This Terraform Module adds a default set of Network
ACLs to a VPC created using the
vpc-app module. The ACLs enforce the following security settings (based on A Reference VPC
Architecture):
Public subnet: Allow all requests.
Private app subnet: Allow all requests to/from the public subnets, private persistence subnets, and the Mgmt VPC.
Allow all outbound TCP requests plus return traffic from any IP for those TCP requests on ephemeral
ports.
Private persistence subnet: Allow all requests to/from the private app subnets and the Mgmt VPC.
Check out variables.tf for all the configuration options available.
What's a VPC?
A VPC or Virtual Private Cloud is a logically isolated section of your AWS cloud. Each
VPC defines a virtual network within which you run your AWS resources, as well as rules for what can go in and out of
that network. This includes subnets, route tables that tell those subnets how to route inbound and outbound traffic,
security groups, firewalls for the subnet (known as "Network ACLs"), and any other network components such as VPN connections.
What's a Network ACL?
Network ACLs provide an extra layer of network
security, similar to a security group.
Whereas a security group controls what inbound and outbound traffic is allowed for a specific resource (e.g. a single
EC2 instance), a network ACL controls what inbound and outbound traffic is allowed for an entire subnet.
How do I configure the Network ACLs for public ELB access?
The recommended configuration for public Elastic Load Balancers is to deploy the public facing ELB (Application Load
Balancer/ALB or Network Load Balancer/NLB) in the public subnet tier, and the applications in the private app subnet
tier. For the most part, the Network ACLs configured in this module should be sufficient for exposing access to the
private services through the public ELB.
However, for NLBs, the default network ACLs in the module would restrict access to the private services routed from the
NLB if the application is listening on a privileged port (port numbers less than 1024, e.g. HTTP port 80). This is
because unlike ALBs, NLBs do not do address translation, and thus the VPC firewalls end up seeing the client IP address
instead of the NLB IP address. This triggers the firewall rules in the network ACLs that will block access to the
private service in the private app subnet, as the traffic will not appear to come from the public subnet tier.
To ensure the NLB traffic can make it to the private service, you must expose access to the privileged port from the
client IP address in the network ACL rules. To do this, you can use the private_app_allow_inbound_ports_from_cidr
input variable. For example, to allow access to a service listening on port 443 (HTTPS):
module"network_acls" {
# other arguments omitted for brevity
private_app_allow_inbound_ports_from_cidr = {
AllowAnyPublicHTTP = {
client_cidr_block = "0.0.0.0/0"
protocol = "tcp"
from_port = 443
to_port = 443# We pick rule number 99 to ensure it has the highest priority.
rule_number = 99
}
}
}
Questions? Ask away.
We're here to talk about our services, answer any questions, give advice, or just to chat.
