Skip to content

dannyducko/aws_egress_tgw-terraform

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

7 Commits
modules
modules
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
diagram.png
diagram.png
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
terraform.tfvars
terraform.tfvars
 
 
variables.tf
variables.tf
 
 

Repository files navigation

AWS Central Egress with Terraform

egress diagram

As part of my studies for the AWS ANS-C01 I wanted to come up with a central egress solution which blocked and isolated certain pathings.

Following on from completing the exam, I wanted to work on my IaC skills. With that in mind, I went ahead and done just that with my previous scenario, but made up in Terraform.

Feel free to use and edit it as you please.

What this will generate:

  • 1 Transit Gateway with attachments to each VPC in 2 AZ's and relevant routes required, appliance mode enabled for egress.
  • 4 VPCs, each with their subnets in 2 AZs, Public subnets where required and route tables for those.
  • 2 NAT GWs, 1 in each AZ in the egress VPC.
  • 3 EC2 instances, T3.micro, in; Prod, Test and On-Prem VPCs.
  • Security Groups allowing a blanket "access everything anywhere".
  • 2 IGWs, 1 in egress and On-Prem VPCs

What should happen

  • Prod and Test VPCs cannot communicate with eachother due to a blackhole route in the TGW RTB that serves those VPCs
  • Prod and Test VPCs can communicate with the internet via the NATGWs, and can communicate with OnPrem.
  • OnPrem VPC can communicate with VPC Prod and Test.

How to use this template

  • Clone or download this repo to your local machine
  • Run the terraform init command to initialise the directory.
  • Edit main.tf to include your region under the AWS provider.
  • Edit the terraform.tfvars to change the variables;
    • ami - select an AMI from your region to be used on the EC2 instances.
    • key_name - Create or use an existing key pair in your region, and set the name of it here
    • availability_zones - Select 2 AZs from your region and input here.
  • terraform plan - see what resources are being created
  • terraform apply - build the environment
  • After the build has completed, you should be able to jump onto the EC2 instance in the onprem VPC, as it has a public IP.
    • From here, you can ssh to the instances into prod and test VPCs by copying across the ssh key to your instance, or using the instance in the onprem vpc as a ssh-passthrough/ tunnel.
  • From the prod or test vpc, try out the connectivity options available to you. Try pinging the onprem instance, try ping the other ec2 instance in the opposite vpc. Try pinging out to the internet. Use VPC reachability analyzer to see what path your traffic is taking. Or just create chaos and edit the terraform configuration to create your own crazy environment :).
  • terraform destroy - destroy the resources created/ that are being managed in the terraform state file.

Notes:

  • For use in eu-west-2 due to the AMI IDs. Feel free to change it and have a play.
  • Will take about 3-4 minutes to completely spin up, mostly due to the NAT GWs and TGW.
  • Will be cleaned up in the near future.
  • I'm not liable for your misery around the costs of NAT Gateways....

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages