This example creates an App VPC and a Mgmt VPC and shows how to use the
vpc-app-network-acls and vpc-mgmt-network-acls
modules to add Network ACLs that control what inbound and outbound network traffic is allowed in each subnet
of those VPCs. We also launch a number of EC2 instances in each VPC to test the ACLs.
Quick start
To try these templates out you must have Terraform installed (minimum version: 0.12):
Open variables.tf, set the environment variables specified at the top of the file, and fill in any other variables that
don't have a default.
Run terraform init.
Run terraform plan.
If the plan looks good, run terraform apply.
What's a Network ACL?
Network ACLs provide an extra layer of network
security, similar to a security group.
Whereas a security group controls what inbound and outbound traffic is allowed for a specific resource (e.g. a single
EC2 instance), a network ACL controls what inbound and outbound traffic is allowed for an entire subnet.
Our VPC Structure
To keep this example simple, we create just two VPCs. For a real-world use-case, we recommend following theReference
VPC Architecture and creating three VPCs:
Prod VPC: For production workloads. You can create this type of VPC using the vpc-app module,
as shown in the vpc-app example.
Stage VPC: For non-production workloads. You can create this type of VPC using the vpc-app
module, as shown in the vpc-app example.
Mgmt VPC: Where operators run DevOps tooling and login. You can create this type of VPC using the
vpc-mgmt module, as shown in the templates in the vpc-mgmt example.
VPC Isolation
Each VPC is completely isolated from the other, so if you connect to one VPC, there is no way to access another VPC.
This is part of the "defense-in-depth" philosophy: even if attackers breaches one level of our security, they still
have other problems to deal with at the next level. It's also useful to ensure that changes you make in one VPC don't
accidentally cause problems in another. However, it can be useful to permit limited, controlled access between VPCs,
such as allowing a DevOps tool in the Mgmt VPC to deploy code in the Stage and Prod VPCs. See the
vpc-peering example to learn how this can be done.
Note that to make testing easier in this example, we create all three VPCs in the same Terraform template, but in
real-world usage you should create each VPC in a separate set of templates so that it gets a separate state file. That
way, you get more isolation, and if you somehow corrupt the state file while testing a change in one VPC, it does
not affect the state file for another VPC.
Subnets and Network ACLs
Each VPC defines different "tiers" of subnets, or logical subdivisions of the VPC. The vpc-app
module creates public, private app, and private persistence subnets. The vpc-mgmt module
creates public and private subnets. By default, the only limitations on those subnets are that public subnets are
accessible from the public Internet, while private subnets are not.
The templates in this example show how we can improve security in these subnets by adding Network ACLs. In particular,
the ACLs ensure that each subnet can only receive and send traffic to "adjacent" subnets (e.g. the private persistence
subnet receive requests from the private app subnet, but not the public subnet) as well as the Mgmt VPC. See the
vpc-app-network-acls and vpc-mgmt-network-acls
modules for details.
EC2 instances in this example
This example launches the following resources for demonstration and testing purposes:
App VPC instances: Launch one EC2 Instance in a public subnet, one in a private app subnet, and one in a
private persistence subnet.
Mgmt VPC instances: Launch one EC2 Instance in a public subnet and one in a private subnet.
SSH access
Any instance launched in a private subnet will not have a public IP address. Therefore, the only way to SSH to an
instance in a private subnet is to first SSH to an instance in a public subnet and use it as a "jump host". Note that
the Network ACLs in the templates in this example prevent any connections in the App VPCs between a public
subnet and a private persistence subnet, unless that public subnet is in the Mgmt VPC. Therefore, the only way to SSH
to an instance in the private persistence subnet is to enable VPC peering as shown in the vpc-peering
example and to connect via an instance in the public subnet of the Mgmt VPC. See the Bastion Host
examples for more info.
Known Errors
This terraform template may intermittently trigger certain non-critical errors caused by eventual consistency bugs in
Terraform. These are usually harmless and all you need to do to get around them is to re-run terraform apply.
Questions? Ask away.
We're here to talk about our services, answer any questions, give advice, or just to chat.