{"treedata":{"name":"root","toggled":true,"children":[{"name":".circleci","children":[{"name":"config.yml","path":".circleci/config.yml","sha":"9c54c9a0461a49cb0166e577fa4e68bf7d22c70e"}]},{"name":".gitignore","path":".gitignore","sha":"b4d646276b2bd09ca0637874dedb1e03dc831406"},{"name":".pre-commit-config.yaml","path":".pre-commit-config.yaml","sha":"4ea66ff80f04d5013f666c752310424c22919251"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"8c24c86ef8447a19436b38826f458c71b4da4f45"},{"name":"LICENSE.txt","path":"LICENSE.txt","sha":"f4e3d9bd4717a044ed31ad847a300eee74371a78"},{"name":"README.md","path":"README.md","sha":"8a7aee892ef4a96ed61dd236f1306ebd630a3f06"},{"name":"examples","children":[{"name":"vpc-app-no-nat-gateway","children":[{"name":"README.md","path":"examples/vpc-app-no-nat-gateway/README.md","sha":"ea0486fef279cbb8aced2c65a39a350a65be725f"},{"name":"main.tf","path":"examples/vpc-app-no-nat-gateway/main.tf","sha":"41622b9ed95a4eef916654976075aa52392597c3"},{"name":"outputs.tf","path":"examples/vpc-app-no-nat-gateway/outputs.tf","sha":"e5fe2a9caaa3168dd704ef17ca49fbba76b3ede7"},{"name":"variables.tf","path":"examples/vpc-app-no-nat-gateway/variables.tf","sha":"20dea2995e4f8e7b697b2d7395a7b61ab02261ac"}]},{"name":"vpc-app-subnets-disabled","children":[{"name":"README.md","path":"examples/vpc-app-subnets-disabled/README.md","sha":"67df57551702a809167ca70b61c95b62e08991f0"},{"name":"main.tf","path":"examples/vpc-app-subnets-disabled/main.tf","sha":"6bd73323b34102015d0c0d2391e5eb764b7b64b2"},{"name":"outputs.tf","path":"examples/vpc-app-subnets-disabled/outputs.tf","sha":"6630dcfe2cf399866778a70b9f5530d99d5fc886"},{"name":"variables.tf","path":"examples/vpc-app-subnets-disabled/variables.tf","sha":"d29c3a45b54bb5e7e549d9a46d228ce7e427ad6d"}]},{"name":"vpc-app-with-endpoint","children":[{"name":"README.md","path":"examples/vpc-app-with-endpoint/README.md","sha":"d156678fe7d97d89370b1f95cf0558bf3d2a6430"},{"name":"main.tf","path":"examples/vpc-app-with-endpoint/main.tf","sha":"1a8dcb678fe9d8e81c024e615ce608d807bce0d1"},{"name":"outputs.tf","path":"examples/vpc-app-with-endpoint/outputs.tf","sha":"36e21a8b972bd561cbc3bdaea7b21b8982d6a662"},{"name":"variables.tf","path":"examples/vpc-app-with-endpoint/variables.tf","sha":"be23cd1bfd3a29beb63724612f6bb9a7e5bd3d25"}]},{"name":"vpc-app-with-inbound-network","children":[{"name":"README.md","path":"examples/vpc-app-with-inbound-network/README.md","sha":"25dde99ed73bd19243e09131bc94cfd05fa0214d"},{"name":"main.tf","path":"examples/vpc-app-with-inbound-network/main.tf","sha":"5834e51ae903bf23b3db0e724386fbfe1deb73cc"},{"name":"outputs.tf","path":"examples/vpc-app-with-inbound-network/outputs.tf","sha":"729e7cb3afd8cfee49d4dde4ca3ba20f88ad930f"},{"name":"variables.tf","path":"examples/vpc-app-with-inbound-network/variables.tf","sha":"20dea2995e4f8e7b697b2d7395a7b61ab02261ac"}]},{"name":"vpc-app","children":[{"name":"README.md","path":"examples/vpc-app/README.md","sha":"ea0486fef279cbb8aced2c65a39a350a65be725f"},{"name":"main.tf","path":"examples/vpc-app/main.tf","sha":"8b9ee923caf612d802305e83ac65075216a9e2e3"},{"name":"outputs.tf","path":"examples/vpc-app/outputs.tf","sha":"e5fe2a9caaa3168dd704ef17ca49fbba76b3ede7"},{"name":"variables.tf","path":"examples/vpc-app/variables.tf","sha":"20dea2995e4f8e7b697b2d7395a7b61ab02261ac"}]},{"name":"vpc-custom-cidr-blocks","children":[{"name":"README.md","path":"examples/vpc-custom-cidr-blocks/README.md","sha":"aef7de470f10d0d215966842b737bd41a33c98a5"},{"name":"main.tf