Browse the Repo

file-type-icon.circleci
file-type-iconexamples
file-type-iconmodules
file-type-icon_docs
file-type-iconnetwork-acl-inbound
file-type-iconnetwork-acl-outbound
file-type-iconvpc-app-network-acls
file-type-iconvpc-app
file-type-iconvpc-dns-forwarder-rules
file-type-iconvpc-dns-forwarder
file-type-iconvpc-flow-logs
file-type-iconvpc-interface-endpoint
file-type-iconvpc-mgmt-network-acls
file-type-iconvpc-mgmt
file-type-iconREADME.md
file-type-iconmain.tf
file-type-iconoutputs.tf
file-type-iconvariables.tf
file-type-iconvpc-peering-cross-accounts-accepter
file-type-iconvpc-peering-cross-accounts-requester
file-type-iconvpc-peering-external
file-type-iconvpc-peering
file-type-icontest
file-type-icon.gitignore
file-type-icon.pre-commit-config.yaml
file-type-iconCODEOWNERS
file-type-iconLICENSE.txt
file-type-iconREADME.md
file-type-iconterraform-cloud-enterprise-private-module-...

Browse the Repo

file-type-icon.circleci
file-type-iconexamples
file-type-iconmodules
file-type-icon_docs
file-type-iconnetwork-acl-inbound
file-type-iconnetwork-acl-outbound
file-type-iconvpc-app-network-acls
file-type-iconvpc-app
file-type-iconvpc-dns-forwarder-rules
file-type-iconvpc-dns-forwarder
file-type-iconvpc-flow-logs
file-type-iconvpc-interface-endpoint
file-type-iconvpc-mgmt-network-acls
file-type-iconvpc-mgmt
file-type-iconREADME.md
file-type-iconmain.tf
file-type-iconoutputs.tf
file-type-iconvariables.tf
file-type-iconvpc-peering-cross-accounts-accepter
file-type-iconvpc-peering-cross-accounts-requester
file-type-iconvpc-peering-external
file-type-iconvpc-peering
file-type-icontest
file-type-icon.gitignore
file-type-icon.pre-commit-config.yaml
file-type-iconCODEOWNERS
file-type-iconLICENSE.txt
file-type-iconREADME.md
file-type-iconterraform-cloud-enterprise-private-module-...
Virtual Private Cloud (VPC)

Virtual Private Cloud (VPC)

Create a Virtual Private Cloud (VPC). Includes multiple subnet tiers, NACLs, NAT gateways, Internet Gateways, and VPC peering.

Code Preview

Preview the Code

mobile file icon

README.md

down

[DEPRECATED] VPC-Mgmt Terraform Module

The vpc-mgmt module is now deprecated. The main difference between vpc-mgmt and vpc-app was that vpc-app had three tiers of subnets (public, private-app, private-persistence) and vpc-mgmt had two (public, private). As of v0.12.1, vpc-app allows you to disable any of the subnet tiers using the create_public_subnets, create_private_app_subnets, and create_private_persistence_subnets input variables, respectively, so it can now support 1, 2, or 3 tiers of subnets, as needed. Therefore, we recommend using vpc-app for all your VPCs in the future. If you're already using vpc-mgmt, we will continue to maintain it for a little while longer, but please be aware that, in a future release, once we feel the new functionality in vpc-app is fully baked, we will remove vpc-mgmt entirely.

This Terraform Module launches a single VPC meant to house DevOps and other management services. By contrast, the apps that power your business should run in an "app" VPC. (See the vpc-app module.)

How do you use this module?

Check out the examples folder.

What's a VPC?

A VPC or Virtual Private Cloud is a logically isolated section of your AWS cloud. Each VPC defines a virtual network within which you run your AWS resources, as well as rules for what can go in and out of that network. This includes subnets, route tables that tell those subnets how to route inbound and outbound traffic, security groups, firewalls for the subnet (known as "Network ACLs"), and any other network components such as VPN connections.

Two Subnet Tiers

This VPC defines two "tiers" of subnets:

  • Public Subnets: Resources in these subnets are directly addressable from the Internet. Only public-facing resources (typically just load balancers and the bastion host) should be put here.
  • Private/App Subnets: Resources in these subnets are NOT directly addressable from the Internet but they can make outbound connections to the Internet through a NAT Gateway. You can connect to the resources in this subnet only from resources within the VPC, so you should put your app servers here and allow the load balancers in the Public Subnet to route traffic to them.

VPC Architecture

The use of a Management VPC is inspired by the VPC Architecture described by Ben Whaley in his blog post A Reference VPC Architecture. That blog post proposed the following VPC structure:

VPC Diagram

To summarize:

  • The only way operators can access our private network is through a mgmt VPC.
  • The mgmt VPC uses VPC Peering so that, once in the mgmt VPC, you can access any other environment, but once in any other environment, you can only access the mgmt VPC (e.g. you cannot access prod from stage).
  • We put "environment-agnostic" or management-level resources in the mgmt VPC such as Jenkins, a metrics store, an LDAP server, etc.

VPC Peering

Learn more about VPC Peering in the vpc-peering module.

SSH Access via the Bastion Host

To SSH into any of your EC2 Instances in a private subnet, we recommend launching a single "Bastion Host" to use as an SSH jump host. For more info, see the Bastion Host examples.

Gotchas

Gotchas

  • If the num_availability_zones variable in the mgmt VPC and the num_availability_zones variable in the app VPC don't match, there are problems with the routes that are created between the two VPCs as part of setting up VPC Peering. If your use case requires different numbers of Availability Zones for each of these VPCs, please let us know and we'll investigate further!

Other VPC Core Concepts

Learn about Other VPC Core Concepts like subnets, NAT Gateways, and VPC Endpoints.

Questions? Ask away.

We're here to talk about our services, answer any questions, give advice, or just to chat.

Ready to hand off the Gruntwork?