{"treedata":{"name":"root","toggled":true,"children":[{"name":".circleci","children":[{"name":"config.yml","path":".circleci/config.yml","sha":"507cd238c2a8e0b109703f3565de8a86a4afc582"}]},{"name":".gitignore","path":".gitignore","sha":"b4d646276b2bd09ca0637874dedb1e03dc831406"},{"name":".pre-commit-config.yaml","path":".pre-commit-config.yaml","sha":"49ee828ed16f55335ac4dcc74331f190366b1858"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"8c24c86ef8447a19436b38826f458c71b4da4f45"},{"name":"LICENSE.txt","path":"LICENSE.txt","sha":"f4e3d9bd4717a044ed31ad847a300eee74371a78"},{"name":"README.md","path":"README.md","sha":"8a7aee892ef4a96ed61dd236f1306ebd630a3f06"},{"name":"examples","children":[{"name":"vpc-app-no-nat-gateway","children":[{"name":"README.md","path":"examples/vpc-app-no-nat-gateway/README.md","sha":"ea0486fef279cbb8aced2c65a39a350a65be725f"},{"name":"main.tf","path":"examples/vpc-app-no-nat-gateway/main.tf","sha":"41622b9ed95a4eef916654976075aa52392597c3"},{"name":"outputs.tf","path":"examples/vpc-app-no-nat-gateway/outputs.tf","sha":"e5fe2a9caaa3168dd704ef17ca49fbba76b3ede7"},{"name":"variables.tf","path":"examples/vpc-app-no-nat-gateway/variables.tf","sha":"20dea2995e4f8e7b697b2d7395a7b61ab02261ac"}]},{"name":"vpc-app-subnets-disabled","children":[{"name":"README.md","path":"examples/vpc-app-subnets-disabled/README.md","sha":"67df57551702a809167ca70b61c95b62e08991f0"},{"name":"main.tf","path":"examples/vpc-app-subnets-disabled/main.tf","sha":"6bd73323b34102015d0c0d2391e5eb764b7b64b2"},{"name":"outputs.tf","path":"examples/vpc-app-subnets-disabled/outputs.tf","sha":"6630dcfe2cf399866778a70b9f5530d99d5fc886"},{"name":"variables.tf","path":"examples/vpc-app-subnets-disabled/variables.tf","sha":"d29c3a45b54bb5e7e549d9a46d228ce7e427ad6d"}]},{"name":"vpc-app-with-endpoint","children":[{"name":"README.md","path":"examples/vpc-app-with-endpoint/README.md","sha":"d156678fe7d97d89370b1f95cf0558bf3d2a6430"},{"name":"main.tf","path":"examples/vpc-app-with-endpoint/main.tf","sha":"1a8dcb678fe9d8e81c024e615ce608d807bce0d1"},{"name":"outputs.tf","path":"examples/vpc-app-with-endpoint/outputs.tf","sha":"36e21a8b972bd561cbc3bdaea7b21b8982d6a662"},{"name":"variables.tf","path":"examples/vpc-app-with-endpoint/variables.tf","sha":"be23cd1bfd3a29beb63724612f6bb9a7e5bd3d25"}]},{"name":"vpc-app-with-inbound-network","children":[{"name":"README.md","path":"examples/vpc-app-with-inbound-network/README.md","sha":"25dde99ed73bd19243e09131bc94cfd05fa0214d"},{"name":"main.tf","path":"examples/vpc-app-with-inbound-network/main.tf","sha":"5834e51ae903bf23b3db0e724386fbfe1deb73cc"},{"name":"outputs.tf","path":"examples/vpc-app-with-inbound-network/outputs.tf","sha":"729e7cb3afd8cfee49d4dde4ca3ba20f88ad930f"},{"name":"variables.tf","path":"examples/vpc-app-with-inbound-network/variables.tf","sha":"20dea2995e4f8e7b697b2d7395a7b61ab02261ac"}]},{"name":"vpc-app","children":[{"name":"README.md","path":"examples/vpc-app/README.md","sha":"ea0486fef279cbb8aced2c65a39a350a65be725f"},{"name":"main.tf","path":"examples/vpc-app/main.tf","sha":"8b9ee923caf612d802305e83ac65075216a9e2e3"},{"name":"outputs.tf","path":"examples/vpc-app/outputs.tf","sha":"e5fe2a9caaa3168dd704ef17ca49fbba76b3ede7"},{"name":"variables.tf","path":"examples/vpc-app/variables.tf","sha":"20dea2995e4f8e7b697b2d7395a7b61ab02261ac"}]},{"name":"vpc-custom-cidr-blocks","children":[{"name":"README.md","path":"examples/vpc-custom-cidr-blocks/README.md","sha":"aef7de470f10d0d215966842b737bd41a33c98a5"},{"name":"main.tf","path":"examples/vpc-custom-cidr-blocks/main.tf","sha":"c6b67893a5785b84ad9233bd44b4c4d034beff5d"},{"name":"outputs.tf","path":"examples/vpc-custom-cidr-blocks/outputs.tf","sha":"e5fe2a9caaa3168dd704ef17ca49fbba76b3ede7"},{"name":"variables