Click to edit Master title style

AWS Global Networking in

Terraform
-Chad Smith
Click to edit Master title style

Introduction to Terraform
What is Hashicorp Terraform?
Click to edit Master title style
Terraform is an infrastructure as code (IaC) tool that allows
you to build, change, and version infrastructure safely and
efficiently.
This includes low-level components such as compute
instances, storage, and networking, as well as high-level
components such as DNS entries, SaaS features, etc.
Terraform can manage both existing service providers and
custom in-house solutions.
 Relevant Terraform Constructs
Click to edit Master title style
Resources Variables Modules Outputs Backend

Hardcoded
Parameters
Obfuscation of values or
which can
All object the dirty work properties of
make Location of
types that are of creating created
templates state files and
created in a multiple objects which
reusable while lockfile
terraform related can be
consolidating storage
template. resources of queried using
hardcoded
different types the backend
values
state objects
Terraform in AWS (SPoF)
Click to edit Master title style
AWS Cloud

Client provisions
or modifies AWS
resources via
Terraform
Terraform in AWS (SPoF)
Click to edit Master title style
AWS Cloud

Lockfile prevents
multiple actions
from same client
Terraform in AWS (SPoF)
Click to edit Master title style
AWS Cloud

Resource state
and outputs are
stored on the
client
Terraform in AWS (SPoF)
Click to edit Master title style
AWS Cloud

This paradigm does

not account for
multiple users or
shared access to
state and outputs
Terraform in AWS (SPoF)
Click to edit Master title style
AWS Cloud

Nor is this a
resilient design,
by any measure
Terraform in AWS (Resilient)
Click to edit Master title style
AWS Cloud

Store the state

files as S3 objects
for remote access
from other stacks
Terraform in AWS (Resilient)
Click to edit Master title style
AWS Cloud
Store the lockfiles
as DynamoDB
table items to
allow shared
access without
conflict
Demonstration
Click to edit Master title style
Evaluate the S3 and DynamoDB
configuration for use by Terraform
Click to edit Master title style

AWS Global Network

Requirements and Architecture
Network Functional Requirements
Click to edit Master title style
● Public-facing apps
● Internal only apps
● Geographic
separation
● Highly available
● VPN access
● Use private
networking where
possible
Requirement Translation to Features
Click to edit Master title style
Public Facing Applications

Public subnet
Requirement Translation to Features
Click to edit Master title style
Internal-only Applications

Private subnet
Requirement Translation to Features
Click to edit Master title style
Geographic Separation (For Business
Continuity)

Region Region

Region
Requirement Translation to Features
Click to edit Master title style
Highly Available

Region

Availability Zone Availability Zone Availability Zone

Requirement Translation to Features
Click to edit Master title style
VPN Access (either external or
private)

VPN Network VPC

Requirement Translation to Features
Click to edit Master title style
Use private networking where
possible

Gateway Endpoint Interface Endpoint

Single Region Network Diagram
Click to edit Master title style
Region

VPC
Single Region Network Diagram
Click to edit Master title style
Region

Availability Zone 1 Availability Zone 2 Availability Zone 3

VPC
Single Region Network Diagram
Click to edit Master title style
Region

Availability Zone 1 Availability Zone 2 Availability Zone 3

VPC

Public subnet 1 Public subnet 2 Public subnet 3

Private subnet Private subnet Private subnet

Single Region Network Diagram
Click to edit Master title style
Region

Availability Zone 1 Availability Zone 2 Availability Zone 3

VPC
Internet gateway

Public subnet 1 Public subnet 2 Public subnet 3

NAT gateway NAT gateway NAT gateway

Private subnet Private subnet Private subnet

Single Region Network Diagram
Click to edit Master title style
Region

Availability Zone 1 Availability Zone 2 Availability Zone 3

VPC
Internet gateway

Public subnet 1 Public subnet 2 Public subnet 3

Gateway
NAT gateway NAT gateway NAT gateway Endpoints

Private subnet Private subnet Private subnet

Click to edit Master title style

Single-Region Network
Deployment
Terraform VPC Resources (Atomic)
Click to edit Master title style
All of these require
● VPC object several parameters,
● Subnet(s) many of which are
redundant from one
● IGW resource to the next
VPC ● IGW attachment
● NAT GW(s)
● NAT GW EIP(s)
● Route table(s)
● RT attachment(s)
● Tag(s)
Terraform VPC Module
Click to edit Master title style
The module takes
care of all the
● CIDR atomic elements
with a single set of
● AZs parameters
● Public subnets
VPC

● Private subnets
● NAT GW #s
● Tags
Demonstration
Click to edit Master title style
Deploy a single-region VPC
Click to edit Master title style

Transit Gateway Deployment

Transit Gateway Basics
Click to edit Master title style

● Attach to subnet
● Region scoped
● Standalone resource
● Connect to VPCs
● Connect to on-prem
networks
Transit Gateway Provisioning
Click to edit Master title style
Transit Gateway can be
deployed as a standalone
resource
Transit Gateway Attachments
Click to edit Master title style
VPC
Attachments can be
Public subnet
created into subnets in a
VPC