","path":"examples/vpc-custom-cidr-blocks/main.tf","sha":"c6b67893a5785b84ad9233bd44b4c4d034beff5d"},{"name":"outputs.tf","path":"examples/vpc-custom-cidr-blocks/outputs.tf","sha":"e5fe2a9caaa3168dd704ef17ca49fbba76b3ede7"},{"name":"variables.tf","path":"examples/vpc-custom-cidr-blocks/variables.tf","sha":"56d3e0ca50ded5ea2535c71f3568f3728106a42b"}]},{"name":"vpc-flow-logs","children":[{"name":"README.md","path":"examples/vpc-flow-logs/README.md","sha":"75f78906088bbfb2be1e016e11958776b9a5f474"},{"name":"main.tf","path":"examples/vpc-flow-logs/main.tf","sha":"d04415f5490abfe5cffb19b7bff1bc22a39dc896"},{"name":"outputs.tf","path":"examples/vpc-flow-logs/outputs.tf","sha":"1832dd649235eb4f917497c2772299c761d39dad"},{"name":"variables.tf","path":"examples/vpc-flow-logs/variables.tf","sha":"3ac7ead850b612a5973fd4c58192dc6b856330df"}]},{"name":"vpc-mgmt-no-nat-gateway","children":[{"name":"README.md","path":"examples/vpc-mgmt-no-nat-gateway/README.md","sha":"31e1e6c333d42951a9929d3c1d2c4bf391a47794"},{"name":"main.tf","path":"examples/vpc-mgmt-no-nat-gateway/main.tf","sha":"64ee074d92e33413b5fe1d8bd5ebc051ad3750e3"},{"name":"outputs.tf","path":"examples/vpc-mgmt-no-nat-gateway/outputs.tf","sha":"c11cde7873d030ed8e8e44a726ee2ea19d65fcd6"},{"name":"variables.tf","path":"examples/vpc-mgmt-no-nat-gateway/variables.tf","sha":"bf7cddc01e2b42855c9c435e5c2751e010e6a435"}]},{"name":"vpc-mgmt","children":[{"name":"README.md","path":"examples/vpc-mgmt/README.md","sha":"31e1e6c333d42951a9929d3c1d2c4bf391a47794"},{"name":"main.tf","path":"examples/vpc-mgmt/main.tf","sha":"9e5438a030c2b91dc3eb4fd53dd8ae9082662a07"},{"name":"outputs.tf","path":"examples/vpc-mgmt/outputs.tf","sha":"c11cde7873d030ed8e8e44a726ee2ea19d65fcd6"},{"name":"variables.tf","path":"examples/vpc-mgmt/variables.tf","sha":"59225eb0320c7af08fa4cade7bbeaf10bdeac295"}]},{"name":"vpc-network-acls","children":[{"name":"README.md","path":"examples/vpc-network-acls/README.md","sha":"dba18c12b6ba20ddecbc23aa2d89c7ade17c5680"},{"name":"main.tf","path":"examples/vpc-network-acls/main.tf","sha":"8fa639aadf004b6c4e76b7d460d2c9b2bb3f809c"},{"name":"outputs.tf","path":"examples/vpc-network-acls/outputs.tf","sha":"5f59a828f7128b7bd7e52599fa794abd0f760293"},{"name":"variables.tf","path":"examples/vpc-network-acls/variables.tf","sha":"a19ecd5a9d56e8127d6dbd39ea9594b0ef49a696"}]},{"name":"vpc-peering-cross-accounts","children":[{"name":"README.md","path":"examples/vpc-peering-cross-accounts/README.md","sha":"5bdbe3edf6abf89c0e3fc5098047ffdd4eefc0f9"},{"name":"accepter.tf","path":"examples/vpc-peering-cross-accounts/accepter.tf","sha":"052c6a9bd2d349dbde283afd472b6a7753526718"},{"name":"dependencies.tf","path":"examples/vpc-peering-cross-accounts/dependencies.tf","sha":"dfba9143d3037101cfb72dfd42351651765104bb"},{"name":"outputs.tf","path":"examples/vpc-peering-cross-accounts/outputs.tf","sha":"5257d0521e3fa33b514cb90f55a811416141c9a2"},{"name":"providers.tf","path":"examples/vpc-peering-cross-accounts/providers.tf","sha":"e1e3cb4875ae9d9484ef965ad5ced9fa05bce6be"},{"name":"requester.tf","path":"examples/vpc-peering-cross-accounts/requester.tf","sha":"376903e14eb2eee2dbc3aef37f6054c3b15028f2"},{"name":"variables.tf","path":"examples/vpc-peering-cross-accounts/variables.tf","sha":"a3af170a52ebe3617c5cbdbc751924c2ef77560a"},{"name":"versions.tf","path":