.tf","path":"examples/vpc-custom-cidr-blocks/variables.tf","sha":"56d3e0ca50ded5ea2535c71f3568f3728106a42b"}]},{"name":"vpc-flow-logs","children":[{"name":"README.md","path":"examples/vpc-flow-logs/README.md","sha":"75f78906088bbfb2be1e016e11958776b9a5f474"},{"name":"main.tf","path":"examples/vpc-flow-logs/main.tf","sha":"cd3332c0f244d713956535917d1880164819feb9"},{"name":"outputs.tf","path":"examples/vpc-flow-logs/outputs.tf","sha":"1832dd649235eb4f917497c2772299c761d39dad"},{"name":"variables.tf","path":"examples/vpc-flow-logs/variables.tf","sha":"3ac7ead850b612a5973fd4c58192dc6b856330df"}]},{"name":"vpc-mgmt-no-nat-gateway","children":[{"name":"README.md","path":"examples/vpc-mgmt-no-nat-gateway/README.md","sha":"31e1e6c333d42951a9929d3c1d2c4bf391a47794"},{"name":"main.tf","path":"examples/vpc-mgmt-no-nat-gateway/main.tf","sha":"64ee074d92e33413b5fe1d8bd5ebc051ad3750e3"},{"name":"outputs.tf","path":"examples/vpc-mgmt-no-nat-gateway/outputs.tf","sha":"c11cde7873d030ed8e8e44a726ee2ea19d65fcd6"},{"name":"variables.tf","path":"examples/vpc-mgmt-no-nat-gateway/variables.tf","sha":"bf7cddc01e2b42855c9c435e5c2751e010e6a435"}]},{"name":"vpc-mgmt","children":[{"name":"README.md","path":"examples/vpc-mgmt/README.md","sha":"31e1e6c333d42951a9929d3c1d2c4bf391a47794"},{"name":"main.tf","path":"examples/vpc-mgmt/main.tf","sha":"9e5438a030c2b91dc3eb4fd53dd8ae9082662a07"},{"name":"outputs.tf","path":"examples/vpc-mgmt/outputs.tf","sha":"c11cde7873d030ed8e8e44a726ee2ea19d65fcd6"},{"name":"variables.tf","path":"examples/vpc-mgmt/variables.tf","sha":"59225eb0320c7af08fa4cade7bbeaf10bdeac295"}]},{"name":"vpc-network-acls","children":[{"name":"README.md","path":"examples/vpc-network-acls/README.md","sha":"dba18c12b6ba20ddecbc23aa2d89c7ade17c5680","toggled":true},{"name":"main.tf","path":"examples/vpc-network-acls/main.tf","sha":"8fa639aadf004b6c4e76b7d460d2c9b2bb3f809c"},{"name":"outputs.tf","path":"examples/vpc-network-acls/outputs.tf","sha":"5f59a828f7128b7bd7e52599fa794abd0f760293"},{"name":"variables.tf","path":"examples/vpc-network-acls/variables.tf","sha":"a19ecd5a9d56e8127d6dbd39ea9594b0ef49a696"}],"toggled":true},{"name":"vpc-peering-cross-accounts","children":[{"name":"README.md","path":"examples/vpc-peering-cross-accounts/README.md","sha":"5bdbe3edf6abf89c0e3fc5098047ffdd4eefc0f9"},{"name":"accepter.tf","path":"examples/vpc-peering-cross-accounts/accepter.tf","sha":"052c6a9bd2d349dbde283afd472b6a7753526718"},{"name":"dependencies.tf","path":"examples/vpc-peering-cross-accounts/dependencies.tf","sha":"dfba9143d3037101cfb72dfd42351651765104bb"},{"name":"outputs.tf","path":"examples/vpc-peering-cross-accounts/outputs.tf","sha":"5257d0521e3fa33b514cb90f55a811416141c9a2"},{"name":"providers.tf","path":"examples/vpc-peering-cross-accounts/providers.tf","sha":"e1e3cb4875ae9d9484ef965ad5ced9fa05bce6be"},{"name":"requester.tf","path":"examples/vpc-peering-cross-accounts/requester.tf","sha":"376903e14eb2eee2dbc3aef37f6054c3b15028f2"},{"name":"variables.tf","path":"examples/vpc-peering-cross-accounts/variables.tf","sha":"a3af170a52ebe3617c5cbdbc751924c2ef77560a"},{"name":"versions.tf","path":"examples/vpc-peering-cross-accounts/versions.tf","sha":"28640ec1da695ee287382ef7afdcf85ac433bc89"}]},{"name":"vpc-peering-external","children":[{"name":"README.md","path":"examples/vpc-peering-external/README.md","sha":"2ab2674e3ec16b14c9b79ef96ca808078549ff5d"},{"name":"main.tf","path":"examples/vpc-peering-external/main.tf","sha":"4dd1f332fdecbc2cddbd5772d7c231899ef4ee5c"},{"name":"outputs.tf","path":"examples/vpc-peering-external/outputs.tf","sha":"5239df47a80d13f33ea58412eb73a83f4ff431ed"},{"name":"variables.tf","path":"examples/vpc-peering-external/variables.tf","sha":"891f648219c644354f932af309fa3dffb0de3bd5"}]},