Creating a Multi-tier, Highly Available VPC Network in AWS using Terraform

This article will help you create a multi-tier, highly available (multi-AZ) VPC network in AWS using Terraform (IaC).

Assumptions made: The reader has

  1. A basic understanding of AWS and its services such as VPC, subnets, etc.
  2. Terraform installed, along with basic knowledge of how it works

Amazon VPC (Virtual Private Cloud) is the networking layer for your AWS resources such as EC2, Lambda functions, CodeBuild, RDS, etc. It lets you create a customized network according to your business requirements. A VPC resembles a traditional network that you'd operate in your own data center, with the benefit of using the secure and scalable infrastructure of AWS. To learn more about AWS VPC, visit the link.

A typical web application has the following three tiers, each of which has different networking requirements.

  • Web tier (hosting the frontend components) must be reachable from the internet, as it serves users on the public internet. For example, a web page takes input data (username and password to log in) from the user.
  • Application/Backend tier (hosting all kinds of processing engines) does not need to be reachable from the public internet, since end users never access it directly; only the Web tier needs to reach it to process users' requests. For example, the data taken from the input is passed to the backend for validation and/or processing.
  • Database tier (consisting of DBs etc.) is the most vulnerable tier of all, as it stores the user and business data. It should be reachable neither from the public internet nor from the Web tier, since neither of them accesses the DB tier directly; only the Application/Backend tier does. For example, the user password is verified against the DB data.

We assume the above use case and will create a VPC network for it in the following.
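The three access rules above, expressed as AWS security groups in Terraform (an added example, not code from the article's repository; the vpc_id variable, the "vpcchallenege-dev" name prefix and the app/DB ports are assumptions):

```hcl
# Added example, not the repo's code. It assumes the module receives the VPC id
# and uses the article's "<project>-<workspace>-<name>" naming; the app port
# (8080) and DB port (5432, PostgreSQL) are assumptions. AWS provider >= 5.0.
variable "vpc_id" { type = string }
locals { prefix = "vpcchallenege-dev" }

# One security group per tier, with rules attached as separate resources.
resource "aws_security_group" "tier" {
  for_each = toset(["web", "app", "db"])
  name     = "${local.prefix}-${each.key}-sg"
  vpc_id   = var.vpc_id
}

# Web tier: the only tier reachable from the internet, and only on HTTPS.
resource "aws_vpc_security_group_ingress_rule" "web_https" {
  security_group_id = aws_security_group.tier["web"].id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# App tier: accepts connections only from members of the web security group.
resource "aws_vpc_security_group_ingress_rule" "app_from_web" {
  security_group_id            = aws_security_group.tier["app"].id
  referenced_security_group_id = aws_security_group.tier["web"].id
  ip_protocol                  = "tcp"
  from_port                    = 8080
  to_port                      = 8080
}

# DB tier: accepts connections only from the app group, never from web or internet.
resource "aws_vpc_security_group_ingress_rule" "db_from_app" {
  security_group_id            = aws_security_group.tier["db"].id
  referenced_security_group_id = aws_security_group.tier["app"].id
  ip_protocol                  = "tcp"
  from_port                    = 5432
  to_port                      = 5432
}

# Web and app need outbound access (to the next tier, and NAT for patches).
# The DB group gets no egress rule: replies to the app tier are still allowed
# because security groups are stateful.
resource "aws_vpc_security_group_egress_rule" "all_out" {
  for_each          = { web = aws_security_group.tier["web"].id, app = aws_security_group.tier["app"].id }
  security_group_id = each.value
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
```

Because Terraform strips the default allow-all egress from a security group it creates, leaving the DB group without an egress rule is what actually blocks outbound connections from that tier.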

VPC subnets can be divided into two categories:

  1. Public subnets, with inbound and outbound internet traffic enabled (via an Internet gateway).
  2. Private subnets, with inbound internet access disabled, (optionally) outbound internet traffic enabled (via a NAT gateway), and internal (from within the VPC) inbound and outbound traffic enabled. The traffic routes are customizable and depend on the business requirement. Note: Outbound internet access is required to download patches and/or required packages, etc.

We will be creating the following network architecture in AWS using IaC (Terraform). It consists of 2 Availability Zones (AZs) for High Availability (HA). Learn more about HA on the link. Each AZ consists of 3 subnets: a public subnet (to host the web tier), a private subnet (for the backend tier), and a protected subnet (for the DB or any other equally vulnerable component).

[Image: network architecture diagram]

Executing the Terraform script:

Follow the steps below to create the VPC with Terraform script.

  1. Download the source code from the repo.

The repo has the following structure (see screenshot).

[Screenshot: repository structure]

terraform/modules/vpc/ contains the VPC definition. More services can be added under terraform/modules/, for example terraform/modules/ec2/. terraform/infra/ creates all the modules sitting in terraform/modules/ (for now we only have vpc, but it can be extended as needed). Learn more about how Terraform modules work.

2. Open the file terraform/infra/providers.tf and make sure it has your required configuration, i.e. your AWS_PROFILE name goes in 'profile' and your AWS_REGION name goes in 'region'.

provider "aws" {
  region  = "eu-west-1"
  profile = "default"
}

3. terraform/infra/vars/dev.tfvars is the variable file used to pass values to the Terraform script, e.g. vpc_cidr and public_subnet_cidrs. Open this file and make sure it has the right values for your requirement. This Terraform script is written for scalability: passing two values for the variable public_subnet_cidrs means the script will use 2 AZs in the VPC. You can use as many AZs as required by providing the respective number of CIDR blocks in public_subnet_cidrs, private_subnet_cidrs, and protected_subnet_cidrs.

project                = "vpcchallenege"
#############################
#    VPC Vars
#############################
vpc_cidr               = "172.31.0.0/16"
enable_dns_hostnames   = true
enable_dns_support     = true
public_subnet_cidrs    = ["172.31.0.0/24", "172.31.32.0/24"]
private_subnet_cidrs   = ["172.31.2.0/24", "172.31.3.0/24"]
protected_subnet_cidrs = ["172.31.7.0/24", "172.31.9.0/24"]

Note: You can create a variable file with the name of your choice, but the best practice is to name it after your environment, e.g. uat.tfvars for the UAT environment and prod.tfvars for the production environment.
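How a module can turn those CIDR lists into one subnet per AZ, and why the protected subnet gets no internet route (an added example, not the repository's vpc module; the AZ lookup, the names and the precondition are assumptions). It goes slightly beyond the article by failing the plan when the three lists differ in length, which would otherwise leave some AZ without a full set of tiers:

```hcl
# Added example, not the repo's vpc module. It consumes the same variables as
# dev.tfvars; the AZ lookup, the names and the per-tier routing are assumptions.
variable "project"                { type = string }
variable "vpc_cidr"               { type = string }
variable "public_subnet_cidrs"    { type = list(string) }
variable "private_subnet_cidrs"   { type = list(string) }
variable "protected_subnet_cidrs" { type = list(string) }
data "aws_availability_zones" "available" { state = "available" }

locals {
  az_count = length(var.public_subnet_cidrs) # one AZ per public CIDR given
  name     = "${var.project}-${terraform.workspace}"
}

resource "aws_vpc" "this" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  tags                 = { Name = "${local.name}-vpc" }
  lifecycle {
    precondition { # fail the plan if the lists would not cover the same AZs
      condition     = length(var.private_subnet_cidrs) == local.az_count && length(var.protected_subnet_cidrs) == local.az_count
      error_message = "public, private and protected CIDR lists must have one entry per AZ."
    }
  }
}

# Same index in each list lands in the same AZ, so every AZ gets all three tiers.
resource "aws_subnet" "public" {
  count                   = local.az_count
  vpc_id                  = aws_vpc.this.id
  cidr_block              = var.public_subnet_cidrs[count.index]
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true # web tier instances get a public IP
}
resource "aws_subnet" "protected" {
  count             = local.az_count
  vpc_id            = aws_vpc.this.id
  cidr_block        = var.protected_subnet_cidrs[count.index]
  availability_zone = data.aws_availability_zones.available.names[count.index]
}

# Protected subnets use a route table holding only the implicit VPC-local route
# (no IGW, no NAT), so the DB tier can neither be reached from nor reach the
# internet. Private subnets would instead add a 0.0.0.0/0 -> NAT gateway route.
resource "aws_route_table" "protected" {
  vpc_id = aws_vpc.this.id
}
resource "aws_route_table_association" "protected" {
  count          = local.az_count
  subnet_id      = aws_subnet.protected[count.index].id
  route_table_id = aws_route_table.protected.id
}
```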

4. Open a command-line terminal (cmd) in the folder terraform/infra/ and run the following command to create a Terraform workspace.

terraform workspace new dev        

Here dev is the name of your workspace. Learn more about Terraform Workspaces. You can choose any name for your workspace, but it is recommended to use your environment name. The workspace name will be used in the names of your services, e.g. your VPC's name would look like "<project-name>-<WorkSpace-name>-vpc".

5. Run the command below to initialize Terraform. This command must be run again whenever a new module is added to the script. The first time, it may take 5 to 10 minutes to complete.

terraform init        

6. Run the following command to check and confirm the actions that Terraform is going to take.

terraform plan --var-file vars/dev.tfvars

where 'vars/dev.tfvars' is the variables file.

You will get a console output similar to the following.

[Screenshot: terraform plan console output]

7. To create the resources, run the following command.

terraform apply --var-file vars/dev.tfvars

It will ask for confirmation before actually creating resources in the AWS account. You need to enter 'yes' to confirm. See the screenshot below.

[Screenshot: terraform apply confirmation prompt]

Once you enter 'yes', Terraform will start creating the resources in AWS and will show you output similar to the following.

[Screenshot: terraform apply progress output]

Once the Terraform execution has completed, it will show you a summary of the actions taken, i.e. the resources created/updated/deleted, which will look like the following screenshot. If you get such output, your resources were created successfully.

[Screenshot: terraform apply summary of resources created]

8. By following steps 1 to 7, you have created the VPC in your AWS account. Go to the AWS VPC console and make sure your region is selected in the top right of the screen. You should see a VPC like this.

[Screenshot: the created VPC in the AWS VPC console]

Now, if you need to delete all the resources created via Terraform, run the following command.

terraform destroy --var-file vars/dev.tfvars        

Enter 'yes' to confirm the deletion, as above. Deletion will complete in a couple of minutes and will show output similar to the following.

[Screenshot: terraform destroy output]


Out of Scope: The above network diagram has load balancers as well, which will be discussed in the coming articles.

Rizwan Sharif

DevOps | AWS | Kubernetes | Jenkins | Terraform | Docker | Azure DevOps | Ansible

2 years

Good work.

Muhammad Umer Afzal

Cloud Engineer | Azure | AWS | DevOps | Linux | ITOps

2 years

Awesome

Usman Baig

AWS Migration | Devops | AWS Solution Architect | MSP lead | Vmware VMC / (Systems/Network/Infrastructure)

2 years

Excellent boy

Abdullah Yahya

Cloud & Data Engineer | 3x AWS Certified

2 years

Awesome work..

Mohsin Khan

DevOps Engineer

2 years

Informative. Good work Sadeel.
