Private Network Only VPC with Transit Gateway and Egress VPC
Tips and Traps
Apr 7, 2024
I have an AWS environment that requires private-only subnets for the application VPC; all internet-bound traffic has to go through on-premises firewalls.
Let’s simulate this setup on AWS with an egress VPC and a Transit Gateway.
Application VPC
We will have 3 application subnets under this VPC.
The Terraform to implement the VPC and the subnets is shown below:
# Application VPC. No Internet Gateway is attached; internet-bound traffic
# leaves through the Transit Gateway and the egress VPC.
resource "aws_vpc" "sha-app" {
  cidr_block           = "10.10.0.0/16"
  instance_tenancy     = "default"
  enable_dns_hostnames = true
  tags = {
    Name = "sha-app"
  }
}

# Three application subnets plus a small /28 reserved for the Transit Gateway attachment
locals {
  sha-subnets = [
    {
      name = "sha-rosa"
      cidr = "10.10.1.0/24"
    },
    {
      name = "sha-data"
      cidr = "10.10.2.0/24"
    },
    {
      name = "sha-mgmt"
      cidr = "10.10.3.0/24"
    },
    {
      name = "sha-tgw-attach"
      cidr = "10.10.248.0/28"
    }
  ]
}

# One aws_subnet per entry in local.sha-subnets, keyed by subnet name
resource "aws_subnet" "sha-subnets" {
  for_each   = { for subnet in local.sha-subnets : subnet.name => subnet }
  cidr_block = each.value.cidr
  vpc_id     = aws_vpc.sha-app.id
  # map_public_ip_on_launch = false   # left at the default, so instances never receive a public IP
  tags = {
    Name = each.value.name
  }
}
We create the subnets with a for_each loop. We are using the default value of…
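The security-relevant property of this VPC is that every subnet is private: no subnet hands out public IPs, every subnet CIDR sits inside the VPC CIDR, and no two subnets overlap. As an added example that is not part of the original post, the Python script below checks a subnet plan for exactly those properties before it is applied. The subnet list is constructed here from the article's locals block; the map_public_ip_on_launch values are assumed to be the AWS default (false) because the post leaves that argument commented out. The prefix-length bounds (/16 to /28) and the five addresses AWS reserves per subnet are AWS VPC rules, not values from the post.

```python
import ipaddress

# Constructed from the article's Terraform: the VPC CIDR and its four subnets.
# map_public_ip_on_launch is assumed False, the AWS default for a non-default VPC.
VPC_CIDR = "10.10.0.0/16"
SUBNETS = [
    {"name": "sha-rosa", "cidr": "10.10.1.0/24", "map_public_ip_on_launch": False},
    {"name": "sha-data", "cidr": "10.10.2.0/24", "map_public_ip_on_launch": False},
    {"name": "sha-mgmt", "cidr": "10.10.3.0/24", "map_public_ip_on_launch": False},
    {"name": "sha-tgw-attach", "cidr": "10.10.248.0/28", "map_public_ip_on_launch": False},
]

# AWS constraints: subnet prefix length must be between /16 and /28, and
# AWS reserves the first four and the last address of every subnet.
MIN_PREFIX = 16
MAX_PREFIX = 28
RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Number of addresses AWS lets you assign in a subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def check_subnet_plan(vpc_cidr, subnets):
    """Return a list of findings; an empty list means the plan matches a private-only VPC."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    findings = []
    accepted = []  # (name, network) pairs already validated, for overlap checks

    for s in subnets:
        name = s["name"]
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.10.1.5/24
            net = ipaddress.ip_network(s["cidr"], strict=True)
        except ValueError as exc:
            findings.append(f"{name}: invalid CIDR {s['cidr']} ({exc})")
            continue

        if not net.subnet_of(vpc):
            findings.append(f"{name}: {net} is outside VPC {vpc}")
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            findings.append(f"{name}: prefix /{net.prefixlen} is not allowed by AWS (/16 to /28)")
        if s.get("map_public_ip_on_launch", False):
            findings.append(f"{name}: map_public_ip_on_launch is true; a private-only VPC must not auto-assign public IPs")
        for other_name, other in accepted:
            if net.overlaps(other):
                findings.append(f"{name}: {net} overlaps {other_name} ({other})")
        accepted.append((name, net))

    return findings


if __name__ == "__main__":
    for line in check_subnet_plan(VPC_CIDR, SUBNETS) or ["plan OK: all subnets private, in-VPC, non-overlapping"]:
        print(line)
    for s in SUBNETS:
        print(f"{s['name']}: {usable_hosts(s['cidr'])} usable addresses")
```

Running the script against the article's plan produces no findings; the /28 attachment subnet leaves 11 usable addresses, which is plenty for a Transit Gateway attachment ENI. Adding a subnet that overlaps an existing one or flips map_public_ip_on_launch to true is reported before anything is applied, which is where a private-only design is cheapest to enforce.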