{"name":"vpc-peering","children":[{"name":"README.md","path":"examples/vpc-peering/README.md","sha":"72acac0226368d798bc1f29623e61749d84af87a"},{"name":"main.tf","path":"examples/vpc-peering/main.tf","sha":"9b7c2efac60ac2cc78a38242e9f2fcf9c35d88d5"},{"name":"outputs.tf","path":"examples/vpc-peering/outputs.tf","sha":"85acf3fc320ca7969f57133d94515e80150f7c79"},{"name":"variables.tf","path":"examples/vpc-peering/variables.tf","sha":"6a8eb9ed4db5427a9eddb3205cfca9fc7386c085"}]}],"toggled":true},{"name":"modules","children":[{"name":"_docs","children":[{"name":"vpc-core-concepts.md","path":"modules/_docs/vpc-core-concepts.md","sha":"6c5780d57f69364b702bbaa5337aa3a1d693370d"},{"name":"vpc_app_architecture.png","path":"modules/_docs/vpc_app_architecture.png","sha":"1cb6d726e1a35614b27be9f3d45b9752589b9683"}]},{"name":"network-acl-inbound","children":[{"name":"README.md","path":"modules/network-acl-inbound/README.md","sha":"3784f45a817ccb73f2e8254c22c674eb77f29a8d"},{"name":"main.tf","path":"modules/network-acl-inbound/main.tf","sha":"add97f3a0746f3f47f4bda81d728feb6c81cee7b"},{"name":"variables.tf","path":"modules/network-acl-inbound/variables.tf","sha":"5bb3140cec48ca71ebc09ac664fca09c115ad77b"}]},{"name":"network-acl-outbound","children":[{"name":"README.md","path":"modules/network-acl-outbound/README.md","sha":"b0a204c8f1e30c99da43158c231436b018e53db6"},{"name":"main.tf","path":"modules/network-acl-outbound/main.tf","sha":"6b8c95a68fa8a4c0c409b6aa810d14ce0ff930ab"},{"name":"variables.tf","path":"modules/network-acl-outbound/variables.tf","sha":"a36ad2e23d0bab06dc5f2333203c2e9092f5e741"}]},{"name":"vpc-app-network-acls","children":[{"name":"README.md","path":"modules/vpc-app-network-acls/README.md","sha":"911b1a1bd141f1754267782937d091579884b286"},{"name":"main.tf","path":"modules/vpc-app-network-acls/main.tf","sha":"e9e3c96388baceb65ad9b6102f7d733580803373"},{"name":"outputs.tf","path":"modules/vpc-app-network-acls/outputs.tf","sha":"1e48debceed70b0444a7f7c8fc4c6f90d7cd49d3"},{"name":"variables.tf","path":"modules/vpc-app-network-acls/variables.tf","sha":"0b7fbc4e788afeb21a70041485d8d7fef7f2476b"}]},{"name":"vpc-app","children":[{"name":"README.md","path":"modules/vpc-app/README.md","sha":"0c1a23fc7cf7df8045b5dc45def50662d21cac0a"},{"name":"main.tf","path":"modules/vpc-app/main.tf","sha":"a4b108a7a53c61ae099431ea70365521248e7a90"},{"name":"outputs.tf","path":"modules/vpc-app/outputs.tf","sha":"943edfaa07fe82477bc739f7fd10017452e0565d"},{"name":"variables.tf","path":"modules/vpc-app/variables.tf","sha":"8a97cb5f7c7f685f68210c0ac3692473b61c9133"}]},{"name":"vpc-dns-forwarder-rules","children":[{"name":"README.md","path":"modules/vpc-dns-forwarder-rules/README.md","sha":"e61361e740adf9b6c95de03ee3ee4044162f57b8"},{"name":"main.tf","path":"modules/vpc-dns-forwarder-rules/main.tf","sha":"9beaa511796c5f83828a846e9ef0a5f74507a45d"},{"name":"variables.tf","path":"modules/vpc-dns-forwarder-rules/variables.tf","sha":"b5baaad0819ce7c23d47d1292fe0798dee12cdf5"}]},{"name":"vpc-dns-forwarder","children":[{"name":"README.md","path":"modules/vpc-dns-forwarder/README.md","sha":"0d0b4fffb15431758fd436c7cdc474bace686b7e"},{"name":"main.tf","path":"modules/vpc-dns-forwarder/main.tf","sha":"21141be19f6d9ed429140065e2dd3a0ec231f27b"},{"name":"outputs.tf","path":"modules/vpc-dns-forwarder/outputs.tf","sha":"382b7f3ae80e99cfd8325c9b4de404110e4d85ef"},{"name":"variables.tf","path":"modules/vpc-dns-forwarder/variables.tf","sha":"3c27308d90da5517d686c5bfb901801ba65637c0"}]},{"name":"vpc-flow-logs","children":[{"name":"README.md","path":"modules/vpc-flow-logs/README.md","sha":"09fa1ba0a3b308bb305f2652e11b6160edf9bce0"},{"name":"main.tf","path":"modules/vpc-flow-logs/main.tf","sha":"87c8f11377a8e4928f3a84e42663d4632c976389