In David’s previous article, he outlined some general requirements and best practices around designing your first AWS VPC. This article continues what was started in order to put the design into practice.
When building a multi-account AWS environment, it is important to make sure all the AWS VPCs are built the same way. If they are not, the environment becomes a headache to manage in the long term. To ensure they look the same, Uturn recommends using Infrastructure-as-Code, specifically Terraform. Terraform modules provide a reusable code block, which is exactly what this situation calls for.
Building your VPC Terraform Module
Consider what is important in your VPC configuration. Do you have optional and required components? Do you need a VPN and/or a NAT Gateway? What about Flow Logs?
My recommendation is to make the Terraform module configurable wherever possible, which can be done with nested modules and the count meta-argument.
For example, the AWS NAT Gateway is enabled with a nat_gateway variable, which then allows one NAT Gateway to be created in each of the public AZs.
Some AWS VPC endpoints cost $0 and simply save money. The S3 and DynamoDB gateway endpoints should be configured in every VPC, even if you are not currently using these services: they are common enough that they will end up in use, and the endpoints are free. Endpoints matter because these services are technically internet-based, which means that all traffic to and from them traverses the internet; without a VPC endpoint there is a data transfer charge for traffic into these services.
The last major hurdle to consider is route tables. This is normally something large companies already have a plan for, but if this is your first environment, start simple. Create two route tables per AZ, one public and one private. Associate each non-public subnet with its AZ's private route table, then do the same for each public subnet and its public route table.
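The pieces above (a nat_gateway toggle driven by count, one private route table per AZ with its subnet association, and the free S3/DynamoDB gateway endpoints attached to those tables) as one added Terraform fragment; this is example code, not the article's or Uturn's module. It assumes var.azs, var.public_subnet_ids and var.private_subnet_ids (one entry per AZ, in the same order), var.vpc_id and var.region are declared elsewhere in the module, and that the public route tables and internet gateway are built the same way in a separate file.

```terraform
# Added example; variables other than nat_gateway are assumed to exist in the module.
variable "nat_gateway" {
  description = "Create one NAT Gateway per public AZ; false leaves private subnets without egress"
  type        = bool
  default     = false
}

locals {
  az_count  = length(var.azs)
  nat_count = var.nat_gateway ? local.az_count : 0 # count toggles the NAT resources
}

resource "aws_eip" "nat" {
  count  = local.nat_count
  domain = "vpc"
}

resource "aws_nat_gateway" "this" {
  count         = local.nat_count
  allocation_id = aws_eip.nat[count.index].id
  subnet_id     = var.public_subnet_ids[count.index] # one NAT Gateway per public AZ
}

# One private route table per AZ; each private subnet is associated with its own AZ's table.
resource "aws_route_table" "private" {
  count  = local.az_count
  vpc_id = var.vpc_id
}

resource "aws_route" "private_default" {
  count                  = local.nat_count # default route only exists when NAT is enabled
  route_table_id         = aws_route_table.private[count.index].id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.this[count.index].id
}

resource "aws_route_table_association" "private" {
  count          = local.az_count
  subnet_id      = var.private_subnet_ids[count.index]
  route_table_id = aws_route_table.private[count.index].id
}

# Free S3 and DynamoDB gateway endpoints on every private route table, so traffic to
# these services stays on the AWS network instead of leaving through NAT.
resource "aws_vpc_endpoint" "gateway" {
  for_each          = toset(["s3", "dynamodb"])
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = aws_route_table.private[*].id
}
```

Setting nat_gateway = false drops the EIPs, NAT Gateways and default routes while keeping the per-AZ route tables and endpoints, so the VPC shape stays identical across accounts.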
With these few standards in place, it should be much easier to manage a larger number of VPCs, as they will all be designed to work in the same way.