Private Network Only VPC with Transit Gateway and Egress VPC

Tips and Traps

9 min readApr 7, 2024

I have a AWS environment that requires to have private subnet only for the application VPC, all the internet bound traffic has to go through on-premise firewalls.

Let’s simulate this setup on AWS with a egress VPC and Transit Gateway.

Application VPC

We will have 3 application subnets under this VPC.

The Terraform to implement the VPC and the subnets are shown as below,

resource aws_vpc sha-app {
  cidr_block = "10.10.0.0/16"
  instance_tenancy = "default"
  enable_dns_hostnames = true
  
  tags = {
    Name = "sha-app"
  }
}

locals {
  sha-subnets = [
    {
      name = "sha-rosa"
      cidr = "10.10.1.0/24"
    },
    {
      name = "sha-data"
      cidr = "10.10.2.0/24"
    },
    {
      name = "sha-mgmt"
      cidr = "10.10.3.0/24"
    },
    {
      name = "sha-tgw-attach"
      cidr = "10.10.248.0/28"
    }

  ]
}

resource aws_subnet sha-subnets {
  for_each = { for subnet in local.sha-subnets : subnet.name => subnet }

  cidr_block = each.value.cidr
  vpc_id =  aws_vpc.sha-app.id

  # map_public_ip_on_launch = false
  tags = {
    Name = each.value.name
  }
}

We create the subnet with the for_each loop. We are using the default value of…

Private Network Only VPC with Transit Gateway and Egress VPC

Tips and Traps

Application VPC

Written by Zhimin Wen