single-account

AWS Hub and Spoke Architecture with an Inspection VPC - Single AWS Account

This repository contains terraform code to deploy a sample AWS Hub and Spoke architecture with an Inspection VPC using AWS Network Firewall. The resources deployed and the architectural pattern they follow is purely for demonstration/testing purposes.

Prerequisites

• An AWS account with an IAM user with the appropriate permissions
• Terraform installed

Code Principles:

• Writing DRY (Do No Repeat Yourself) code using a modular design pattern

Usage

• Clone the repository
• Edit the variables.tf file in the project root directory. This file contains the information used to configure the Terraform code.

Note EC2 instances, and AWS Network Firewall endpoints will be deployed in all the Availability Zones configured for each VPC. Keep this in mind when testing this environment from a cost perspective - for production environments, we recommend the use of at least 2 AZs for high-availability.

Target Architecture

Deployment

• terraform init to initialize the environment.
• terraform plan to check the resources to create
• terraform apply to build the architecture.

Clean-up

• terraform destroy will clean-up the resources created.

Infrastructure configuration

AWS Network Firewall Policy

The AWS Network Firewall Policy is defined in the policy.tf file in the network_firewall module directory. By default:

• All the SSH and RDP traffic is blocked by the Stateless engine.
• The Stateful engine follows Strict Rule Ordering, blocking all the traffic by default. Two rule groups allow ICMP traffic (between East/West traffic only), and HTTPS traffic to any *.amazon.com domain.

VPC Flow Logs configuration

This project configures both the alert and flow logs to respective AWS Cloudwatch Log Groups (both for the VPC Flow logs and AWS Network Firewall logs). In VPC Flow logs, you can also use Amazon S3. In Network Firewall, you can also use Amazon S3, or Amazon Kinesis Firehose.

To follow best practices, all the logs are encrypted at rest using AWS KMS. The KMS key (alongside the IAM roles needed) is created using the iam_kms module.

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Requirements

Name	Version
terraform	>= 1.3.0
aws	>= 3.73.0

Providers

Name	Version
aws	>= 3.73.0

Modules

Name	Source	Version
compute	./modules/compute	n/a
hubspoke	aws-ia/network-hubandspoke/aws	3.2.0
iam_kms	./modules/iam_kms	n/a
spoke_vpcs	aws-ia/vpc/aws	= 4.4.2

Resources

Name	Type
aws_networkfirewall_firewall_policy.anfw_policy	resource
aws_networkfirewall_rule_group.allow_domains	resource
aws_networkfirewall_rule_group.allow_icmp	resource
aws_networkfirewall_rule_group.allow_tcp	resource
aws_networkfirewall_rule_group.drop_remote	resource

Inputs

Name	Description	Type	Default	Required
aws_region	AWS Region.	string	"eu-west-1"	no
identifier	Name of the project.	string	"hubspoke-inspection"	no
inspection_vpc	Inspection VPC definition.	any	{ "cidr_block": "10.129.0.0/24", "number_azs": 2, "private_subnet_netmask": 28, "public_subnet_netmask": 28, "tgw_subnet_netmask": 28 }	no
spoke_vpcs	Spoke VPCs definition.	any	{ "spoke-vpc-1": { "cidr_block": "10.0.0.0/24", "endpoint_subnet_netmask": 28, "flow_log_config": { "log_destination_type": "cloud-watch-logs", "retention_in_days": 7 }, "instance_type": "t2.micro", "number_azs": 2, "tgw_subnet_netmask": 28, "workload_subnet_netmask": 28 }, "spoke-vpc-2": { "cidr_block": "10.0.1.0/24", "endpoint_subnet_netmask": 28, "flow_log_config": { "log_destination_type": "cloud-watch-logs", "retention_in_days": 7 }, "instance_type": "t2.micro", "number_azs": 2, "tgw_subnet_netmask": 28, "workload_subnet_netmask": 28 } }	no

Outputs

Name	Description
instances	EC2 instances created.
network_firewall	AWS Network Firewall ID.
transit_gateway_id	AWS Transit Gateway ID.
transit_gateway_route_tables	Transit Gateway Route Table.
vpcs	VPCs created.