AWS Hub and Spoke Architecture with an Inspection VPC - Terraform Sample

This repository contains terraform code to deploy a sample AWS Hub and Spoke architecture with an Inspection VPC using AWS Network Firewall. The resources deployed and the architectural pattern they follow is purely for demonstration/testing purposes.

Prerequisites

  • An AWS account with an IAM user with the appropriate permissions
  • Terraform installed

Code Principles:

  • Writing DRY (Do Not Repeat Yourself) code using a modular design pattern

Usage

  • Clone the repository
  • Edit the variables.tf file in the project root directory

The variables.tf file contains the variables that are used to configure the Terraform code.

Note: EC2 instances, VPC endpoints, and AWS Network Firewall endpoints will be deployed in all the Availability Zones configured for each VPC. Keep this in mind when testing this environment from a cost perspective - for production environments, we recommend the use of at least 2 AZs for high availability.

Deployment

AWS Network Firewall Policy

The AWS Network Firewall Policy is defined in the policy.tf file in the network_firewall module directory. By default:

  • All SSH and RDP traffic is blocked by the Stateless engine.
  • The Stateful engine follows Strict Rule Ordering and blocks all traffic by default. Two rule groups allow ICMP traffic (East/West traffic only) and HTTPS traffic to any *.amazon.com domain.
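As an added illustration (not the repository's own policy.tf from the network_firewall module), this is what the stateful half of such a policy looks like in Terraform: a strict-order domain allow list for *.amazon.com and a firewall policy whose stateful default action is drop. The rule group and policy names and the HOME_NET range are assumptions.

```hcl
# Added example, not the repository's policy.tf.
# Stateful rule group: allow list of domains, matched on the TLS SNI. In a
# central Inspection VPC HOME_NET must be set to the spoke ranges explicitly,
# otherwise the firewall's own VPC CIDR is used and spoke traffic never matches.
resource "aws_networkfirewall_rule_group" "allow_domains" {
  capacity = 100
  name     = "allow-amazon-domains" # hypothetical name
  type     = "STATEFUL"

  rule_group {
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = ["10.0.0.0/8"] # assumed: covers the spoke VPC CIDRs
        }
      }
    }
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["TLS_SNI"]
        targets              = [".amazon.com"] # leading dot = any subdomain
      }
    }
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
  }
}

# Firewall policy: strict rule ordering and a default-deny stateful engine.
resource "aws_networkfirewall_firewall_policy" "anfw_policy" {
  name = "inspection-policy" # hypothetical name

  firewall_policy {
    # Stateless engine: hand everything to the stateful engine. The stateless
    # SSH/RDP drop group described above would be referenced alongside this.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }
    # aws:drop_strict drops any packet no allow rule matched; alert_strict
    # logs it so the default drop is visible in the alert log group.
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]

    stateful_rule_group_reference {
      priority     = 1 # required with STRICT_ORDER; lower runs first
      resource_arn = aws_networkfirewall_rule_group.allow_domains.arn
    }
  }
}
```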

Logging Configuration

This project sends both alert logs and flow logs to their respective Amazon CloudWatch Log Groups (for the VPC Flow Logs and for the AWS Network Firewall logs). For VPC Flow Logs, you can also use Amazon S3. For Network Firewall, you can also use Amazon S3 or Amazon Kinesis Data Firehose.

To follow best practices, all logs are encrypted at rest using AWS KMS. The KMS key (alongside the IAM roles needed) is created by the iam_kms module.

Target Architecture

Architecture diagram

Cleanup

Remember to clean up after your work is complete. You can do that by running terraform destroy.

Note that this command will delete all the resources previously created by Terraform.


Security

See CONTRIBUTING for more information.


License

This library is licensed under the MIT-0 License. See the LICENSE file.


Requirements

Name Version
terraform >= 1.3.0
aws >= 3.73.0
awscc >= 0.15.0

Providers

Name Version
aws 4.36.1

Modules

Name Source Version
aws_network_firewall aws-ia/networkfirewall/aws 0.0.2
compute ./modules/compute n/a
iam_kms ./modules/iam_kms n/a
inspection_vpc aws-ia/vpc/aws = 3.0.1
spoke_vpcs aws-ia/vpc/aws = 3.0.1
vpc_endpoints ./modules/endpoints n/a

Resources

Name Type
aws_ec2_managed_prefix_list.prefix_list resource
aws_ec2_managed_prefix_list_entry.pl_entry resource
aws_ec2_transit_gateway.tgw resource
aws_ec2_transit_gateway_route.default_route_spoke_to_inspection resource
aws_ec2_transit_gateway_route_table.post_inspection_vpc_route_table resource
aws_ec2_transit_gateway_route_table.spoke_vpc_route_table resource
aws_ec2_transit_gateway_route_table_association.inspection_tgw_association resource
aws_ec2_transit_gateway_route_table_association.spoke_tgw_association resource
aws_ec2_transit_gateway_route_table_propagation.spoke_propagation_to_post_inspection resource
aws_networkfirewall_firewall_policy.anfw_policy resource
aws_networkfirewall_rule_group.allow_domains resource
aws_networkfirewall_rule_group.allow_icmp resource
aws_networkfirewall_rule_group.drop_remote resource

Inputs

inspection_vpc (type: any, required: no) - Inspection VPC definition. Default:
  {
    "cidr_block": "10.129.0.0/24",
    "flow_log_config": {
      "log_destination_type": "cloud-watch-logs",
      "retention_in_days": 7
    },
    "number_azs": 2,
    "private_subnet_netmask": 28,
    "public_subnet_netmask": 28,
    "tgw_subnet_netmask": 28
  }

project_name (type: string, required: no) - Name of the project. Default: "aws-hub-and-spoke-demo"

region (type: string, required: no) - AWS Region. Default: "eu-west-1"

spoke_vpcs (type: any, required: no) - Spoke VPCs definition. Default:
  {
    "spoke-vpc-1": {
      "cidr_block": "10.0.0.0/24",
      "endpoint_subnet_netmask": 28,
      "flow_log_config": {
        "log_destination_type": "cloud-watch-logs",
        "retention_in_days": 7
      },
      "instance_type": "t2.micro",
      "number_azs": 2,
      "tgw_subnet_netmask": 28,
      "workload_subnet_netmask": 28
    },
    "spoke-vpc-2": {
      "cidr_block": "10.0.1.0/24",
      "endpoint_subnet_netmask": 28,
      "flow_log_config": {
        "log_destination_type": "cloud-watch-logs",
        "retention_in_days": 7
      },
      "instance_type": "t2.micro",
      "number_azs": 2,
      "tgw_subnet_netmask": 28,
      "workload_subnet_netmask": 28
    }
  }

Outputs

Name Description
instances EC2 instances created.
network_firewall AWS Network Firewall ID.
transit_gateway_id AWS Transit Gateway ID.
transit_gateway_route_tables Transit Gateway Route Tables.
vpc_endpoints SSM VPC endpoints created.
vpcs VPCs created.