Skip to content

Latest commit

 

History

History
57 lines (32 loc) · 2.52 KB

File metadata and controls

57 lines (32 loc) · 2.52 KB

AWS Hub and Spoke Architecture with an Inspection VPC - Terraform Sample

This repository contains terraform code to deploy a sample AWS Hub and Spoke architecture with an Inspection VPC using AWS Network Firewall. The resources deployed and the architectural pattern they follow is purely for demonstration/testing purposes.

Prerequisites

  • An AWS account with an IAM user with the appropriate permissions
  • Terraform installed

Code Principles:

  • Writing DRY (Do No Repeat Yourself) code using a modular design pattern

Usage

  • Clone the repository
  • Edit the variables.tf file in the project root directory

The variables.tf file contains the variables that are used to configure the Terraform code.

Note EC2 instances, VPC endpoints, and AWS Network Firewall endpoints will be deployed in all the Availability Zones configured for each VPC. Keep this in mind when testing this environment from a cost perspective - for production environments, we recommend the use of at least 2 AZs for high-availability.

Deployment

AWS Network Firewall Policy

The AWS Network Firewall Policy is defined in the policy.tf file in the network_firewall module directory. By default:

  • All the SSH and RDP traffic is blocked by the Stateless engine.
  • The Stateful engine follows Strict Rule Ordering, blocking all the traffic by default. Two rule groups allow ICMP traffic (between East/West traffic only), and HTTPS traffic to any *.amazon.com domain.

Logging Configuration

This project configures both the alert and flow logs to respective AWS Cloudwatch Log Groups (both for the VPC Flow logs and AWS Network Firewall logs). In VPC Flow logs, you can also use Amazon S3. In Network Firewall, you can also use Amazon S3, or Amazon Kinesis Firehose.

To follow best practices, all the logs are encrypted at rest using AWS KMS. The KMS key (alongside the IAM roles needed) is created using the iam_kms module.

Target Architecture

Architecture diagram

Cleanup

Remember to clean up after your work is complete. You can do that by doing terraform destroy.

Note that this command will delete all the resources previously created by Terraform.


Security

See CONTRIBUTING for more information.


License

This library is licensed under the MIT-0 License. See the LICENSE file.