"examples/vpc-peering-cross-accounts/versions.tf","sha":"28640ec1da695ee287382ef7afdcf85ac433bc89"}]},{"name":"vpc-peering-external","children":[{"name":"README.md","path":"examples/vpc-peering-external/README.md","sha":"2ab2674e3ec16b14c9b79ef96ca808078549ff5d"},{"name":"main.tf","path":"examples/vpc-peering-external/main.tf","sha":"4dd1f332fdecbc2cddbd5772d7c231899ef4ee5c"},{"name":"outputs.tf","path":"examples/vpc-peering-external/outputs.tf","sha":"5239df47a80d13f33ea58412eb73a83f4ff431ed"},{"name":"variables.tf","path":"examples/vpc-peering-external/variables.tf","sha":"891f648219c644354f932af309fa3dffb0de3bd5"}]},{"name":"vpc-peering","children":[{"name":"README.md","path":"examples/vpc-peering/README.md","sha":"72acac0226368d798bc1f29623e61749d84af87a"},{"name":"main.tf","path":"examples/vpc-peering/main.tf","sha":"9b7c2efac60ac2cc78a38242e9f2fcf9c35d88d5"},{"name":"outputs.tf","path":"examples/vpc-peering/outputs.tf","sha":"85acf3fc320ca7969f57133d94515e80150f7c79"},{"name":"variables.tf","path":"examples/vpc-peering/variables.tf","sha":"6a8eb9ed4db5427a9eddb3205cfca9fc7386c085"}]}]},{"name":"modules","children":[{"name":"_docs","children":[{"name":"vpc-core-concepts.md","path":"modules/_docs/vpc-core-concepts.md","sha":"6c5780d57f69364b702bbaa5337aa3a1d693370d"},{"name":"vpc_app_architecture.png","path":"modules/_docs/vpc_app_architecture.png","sha":"1cb6d726e1a35614b27be9f3d45b9752589b9683"}]},{"name":"network-acl-inbound","children":[{"name":"README.md","path":"modules/network-acl-inbound/README.md","sha":"3784f45a817ccb73f2e8254c22c674eb77f29a8d"},{"name":"main.tf","path":"modules/network-acl-inbound/main.tf","sha":"add97f3a0746f3f47f4bda81d728feb6c81cee7b"},{"name":"variables.tf","path":"modules/network-acl-inbound/variables.tf","sha":"5bb3140cec48ca71ebc09ac664fca09c115ad77b"}]},{"name":"network-acl-outbound","children":[{"name":"README.md","path":"modules/network-acl-outbound/README.md","sha":"b0a204c8f1e30c99da43158c231436b018e53db6"},{"name":"main.tf","path":"modules/network-acl-outbound/main.tf","sha":"6b8c95a68fa8a4c0c409b6aa810d14ce0ff930ab"},{"name":"variables.tf","path":"modules/network-acl-outbound/variables.tf","sha":"a36ad2e23d0bab06dc5f2333203c2e9092f5e741"}]},{"name":"vpc-app-network-acls","children":[{"name":"README.md","path":"modules/vpc-app-network-acls/README.md","sha":"911b1a1bd141f1754267782937d091579884b286","toggled":true},{"name":"main.tf","path":"modules/vpc-app-network-acls/main.tf","sha":"e9e3c96388baceb65ad9b6102f7d733580803373"},{"name":"outputs.tf","path":"modules/vpc-app-network-acls/outputs.tf","sha":"1e48debceed70b0444a7f7c8fc4c6f90d7cd49d3"},{"name":"variables.tf","path":"modules/vpc-app-network-acls/variables.tf","sha":"0b7fbc4e788afeb21a70041485d8d7fef7f2476b"}],"toggled":true},{"name":"vpc-app","children":[{"name":"README.md","path":"modules/vpc-app/README.md","sha":"0c1a23fc7cf7df8045b5dc45def50662d21cac0a"},{"name":"main.tf","path":"modules/vpc-app/main.tf","sha":"a4b108a7a53c61ae099431ea70365521248e7a90"},{"name":"outputs.tf","path":"modules/vpc-app/outputs.tf","sha":"943edfaa07fe82477bc739f7fd10017452e0565d"},{"name":"variables.tf","path":"modules/vpc-app/variables.tf","sha":"8a97cb5f7c7f685f68210c0ac3692473b61c9133"}]},{"name":"vpc-dns-forwarder-rules","children":[{"name":"README.md","path":"modules/vpc-dns-forwarder-rules/README