Compliance: Meet regulatory requirements with isolated accounts
  • Risk Mitigation: Limit blast radius of security incidents
  • Service Limits: Avoid hitting service quotas by distributing across accounts

Common Multi-Account Patterns

1. Environment-Based Separation

Separate accounts by environment:

  • Production Account: Production workloads
  • Staging Account: Pre-production testing
  • Development Account: Development and testing
  • Sandbox Account: Experimental workloads

2. Business Unit Separation

Separate accounts by business unit or department:

  • Engineering Account: Engineering team resources
  • Marketing Account: Marketing team resources
  • Finance Account: Finance team resources

3. Project-Based Separation

Separate accounts by project or application:

  • Application A Account: Resources for Application A
  • Application B Account: Resources for Application B
  • Shared Services Account: Common services and resources

4. Hybrid Approach

Combine multiple patterns:

  • Environment separation within business units
  • Project separation within environments
  • Shared services account for common resources

Account Structure Design

Master Account

The primary account that:

  • Manages other accounts
  • Houses billing and organization management
  • Contains shared services
  • Implements centralized governance

Member Accounts

Individual accounts for:

  • Specific environments
  • Business units
  • Projects or applications
  • Isolated workloads

Setting Up Multi-Account Structure

Create Resource Directory

# Enable the resource directory (one-time step; the calling account becomes the management account)
aliyun resourcemanager InitResourceDirectory

Create Member Accounts

# Create a member (resource) account inside the resource directory
aliyun resourcemanager CreateResourceAccount \
  --DisplayName "Production" \
  --AccountNamePrefix "prod-account"

Alternative: Manual Account Creation

  • Create separate Alibaba Cloud accounts
  • Link accounts via Resource Directory or manual management
  • Configure cross-account access as needed

Cross-Account Access

RAM Role-Based Access

Create roles for cross-account access:

In Account A, the account that owns the role (its trust policy names Account B as the principal allowed to assume it):

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "RAM": [
          "acs:ram::<Account-B-ID>:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Resource": "acs:ram::<Account-A-ID>:role/CrossAccountRole"
    }
  ]
}

In Account B, the account that assumes the role:

# Run from Account B: assume the role that lives in Account A
aliyun sts AssumeRole \
  --RoleArn "acs:ram::<Account-A-ID>:role/CrossAccountRole" \
  --RoleSessionName "cross-account-session"
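The trust policy above is the control that decides who may enter Account A, so it is worth checking mechanically before it is applied and whenever it changes. The following Python script is an added example, not code from the original post: it parses a RAM trust policy document, accepts only whole-account root principals, and reports any principal that is a wildcard or an account id outside an allow-list. The 16-digit account ids and the WILDCARD_TRUST_POLICY document are constructed samples; only RAM principals are examined (Service or Federated principals would need their own rules).

```python
import json

# Sample trust policy in the shape shown above, with the <Account-B-ID>
# placeholder replaced by a constructed 16-digit account id.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"RAM": ["acs:ram::1111111111111111:root"]},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed policy that trusts every account: the case the check must catch.
WILDCARD_TRUST_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"RAM": ["*"]},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_account_id(arn):
    """Return the account id from an 'acs:ram::<id>:root' principal, else None.

    Only whole-account root principals are accepted; a user or role ARN such as
    acs:ram::<id>:user/bob is rejected so the caller can report it.
    """
    parts = arn.split(":")
    if len(parts) == 5 and parts[0] == "acs" and parts[1] == "ram" and parts[4] == "root":
        return parts[3] if parts[3].isdigit() else None
    return None


def check_trust_policy(policy_json, allowed_accounts):
    """Return a list of findings (strings) for a RAM trust policy document.

    allowed_accounts is the set of account ids permitted to assume the role.
    Only Allow statements that grant sts:AssumeRole are examined; an empty
    result means every trusted principal is a specific account on the list.
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {idx}: wildcard principal lets any account assume the role")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {idx}: unrecognised principal {principal!r}")
            continue
        for arn in _as_list(principal.get("RAM")):
            if arn == "*":
                findings.append(f"statement {idx}: wildcard RAM principal lets any account assume the role")
                continue
            account = principal_account_id(arn)
            if account is None:
                findings.append(f"statement {idx}: unrecognised principal {arn!r}")
            elif account not in allowed_accounts:
                findings.append(f"statement {idx}: account {account} is not on the allow-list")
    return findings


if __name__ == "__main__":
    for name, policy in (("sample", SAMPLE_TRUST_POLICY), ("wildcard", WILDCARD_TRUST_POLICY)):
        print(name, check_trust_policy(policy, {"1111111111111111"}) or "OK")
```

Run it as a pre-apply check in whatever pipeline deploys RAM roles; the allow-list is the inventory of member accounts that are supposed to reach the role, so any finding means either the policy or the inventory is wrong.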

Resource Sharing

Share resources across accounts:

  • OSS Bucket Sharing: Cross-account OSS access
  • Image Sharing: Share custom images
  • Snapshot Sharing: Share snapshots
  • VPC Peering: Connect VPCs across accounts

Centralized Management

Resource Directory

Use Resource Directory for:

  • Centralized account management
  • Unified billing
  • Policy management
  • Resource organization

Cloud Enterprise Network (CEN)

Connect accounts via CEN:

# Create CEN instance (in the account that will own the network)
aliyun cen CreateCenInstance \
  --Name "multi-account-network" \
  --Description "Connect all accounts"

# In the account that owns the VPC: authorise the CEN owned by another
# account to attach this VPC
aliyun vpc GrantInstanceToCen \
  --CenId cen-xxxxx \
  --CenOwnerId <cen-owner-account-id> \
  --InstanceId vpc-xxxxx \
  --InstanceType VPC

# In the CEN owner account: attach the VPC from the other account
# (ChildInstanceOwnerId is needed when the VPC belongs to a different account)
aliyun cen AttachCenChildInstance \
  --CenId cen-xxxxx \
  --ChildInstanceId vpc-xxxxx \
  --ChildInstanceType VPC \
  --ChildInstanceRegionId cn-hangzhou \
  --ChildInstanceOwnerId <vpc-owner-account-id>

Centralized Logging

  • ActionTrail: Centralized audit logging
  • Log Service: Aggregate logs from all accounts
  • CloudMonitor: Unified monitoring dashboard
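Centralising ActionTrail output is only useful if something reads it. The script below is an added example, not part of the original post: it runs a detection over constructed ActionTrail-style events (one JSON object per line, as Log Service would deliver them) and flags every cross-account AssumeRole whose target role is not in the role inventory or whose calling account is not on that role's allow-list. The event field names (eventSource, eventName, userIdentity, requestParameters) follow the ActionTrail event format as I understand it and should be treated as an assumption; the account ids, role names and IP addresses are constructed.

```python
import json

# Constructed ActionTrail-style events, one JSON object per line. The field
# names are an assumption about the ActionTrail format; adapt them to the
# fields your Log Service project actually stores.
SAMPLE_LOG = "\n".join([
    json.dumps({"eventTime": "2021-03-05T09:00:01Z", "eventSource": "sts.aliyuncs.com",
                "eventName": "AssumeRole",
                "userIdentity": {"type": "ram-user", "accountId": "1111111111111111", "userName": "deployer"},
                "sourceIpAddress": "203.0.113.10",
                "requestParameters": {"RoleArn": "acs:ram::2222222222222222:role/CrossAccountRole",
                                      "RoleSessionName": "cross-account-session"}}),
    json.dumps({"eventTime": "2021-03-05T09:05:42Z", "eventSource": "sts.aliyuncs.com",
                "eventName": "AssumeRole",
                "userIdentity": {"type": "ram-user", "accountId": "3333333333333333", "userName": "contractor"},
                "sourceIpAddress": "198.51.100.7",
                "requestParameters": {"RoleArn": "acs:ram::2222222222222222:role/CrossAccountRole",
                                      "RoleSessionName": "adhoc"}}),
    json.dumps({"eventTime": "2021-03-05T09:07:13Z", "eventSource": "sts.aliyuncs.com",
                "eventName": "AssumeRole",
                "userIdentity": {"type": "ram-user", "accountId": "1111111111111111", "userName": "deployer"},
                "sourceIpAddress": "203.0.113.10",
                "requestParameters": {"RoleArn": "acs:ram::2222222222222222:role/ForgottenRole",
                                      "RoleSessionName": "cross-account-session"}}),
    json.dumps({"eventTime": "2021-03-05T09:10:00Z", "eventSource": "ecs.aliyuncs.com",
                "eventName": "DescribeInstances",
                "userIdentity": {"type": "ram-user", "accountId": "2222222222222222", "userName": "ops"},
                "sourceIpAddress": "203.0.113.10", "requestParameters": {}}),
])

# Constructed inventory: each cross-account role and the member accounts that
# are allowed to assume it. In practice this is derived from the trust policies.
ROLE_ALLOWLIST = {
    "acs:ram::2222222222222222:role/CrossAccountRole": {"1111111111111111"},
}


def parse_events(log_text):
    """Parse JSON-lines ActionTrail output, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not stop the whole batch
    return events


def detect_unexpected_assume_role(events, allowlist):
    """Flag AssumeRole calls that do not match the role inventory.

    Two conditions raise an alert: the target role is not inventoried at all
    (a role nobody tracks is a governance gap) or the calling account is not
    on that role's allow-list. Each alert carries the reason and the evidence
    an analyst needs to follow up.
    """
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "sts.aliyuncs.com" or ev.get("eventName") != "AssumeRole":
            continue
        params = ev.get("requestParameters") or {}
        identity = ev.get("userIdentity") or {}
        role_arn = params.get("RoleArn")
        caller = identity.get("accountId")
        evidence = {"time": ev.get("eventTime"), "caller_account": caller,
                    "user": identity.get("userName"),
                    "source_ip": ev.get("sourceIpAddress"), "role": role_arn}
        if role_arn not in allowlist:
            alerts.append({"reason": "role-not-inventoried", **evidence})
        elif caller not in allowlist[role_arn]:
            alerts.append({"reason": "caller-not-allowed", **evidence})
    return alerts


if __name__ == "__main__":
    for alert in detect_unexpected_assume_role(parse_events(SAMPLE_LOG), ROLE_ALLOWLIST):
        print(alert)
```

The allow-list is the same inventory a trust-policy review would produce, so the two views cross-check each other: a role that appears in the logs but not in the inventory is a gap in governance, and a caller that appears in the logs but not in the allow-list is either an undocumented integration or a misuse of the role.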

Governance and Compliance

Policy Management

Implement consistent policies:

  • SCP (Service Control Policies): Account-level restrictions
  • RAM Policies: Consistent access policies
  • Tag Policies: Enforce tagging standards
  • Compliance Policies: Regulatory compliance

Cost Management

  • Cost Allocation Tags: Track costs by account
  • Budget Alerts: Set budgets per account
  • Cost Reports: Generate account-level reports
  • Chargeback: Allocate costs to teams

Security Best Practices

  1. Separate Production: Isolate production workloads
  2. MFA Enforcement: Require MFA for all accounts
  3. Audit Logging: Enable ActionTrail in all accounts
  4. Least Privilege: Implement least privilege access
  5. Regular Audits: Conduct security audits regularly

Billing and Cost Management

Consolidated Billing

  • Resource Directory: Unified billing for member accounts
  • Cost Allocation: Track costs by account
  • Budget Management: Set budgets per account
  • Cost Reports: Generate detailed cost reports

Cost Optimization

  • Reserved Instances: Share RI benefits across accounts
  • Spot Instances: Use spot instances in non-production
  • Resource Right-Sizing: Optimize resources per account
  • Cost Alerts: Set up cost anomaly alerts

Migration Strategy

Phases

  1. Planning: Design account structure
  2. Account Creation: Create new accounts
  3. Resource Migration: Migrate resources gradually
  4. Access Configuration: Set up cross-account access
  5. Governance Implementation: Deploy policies
  6. Validation: Test and validate setup

Migration Tools

  • Terraform: Infrastructure as code for migration
  • Alibaba Cloud CLI: Scripted resource migration
  • Data Migration Service: Database migration
  • OSS Migration: Object storage migration

Best Practices

Account Naming Convention

Use consistent naming:

  • {org}-{env}-{purpose}: acme-prod-app1
  • {team}-{project}-{env}: eng-api-prod
  • Include purpose and environment clearly

Tagging Strategy

Implement consistent tags:

  • Environment: production, staging, development
  • Team: team or department name
  • Project: project or application name
  • CostCenter: cost allocation code
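The naming convention and the tagging standard above are only worth having if they are enforced, and both can be checked with the same small script. The following Python is an added example, not code from the original post: it validates account names against the two conventions listed earlier ({org}-{env}-{purpose} and {team}-{project}-{env}), validates each resource's tags against the required keys and the allowed Environment values, and summarises the result as a report. The accepted environment tokens in the name patterns, the constructed resource inventory and the resource ids are assumptions.

```python
import re

# Naming conventions from the article. The set of env tokens accepted in a
# name is an assumption; extend it to match your own convention.
ENV_TOKENS = "prod|staging|dev|sandbox"
NAME_PATTERNS = {
    "org-env-purpose": re.compile(rf"^[a-z0-9]+-(?:{ENV_TOKENS})-[a-z0-9]+$"),
    "team-project-env": re.compile(rf"^[a-z0-9]+-[a-z0-9]+-(?:{ENV_TOKENS})$"),
}

# Required tags from the article. A set restricts the allowed values; None
# means any non-empty value is accepted.
REQUIRED_TAGS = {
    "Environment": {"production", "staging", "development"},
    "Team": None,
    "Project": None,
    "CostCenter": None,
}

# Constructed inventory, shaped like an export of resources with their tags.
SAMPLE_RESOURCES = [
    {"id": "i-constructed01", "account": "acme-prod-app1",
     "tags": {"Environment": "production", "Team": "eng", "Project": "app1", "CostCenter": "1001"}},
    {"id": "i-constructed02", "account": "eng-api-prod",
     "tags": {"Environment": "prd", "Team": "eng"}},
    {"id": "oss-constructed03", "account": "ProdBucketsAccount",
     "tags": {"Environment": "production", "Team": "", "Project": "app1", "CostCenter": "1001"}},
]


def check_account_name(name):
    """Return the name of the convention the account name follows, or None."""
    for convention, pattern in NAME_PATTERNS.items():
        if pattern.match(name):
            return convention
    return None


def check_resource_tags(resource):
    """Return a list of tag problems for one resource (empty means compliant).

    A missing key and an empty value are treated the same way, because an
    empty CostCenter breaks chargeback just as surely as an absent one.
    """
    problems = []
    tags = resource.get("tags") or {}
    for key, allowed in REQUIRED_TAGS.items():
        value = tags.get(key)
        if not value:
            problems.append(f"missing tag {key}")
        elif allowed is not None and value not in allowed:
            problems.append(f"tag {key} has value {value!r}; expected one of {sorted(allowed)}")
    return problems


def governance_report(resources):
    """Summarise naming and tagging compliance across a resource inventory."""
    report = {"bad_account_names": set(), "noncompliant_resources": {}}
    for res in resources:
        if check_account_name(res["account"]) is None:
            report["bad_account_names"].add(res["account"])
        problems = check_resource_tags(res)
        if problems:
            report["noncompliant_resources"][res["id"]] = problems
    return report


if __name__ == "__main__":
    result = governance_report(SAMPLE_RESOURCES)
    print("accounts outside the naming convention:", sorted(result["bad_account_names"]))
    for res_id, problems in result["noncompliant_resources"].items():
        print(res_id, "->", "; ".join(problems))
```

Feed it the tag export of each member account on a schedule and route the report into the same alerting you use for CloudMonitor; a tag policy in Resource Directory can prevent new drift, but a periodic scan like this is what catches resources that predate the policy.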

Access Management

  • Centralized IAM: Use Resource Directory for IAM
  • Role-Based Access: Use RAM roles for access
  • Regular Reviews: Review access regularly
  • Automated Provisioning: Automate account provisioning

Monitoring and Operations

Centralized Monitoring

  • CloudMonitor: Unified monitoring dashboard
  • Log Service: Centralized log aggregation
  • ActionTrail: Centralized audit logging
  • Alerts: Unified alerting across accounts

Operational Procedures

  • Runbooks: Document procedures per account
  • Change Management: Implement change controls
  • Incident Response: Define incident procedures
  • Disaster Recovery: Plan DR per account

Conclusion

A well-designed multi-account strategy in Alibaba Cloud provides organizations with improved security, better cost management, enhanced compliance, and operational efficiency. By separating workloads into distinct accounts while maintaining centralized governance, organizations can scale their cloud operations while maintaining control and visibility.

Successful multi-account implementations require careful planning, consistent governance policies, and ongoing management to ensure the structure continues to meet organizational needs as requirements evolve.