"},{"name":"outputs.tf","path":"modules/vpc-flow-logs/outputs.tf","sha":"029e23b76b63c324e836a69891a7cb452da99a06"},{"name":"variables.tf","path":"modules/vpc-flow-logs/variables.tf","sha":"7a29a3e5792d69d9edc3a33edd6f3bf254b7a01b"}]},{"name":"vpc-interface-endpoint","children":[{"name":"README.md","path":"modules/vpc-interface-endpoint/README.md","sha":"5c65f1eec3964b3cc00637270f252406f9247a8a"},{"name":"main.tf","path":"modules/vpc-interface-endpoint/main.tf","sha":"93cc550e284bf5fdc553f2385a0bf22676598c71"},{"name":"outputs.tf","path":"modules/vpc-interface-endpoint/outputs.tf","sha":"79d037d3f3ea31cb6981c07f036e9a1704da8945"},{"name":"variables.tf","path":"modules/vpc-interface-endpoint/variables.tf","sha":"e092b663fd6d87615bbb95d42452fa72878d6436"}]},{"name":"vpc-mgmt-network-acls","children":[{"name":"README.md","path":"modules/vpc-mgmt-network-acls/README.md","sha":"670d2e66c743a02d9f8132752b3a84e447307da7"},{"name":"main.tf","path":"modules/vpc-mgmt-network-acls/main.tf","sha":"3cd745f8b39991020bfcece06f608c81636ec549"},{"name":"outputs.tf","path":"modules/vpc-mgmt-network-acls/outputs.tf","sha":"a5e4effa3263fe4789957fb3058477f0419f65ab"},{"name":"variables.tf","path":"modules/vpc-mgmt-network-acls/variables.tf","sha":"6181036ea5629d4effc3ac95c149709ad8a15b0e"}]},{"name":"vpc-mgmt","children":[{"name":"README.md","path":"modules/vpc-mgmt/README.md","sha":"9dd4c2d8639e4e8833257cdb5407c3de0b3c1c00"},{"name":"main.tf","path":"modules/vpc-mgmt/main.tf","sha":"352667a5d003e864f4a62b0cc6c2c7b03b82a97c"},{"name":"outputs.tf","path":"modules/vpc-mgmt/outputs.tf","sha":"5c5ff7409ce2687c4c041279cb41717102d4d0a0"},{"name":"variables.tf","path":"modules/vpc-mgmt/variables.tf","sha":"682342efa6eed7bf896181063983ca4b6d6e1ebc"}]},{"name":"vpc-peering-cross-accounts-accepter","children":[{"name":"README.md","path":"modules/vpc-peering-cross-accounts-accepter/README.md","sha":"d404e5ac5e400defe8aba3d7f79d0f66870b4d3f"},{"name":"main.tf","path":"modules/vpc-peering-cross-accounts-accepter/main.tf","sha":"501f1631fbe22fa19591194cbbe39f660df3e050"},{"name":"outputs.tf","path":"modules/vpc-peering-cross-accounts-accepter/outputs.tf","sha":"905c5efb879537848fd4df0d0f47465a4cf6c87c"},{"name":"variables.tf","path":"modules/vpc-peering-cross-accounts-accepter/variables.tf","sha":"3f174a39f50ae6485daf74dbf29233a9c9047483"},{"name":"versions.tf","path":"modules/vpc-peering-cross-accounts-accepter/versions.tf","sha":"28640ec1da695ee287382ef7afdcf85ac433bc89"}]},{"name":"vpc-peering-cross-accounts-requester","children":[{"name":"README.md","path":"modules/vpc-peering-cross-accounts-requester/README.md","sha":"bca1ccf011064f52f80c6cafca8a1eb8aed17c29"},{"name":"main.tf","path":"modules/vpc-peering-cross-accounts-requester/main.tf","sha":"47ebaefe6f780a5eea708bd2c53c0101292dfd2c"},{"name":"outputs.tf","path":"modules/vpc-peering-cross-accounts-requester/outputs.tf","sha":"dc15d00e21644f86600bedb6359954e3bbc20f54"},{"name":"variables.tf","path":"modules/vpc-peering-cross-accounts-requester/variables.tf","sha":"16ad583c4ff493c2a831bbe6f46c0a3f7de35bde"},{"name":"versions.tf","path":"modules/vpc-peering-cross-accounts-requester/versions.tf","sha":"28640ec1da695ee287382ef7afdcf85ac433bc89"}]},{"name":"vpc-peering-external","children":[{"name":"README.md","path":"modules/vpc-peering-external/README.md","sha":"975a0436cd016a0d49429d8166a1f97ab5d203bf"},{"name":"main.tf","path":"modules/vpc-peering-external/main.tf","sha":"41087a1dbed515ce705285b209f3c3301830af85"},{"name":"variables.tf","path":"modules/vpc-peering-external/variables.tf","sha":"b7a9760c9a22524b8452e83d68495b31e3af18dc"}]},{"name":"vpc-peering","children":[{"name":"README.md","path":"modules/vpc-peering/README.md","sha":"56b1e169cef2f4201c8204611ea0364c