A demo for deploying an Amazon VPC structure using Terraform best practices.
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
This module creates:
- VPC with public and private subnets
- Internet Gateway: To connect the VPC to the internet
- NAT Gateway: [Optional] To allow instances in private subnets to connect to the internet
- Elastic IP: [Optional] To assign to NAT Gateway
- Route Tables: To route traffic between the VPC and the internet
- VPC Endpoints for S3: [Optional] To connect to S3 within private subnets without going through the internet
This module creates a VPC with one public subnet layer and multiple private subnet layers, one per tier. For example, in a typical web application you might have a public subnet for the load balancer and private subnets for the application servers, database servers, and cache servers, each of which forms its own service tier.
The public subnets are associated with a single shared route table that routes traffic to the internet gateway.
For each service specified by the user, private subnets are deployed across different availability zones. Each private subnet is associated with a dedicated route table that routes traffic to the NAT Gateway if the service is public facing, and to the S3 VPC endpoint if the service needs to reach S3 privately.
You can optionally enable a multi-AZ NAT Gateway to provide high availability for instances in private subnets. This is useful for scenarios where you want to ensure that instances in private subnets can connect to the internet even if one of the NAT Gateways fails.
If you disable the multi-AZ NAT Gateway, the module deploys a single NAT Gateway in the first availability zone of the public subnets.
You can optionally enable an S3 VPC endpoint to allow instances in private subnets to connect to S3 without going through the internet. This is useful for scenarios where you want to restrict access to S3 to only instances within the VPC.
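The routing rules described above (a dedicated route table per private subnet, a default route to a NAT Gateway only for public-facing tiers, and an S3 gateway endpoint association only for tiers that opt in) can be expressed in Terraform as follows. This is an added illustration, not the module's own source: it assumes the resources `aws_vpc.main`, `data.aws_region.current`, a `var.tier_info` list with the object shape from the inputs table, the `enable_*` booleans, and an `aws_nat_gateway.main` map keyed by availability zone (a single-AZ deployment has one key).

```hcl
# Added example (not the module's code). Assumes aws_vpc.main, aws_nat_gateway.main
# (map keyed by AZ), data.aws_region.current, var.tier_info and the enable_* variables.

locals {
  # Flatten tiers x availability zones into one map keyed "tier/az" so that
  # for_each keys stay stable when a tier or an AZ is added later.
  private_subnets = {
    for s in flatten([
      for tier in var.tier_info : [
        for idx, az in tier.availability_zones : {
          key                     = "${tier.tier_name}/${az}"
          tier_name               = tier.tier_name
          az                      = az
          cidr_block              = tier.cidr_blocks[idx]
          public_facing           = tier.public_facing
          connect_s3_vpc_endpoint = tier.connect_s3_vpc_endpoint
        }
      ]
    ]) : s.key => s
  }
}

resource "aws_subnet" "private" {
  for_each                = local.private_subnets
  vpc_id                  = aws_vpc.main.id
  cidr_block              = each.value.cidr_block
  availability_zone       = each.value.az
  map_public_ip_on_launch = false # private subnets never hand out public IPs
  tags                    = { Name = each.key, Tier = each.value.tier_name }
}

# One dedicated route table per private subnet, so each tier/AZ is routed independently.
resource "aws_route_table" "private" {
  for_each = local.private_subnets
  vpc_id   = aws_vpc.main.id
  tags     = { Name = "${each.key}-rt" }
}

resource "aws_route_table_association" "private" {
  for_each       = local.private_subnets
  subnet_id      = aws_subnet.private[each.key].id
  route_table_id = aws_route_table.private[each.key].id
}

# Default route to a NAT Gateway only for public-facing tiers, and only when NAT is enabled.
# Non-public tiers (e.g. database) get no route to the internet at all.
resource "aws_route" "nat_gateway" {
  for_each = {
    for k, s in local.private_subnets : k => s
    if var.enable_nat_gateway && s.public_facing
  }
  route_table_id         = aws_route_table.private[each.key].id
  destination_cidr_block = "0.0.0.0/0"
  # Multi-AZ: use the gateway in the subnet's own AZ; single-AZ: fall back to the only gateway.
  nat_gateway_id = lookup(aws_nat_gateway.main, each.value.az, values(aws_nat_gateway.main)[0]).id
}

# Gateway endpoint for S3: traffic to S3 stays on the AWS network instead of leaving via NAT.
resource "aws_vpc_endpoint" "s3" {
  count             = var.enable_s3_endpoint ? 1 : 0
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"
}

# Only tiers that opt in get the S3 prefix-list route added to their route tables.
resource "aws_vpc_endpoint_route_table_association" "s3" {
  for_each = {
    for k, s in local.private_subnets : k => s
    if var.enable_s3_endpoint && s.connect_s3_vpc_endpoint
  }
  route_table_id  = aws_route_table.private[each.key].id
  vpc_endpoint_id = aws_vpc_endpoint.s3[0].id
}
```

The filtered `for_each` maps are what enforce the topology: a tier with `public_facing = false` never receives a `0.0.0.0/0` route, so a misconfigured security group alone cannot give a database subnet a path to the internet.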
```hcl
module "vpc" {
  source = "../terraform-components/aws-vpc"

  vpc_name                  = "testvpc"
  vpc_cidr_block            = "10.1.0.0/16"
  public_subnet_cidr_blocks = ["10.1.0.0/20", "10.1.16.0/20"]

  private_subnet_info = [
    {
      tier_name               = "application"
      cidr_blocks             = ["10.1.128.0/20", "10.1.144.0/20"]
      availability_zones      = ["us-east-1a", "us-east-1b"]
      public_facing           = true
      connect_s3_vpc_endpoint = true
    },
    {
      tier_name               = "database"
      cidr_blocks             = ["10.1.160.0/20", "10.1.176.0/20"]
      availability_zones      = ["us-east-1a", "us-east-1b"]
      public_facing           = false
      connect_s3_vpc_endpoint = false
    }
  ]

  enable_s3_endpoint         = true
  enable_nat_gateway         = true
  enable_multiaz_nat_gateway = true

  tags = local.tags
}
```
| Name | Version |
|---|---|
| terraform | >= 0.13 |
| aws | = 5.45.0 |

| Name | Version |
|---|---|
| aws | = 5.45.0 |
No modules.
| Name | Type |
|---|---|
| aws_eip.nat | resource |
| aws_internet_gateway.main | resource |
| aws_nat_gateway.main | resource |
| aws_route.nat_gateway | resource |
| aws_route_table.private | resource |
| aws_route_table.public | resource |
| aws_route_table_association.private | resource |
| aws_route_table_association.public | resource |
| aws_subnet.private | resource |
| aws_subnet.public | resource |
| aws_vpc.main | resource |
| aws_vpc_endpoint.s3 | resource |
| aws_vpc_endpoint_route_table_association.s3 | resource |
| aws_availability_zones.available | data source |
| aws_region.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| enable_multiaz_nat_gateway | Enable Multi-AZ NAT Gateway | bool | false | no |
| enable_nat_gateway | Enable NAT Gateway | bool | false | no |
| enable_s3_endpoint | Enable S3 VPC endpoint | bool | true | no |
| public_subnet_cidr_blocks | The CIDR blocks for the public subnets | list(string) | [ | no |
| tags | Custom tags which can be passed on to the AWS resources. They should be key-value pairs with distinct keys. | map(any) | {} | no |
| tier_info | The info blocks for the private subnet structure of the tiers to deploy. Each block represents a tier and should have tier_name, cidr_blocks, availability_zones, public_facing, connect_s3_vpc_endpoint. | list(object({ | [ | no |
| vpc_cidr_block | The CIDR block for the VPC | string | "10.0.0.0/16" | no |
| vpc_name | The name of the VPC | string | n/a | yes |
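A declaration of the tier_info input with validation rules is shown below as an added example; it is not the module's own variable definition. The field names come from the description in the inputs table above, while the per-field types, the `default = []` and the three checks are assumptions made here. Validating inputs up front turns a mismatched CIDR/AZ list or a malformed block into a plan-time error instead of a half-applied VPC.

```hcl
# Added example (not the module's code). Field names follow the tier_info description;
# field types, the default and the validation rules are assumptions.
variable "tier_info" {
  description = "Private subnet tiers; one subnet is created per (cidr_block, availability_zone) pair."
  type = list(object({
    tier_name               = string
    cidr_blocks             = list(string)
    availability_zones      = list(string)
    public_facing           = bool
    connect_s3_vpc_endpoint = bool
  }))
  default = []

  # cidr_blocks[idx] is paired with availability_zones[idx], so the lengths must match.
  validation {
    condition = alltrue([
      for t in var.tier_info : length(t.cidr_blocks) == length(t.availability_zones)
    ])
    error_message = "Each tier must list exactly one cidr_block per availability_zone."
  }

  # Reject malformed CIDRs early; cidrnetmask() only accepts valid IPv4 prefixes.
  validation {
    condition = alltrue(flatten([
      for t in var.tier_info : [for c in t.cidr_blocks : can(cidrnetmask(c))]
    ]))
    error_message = "All cidr_blocks must be valid IPv4 CIDR notation, e.g. 10.1.128.0/20."
  }

  # Tier names become map keys (and output keys), so duplicates would collide.
  validation {
    condition     = length(distinct([for t in var.tier_info : t.tier_name])) == length(var.tier_info)
    error_message = "tier_name values must be unique across tiers."
  }
}
```

Terraform evaluates these blocks during `terraform validate` and `terraform plan`, so a bad tier definition is reported with the variable name before any AWS API call is made.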
| Name | Description |
|---|---|
| private_subnets_ids | The IDs of the deployed private subnets, identified by the tier name. |
| public_subnets_ids | The IDs of the deployed public subnets |
| vpc_id | The ID of the deployed VPC |
We use Terraform to deploy the solution architecture. The Terraform blueprints are located in the live-sandbox folder. Terraform blueprints are use-case-specific Terraform files that reference Terraform components. For our use case, we define Terraform blueprints to deploy an AWS VPC.
Terraform components are located in the terraform-components folder. Terraform components are reusable Terraform code that deploy a specific AWS resource. Each component not only deploys its AWS resource but does so following best practices for reusability, security, and scalability.
For more info on Terraform, please refer to the Terraform documentation.
Follow the tutorials below to deploy the solution architecture described in the previous section:
- Set up Terraform with AWS Cloud account
- Deploy VPC module using Terraform
To set up Terraform with your AWS Cloud account:
Step 1. Create an AWS account. Terraform needs an AWS access key and secret key (plus a session token if you use temporary credentials), which it reads from environment variables of the following form:
```shell
export AWS_ACCESS_KEY_ID="xxx"
export AWS_SECRET_ACCESS_KEY="xxx"
export AWS_SESSION_TOKEN="xxx"
```
Step 2. Install Terraform on your local machine. Follow the official documentation to install Terraform.
Step 3. Configure Terraform to use your AWS credentials by pasting the export commands above, filled in with your own access key and secret key, into a terminal.
Step 4. Change directory to live-sandbox, which contains the Terraform blueprints. Set up and validate the Terraform blueprints by running the commands below:
```shell
cd live-sandbox
terraform init
terraform validate
```
To deploy the VPC module using Terraform:
Step 1. Change directory to live-sandbox, which contains the Terraform blueprints, and deploy the solution architecture by running the commands below:
```shell
cd live-sandbox
terraform apply
```
Step 2. Once you are happy with the resources that Terraform is going to deploy in your AWS account, confirm by typing yes in the terminal.