The Shared Services model, or Hub and Spoke, is a network topology which allows for the centralisation of shared services for use across multiple workloads, which is particularly beneficial for large-scale cloud estates.

It's one of the simpler, tried and tested architectures for cloud, and allows for separation of concerns within a network designed for virtual machines and containerised workloads, where network configuration is the customer's responsibility; with serverless architecture it instead becomes "of the cloud".

Hub and Spoke example diagram

With hub and spoke we can control the flow of network traffic through a centralised VPC, using VPC peering between the hub and each spoke, and Direct Connect/VPN for on-premises communication with our cloud environment.

This control of traffic allows us to centralise logging, adhere to strict compliance requirements, and reduce the cognitive load on teams having to manage certain security concerns as they're baked into the network design.

Spokes have no direct communication with other spokes in the network; traffic between them must traverse the Hub VPC.
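As an added example (not from the original post), the spoke-only-talks-to-hub rule above can be audited from route-table data. The VPC, peering and route-table ids and the CIDRs below are constructed, and the data shape mirrors what boto3's ec2.describe_route_tables() returns, so the same function can be pointed at real output.

```python
# Added example, not from the original post. Ids and CIDRs are constructed;
# the data shape mirrors boto3's ec2.describe_route_tables() output.

HUB_VPC = "vpc-hub00001"
SPOKE_VPCS = {"vpc-spokeaa01", "vpc-spokebb01"}

# Peering connection id -> (requester VPC, accepter VPC)
PEERINGS = {
    "pcx-hubtoa": ("vpc-hub00001", "vpc-spokeaa01"),
    "pcx-hubtob": ("vpc-hub00001", "vpc-spokebb01"),
    "pcx-atob": ("vpc-spokeaa01", "vpc-spokebb01"),  # spoke-to-spoke: not allowed
}

ROUTE_TABLES = [
    {"VpcId": "vpc-spokeaa01", "RouteTableId": "rtb-spokea", "Routes": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-hubtoa"},
        {"DestinationCidrBlock": "10.2.0.0/16", "VpcPeeringConnectionId": "pcx-atob"},
    ]},
    {"VpcId": "vpc-spokebb01", "RouteTableId": "rtb-spokeb", "Routes": [
        {"DestinationCidrBlock": "10.2.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "10.0.0.0/16", "VpcPeeringConnectionId": "pcx-hubtob"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-spokeb"},  # spoke-owned IGW
    ]},
]


def find_violations(route_tables, hub_vpc, spoke_vpcs, peerings):
    """Return (route table id, destination, reason) for every spoke route that
    bypasses the hub: a peering to another spoke, or a spoke-owned IGW/NAT."""
    findings = []
    for table in route_tables:
        vpc = table["VpcId"]
        if vpc not in spoke_vpcs:
            continue  # hub route tables are out of scope for this check
        for route in table["Routes"]:
            dest = route.get("DestinationCidrBlock")
            pcx = route.get("VpcPeeringConnectionId")
            gateway = route.get("GatewayId") or route.get("NatGatewayId") or ""
            if pcx:
                requester, accepter = peerings[pcx]
                peer = accepter if requester == vpc else requester
                if peer != hub_vpc:
                    findings.append((table["RouteTableId"], dest, f"direct peering to spoke {peer}"))
            elif gateway.startswith(("igw-", "nat-")):
                findings.append((table["RouteTableId"], dest, "egress bypasses the hub via " + gateway))
    return findings
```

Running `find_violations(ROUTE_TABLES, HUB_VPC, SPOKE_VPCS, PEERINGS)` on the constructed data reports the spoke-to-spoke peering route in rtb-spokea and the spoke-owned Internet Gateway default route in rtb-spokeb.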

A more modern approach, which achieves a similar result, is to use a Shared VPC across your AWS accounts, with the NAT Gateway, Internet Gateway, Direct Connect, and VPN connections managed in a centralised account. This reduces some of the overhead and complexity of managing a Hub and Spoke VPC peering model.

This topology is not only beneficial for controlling network traffic; certain security services can also be centralised as shared services to make them available across your cloud estate and beyond.

We might have a requirement for anti-virus scanning of files uploaded to Amazon S3. For a large business this capability can be utilised by multiple subsidiaries, projects, and services. To save on infrastructure costs, maintenance costs, and to help reduce cognitive load on engineering teams, this capability can be abstracted into a centralised shared service.

There are also examples of security shared services provided by AWS, such as AWS Firewall Manager, Control Tower, and Security Hub, which focus on centralising WAF rules, compliance, and risk management respectively.