AWS Site-to-Site VPN Private IP VPN - Terraform

This repository contains Terraform code to deploy an AWS Site-to-Site VPN Private IP VPN over AWS Direct Connect. The following resources are created by default:

  • Direct Connect gateway. By default, both examples create a new Direct Connect gateway resource. If you want to test this code over an existing Direct Connect gateway, check each specific example to understand how you can configure this.
  • Customer gateway, and AWS Site-to-Site VPN Private IP VPN.
  • AWS Transit Gateway, and one Transit Gateway Route Table to which all the VPCs and the VPN are associated and into which they propagate their routes.
  • Two Spoke VPCs, each of them with EC2 instances and VPC endpoints (AWS Systems Manager) to test the end-to-end connectivity.

In both examples, the following variables are defined with default values:

  • ASN numbers: AWS-side (for the Transit Gateway and the Direct Connect gateway), and customer-side (for the Customer gateway).
  • Transit Gateway CIDR block - used for the private Outer IPs when creating the VPN.
  • Allowed prefixes - AWS-side CIDR blocks to add in the Direct Connect gateway (if created).
  • Customer gateway IP - use the private IP of your device on premises.

Feel free to change these variables (check each example to see how you can do that) to build the Private IP VPN connection with values from your hybrid network.

Architecture diagram

The resources deployed and the architectural pattern they follow are purely for demonstration/testing purposes. Take it as an example of how to create all the resources needed to build a Private IP VPN on top of a Direct Connect connection. The AWS Direct Connect connection and Transit VIF required to finish the end-to-end connectivity are not built in this example. The VPN tunnels on the on-premises routers are configured in the same way as for a standard AWS Site-to-Site VPN connection (check the documentation in the References section).
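The following is an added example, not the repository's own code, showing how the resources listed in this README fit together: the Private IP VPN is transported over the Transit Gateway attachment that the Direct Connect gateway association creates, and its outer IPs come from the Transit Gateway CIDR block. Variable names follow the Inputs table; the Direct Connect connection and Transit VIF are assumed to exist already, as stated above.

```hcl
# Added example (not the repository's code): minimal wiring of a Private IP VPN.
# Variables (var.asn_numbers, var.tgw_cidr_blocks, var.dxgw_allowed_prefixes,
# var.customer_gateway_ip, var.identifier) are the inputs documented in this README.

resource "aws_ec2_transit_gateway" "tgw" {
  amazon_side_asn             = var.asn_numbers.amazon_side_tgw
  transit_gateway_cidr_blocks = var.tgw_cidr_blocks # private outer IPs are taken from here
  description                 = "${var.identifier}-tgw"
}

resource "aws_dx_gateway" "dxgw" {
  name            = "${var.identifier}-dxgw"
  amazon_side_asn = var.asn_numbers.amazon_side_dxgw
}

resource "aws_dx_gateway_association" "dxgw_tgw_association" {
  dx_gateway_id         = aws_dx_gateway.dxgw.id
  associated_gateway_id = aws_ec2_transit_gateway.tgw.id
  allowed_prefixes      = var.dxgw_allowed_prefixes # CIDRs announced to on premises
}

# The association above creates a TGW attachment; the VPN tunnels ride over it,
# so the encrypted traffic never leaves the Direct Connect path.
data "aws_ec2_transit_gateway_dx_gateway_attachment" "tgw_dxgw_attachment" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  dx_gateway_id      = aws_dx_gateway.dxgw.id
  depends_on         = [aws_dx_gateway_association.dxgw_tgw_association]
}

resource "aws_customer_gateway" "cgw" {
  bgp_asn    = var.asn_numbers.customer_side
  ip_address = var.customer_gateway_ip # private IP of the on-premises device
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "private_ip_vpn" {
  customer_gateway_id                     = aws_customer_gateway.cgw.id
  transit_gateway_id                      = aws_ec2_transit_gateway.tgw.id
  type                                    = "ipsec.1"
  outside_ip_address_type                 = "PrivateIpv4" # Private IP VPN instead of public endpoints
  transport_transit_gateway_attachment_id = data.aws_ec2_transit_gateway_dx_gateway_attachment.tgw_dxgw_attachment.id
}
```

The route table association and propagation resources listed under Resources attach the VPN and spoke VPCs to the single Transit Gateway Route Table; they are omitted here to keep the example focused on the VPN itself.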

Deployment instructions

  • Clone the repository
  • Edit the variables.tf file (in the root directory) to configure the AWS Region to use, the project identifier, and the number of Availability Zones to use. Edit the locals.tf file (in the root directory) to configure the VPCs to create.
  • To change which Security Groups and VPC endpoints are created, edit the same locals.tf file in the project root directory.
  • Initialize Terraform using terraform init.
  • Now you can deploy the rest of the infrastructure using terraform apply.
  • To delete everything, use terraform destroy.

Note: The default number of Availability Zones to use in the VPCs is 1. Following best practices, each resource (EC2 instance and VPC endpoints) is created in every Availability Zone you configure, so increasing this number multiplies the resources deployed. Keep this in mind to avoid extra costs unless you are happy to deploy more resources and accept the additional cost.

References

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.

Requirements

Name Version
aws 4.20.0
awscc 0.25.0

Providers

Name Version
aws 4.20.0

Modules

Name Source Version
compute ./modules/compute n/a
iam_kms ./modules/iam_kms n/a
vpc_endpoints ./modules/vpc_endpoints n/a
vpcs aws-ia/vpc/aws 1.4.1

Resources

Name Type
aws_customer_gateway.cgw resource
aws_dx_gateway.dxgw resource
aws_dx_gateway_association.dxgw_tgw_association resource
aws_ec2_transit_gateway.tgw resource
aws_ec2_transit_gateway_route_table.tgw_rt resource
aws_ec2_transit_gateway_route_table_association.spoke_tgw_association resource
aws_ec2_transit_gateway_route_table_association.vpn_tgw_association resource
aws_ec2_transit_gateway_route_table_propagation.spoke_tgw_propagation resource
aws_ec2_transit_gateway_route_table_propagation.vpn_tgw_propagation resource
aws_vpn_connection.private_ip_vpn resource
aws_ec2_transit_gateway_dx_gateway_attachment.tgw_dxgw_attachment data source
aws_ec2_transit_gateway_vpn_attachment.vpn_tgw_attachment data source

Inputs

Name: asn_numbers
  Description: ASNs to configure in the different resources: Direct Connect gateway, Transit Gateway, and Customer gateway (on premises). None of these ASNs may overlap with the others.
  Type: object({ amazon_side_dxgw = string, amazon_side_tgw = string, customer_side = number })
  Default: { "amazon_side_dxgw": "64531", "amazon_side_tgw": "64532", "customer_side": 64533 }
  Required: no

Name: aws_region
  Description: AWS Region to spin up the resources.
  Type: string
  Default: "us-west-1"
  Required: no

Name: customer_gateway_ip
  Description: IPv4 private address of your Customer gateway (CGW).
  Type: string
  Default: "10.0.0.1"
  Required: no

Name: dxgw_allowed_prefixes
  Description: Allowed prefixes. This value is set when the Direct Connect gateway is associated to the Transit Gateway. The prefixes listed here are the CIDR announcements to on premises.
  Type: list(string)
  Default: ["10.0.0.0/8"]
  Required: no

Name: dxgw_id
  Description: ID of the Direct Connect gateway to use for the Private IP VPN connection creation. If no ID is defined, this repository will create one.
  Type: string
  Default: ""
  Required: no

Name: identifier
  Description: Project identifier. This value is added to all the resource names.
  Type: string
  Default: "private-ip-vpn-example"
  Required: no

Name: tgw_cidr_blocks
  Description: Transit Gateway CIDR blocks.
  Type: list(string)
  Default: ["10.0.0.0/24"]
  Required: no

Outputs

Name Description
customer_gateway_id Customer Gateway ID.
dx_gateway_id AWS Direct Connect gateway ID (if created).
ec2_instances EC2 instances created.
private_ip_vpn_id AWS Site-to-Site Private IP VPN ID.
ssm_endpoints SSM endpoints created.
transit_gateway_id Transit Gateway ID.
vpcs VPC IDs created.