.md","sha":"e61361e740adf9b6c95de03ee3ee4044162f57b8"},{"name":"main.tf","path":"modules/vpc-dns-forwarder-rules/main.tf","sha":"9beaa511796c5f83828a846e9ef0a5f74507a45d"},{"name":"variables.tf","path":"modules/vpc-dns-forwarder-rules/variables.tf","sha":"b5baaad0819ce7c23d47d1292fe0798dee12cdf5"}]},{"name":"vpc-dns-forwarder","children":[{"name":"README.md","path":"modules/vpc-dns-forwarder/README.md","sha":"0d0b4fffb15431758fd436c7cdc474bace686b7e"},{"name":"main.tf","path":"modules/vpc-dns-forwarder/main.tf","sha":"21141be19f6d9ed429140065e2dd3a0ec231f27b"},{"name":"outputs.tf","path":"modules/vpc-dns-forwarder/outputs.tf","sha":"382b7f3ae80e99cfd8325c9b4de404110e4d85ef"},{"name":"variables.tf","path":"modules/vpc-dns-forwarder/variables.tf","sha":"3c27308d90da5517d686c5bfb901801ba65637c0"}]},{"name":"vpc-flow-logs","children":[{"name":"README.md","path":"modules/vpc-flow-logs/README.md","sha":"09fa1ba0a3b308bb305f2652e11b6160edf9bce0"},{"name":"main.tf","path":"modules/vpc-flow-logs/main.tf","sha":"e8d83cbfd8889cad9721d86a353121007fcec084"},{"name":"outputs.tf","path":"modules/vpc-flow-logs/outputs.tf","sha":"029e23b76b63c324e836a69891a7cb452da99a06"},{"name":"variables.tf","path":"modules/vpc-flow-logs/variables.tf","sha":"bd6957b840f84f331a8011fe0cb669ba41bbaeb3"}]},{"name":"vpc-interface-endpoint","children":[{"name":"README.md","path":"modules/vpc-interface-endpoint/README.md","sha":"5c65f1eec3964b3cc00637270f252406f9247a8a"},{"name":"main.tf","path":"modules/vpc-interface-endpoint/main.tf","sha":"93cc550e284bf5fdc553f2385a0bf22676598c71"},{"name":"outputs.tf","path":"modules/vpc-interface-endpoint/outputs.tf","sha":"79d037d3f3ea31cb6981c07f036e9a1704da8945"},{"name":"variables.tf","path":"modules/vpc-interface-endpoint/variables.tf","sha":"e092b663fd6d87615bbb95d42452fa72878d6436"}]},{"name":"vpc-mgmt-network-acls","children":[{"name":"README.md","path":"modules/vpc-mgmt-network-acls/README.md","sha":"670d2e66c743a02d9f8132752b3a84e447307da7"},{"name":"main.tf","path":"modules/vpc-mgmt-network-acls/main.tf","sha":"3cd745f8b39991020bfcece06f608c81636ec549"},{"name":"outputs.tf","path":"modules/vpc-mgmt-network-acls/outputs.tf","sha":"a5e4effa3263fe4789957fb3058477f0419f65ab"},{"name":"variables.tf","path":"modules/vpc-mgmt-network-acls/variables.tf","sha":"6181036ea5629d4effc3ac95c149709ad8a15b0e"}]},{"name":"vpc-mgmt","children":[{"name":"README.md","path":"modules/vpc-mgmt/README.md","sha":"9dd4c2d8639e4e8833257cdb5407c3de0b3c1c00"},{"name":"main.tf","path":"modules/vpc-mgmt/main.tf","sha":"352667a5d003e864f4a62b0cc6c2c7b03b82a97c"},{"name":"outputs.tf","path":"modules/vpc-mgmt/outputs.tf","sha":"5c5ff7409ce2687c4c041279cb41717102d4d0a0"},{"name":"variables.tf","path":"modules/vpc-mgmt/variables.tf","sha":"682342efa6eed7bf896181063983ca4b6d6e1ebc"}]},{"name":"vpc-peering-cross-accounts-accepter","children":[{"name":"README.md","path":"modules/vpc-peering-cross-accounts-accepter/README.md","sha":"d404e5ac5e400defe8aba3d7f79d0f66870b4d3f"},{"name":"main.tf","path":"modules/vpc-peering-cross-accounts-accepter/main.tf","sha":"501f1631fbe22fa19591194cbbe39f660df3e050"},{"name":"outputs.tf","path":"modules/vpc-peering-cross-accounts-accepter/outputs.tf","sha":"905c5efb879537848fd4df0d0f47465a4cf6c87c"},{"name":"variables.tf","path":"modules/vpc-peering-cross-accounts-accepter