5f04bf2c"},{"name":"main.tf","path":"modules/vpc-peering/main.tf","sha":"103aa53bd83e50f01e22147d3684fa2dc1fb1f24"},{"name":"variables.tf","path":"modules/vpc-peering/variables.tf","sha":"60502cffac1867fa48a5f68ef6ef0aa566cef21e"}]}]},{"name":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","path":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","sha":"ae586c0fe830819580e1009d41a9074f16e65bed"},{"name":"test","children":[{"name":"README.md","path":"test/README.md","sha":"ef26d3851db2fff0b36dfa61379724c0db9ff281"},{"name":"go.mod","path":"test/go.mod","sha":"1265ba2fc1b4d3096edca6f68b11a1186c06810b"},{"name":"go.sum","path":"test/go.sum","sha":"6d536859f8a962bcbc4457a71dbc347895fe2c26"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"f7f25df492ec39528e72c8454ac2c807524d52c7"},{"name":"validation","children":[{"name":"validate_all_modules_and_examples_test.go","path":"test/validation/validate_all_modules_and_examples_test.go","sha":"74c928d0cbc2914e5cd708277bd857cb2375b660"}]},{"name":"vpc_app_no_nat_gateway_test.go","path":"test/vpc_app_no_nat_gateway_test.go","sha":"c23d6186a6ebb7de534c9dcc73f74a8e278cf4c2"},{"name":"vpc_app_subnets_disabled_test.go","path":"test/vpc_app_subnets_disabled_test.go","sha":"09d13233dec81215f8e92645ec9ffadc43aa0f6a"},{"name":"vpc_app_test.go","path":"test/vpc_app_test.go","sha":"d564a91c16fef917f1454f6409ac55f32f1199bb"},{"name":"vpc_app_with_endpoint_test.go","path":"test/vpc_app_with_endpoint_test.go","sha":"7d0308586c09b36ff78fce285c765cb340a78e02"},{"name":"vpc_app_with_inbound_network_test.go","path":"test/vpc_app_with_inbound_network_test.go","sha":"13b78ced82ed45618e5b74399f19e3a79a2d9322"},{"name":"vpc_custom_cidr_blocks_test.go","path":"test/vpc_custom_cidr_blocks_test.go","sha":"056710e3d1fc6d6affc28f23caef27cac9042519"},{"name":"vpc_flow_logs_test.go","path":"test/vpc_flow_logs_test.go","sha":"c7462ba92c39088663fafb522ddbf4117355c490"},{"name":"vpc_mgmt_no_nat_gateway_test.go","path":"test/vpc_mgmt_no_nat_gateway_test.go","sha":"98a5b6189e3651267f7038f906deaa0304fcc699"},{"name":"vpc_mgmt_test.go","path":"test/vpc_mgmt_test.go","sha":"4df8061bd0de902e3ef3d1ff56e4e32758fb8ad8"},{"name":"vpc_network_acls_test.go","path":"test/vpc_network_acls_test.go","sha":"5ed930679340c81ea7549b0a26e94566e18ce660"},{"name":"vpc_peering_cross_accounts_test.go","path":"test/vpc_peering_cross_accounts_test.go","sha":"8b1b13de36acd9dc77fa28c2a2daeacb383ee7c5"},{"name":"vpc_peering_external_test.go","path":"test/vpc_peering_external_test.go","sha":"2ce81263d16d2b5f7387993404bea2849ca60698"},{"name":"vpc_peering_test.go","path":"test/vpc_peering_test.go","sha":"fde78ff0e98bfcd42213e5e44d4d2913458ed59c"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"vpc-network-ac-ls-example\">VPC Network ACLs Example</h1><div class=\"preview__body--border\"></div><p>This example creates an App VPC and a Mgmt VPC and shows how to use the\n<a href=\"/repos/v0.18.3/terraform-aws-vpc/modules/vpc-app-network-acls\" class=\"preview__body--description--blue\">vpc-app-network-acls</a> and <a href=\"/repos/v0.18.3/terraform-aws-vpc/modules/vpc-mgmt-network-acls\" class=\"preview__body--description--blue\">vpc-mgmt-network-acls</a>\nmodules to add Network ACLs that control what inbound and outbound network traffic is allowed in each subnet\nof those VPCs. We also launch a number of EC2 instances in each VPC to test the ACLs.</p>\n<h2 class=\"preview__body--subtitle\" id=\"quick-start\">Quick start</h2>\n<p>To try these templates out you must have Terraform installed (minimum version: <code>0.12</code>):</p>\n<ol>\n<li>Open <code>variables.tf</code>, set the environment variables specified at the top of the file, and fill in any other variables that\ndon't have a default.