Skip to content

Latest commit

 

History

History

AWS Hub and Spoke Architecture with an Inspection VPC - Single AWS Account

This repository contains terraform code to deploy a sample AWS Hub and Spoke architecture with an Inspection VPC using AWS Network Firewall. The resources deployed and the architectural pattern they follow is purely for demonstration/testing purposes.

Prerequisites

  • An AWS account with an IAM user with the appropriate permissions
  • Terraform installed

Code Principles:

  • Writing DRY (Do No Repeat Yourself) code using a modular design pattern

Usage

  • Clone the repository
  • Edit the variables.tf file in the project root directory. This file contains the information used to configure the Terraform code.

Note EC2 instances, and AWS Network Firewall endpoints will be deployed in all the Availability Zones configured for each VPC. Keep this in mind when testing this environment from a cost perspective - for production environments, we recommend the use of at least 2 AZs for high-availability.

Target Architecture

Architecture diagram

Deployment

  • terraform init to initialize the environment.
  • terraform plan to check the resources to create
  • terraform apply to build the architecture.

Clean-up

  • terraform destroy will clean-up the resources created.

Infrastructure configuration

AWS Network Firewall Policy

The AWS Network Firewall Policy is defined in the policy.tf file in the network_firewall module directory. By default:

  • All the SSH and RDP traffic is blocked by the Stateless engine.
  • The Stateful engine follows Strict Rule Ordering, blocking all the traffic by default. Two rule groups allow ICMP traffic (between East/West traffic only), and HTTPS traffic to any *.amazon.com domain.

VPC Flow Logs configuration

This project configures both the alert and flow logs to respective AWS Cloudwatch Log Groups (both for the VPC Flow logs and AWS Network Firewall logs). In VPC Flow logs, you can also use Amazon S3. In Network Firewall, you can also use Amazon S3, or Amazon Kinesis Firehose.

To follow best practices, all the logs are encrypted at rest using AWS KMS. The KMS key (alongside the IAM roles needed) is created using the iam_kms module.

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Requirements

Name Version
terraform >= 1.3.0
aws >= 3.73.0

Providers

Name Version
aws >= 3.73.0

Modules

Name Source Version
compute ./modules/compute n/a
hubspoke aws-ia/network-hubandspoke/aws 3.2.0
iam_kms ./modules/iam_kms n/a
spoke_vpcs aws-ia/vpc/aws = 4.4.2

Resources

Name Type
aws_networkfirewall_firewall_policy.anfw_policy resource
aws_networkfirewall_rule_group.allow_domains resource
aws_networkfirewall_rule_group.allow_icmp resource
aws_networkfirewall_rule_group.allow_tcp resource
aws_networkfirewall_rule_group.drop_remote resource

Inputs

Name Description Type Default Required
aws_region AWS Region. string "eu-west-1" no
identifier Name of the project. string "hubspoke-inspection" no
inspection_vpc Inspection VPC definition. any
{
"cidr_block": "10.129.0.0/24",
"number_azs": 2,
"private_subnet_netmask": 28,
"public_subnet_netmask": 28,
"tgw_subnet_netmask": 28
}
no
spoke_vpcs Spoke VPCs definition. any
{
"spoke-vpc-1": {
"cidr_block": "10.0.0.0/24",
"endpoint_subnet_netmask": 28,
"flow_log_config": {
"log_destination_type": "cloud-watch-logs",
"retention_in_days": 7
},
"instance_type": "t2.micro",
"number_azs": 2,
"tgw_subnet_netmask": 28,
"workload_subnet_netmask": 28
},
"spoke-vpc-2": {
"cidr_block": "10.0.1.0/24",
"endpoint_subnet_netmask": 28,
"flow_log_config": {
"log_destination_type": "cloud-watch-logs",
"retention_in_days": 7
},
"instance_type": "t2.micro",
"number_azs": 2,
"tgw_subnet_netmask": 28,
"workload_subnet_netmask": 28
}
}
no

Outputs

Name Description
instances EC2 instances created.
network_firewall AWS Network Firewall ID.
transit_gateway_id AWS Transit Gateway ID.
transit_gateway_route_tables Transit Gateway Route Table.
vpcs VPCs created.