/variables.tf","sha":"3f174a39f50ae6485daf74dbf29233a9c9047483"},{"name":"versions.tf","path":"modules/vpc-peering-cross-accounts-accepter/versions.tf","sha":"28640ec1da695ee287382ef7afdcf85ac433bc89"}]},{"name":"vpc-peering-cross-accounts-requester","children":[{"name":"README.md","path":"modules/vpc-peering-cross-accounts-requester/README.md","sha":"bca1ccf011064f52f80c6cafca8a1eb8aed17c29"},{"name":"main.tf","path":"modules/vpc-peering-cross-accounts-requester/main.tf","sha":"47ebaefe6f780a5eea708bd2c53c0101292dfd2c"},{"name":"outputs.tf","path":"modules/vpc-peering-cross-accounts-requester/outputs.tf","sha":"dc15d00e21644f86600bedb6359954e3bbc20f54"},{"name":"variables.tf","path":"modules/vpc-peering-cross-accounts-requester/variables.tf","sha":"16ad583c4ff493c2a831bbe6f46c0a3f7de35bde"},{"name":"versions.tf","path":"modules/vpc-peering-cross-accounts-requester/versions.tf","sha":"28640ec1da695ee287382ef7afdcf85ac433bc89"}]},{"name":"vpc-peering-external","children":[{"name":"README.md","path":"modules/vpc-peering-external/README.md","sha":"975a0436cd016a0d49429d8166a1f97ab5d203bf"},{"name":"main.tf","path":"modules/vpc-peering-external/main.tf","sha":"41087a1dbed515ce705285b209f3c3301830af85"},{"name":"variables.tf","path":"modules/vpc-peering-external/variables.tf","sha":"b7a9760c9a22524b8452e83d68495b31e3af18dc"}]},{"name":"vpc-peering","children":[{"name":"README.md","path":"modules/vpc-peering/README.md","sha":"56b1e169cef2f4201c8204611ea0364c5f04bf2c"},{"name":"main.tf","path":"modules/vpc-peering/main.tf","sha":"103aa53bd83e50f01e22147d3684fa2dc1fb1f24"},{"name":"variables.tf","path":"modules/vpc-peering/variables.tf","sha":"60502cffac1867fa48a5f68ef6ef0aa566cef21e"}]}],"toggled":true},{"name":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","path":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","sha":"ae586c0fe830819580e1009d41a9074f16e65bed"},{"name":"test","children":[{"name":"README.md","path":"test/README.md","sha":"ef26d3851db2fff0b36dfa61379724c0db9ff281"},{"name":"go.mod","path":"test/go.mod","sha":"7d7692f4b06a39de2aaedafd6028d114ed56aa1e"},{"name":"go.sum","path":"test/go.sum","sha":"cdbfc6dff8e67058738f21e3afd77cffa4a84ac3"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"0558952282f8e5fc1e7c890d811ceb7a2fc2a7d1"},{"name":"vpc_app_no_nat_gateway_test.go","path":"test/vpc_app_no_nat_gateway_test.go","sha":"c23d6186a6ebb7de534c9dcc73f74a8e278cf4c2"},{"name":"vpc_app_subnets_disabled_test.go","path":"test/vpc_app_subnets_disabled_test.go","sha":"cbdbd132ce71f6e56da2dac48fd62cddc2b65b9b"},{"name":"vpc_app_test.go","path":"test/vpc_app_test.go","sha":"d564a91c16fef917f1454f6409ac55f32f1199bb"},{"name":"vpc_app_with_endpoint_test.go","path":"test/vpc_app_with_endpoint_test.go","sha":"7d0308586c09b36ff78fce285c765cb340a78e02"},{"name":"vpc_app_with_inbound_network_test.go","path":"test/vpc_app_with_inbound_network_test.go","sha":"13b78ced82ed45618e5b74399f19e3a79a2d9322"},{"name":"vpc_custom_cidr_blocks_test.go","path":"test/vpc_custom_cidr_blocks_test.go","sha":"056710e3d1fc6d6affc28f23caef27cac9042519"},{"name":"vpc_flow_logs_test.go","path":"test/vpc_flow_logs_test.go","sha":"7aa4a9e4fcfa99d60b054a8d33ae1c2a52991ab6"},{"name":"vpc_mgmt_no_nat_gateway_test.go","path":"test/vpc_mgmt_no_nat_gateway_test.go","sha":"98a5b6189e3651267f7038f906deaa0304fcc699"},{"name":"vpc_mgmt_test.go","path":"test/vpc_mgmt_test.go","sha":"4df8061bd0de902e3ef3d1ff56e4e32758fb8ad8"},{"name":"vpc_network_acls_test.go","path":"test/vpc_network_acls_test.go","sha":"5ed930679340c81ea7549b0a26e94566e18ce660"},{"name":"vpc_peering_cross_accounts_test.go","path":"test/vpc_peering_cross_accounts_test.go","sha":"8b1b13de36acd9dc77fa28c2a2daeacb383ee7c5"},{"name":"vpc_peering_external_test.go","path":"test/vpc_peering_external_test.go","sha":"2ce81263d16d2b5f7387993404bea2849ca60698"},{"name":"vpc_peering_test.go","path":"test/vpc_peering_test.go","sha":"5a806d75862d8de21f52d4682d3d32ef7ea66aed"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"vpc-app-network-ac-ls-terraform-module\">VPC-App Network ACLs Terraform Module</h1><div class=\"preview__body--border\"></div><p>This Terraform Module adds a default set of <a href=\"http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html\" class=\"preview__body--description--blue\" target=\"_blank\">Network\nACLs</a> to a VPC created using the\n<a href=\"/repos/v0.15.6/terraform-aws-vpc/modules/vpc-app\" class=\"preview__body--description--blue\">vpc-app</a> module. The ACLs enforce the following security settings (based on <a href=\"https://www.whaletech.co/2014/10/02/reference-vpc-architecture.html\" class=\"preview__body--description--blue\" target=\"_blank\">A Reference VPC\nArchitecture</a>):</p>\n<ul>\n<li><strong>Public subnet</strong>: Allow all requests.</li>\n<li><strong>Private app subnet</strong>: Allow all requests to/from the public subnets, private persistence subnets, and the Mgmt VPC.\nAllow all outbound TCP requests plus return traffic from any IP for those TCP requests on <a href=\"http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html#VPC_ACLs_Ephemeral_Ports\" class=\"preview__body--description--blue\" target=\"_blank\">ephemeral\nports</a>.</li>\n<li><strong>Private persistence subnet</strong>: Allow all requests to/from the private app subnets and the Mgmt VPC.</li>\n</ul>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-you-use-this-module\">How do you use this module?</h2>\n<p>Check out the <a href=\"/repos/v0.15.6/terraform-aws-vpc/examples/vpc-network-acls\" class=\"preview__body--description--blue\">vpc-network-acls example</a>.</p>\n<p>Check out <a href=\"/repos/v0.15.6/terraform-aws-vpc/modules/vpc-app-network-acls/variables.tf\" class=\"preview__body--description--blue\">variables.tf</a> for all the configuration options available.</p>\n<h2 class=\"preview__body--subtitle\" id=\"whats-a-vpc\">What's a VPC?</h2>\n<p>A <a href=\"https://aws.amazon.com/vpc/\" class=\"preview__body--description--blue\" target=\"_blank\">VPC</a> or Virtual Private Cloud is a logically isolated section of your AWS cloud. Each\nVPC defines a virtual network within which you run your AWS resources, as well as rules for what can go in and out of\nthat network. This includes subnets, route tables that tell those subnets how to route inbound and outbound traffic,\nsecurity groups, firewalls for the subnet (known as "Network ACLs"), and any other network components such as VPN connections.</p>\n<h2 class=\"preview__body--subtitle\" id=\"whats-a-network-acl\">What's a Network ACL?