1. VPC (Virtual Private Cloud)
A VPC is like a company building. