Building an AWS VPC from Scratch Using Terraform
The entire network architecture of any cloud-based service is based on a virtual private cloud (VPC). AWS VPCs offer the required network segregation and enable security by efficiently managing aspects like subnets, routing, internet gateway, NAT gateway, DHCP, etc.
Published Jul 30, 2024
Prerequisites:
- An EC2 instance
- awscli and Terraform installed and configured
In this post, we discuss how to build a basic AWS VPC from scratch using Terraform.
There are several considerations to be made while building a VPC for any project. Let’s start to build our VPC from the ground up using Terraform.
- VPC in the us-west-2 region
- Internet Gateway
- 2 Public Subnets, one in each AZ
- 2 Private Subnets, one in each AZ
- Route Table configurations (main and 2nd)
- NAT gateways
A VPC spans all the Availability Zones (AZ) in a region. It is always associated with a CIDR range (both IPv4 and IPv6), which defines the range of private addresses available inside it.
Within the VPC, we create subnets that are specific to AZs. It is possible to have multiple subnets in the same AZ. The purpose of subnets is to internally segregate resources contained in the VPC in every AZ. AWS Regions consist of multiple Availability Zones for DR purposes.
Our architecture contains two types of subnets – public and private. Public subnets enable direct internet access for the components hosted within them, while private subnets reach the internet only outbound, through a NAT gateway.
An internet gateway is deployed and associated with the VPC to enable internet traffic within the VPC’s public subnets. Only one internet gateway can be associated with each VPC.
Workflow:
All infrastructure will be on AWS. If you want to use another cloud provider such as GCP or Azure, you will need to change the provider configuration.
To begin with, let us start by defining our VPC resource in Terraform. To specify a range of IP addresses in a VPC, a CIDR block needs to be provided. We have also provided a Name tag for identification.
- Name: myvpc
- CIDR: 10.0.0.0/16
vpc.tf
The VPC exists across all the Availability Zones in a region, while each subnet is associated with a single AZ. The Oregon (us-west-2) region has two AZs, and we need one public and one private subnet in each AZ as per the diagram.
Firstly, we identify the CIDR ranges to be associated with the four new subnets we need to create. In our example, based on the CIDR range of the VPC, I have identified the CIDR ranges and defined a couple of variables in our Terraform code (subnet.tf).
Name:
- private-us-west-2a : 10.0.1.0/24
- private-us-west-2b : 10.0.2.0/24
- public-us-west-2a : 10.0.3.0/24
- public-us-west-2b : 10.0.4.0/24
subnet.tf
Since we have to build public subnets, we need to provide access to the internet in the given VPC. For this, the first thing that we need is an internet gateway.
igw.tf
You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.
ngw.tf
We already know that when a VPC is created, a main route table is created as well. The main route table is responsible for enabling the flow of traffic within the VPC.
Here we create two route tables, one public and one private. The public route table is associated with the two public subnets and sends 0.0.0.0/0 to the internet gateway; the private route table is associated with the two private subnets and sends 0.0.0.0/0 to the NAT gateway.
Routes:
- Public
  - subnet associations
    - public-us-west-2a : 10.0.3.0/24
    - public-us-west-2b : 10.0.4.0/24
  - Routes
    - igw-XXXX : 0.0.0.0/0
- Private
  - subnet associations
    - private-us-west-2a : 10.0.1.0/24
    - private-us-west-2b : 10.0.2.0/24
  - Routes
    - NAT-XXXXX : 0.0.0.0/0
route.tf
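The five files referenced above (vpc.tf, subnet.tf, igw.tf, ngw.tf, route.tf) written out as one added example; this is not the post's own code. The provider version, the DNS settings on the VPC, the non-Name tag values, the locals-based subnet map, and the choice of a single NAT gateway placed in public-us-west-2a are my assumptions; the VPC and subnet CIDRs, names and route targets are the ones listed in the post.

```hcl
# Added example (not the original post's code). Provider version, DNS settings,
# locals layout and NAT placement are assumptions; CIDRs and names follow the post.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-west-2"
}

locals {
  # Subnet plan from the post: name => { cidr, az, public? }
  subnets = {
    "private-us-west-2a" = { cidr = "10.0.1.0/24", az = "us-west-2a", public = false }
    "private-us-west-2b" = { cidr = "10.0.2.0/24", az = "us-west-2b", public = false }
    "public-us-west-2a"  = { cidr = "10.0.3.0/24", az = "us-west-2a", public = true }
    "public-us-west-2b"  = { cidr = "10.0.4.0/24", az = "us-west-2b", public = true }
  }
  public_subnets  = { for k, v in local.subnets : k => v if v.public }
  private_subnets = { for k, v in local.subnets : k => v if !v.public }
}

# vpc.tf
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "myvpc" }
}

# subnet.tf
resource "aws_subnet" "this" {
  for_each          = local.subnets
  vpc_id            = aws_vpc.main.id
  cidr_block        = each.value.cidr
  availability_zone = each.value.az
  # Only public subnets hand out public IPs at launch; private subnets never do,
  # so nothing placed in them is directly reachable from the internet.
  map_public_ip_on_launch = each.value.public
  tags                    = { Name = each.key }
}

# igw.tf: one internet gateway per VPC
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "myvpc-igw" }
}

# ngw.tf: a NAT gateway needs an Elastic IP and must sit in a PUBLIC subnet,
# because it reaches the internet through the internet gateway.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "ngw" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.this["public-us-west-2a"].id
  depends_on    = [aws_internet_gateway.igw]
  tags          = { Name = "myvpc-ngw" }
}

# route.tf: public subnets route 0.0.0.0/0 to the IGW, private ones to the NAT
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
  tags = { Name = "public-rt" }
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.ngw.id
  }
  tags = { Name = "private-rt" }
}

resource "aws_route_table_association" "public" {
  for_each       = local.public_subnets
  subnet_id      = aws_subnet.this[each.key].id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private" {
  for_each       = local.private_subnets
  subnet_id      = aws_subnet.this[each.key].id
  route_table_id = aws_route_table.private.id
}
```

The resources can be split across the files named in the post or kept in one file; Terraform loads every .tf file in the directory. The explicit route table associations matter: a subnet that is not associated with either table silently falls back to the VPC's main route table, which has no internet route. A single NAT gateway in one AZ is a single point of failure for outbound traffic from the private subnets; for AZ resilience you would create one NAT gateway per AZ and a private route table per AZ pointing at it.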
To download and install the provider we defined in our configuration, we initialize the directory containing these files (this is also where the terraform.tfstate file will be saved), then plan and apply:
terraform init
terraform plan
terraform apply
terraform destroy
We have covered a couple of ways to create and manage AWS VPCs – building them from scratch and using certified, published modules.