</h2>\n<p><a href=\"http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html\" class=\"preview__body--description--blue\" target=\"_blank\">Network ACLs</a> provide an extra layer of network\nsecurity, similar to a <a href=\"http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\" class=\"preview__body--description--blue\" target=\"_blank\">security group</a>.\nWhereas a security group controls what inbound and outbound traffic is allowed for a specific resource (e.g. a single\nEC2 instance), a network ACL controls what inbound and outbound traffic is allowed for an entire subnet.</p>\n<h2 class=\"preview__body--subtitle\" id=\"how-do-i-configure-the-network-ac-ls-for-public-elb-access\">How do I configure the Network ACLs for public ELB access?</h2>\n<p>The recommended configuration for public Elastic Load Balancers is to deploy the public facing ELB (Application Load\nBalancer/ALB or Network Load Balancer/NLB) in the public subnet tier, and the applications in the private app subnet\ntier. For the most part, the Network ACLs configured in this module should be sufficient for exposing access to the\nprivate services through the public ELB.</p>\n<p>However, for NLBs, the default network ACLs in the module would restrict access to the private services routed from the\nNLB if the application is listening on a privileged port (port numbers less than 1024, e.g. HTTP port 80). This is\nbecause unlike ALBs, NLBs do not do address translation, and thus the VPC firewalls end up seeing the client IP address\ninstead of the NLB IP address. This triggers the firewall rules in the network ACLs that will block access to the\nprivate service in the private app subnet, as the traffic will not appear to come from the public subnet tier.</p>\n<p>To ensure the NLB traffic can make it to the private service, you must expose access to the privileged port from the\nclient IP address in the network ACL rules. To do this, you can use the <code>private_app_allow_inbound_ports_from_cidr</code>\ninput variable. For example, to allow access to a service listening on port 443 (HTTPS):</p>\n<pre><span class=\"hljs-keyword\">module</span> <span class=\"hljs-string\">\"network_acls\"</span> {\n <span class=\"hljs-comment\"># other arguments omitted for brevity</span>\n\n private_app_allow_inbound_ports_from_cidr = {\n AllowAnyPublicHTTP = {\n client_cidr_block = <span class=\"hljs-string\">\"0.0.0.0/0\"</span>\n protocol = <span class=\"hljs-string\">\"tcp\"</span>\n from_port = <span class=\"hljs-number\">443</span>\n to_port = <span class=\"hljs-number\">443</span>\n\n <span class=\"hljs-comment\"># We pick rule number 99 to ensure it has the highest priority.</span>\n rule_number = <span class=\"hljs-number\">99</span>\n }\n }\n}\n</pre>\n","repoName":"terraform-aws-vpc","repoRef":"v0.15.3","serviceDescriptor":{"serviceName":"Virtual Private Cloud (VPC)","serviceRepoName":"terraform-aws-vpc","serviceRepoOrg":"gruntwork-io","cloudProviders":["aws"],"description":"Create a Virtual Private Cloud (VPC). Includes multiple subnet tiers, NACLs, NAT gateways, Internet Gateways, and VPC peering.","imageUrl":"vpc.png","licenseType":"subscriber","technologies":["Terraform"],"compliance":[],"tags":[""]},"serviceCategoryName":"Networking","fileName":"README.md","filePath":"/modules/vpc-app-network-acls","title":"Repo Browser: Virtual Private Cloud (VPC)","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}
.circleci
main.tf
