AWS VPC Peering and NAT Gateway using Terraform

Iman Kurniawan
May 17, 2020

Before you read further, I need to declare that I am not a network engineer. My CCNA certification has been rusting for over a decade. But networking is a crucial part of designing infrastructure for an application. In the cloud, networking is a service that you can provision with code. In this case, I will use Terraform to provision the network infrastructure and its configuration.

Background:

A VPC is a virtual boundary around your cloud resources. We want to host an internal application that is accessible inside the VPC but not from the internet. At the same time, we want the instance to be able to reach the internet to download the necessary application code, and to reach other AWS services.

NAT (Network Address Translation) is a way for hosts with private IP addresses to connect to the internet. The simplest example is the internet router at home.

There is an internal application that belongs to the Sales Department. The application will be used by internal users. The developer of this application is from a third-party vendor. The developer will access the AWS environment through a jump-host instance. The application needs to access the internet to download its dependency libraries.

Design:

We will have 1 VPC for the sales application and its users. We will use the default VPC to host the jump-host instance. The jump-host instance will have a public IP so the developer can access it. We use VPC peering to connect the default VPC to the Sales VPC. Then we create a NAT gateway so the application instance can connect to the internet.

Code Execution:

The source code is in GitHub https://github.com/footprns/aws-vpc

  1. Create a VPC with CIDR 192.168.0.0/24. It is divided into 2 subnets (private subnet 192.168.0.0/25 and public subnet 192.168.0.128/25).
  2. Create VPC peering from the default VPC to the Sales VPC (it can be vice versa). It needs to be approved by both VPC owners.
  3. Create a route from the default VPC to the Sales VPC and vice versa.
  4. Create a jump-host instance with a public IP and attach it to the correct security group with valid ingress and egress rules.
  5. Create an app instance without a public IP. If the VPC peering is working fine, then the jump-host instance can connect to the app instance.
  6. Create an internet gateway for the public subnet.
  7. Create an Elastic IP, then create a NAT Gateway attached to the Elastic IP and the public subnet.
  8. Create a route in the private subnet to the NAT Gateway.
  9. Create a route in the public subnet to the Internet Gateway. If everything is correct, then your app instance can connect to the internet.

The good things in the implementation:

  1. Using HCL dynamic nested blocks. They allow us to list the security group rules (ingress and egress) outside the module, which makes the module more dynamic and reusable.
  2. Using small modules as building blocks to build complex infrastructure. The small modules are reusable as well.

Challenges:

  1. Route management. As the number of VPCs grows, the growing number of routes needs to be managed as well.
  2. The NAT Gateway is not part of the free tier, so if you use a free tier account, make sure you destroy it when you don't need it. Anyway, destroying it with Terraform is very easy.