Private subnet
Transit Gateway Attachments
Click to edit Master title style
VPC
Route table entries are
Public subnet
also required for each
subnet

Private subnet
Transit Gateway Attachments
Click to edit Master title style
VPC VPC

Public subnet

Multiple VPCs can

Private subnet
communicate via the
Transit Gateway
Transit Gateway Attachments
Click to edit Master title style
VPC VPC

Public subnet

Connect an on-premises
Private subnet data center via VPN

Corporate
data center
Transit Gateway Attachments
Click to edit Master title style
VPC VPC

Public subnet

Private subnet

Corporate Direct Connect

data center Location

Connect an on-premises data center via Direct

Connect Gateway
Terraform Transit Gateway Module
Click to edit Master title style

● TGW
● TGW VPC
attachments
● TGW routes
● Tags
What is missing from the module?
Click to edit Master title style
Because of all these
missing elements, it
makes sense to
● Cross-region peers make OUR OWN
module!
● Cross-region TGW
route table entries
● VPC route table
entries
Demonstration
Click to edit Master title style
Create a Transit Gateway module in
Terraform
Click to edit Master title style

Multi-Region Network
Connectivity using Transit
Gateway
Transit Gateway Attachments
Click to edit Master title style
Region Region Connect Transit Gateways
to each other via cross-
region VPN

This is very efficient for

multiple VPCs in each
Region Region
region
Cross-region Peering Considerations
Click to edit Master title style
● TGW route table
entries
● Requestor and
accepter are
separate resources
in separate regions
● What about DNS
resolution?
● Can we deploy all at
once?
Demonstration
Click to edit Master title style
Deploy Transit Gateway
Infrastructure with cross-region
peering
Click to edit Master title style

Multi-Region Network
Connectivity using VPC Peering
VPC Peering Basics
Click to edit Master title style
● Attach 2 VPC
networks
● Same region
● Same account
● Cross region
● Cross account
● No overlapping CIDR
VPC Peering Configuration
Click to edit Master title style
VPC VPC

Public subnet Requestor VPC Public subnet

Private subnet Private subnet

VPC Peering Configuration
Click to edit Master title style
VPC VPC

Public subnet Accepter VPC Public subnet

Private subnet Private subnet

VPC Peering Configuration
Click to edit Master title style
VPC VPC

Public subnet Public subnet

Private subnet Private subnet

Add route
table entry in
both VPCs
VPC Peering vs TGW Comparison
Click to edit Master title style
VPCp TGWp

Auto SR accept
VPC Peering vs TGW Comparison
Click to edit Master title style
VPCp TGWp

Auto SR accept

Auto CR accept
VPC Peering vs TGW Comparison
Click to edit Master title style
VPCp TGWp

Auto SR accept

Auto CR accept

Route table entry

VPC Peering vs TGW Comparison
Click to edit Master title style
VPCp TGWp

Auto SR accept

Auto CR accept

Route table entry

Attach to subnet
VPC Peering vs TGW Comparison
Click to edit Master title style
VPCp TGWp

Auto SR accept

Auto CR accept

Route table entry

Attach to subnet

SR private DNS resolution

VPC Peering vs TGW Comparison
Click to edit Master title style
VPCp TGWp

Auto SR accept

Auto CR accept

Route table entry

Attach to subnet

SR private DNS resolution

SR public DNS resolution

VPC Peering vs TGW Comparison
Click to edit Master title style
VPCp TGWp

Auto SR accept

Auto CR accept

Route table entry

Attach to subnet

SR private DNS resolution

SR public DNS resolution

CR private DNS resolution

VPC Peering vs TGW Comparison
Click to edit Master title style
VPCp TGWp

Auto SR accept

Auto CR accept

Route table entry

Attach to subnet

SR private DNS resolution

SR public DNS resolution

CR private DNS resolution

CR public DNS resolution

VPC Peering vs TGW Comparison
Click to edit Master title style
VPCp TGWp

Auto SR accept

Auto CR accept

Route table entry

Attach to subnet(s)

SR private DNS resolution

SR public DNS resolution

CR private DNS resolution

CR public DNS resolution

Monitoring
VPC Peering vs TGW Comparison
Click to edit Master title style
VPCp TGWp

Auto SR accept

Auto CR accept

Route table entry

Attach to subnet(s)

SR private DNS resolution

SR public DNS resolution

CR private DNS resolution

CR public DNS resolution

Monitoring
What about Terraform VPC Peering?
Click to edit Master title style
Let's create a small
module for handling
route table entries
for accepter and
● Same-region peers requestor
● Cross-region peers
● Does NOT handle
route table entries!
Demonstration
Click to edit Master title style
De-provision Transit Gateway and
replace with VPC Peering
Click to edit Master title style

Wrap up and QA