</li>\n<li>Run <code>terraform init</code>.</li>\n<li>Run <code>terraform plan</code>.</li>\n<li>If the plan looks good, run <code>terraform apply</code>.</li>\n</ol>\n<h2 class=\"preview__body--subtitle\" id=\"whats-a-network-acl\">What's a Network ACL?</h2>\n<p><a href=\"http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html\" class=\"preview__body--description--blue\" target=\"_blank\">Network ACLs</a> provide an extra layer of network\nsecurity, similar to a <a href=\"http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html\" class=\"preview__body--description--blue\" target=\"_blank\">security group</a>.\nWhereas a security group controls what inbound and outbound traffic is allowed for a specific resource (e.g. a single\nEC2 instance), a network ACL controls what inbound and outbound traffic is allowed for an entire subnet.</p>\n<h2 class=\"preview__body--subtitle\" id=\"our-vpc-structure\">Our VPC Structure</h2>\n<p>To keep this example simple, we create just two VPCs. For a real-world use-case, we recommend following the<a href=\"https://www.whaletech.co/2014/10/02/reference-vpc-architecture.html\" class=\"preview__body--description--blue\" target=\"_blank\">Reference\nVPC Architecture</a> and creating three VPCs:</p>\n<ul>\n<li><strong>Prod VPC</strong>: For production workloads. You can create this type of VPC using the <a href=\"/repos/v0.18.3/terraform-aws-vpc/modules/vpc-app\" class=\"preview__body--description--blue\">vpc-app</a> module,\nas shown in the <a href=\"/repos/v0.18.3/terraform-aws-vpc/examples/vpc-app\" class=\"preview__body--description--blue\">vpc-app</a> example.</li>\n<li><strong>Stage VPC</strong>: For non-production workloads. You can create this type of VPC using the <a href=\"/repos/v0.18.3/terraform-aws-vpc/modules/vpc-app\" class=\"preview__body--description--blue\">vpc-app</a>\nmodule, as shown in the <a href=\"/repos/v0.18.3/terraform-aws-vpc/examples/vpc-app\" class=\"preview__body--description--blue\">vpc-app</a> example.</li>\n<li><strong>Mgmt VPC</strong>: Where operators run DevOps tooling and login. You can create this type of VPC using the\n<a href=\"/repos/v0.18.3/terraform-aws-vpc/modules/vpc-mgmt\" class=\"preview__body--description--blue\">vpc-mgmt</a> module, as shown in the templates in the <a href=\"/repos/v0.18.3/terraform-aws-vpc/examples/vpc-mgmt\" class=\"preview__body--description--blue\">vpc-mgmt</a> example.</li>\n</ul>\n<h2 class=\"preview__body--subtitle\" id=\"vpc-isolation\">VPC Isolation</h2>\n<p>Each VPC is completely isolated from the other, so if you connect to one VPC, there is no way to access another VPC.\nThis is part of the "defense-in-depth" philosophy: even if attackers breaches one level of our security, they still\nhave other problems to deal with at the next level. It's also useful to ensure that changes you make in one VPC don't\naccidentally cause problems in another. However, it can be useful to permit limited, controlled access between VPCs,\nsuch as allowing a DevOps tool in the Mgmt VPC to deploy code in the Stage and Prod VPCs. See the\n<a href=\"/repos/v0.18.3/terraform-aws-vpc/examples/vpc-peering\" class=\"preview__body--description--blue\">vpc-peering</a> example to learn how this can be done.</p>\n<p>Note that to make testing easier in this example, we create all three VPCs in the same Terraform template, but in\nreal-world usage you should create each VPC in a separate set of templates so that it gets a separate state file. That\nway, you get more isolation, and if you somehow corrupt the state file while testing a change in one VPC, it does\nnot affect the state file for another VPC.