CIDR: Classless Inter-Domain Routing
It is a method of representing IP addresses and routing information more efficiently than the traditional classful network addressing used in IPv4.
With CIDR, a network can be divided into smaller subnetworks, or subnets, each with its own unique IP address range.
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}
With this code, the VPC will have an IP address range of 10.0.0.0 ~ 10.0.255.255.
The first two octets (10.0) identify the network, and the last two octets (0.0) identify the hosts on that network.
The /16 indicates that the first 16 bits of the IP address identify the network (10.0.~.~).
The /32 indicates that the entire IP address identifies a single host (...).
module, resource, workspace
For different environments with similar settings, you can use modules and workspaces.
../module/vpc/vpc.tf
resource "aws_vpc" "main" {
  cidr_block = var.cidr_block
  tags = {
    Name = var.name
  }
}
../workspace/dev/vpc.tf
module "vpc" {
  source     = "../../modules/vpc"
  name       = "test-dev-vpc"
  cidr_block = "10.0.0.0/16"
}
Like this, a workspace can consume a set of resources as a module. Terraform will execute all of the code in the module's source directory, with the values passed in the module block filling the module's variables.
Public
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = var.public_cidr_block
  availability_zone       = var.public_az
  map_public_ip_on_launch = true
  tags = {
    Name = "${var.name}-public-subnet"
  }
}
resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.main.id
}
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gw.id
  }
  tags = {
    Name = "${var.name}-public-route-table"
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
The internet gateway allows traffic to flow between the VPC and the internet. On its own, however, it is not enough: instances in the public subnet cannot reach the internet directly until they have a public IP address and a route to the gateway.
map_public_ip_on_launch = true assigns a public IP address to instances launched in the subnet.
internet_gateway enables internet access for resources in the VPC (the point of entry between the VPC and the internet).
route_table includes a route to the internet gateway.
That route specifies that all traffic with destination 0.0.0.0/0 (any IP address) should be sent to the internet gateway.
route_table_association links the subnet to the route table; without it the subnet keeps using the VPC's main route table, which has no internet route.
Private
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = var.private_cidr_block
  availability_zone       = var.private_az
  map_public_ip_on_launch = false
  tags = {
    Name = "${var.name}-private-subnet"
  }
}
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
  tags = {
    Name = "${var.name}-private-route-table"
  }
}
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
resource "aws_eip" "nat" {
  # `vpc = true` is deprecated in newer AWS provider releases (the >=4.65.0
  # constraint below allows them); `domain = "vpc"` is the supported form.
  domain = "vpc"
}
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  # The NAT gateway must live in the PUBLIC subnet: it reaches the internet
  # through that subnet's 0.0.0.0/0 route to the internet gateway. Placing it
  # in the private subnet leaves it with no path out.
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.gw]
}
To enable instances in a private subnet to access the internet, you can create a NAT gateway with an Elastic IP (EIP) address.
With this code, outbound traffic from instances in the private subnet is routed through the NAT gateway and leaves for the internet using the public IP address of the EIP.
NAT gateway - lets private-subnet resources initiate connections to the internet while keeping their private IP addresses; it only forwards connections started from inside, so nothing on the internet can open a connection to those instances.
The NAT gateway itself cannot reach the internet: it must sit in the public subnet, whose route table points at the internet gateway, and depends_on makes Terraform create the internet gateway first.
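Putting the pieces above together, here is one self-contained version of the VPC module as an added example (my code, not the author's). It declares the variables the module body above references, derives both subnet ranges from the VPC CIDR with Terraform's built-in cidrsubnet function (so the /16 and /24 arithmetic from the CIDR section is done by Terraform rather than by hand), keeps the NAT gateway in the public subnet, and uses the current `domain = "vpc"` form for the EIP. The `az` variable and its default, the locals, the outputs and the `modules/vpc/main.tf` path are assumptions of this example; the workspace module block shown earlier calls it unchanged.

```hcl
# modules/vpc/main.tf  (added example; path, `az`, locals and outputs are assumptions)

variable "name"       { type = string }
variable "cidr_block" { type = string }                              # e.g. "10.0.0.0/16"
variable "az"         { type = string, default = "ap-northeast-1a" } # assumed default

# cidrsubnet(prefix, newbits, netnum): add 8 bits to the /16 and pick
# network 0 and 1, giving 10.0.0.0/24 and 10.0.1.0/24 for the VPC above.
locals {
  public_cidr  = cidrsubnet(var.cidr_block, 8, 0)
  private_cidr = cidrsubnet(var.cidr_block, 8, 1)
}

resource "aws_vpc" "main" {
  cidr_block = var.cidr_block
  tags       = { Name = var.name }
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = local.public_cidr
  availability_zone       = var.az
  map_public_ip_on_launch = true   # only this subnet hands out public IPs
  tags                    = { Name = "${var.name}-public-subnet" }
}

resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = local.private_cidr
  availability_zone       = var.az
  map_public_ip_on_launch = false  # instances here are never directly reachable
  tags                    = { Name = "${var.name}-private-subnet" }
}

resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.gw.id
  }
  tags = { Name = "${var.name}-public-route-table" }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_eip" "nat" {
  domain = "vpc"   # replaces the deprecated `vpc = true`
}

# The NAT gateway sits in the PUBLIC subnet: its own traffic leaves through
# that subnet's route to the internet gateway.
resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.gw]
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id   # outbound-initiated traffic only
  }
  tags = { Name = "${var.name}-private-route-table" }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

output "public_subnet_id"  { value = aws_subnet.public.id }
output "private_subnet_id" { value = aws_subnet.private.id }
```

Running `terraform plan` in the workspace directory shows the two derived subnet ranges in the plan output, which is a quick way to confirm they fall inside the VPC block before anything is created. Only the public subnet has a route to the internet gateway, so a host in the private subnet can reach out through the NAT gateway but has no inbound path from the internet.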
Terraform config
terraform {
  required_version = ">= 0.13"
  backend "local" {
    path = "terraform.tfstate"
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">=4.65.0"
    }
  }
}
This block sets the Terraform and AWS provider version constraints and the backend (where the state is stored). Other stacks (db, queue, etc.) can be pinned the same way. Note that the local backend writes terraform.tfstate in plain text, and the state can contain resource attributes you would not want to share, so keep the file out of version control.
Apply aws configure profile
To use AWS credentials, a provider setting is also needed.
provider "aws" {
  region  = "ap-northeast-1"
  profile = "test-dev"
}
terraform init -> plan -> apply
-> a simple VPC setup is done