A Minimally Viable Multi-AZ VPC and General Network Resources
Learning about AWS network resources was a challenge to wrap my head around when I was tasked with creating a Multi-AZ deployment.
This is something that takes quite a while to grok, and even longer to one-line-change-deploy my way to victory.
I find that these resources are often quite small in Terraform (only a few lines each), but it's the sheer number of them that makes the architecture a little hard to wrap my head around.
To avoid that, this is a list of the "minimally viable" requirements for a good network.
Resources
This resource list is non-exhaustive and does not include application-specific resources; it is strictly limited to bare-bones VPC requirements.
I have attempted to order it roughly the way the dependency graph Terraform creates looks:
- VPC
  - Main route table (empty)
- Route tables
  - Private route table
  - Public route table
- Subnets
  - Private subnets (a, b, c) for your region
    - Assign to the Private route table
  - Public subnets (a, b, c) for your region
    - Assign to the Public route table
- Internet Gateway (a, b, c)
  - Assign to all Public subnets
- NAT Gateway (a, b, c) with Elastic IP
  - Assign to all Private subnets
- Security groups
  - Private general egress (outbound `0.0.0.0/0`) to allow private resources to download things
    - Assign to Private resources
  - Private general ingress (from known endpoints)
    - Assign to Private resources that need ingress from known endpoints (like S3 or ECR)
- VPC Endpoints
  - S3 for 1 region is good, requires security group rules
    - Would be assigned to the Public/Private route tables