We started to operate servers for our customers at AWS within one (root) account. Each customer environment is inside a separate VPC, for maximum separation and for ease of inter-instance access. Now, with the second customer requiring a VPN connection, I hit the wall with AWS for the first time. You can’t have multiple VPCs with VPNs pointing to separate IPs.
AWS support: “Unfortunately, due to routing restrictions in our regions we only allow a CGW IP to be used once per region.”
There are quite a number of discussions and threads about this, but none with a straightforward technical solution (and installing a software VPN is not a suitable solution for me), so I use a different workaround: I create an additional AWS account for every customer and link it back to our root account for consolidated billing. As a nice side effect, billing becomes more transparent, because every linked account maps to exactly one of our customers.
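The rule AWS support states above (one customer gateway IP per region) is easy to run into again as soon as a second VPN is provisioned. The following is an added example, not code from the original post: a pre-flight check that looks at data in the shape returned by `aws ec2 describe-customer-gateways` and refuses a candidate CGW IP that is already used by a non-deleted gateway in that region. The embedded sample data is constructed (documentation IP range, made-up gateway IDs); the `check_cgw_ip_live` helper is an assumption about how one would wire it to a real account with boto3.

```python
"""Pre-flight check for the per-region customer-gateway IP restriction.

Added example, not from the original post. It works on data in the shape
returned by `aws ec2 describe-customer-gateways` (constructed sample below),
so it runs offline; check_cgw_ip_live() shows the same check against a real
account and region (assumes boto3 and credentials are available).
"""
import ipaddress

# Constructed sample in the shape of describe-customer-gateways output.
# IPs are from the documentation range 203.0.113.0/24; IDs are made up.
SAMPLE_CUSTOMER_GATEWAYS = {
    "CustomerGateways": [
        {"CustomerGatewayId": "cgw-0a1b2c3d", "IpAddress": "203.0.113.10",
         "State": "available", "Type": "ipsec.1", "BgpAsn": "65000"},
        {"CustomerGatewayId": "cgw-0e5f6a7b", "IpAddress": "203.0.113.20",
         "State": "deleted", "Type": "ipsec.1", "BgpAsn": "65000"},
        {"CustomerGatewayId": "cgw-09c8d7e6", "IpAddress": "203.0.113.30",
         "State": "available", "Type": "ipsec.1", "BgpAsn": "65001"},
    ]
}

# RFC 1918 ranges: a customer gateway needs a routable public address.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def active_gateways_by_ip(describe_output):
    """Map each CGW public IP to the live gateway IDs using it in this region.

    Gateways in state "deleted" no longer consume the IP and are skipped;
    "pending" and "deleting" are still counted as in use (conservative).
    """
    by_ip = {}
    for gw in describe_output.get("CustomerGateways", []):
        if gw.get("State") == "deleted":
            continue
        by_ip.setdefault(gw["IpAddress"], []).append(gw["CustomerGatewayId"])
    return by_ip


def check_cgw_ip(describe_output, candidate_ip):
    """Return (ok, reason) for creating a new CGW with candidate_ip.

    ok is False when the IP is not a valid IPv4 address, is a private or
    loopback address, or is already used by a non-deleted customer gateway
    in the region covered by describe_output.
    """
    try:
        addr = ipaddress.IPv4Address(candidate_ip)
    except ValueError:
        return False, f"{candidate_ip!r} is not a valid IPv4 address"
    if addr.is_loopback or any(addr in net for net in PRIVATE_NETWORKS):
        return False, f"{candidate_ip} is not a routable public address"
    conflicts = active_gateways_by_ip(describe_output).get(candidate_ip, [])
    if conflicts:
        return False, (f"{candidate_ip} already used by "
                       f"{', '.join(conflicts)} in this region")
    return True, f"{candidate_ip} is free in this region"


def check_cgw_ip_live(region, candidate_ip):
    """Same check against a real account/region (needs boto3 + credentials)."""
    import boto3  # imported here so the offline part has no dependency
    ec2 = boto3.client("ec2", region_name=region)
    return check_cgw_ip(ec2.describe_customer_gateways(), candidate_ip)


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.99", "10.0.0.1"):
        print(ip, "->", check_cgw_ip(SAMPLE_CUSTOMER_GATEWAYS, ip))
```

Because the check only sees one account, it also illustrates why the per-customer-account workaround sidesteps the problem: each customer account gets its own set of customer gateways in the region.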
More info: http://docs.aws.amazon.com/awsaccountbilling/latest/about/consolidatedbilling.html
AWS allows sharing AMIs with another account, so you can share images with the customer accounts without making them public.
The only disadvantage is the need to organize independent IAM access for each account, which can be redundant.
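One way to limit that IAM redundancy, as an added example that is not part of the original post and describes an approach the post does not mention: instead of creating IAM users in every customer account, create one role per customer account whose trust policy lets principals from the root account assume it, conditioned on an ExternalId and on MFA. The account ID and role name below are placeholders, the policy builder and the audit function run offline, and `assume_customer_role` assumes boto3 and valid root-account credentials.

```python
"""Cross-account role instead of duplicated IAM users per customer account.

Added example, not from the original post. Pattern: each customer account
holds a role that the operator's root account may assume via sts:AssumeRole,
restricted with an ExternalId and an MFA condition. trust_policy_findings()
audits such a policy for the two classic mistakes (wildcard principal,
missing ExternalId).
"""
import json
import re

ROOT_ACCOUNT_ID = "111111111111"  # placeholder: the operator's root account
ROLE_NAME = "OperatorAccess"      # placeholder: role name in each customer account

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_trust_policy(trusted_account_id, external_id, require_mfa=True):
    """Trust policy for a role in a customer account, assumable from trusted_account_id."""
    if not ACCOUNT_ID_RE.match(trusted_account_id):
        raise ValueError(f"invalid AWS account id: {trusted_account_id!r}")
    if not external_id:
        raise ValueError("external id must not be empty")
    conditions = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        conditions["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": conditions,
        }],
    }


def trust_policy_findings(policy):
    """Audit a trust policy; returns a list of problems (empty means clean)."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws_principals = [aws_principals] if isinstance(aws_principals, str) else aws_principals
        if "*" in aws_principals:
            findings.append(f"statement {i}: wildcard principal allows any AWS account")
        cond = stmt.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            findings.append(f"statement {i}: no sts:ExternalId condition")
    return findings


def assume_customer_role(customer_account_id, external_id, session_name="operator"):
    """Temporary credentials for the customer account (needs boto3 + root creds)."""
    import boto3  # imported here so the offline part has no dependency
    resp = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{customer_account_id}:role/{ROLE_NAME}",
        RoleSessionName=session_name,
        ExternalId=external_id,
    )
    return resp["Credentials"]


if __name__ == "__main__":
    policy = build_trust_policy(ROOT_ACCOUNT_ID, "constructed-external-id")
    print(json.dumps(policy, indent=2))
    print("findings:", trust_policy_findings(policy))
```

The role's permission policy (what it may do inside the customer account) is separate and should be scoped to what operations actually need; the trust policy only decides who can assume it.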