This example creates an App VPC and a Mgmt VPC and shows how to use the vpc-peering module to
create a VPC peering connection between them. It also launches a number of EC2 instances in each VPC so that the
peering connection can be tested end to end.
The goal is to set up the Mgmt VPC so that once you're logged in there, you have access to ALL resources in all VPCs.
But when you're logged into an App VPC, you may have access to the Mgmt VPC, but you do NOT also get access to any other
VPC. That is, VPC peering relationships are not "transitive": traffic only flows between the two VPCs that are directly
peered, and only for the CIDR blocks that each side explicitly routes over the peering connection.
Quick start
To try these templates out you must have Terraform installed (minimum version: 1.0.0):
1. Open variables.tf, set the environment variables specified at the top of the file, and fill in any other variables that
   don't have a default.
2. Run terraform init.
3. Run terraform plan.
4. If the plan looks good, run terraform apply.
Our VPC Structure
To keep this example simple, we create just two VPCs. For a real-world use case, we recommend following the Reference
VPC Architecture and creating three VPCs:
Prod VPC: For production workloads. You can create this type of VPC using the vpc-app module,
as shown in the vpc-app example.
Stage VPC: For non-production workloads. You can create this type of VPC using the vpc-app
module, as shown in the vpc-app example.
Mgmt VPC: Where operators run DevOps tooling and login. You can create this type of VPC using the
vpc-mgmt module, as shown in the templates in the vpc-mgmt example.
VPC Isolation and Peering
By default, each VPC is completely isolated from the others: with no peering connection, VPN, or Transit Gateway, an
instance in one VPC has no network path to another VPC. This is part of the "defense-in-depth" philosophy: even if an
attacker breaches one level of our security, they still have other problems to deal with at the next level. It also
ensures that changes you make in one VPC don't accidentally cause problems in another. However, it can be useful to
permit limited, controlled access between VPCs, such as allowing a DevOps tool in the Mgmt VPC to deploy code in the
App VPCs. To enable this, the templates in this example set up a VPC Peering connection between the Mgmt VPC and the
App VPC. Note that the peering connection alone moves no packets: each side also needs a route for the peer's CIDR
block pointing at the peering connection, and security groups and network ACLs still decide which ports are open.
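The following is an added example, not code from this page or from the vpc-peering module, showing what the Mgmt-to-App peering relationship described above (and the non-transitivity point from the introduction) looks like in raw AWS provider resources. The variable names are assumptions standing in for the IDs, CIDR blocks, and route tables that the vpc-mgmt and vpc-app modules output; both VPCs are assumed to be in the same account and region.

```hcl
# Added example (not the page's or the vpc-peering module's own code): a minimal
# peering between a Mgmt VPC and an App VPC using raw AWS provider resources.
# The variables below are hypothetical stand-ins for the two VPC modules' outputs.

variable "mgmt_vpc_id"          { type = string }
variable "mgmt_vpc_cidr"        { type = string }       # e.g. "10.0.0.0/16"
variable "mgmt_route_table_ids" { type = list(string) } # one per Mgmt subnet tier
variable "app_vpc_id"           { type = string }
variable "app_vpc_cidr"         { type = string }       # e.g. "10.1.0.0/16"
variable "app_route_table_ids"  { type = list(string) } # one per App subnet tier

# A peering connection is requested by one VPC and accepted by the other.
# Within a single account and region the requester can auto-accept.
resource "aws_vpc_peering_connection" "mgmt_to_app" {
  vpc_id      = var.mgmt_vpc_id
  peer_vpc_id = var.app_vpc_id
  auto_accept = true

  tags = { Name = "mgmt-to-app" }
}

# Peering alone moves no packets. Each side needs a route for the peer's CIDR
# (and only that CIDR) that points at the peering connection. Routes live in
# route tables, so every subnet tier that should be reachable gets its own.
resource "aws_route" "mgmt_to_app" {
  count                     = length(var.mgmt_route_table_ids)
  route_table_id            = var.mgmt_route_table_ids[count.index]
  destination_cidr_block    = var.app_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.mgmt_to_app.id
}

resource "aws_route" "app_to_mgmt" {
  count                     = length(var.app_route_table_ids)
  route_table_id            = var.app_route_table_ids[count.index]
  destination_cidr_block    = var.mgmt_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.mgmt_to_app.id
}

# Routes make the peer reachable at layer 3; security groups still decide which
# ports are open. Scope SSH on App instances to the Mgmt CIDR, never 0.0.0.0/0.
resource "aws_security_group" "app_ssh_from_mgmt" {
  name   = "app-ssh-from-mgmt"
  vpc_id = var.app_vpc_id

  ingress {
    description = "SSH from the Mgmt VPC only, over the peering connection"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.mgmt_vpc_cidr]
  }
}
```

The non-transitive behaviour falls out of the routes: if a second App VPC (say Stage) is peered to Mgmt the same way, Stage's route tables contain a route for the Mgmt CIDR only. There is no route for the first App VPC's CIDR, and AWS will not forward traffic from one peering connection onto another through Mgmt, so the two App VPCs remain unreachable from each other unless they are peered directly. A quick check after apply is to confirm that each App route table carries exactly one peering route, for the Mgmt CIDR, and that no security group in an App VPC allows port 22 from a broader range than the Mgmt CIDR.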
Note that to make testing easier in this example, we create all the VPCs in the same Terraform template, but in
real-world usage you should create each VPC in a separate set of templates so that it gets a separate state file. That
way, you get more isolation, and if you somehow corrupt the state file while testing a change in one VPC, it does
not affect the state file for another VPC.
EC2 instances in this example
This example launches the following resources for demonstration and testing purposes:
App VPC instances: Launch one EC2 Instance in a public subnet, one in a private app subnet, and one in a
private persistence subnet.
Mgmt VPC instances: Launch one EC2 Instance in a public subnet and one in a private subnet.
SSH access
Any instance launched in a private subnet will not have a public IP address. Therefore, the only way to SSH to an
instance in a private subnet from outside AWS is to first SSH to an instance in a public subnet and use it as a "jump
host". With VPC Peering enabled as shown in the templates in this example, you could launch a public host in the Mgmt
VPC and use that to connect to any instance in any of the peered VPCs, provided the private instances' security groups
allow port 22 from the Mgmt VPC's CIDR block. Prefer ssh -J (ProxyJump) or agent forwarding over copying private keys
onto the jump host, so a compromise of the jump host does not also hand over the keys. See the Bastion Host
examples for more info.
Known Errors
This Terraform template may intermittently trigger non-critical errors caused by eventual consistency in the AWS APIs,
which surface as Terraform errors when a newly created resource is not yet visible to a dependent call. These are usually
harmless and all you need to do to get around them is to re-run terraform apply.