AWS Transit Gateway is a network hub that you can use to interconnect your VPCs and on-premises networks. With it, you can create hub and spoke architectures to control how your VPCs and on-prem resources communicate between them. In addition, you can centralize different services - like traffic inspection or the connection to VPC endpoints - and therefore avoid extra costs by overprovisioning those services.
This Terraform module helps you create the base of your networking infrastructure in AWS, by provisioning a Hub and Spoke Architecture with AWS Transit Gateway. You can indicate which resources you want to centralize - by defining which central VPCs you want to create -, and you get the Transit Gateway, VPCs, and routing needed to achieve the interconnection. The only thing you will need to do later is place your worloads and services to centralize.
You can either define a current Transit Gateway by passing its ID using the transit_gateway_id
variable, or let the Hub and Spoke Module to create one for you by using the transit_gateway_attributes
variable.
The attributes you can define ing transit_gateway_attributes
are the following ones:
name
= (Optional|string) Name to apply to the new Transit Gateway.description
= (Optional|string) Description of the new Transit Gatewayamazon_side_asn
= (Optional|number) Private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is64512
to65534
for 16-bit ASNs and4200000000
to4294967294
for 32-bit ASNs. It is recommended to configure one to avoid ASN overlap. Default value:64512
.auto_accept_shared_attachments
= (Optional|string) Wheter the attachment requests are automatically accepted. Valid values:disable
(default) orenable
.dns_support
= (Optional|string) Wheter DNS support is enabled. Valid values:disable
orenable
(default).multicast_support
= (Optional|string) Wheter Multicas support is enabled. Valid values:disable
(default) orenable
.transit_gateway_cidr_blocks
= (Optional|list(string)) One or more IPv4/IPv6 CIDR blocks for the Transit Gateway. Must be a size /24 for IPv4 CIDRs, and /64 for IPv6 CIDRs.vpn_ecmp_support
= (Optional|string) Whever VPN ECMP support is enabled. Valid values:disable
orenable
(default).tags
= (Optional|map(string)) Key-value tags to apply to the Transit Gateway.
NOTE: You can only define transit_gateway_id
or transit_gateway_attributes
, but not both variables at the same time.
The Central VPCs you can create are: inspection
, egress
, ingress
, shared_services
, and hybrid_dns
. The Central VPCs you define have a set of input variables that are common (regardless of the type of VPC to create). These variables are inherited from the AWS VPC Module, which is used to create all the VPCs in this module. The common attributes are the following ones:
vpc_id
= (Optional|string) If you specify this value, no other attributes can be set The VPC will be attached to the Transit Gateway, and its attachment associate/propagated to the corresponding TGW Route Tables.name
= (Optional|string) Name of the VPC, if a new VPC is created.cidr_block
= (Optional|string) CIDR range to assign to the VPC, if a new VPC is created.az_count
= (Optional|number) Number of Availability Zones to use in each VPC. As best practice, we recommend the use of at least two AZs to ensure high-availability in your solutions.vpc_enable_dns_hostnames
= (Optional|bool) Indicates whether the instances launched in the VPC get DNS hostnames. Enabled by default.vpc_enable_dns_support
= (Optional|bool) Indicates whether the DNS resolution is supported for the VPC. If enabled, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC network range "plus two" succeed. If disabled, the Amazon provided DNS service in the VPC that resolves public DNS hostnames to IP addresses is not enabled. Enabled by default.vpc_instance_tenancy
= (Optional|string) The allowed tenancy of instances launched into the VPC.subnet_configuration
= (Optional|any) Configuration of the subnets to create in the VPC. You can define as many subnets as you want, however, depending the type of central VPC, this definition may vary. Below you will see one example per type of Central VPC.associate_and_propagate_to_tgw
= (Optional|bool) This option is used with thetransit_gateway_id
option only. It indicates whether the VPC attachment should be associated and propagated to the given Transit Gateway. Iftrue
, then appropriate Transit Gateway Route Table is created, VPC attachment is associated with it and necessary route propagations are provisioned. Iffalse
, then Central VPC is just attached to the TGW. Iftransit_gateway_attributes
are given, then this option is ignored (implicitly is set totrue
). Enabled by default.vpc_flow_logs
= = (Optional|object(any)) Configuration of the VPC Flow Logs of the VPC configured. Options: "cloudwatch", "s3", "none". The format of the object to define is the following:
object({
log_destination = optional(string)
iam_role_arn = optional(string)
kms_key_id = optional(string)
log_destination_type = string
retention_in_days = optional(number)
tags = optional(map(string))
traffic_type = optional(string)
destination_options = optional(object({
file_format = optional(string)
hive_compatible_partitions = optional(bool)
per_hour_partition = optional(bool)
}))
})
When defining a central Inspection VPC, you can define two types: with Internet access (inspection + egress in the same VPC) or without Internet access (if egress is configured, is placed in a different VPC). Each of the types will have a different configuration:
- Inspection VPC with Internet access:
public
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. Additionally, it also acceptsnat_gateway_configuration
, where you can specifyall_azs
(by default),single_az
, ornone
.endpoints
: This subnet is used to place the firewall endpoints (AWS Network Firewall or any solution with Gateway Load Balancer). You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. By default, it creates the following routes in the subnet's route tables:- To the Internet (0.0.0.0/0) via the NAT gateways (if created).
- To the Transit Gateway ENI(s). The destination passed will be the Network CIDR defined (either via a supernet or a prefix list) in the
spoke_vpcs
variable.
transit_gateway
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. The rest of the variables needed to create the Transit Gateway VPC attachment are handled by the module.
central_vpcs = {
inspection = {
name = "inspection-vpc"
cidr_block = "10.10.0.0/16"
az_count = 2
subnets = {
public = {
netmask = 24
nat_gateway_configuration = "all_azs"
}
endpoints = { netmask = 24 }
transit_gateway = { netmask = 28 }
}
}
}
- Inspection VPC without Internet access:
endpoints
: This subnet is used to place the firewall endpoints (AWS Network Firewall or any solution with Gateway Load Balancer). You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. By default, it creates the a default route (0.0.0.0/0) to the Transit Gateway ENI(s).transit_gateway
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. The rest of the variables needed to create the Transit Gateway VPC attachment are handled by the module.
central_vpcs = {
inspection = {
name = "inspection-vpc"
cidr_block = "10.10.0.0/16"
az_count = 2
subnets = {
endpoints = { netmask = 24 }
transit_gateway = { netmask = 28 }
}
}
}
In addition to the subnet definition, two more attributes can be defined in the Inspection VPC:
inspection_flow
= (Optional|string) To indicate how the traffic should be inspected. You can define the following values:all
(default),east-west
,north-south
.aws_network_firewall
= (Optional|map(any)) The Hub and Spoke module also support the creation of AWS Network Firewall, using the AWS Network Firewall module. The module will create the firewall resource and all the routing needed in the Inspection VPC, and you will need to define the following attributes:name
= (Required|string) Name of the AWS Network Firewall resource.description
= (Required|string) Description for the AWS Network Firewall resource.policy_arn
= (Required|string) ARN of the AWS Network Firewall Policy resource.policy_change_protection
= (Optional|bool) To indicate whether it is possible to change the associated firewall policy after creation. Defaults tofalse
.subnet_change_protection
= (Optional|bool) To indicate whether it is possible to change the associated subnet(s) after creation. Defaults tofalse
.tags
= (Optional|map(string)) List of tags to apply to the AWS Network Firewall resource.