</p>\n<h2 class=\"preview__body--subtitle\" id=\"subnets-and-network-ac-ls\">Subnets and Network ACLs</h2>\n<p>Each VPC defines different "tiers" of subnets, or logical subdivisions of the VPC. The <a href=\"/repos/v0.18.3/terraform-aws-vpc/modules/vpc-app\" class=\"preview__body--description--blue\">vpc-app</a>\nmodule creates public, private app, and private persistence subnets. The <a href=\"/repos/v0.18.3/terraform-aws-vpc/modules/vpc-mgmt\" class=\"preview__body--description--blue\">vpc-mgmt</a> module\ncreates public and private subnets. By default, the only limitations on those subnets are that public subnets are\naccessible from the public Internet, while private subnets are not.</p>\n<p>The templates in this example show how we can improve security in these subnets by adding Network ACLs. In particular,\nthe ACLs ensure that each subnet can only receive and send traffic to "adjacent" subnets (e.g. the private persistence\nsubnet receive requests from the private app subnet, but not the public subnet) as well as the Mgmt VPC. See the\n<a href=\"/repos/v0.18.3/terraform-aws-vpc/modules/vpc-app-network-acls\" class=\"preview__body--description--blue\">vpc-app-network-acls</a> and <a href=\"/repos/v0.18.3/terraform-aws-vpc/modules/vpc-mgmt-network-acls\" class=\"preview__body--description--blue\">vpc-mgmt-network-acls</a>\nmodules for details.</p>\n<h2 class=\"preview__body--subtitle\" id=\"ec-2-instances-in-this-example\">EC2 instances in this example</h2>\n<p>This example launches the following resources for demonstration and testing purposes:</p>\n<ol>\n<li><strong>App VPC instances</strong>: Launch one EC2 Instance in a public subnet, one in a private app subnet, and one in a\nprivate persistence subnet.</li>\n<li><strong>Mgmt VPC instances</strong>: Launch one EC2 Instance in a public subnet and one in a private subnet.</li>\n</ol>\n<h2 class=\"preview__body--subtitle\" id=\"ssh-access\">SSH access</h2>\n<p>Any instance launched in a private subnet will not have a public IP address. Therefore, the only way to SSH to an\ninstance in a private subnet is to first SSH to an instance in a public subnet and use it as a "jump host". Note that\nthe Network ACLs in the templates in this example prevent any connections in the App VPCs between a public\nsubnet and a private persistence subnet, unless that public subnet is in the Mgmt VPC. Therefore, the only way to SSH\nto an instance in the private persistence subnet is to enable VPC peering as shown in the <a href=\"/repos/v0.18.3/terraform-aws-vpc/examples/vpc-peering\" class=\"preview__body--description--blue\">vpc-peering\nexample</a> and to connect via an instance in the public subnet of the Mgmt VPC. See the <a href=\"/repos/terraform-aws-server/examples/bastion-host\" class=\"preview__body--description--blue\">Bastion Host\nexamples</a> for more info.</p>\n<h2 class=\"preview__body--subtitle\" id=\"known-errors\">Known Errors</h2>\n<p>This terraform template may intermittently trigger certain non-critical errors caused by eventual consistency bugs in\nTerraform. These are usually harmless and all you need to do to get around them is to re-run <code>terraform apply</code>.</p>\n","repoName":"terraform-aws-vpc","repoRef":"v0.15.6","serviceDescriptor":{"serviceName":"Virtual Private Cloud (VPC)","serviceRepoName":"terraform-aws-vpc","serviceRepoOrg":"gruntwork-io","cloudProviders":["aws"],"description":"Create a Virtual Private Cloud (VPC). Includes multiple subnet tiers, NACLs, NAT gateways, Internet Gateways, and VPC peering.","imageUrl":"vpc.png","licenseType":"subscriber","technologies":["Terraform"],"compliance":[],"tags":[""]},"serviceCategoryName":"Networking","fileName":"README.md","filePath":"/examples/vpc-network-acls","title":"Repo Browser: Virtual Private Cloud (VPC)","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}
.circleci
main.tf
