Private Network Only VPC with Transit Gateway and Egress VPC

Tips and Traps

Zhimin Wen
9 min read · Apr 7, 2024

I have an AWS environment that requires the application VPC to have private subnets only; all internet-bound traffic has to go through the on-premises firewalls.

Let’s simulate this setup on AWS with an egress VPC and a Transit Gateway.

Application VPC

We will have 3 application subnets under this VPC.

The Terraform to implement the VPC and the subnets is shown below:

resource "aws_vpc" "sha-app" {
  cidr_block           = "10.10.0.0/16"
  instance_tenancy     = "default"
  enable_dns_hostnames = true

  tags = {
    Name = "sha-app"
  }
}

locals {
  sha-subnets = [
    {
      name = "sha-rosa"
      cidr = "10.10.1.0/24"
    },
    {
      name = "sha-data"
      cidr = "10.10.2.0/24"
    },
    {
      name = "sha-mgmt"
      cidr = "10.10.3.0/24"
    },
    {
      # dedicated /28 (the AWS minimum subnet size) for the Transit Gateway attachment ENI
      name = "sha-tgw-attach"
      cidr = "10.10.248.0/28"
    }
  ]
}

resource "aws_subnet" "sha-subnets" {
  for_each = { for subnet in local.sha-subnets : subnet.name => subnet }

  cidr_block = each.value.cidr
  vpc_id     = aws_vpc.sha-app.id

  # map_public_ip_on_launch defaults to false, so no instance in these
  # subnets gets an auto-assigned public IPv4 address
  # map_public_ip_on_launch = false
  tags = {
    Name = each.value.name
  }
}

We create the subnets with the for_each loop. We are using the default value of…
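To make the private-only design concrete, here is an added example (not code from the original post) of how the application VPC above can be attached to the Transit Gateway so that every application subnet's default route leaves via the TGW and no internet gateway exists in the VPC. The `aws_ec2_transit_gateway` resource, its name `sha-tgw`, the ASN and the route table names are assumptions; the egress VPC side and the TGW route towards it are not shown.

```terraform
# Added example, not from the original post. Assumed: a TGW named "sha-tgw"
# with ASN 64512. No aws_internet_gateway is declared for aws_vpc.sha-app,
# so the TGW is the only path out of the VPC.
resource "aws_ec2_transit_gateway" "sha-tgw" {
  amazon_side_asn = 64512
  tags            = { Name = "sha-tgw" }
}

# The dedicated /28 subnet from local.sha-subnets hosts the attachment ENI.
resource "aws_ec2_transit_gateway_vpc_attachment" "sha-app" {
  transit_gateway_id = aws_ec2_transit_gateway.sha-tgw.id
  vpc_id             = aws_vpc.sha-app.id
  subnet_ids         = [aws_subnet.sha-subnets["sha-tgw-attach"].id]
  tags               = { Name = "sha-app-attach" }
}

# One route table for the application subnets: the implicit local VPC route
# plus 0.0.0.0/0 towards the TGW (and from there to the egress VPC and the
# on-premises firewalls). Nothing points at an internet gateway.
resource "aws_route_table" "sha-app-private" {
  vpc_id = aws_vpc.sha-app.id
  tags   = { Name = "sha-app-private" }
}

resource "aws_route" "sha-app-default-via-tgw" {
  route_table_id         = aws_route_table.sha-app-private.id
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = aws_ec2_transit_gateway.sha-tgw.id

  # The VPC attachment must exist before AWS accepts a route to the TGW.
  depends_on = [aws_ec2_transit_gateway_vpc_attachment.sha-app]
}

# Associate the three application subnets; the attachment subnet keeps the
# VPC main route table, as it only needs the local route.
resource "aws_route_table_association" "sha-app-private" {
  for_each = {
    for name, subnet in aws_subnet.sha-subnets : name => subnet
    if name != "sha-tgw-attach"
  }

  subnet_id      = each.value.id
  route_table_id = aws_route_table.sha-app-private.id
}
```

With the TGW's default route table association and propagation left enabled, the TGW still needs a static 0.0.0.0/0 route to the egress VPC attachment, which belongs to the egress side of the setup.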