central_vpcs = {
inspection = {
name = "inspection-vpc"
cidr_block = "10.10.0.0/16"
az_count = 2
inspection_flow = "east-west"
aws_network_firewall = {
name = "ANFW"
policy_arn = aws_networkfirewall_firewall_policy.anfw_policy.arn
}
subnets = {
endpoints = { netmask = 24 }
transit_gateway = { netmask = 28 }
}
}
}
When defining a central Egress VPC, the following subnet configuration is expected:
public
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. Additionally, it also acceptsnat_gateway_configuration
, where you can specifyall_azs
(by default),single_az
, ornone
. By default, it creates the a route to the Transit Gateway ENI(s), using as destination the Network CIDR defined (either via a supernet or a prefix list) in thespoke_vpcs
variable.transit_gateway
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. The rest of the variables needed to create the Transit Gateway VPC attachment are handled by the module. Additionally, it creates a route to the Internet (0.0.0.0/0) via the NAT gateways (if created).
central_vpcs = {
egress = {
name = "egress-vpc"
cidr_block = "10.10.0.0/24"
az_count = 2
vpc_flow_logs = {
iam_role_arn = "ROLEARN" # You should add here an IAM role so VPC Flow logs can publish in CloudWatch Logs
kms_key_id = "KMSARN" # You should add here a KMS Key ARN to encrypt the logs at rest (best practice)
log_destination_type = "cloudwatch"
retention_in_days = 7
}
subnets = {
public = {
name_prefix = "public_egress"
cidrs = ["10.10.0.0/28", "10.10.0.16/28"]
nat_gateway_configuration = "all_azs"
}
transit_gateway = {
name_prefixt = "tgw_egress"
cidrs = ["10.10.0.32/28", "10.10.0.48/28"]
}
}
}
}
NOTE Both Inspection VPC with public subnets and Egress VPC cannot be created at the same time.
When defining a central Shared Services VPC, three subnet types are expected: endpoints
(to place VPC Interface endpoints), dns
(to place Route 53 Resolver endpoints, or your own DNS solution in AWS), and transit_gateway
. Two types of VPC can be created: with DNS subnets, and without DNS subnets.
- Shared Services VPC with only "endpoints" subnets:
endpoints
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. By default, it creates the a default route (0.0.0.0/0) to the Transit Gateway ENI(s).transit_gateway
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. The rest of the variables needed to create the Transit Gateway VPC attachment are handled by the module.
central_vpcs = {
shared_services = {
name = "shared-services-vpc"
cidr_block = "10.10.0.0/24"
az_count = 2
subnets = {
endpoints = { netmask = 28 }
transit_gateway = { netmask = 28 }
}
}
}
- Shared Services VPC with "endpoints" and "dns" subnets:
endpoints
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. By default, it creates the a default route (0.0.0.0/0) to the Transit Gateway ENI(s).dns
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. By default, it creates the a default route (0.0.0.0/0) to the Transit Gateway ENI(s).transit_gateway
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. The rest of the variables needed to create the Transit Gateway VPC attachment are handled by the module.
central_vpcs = {
shared_services = {
name = "shared-services-vpc"
cidr_block = "10.10.0.0/24"
az_count = 2
subnets = {
endpoints = { netmask = 28 }
dns = { netmask = 28 }
transit_gateway = { netmask = 28 }
}
}
}
NOTE Both Shared Services VPC with "dns" subnets and Hybrid DNS VPC cannot be created at the same time.
When defining a central Hybrid DNS VPC, the following subnet configuration is expected:
endpoints
: To place Route 53 Resolver endpoints, or your own DNS solution in AWS. You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. By default, it creates the a default route (0.0.0.0/0) to the Transit Gateway ENI(s).transit_gateway
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. The rest of the variables needed to create the Transit Gateway VPC attachment are handled by the module.
central_vpcs = {
hybrid_dns = {
name = "hybrid-dns-vpc"
cidr_block = "10.10.0.0/24"
az_count = 2
vpc_flow_logs = {
iam_role_arn = "ROLEARN" # You should add here an IAM role so VPC Flow logs can publish in CloudWatch Logs
kms_key_id = "KMSARN" # You should add here a KMS Key ARN to encrypt the logs at rest (best practice)
log_destination_type = "cloudwatch"
retention_in_days = 7
}
subnets = {
endpoints = {
name_prefix = "r53_endpoints"
cidrs = ["10.10.0.0/28", "10.10.0.16/28"]
}
transit_gateway = {
name_prefixt = "tgw"
cidrs = ["10.10.0.32/28", "10.10.0.48/28"]
}
}
}
When defining a central Ingress VPC, the following subnet configuration is expected:
public
: To place your entry point to AWS from the Internet (Elastic Load Balancer, for example). You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. By default, it creates the a route (0.0.0.0/0) to the Transit Gateway ENI(s), using as destination the Network CIDR defined (either via a supernet or a prefix list) in thespoke_vpcs
variable.transit_gateway
: You can define the following attributes:cidrs
,netmask
,name_prefix
,tags
. The rest of the variables needed to create the Transit Gateway VPC attachment are handled by the module.
central_vpcs = {
ingress = {
name = "ingress-vpc"
cidr_block = "10.10.0.0/24"
az_count = 2
vpc_flow_logs = {
iam_role_arn = "ROLEARN" # You should add here an IAM role so VPC Flow logs can publish in CloudWatch Logs
kms_key_id = "KMSARN" # You should add here a KMS Key ARN to encrypt the logs at rest (best practice)
log_destination_type = "cloudwatch"
retention_in_days = 7
}
subnets = {
public = { cidrs = ["10.10.0.0/28", "10.10.0.16/28"] }
transit_gateway = { cidrs = ["10.10.0.32/28", "10.10.0.48/28"] }
}
}
This variable is used to provide the Hub and Spoke module the neccessary information about the Spoke VPCs created. Note that the module does not create the VPCs, and the information you pass is the routing domains you want to create, and the Spoke VPC information (VPC IDs and Transit Gateway VPC attachment IDs). It is recommended the use of the following AWS VPC Module to simplify your infrastructure creation - also because the Hub and Spoke module makes use of the VPC module to create the Central VPCs.
Within this variable, the following attributes are expected:
routing_domains
= (Optional|list(string)) Definition of the different routing domains for the Spoke VPCs - for example prod or dev. If this variable is not provided, all the Spoke VPCs will be associated to a common routing domain (spokes).number_vpcs
= (Optional|number) Total number of Spoke VPCs that have been attached to the Transit Gateway, regardless of the routing domain.vpc_information
= (Optional|map(string)) Information about the VPCs to include in the architecture. Inside the variable, a map of the following keys is expected:vpc_id
= (Optional|string) VPC ID. This value is not used in this version of the module, we keep it as placehoder when adding support for centralized VPC endpoints.transit_gateway_attachment_id
= (Optional|string) Transit Gateway VPC attachment ID.routing_domain
= (Optional|string) Routing domain to include the VPC (Transit Gateway route table association). This value needs to be included in var.spoke_vpcs.routing_domains.
spoke_vpcs = {
routing_domains = ["prod", "nonprod"]
number_vpcs = 2
vpc_information = {
prod = {
vpc_id = vpc-ID1
transit_gateway_attachment_id = tgw-attach-ID1
routing_domain = "prod"
}
nonprod = {
vpc_id = vpc-ID2
transit_gateway_attachment_id = tgw-attach-ID2
routing_domain = "nonprod"
}
}
}
This variable is used to define the IPv4 CIDR block(s) of all the AWS network. Two different types of definition are allowed: CIDR (Supernet's CIDR block) or PREFIX_LIST (managed prefix list ID). The variable is an object type, composed by two attributes:
type
= (string) Defines the type of network definition provided. It has to be eitherCIDR
(Supernet's CIDR Block) orPREFIX_LIST
(prefix list ID containing all the CIDR blocks of the network)value
= (string) Either a Supernet's CIDR Block or a prefix list ID. This value needs to be consistent with thetype
provided in this variable.
network_definition = {
type = "PREFIX_LIST"
value = pl-id
}
network_definition = {
type = "CIDR"
value = "10.0.0.0/8"
}
Each Spoke VPC segment created is independent between each other, meaning that inter-segment communication is not allowed. However, if you add an Inspection VPC with the traffic inspection flow as all
or east-west
, potentially you can have communication between segments. You need to block or allow inter-segment communication in the firewall solution deployed.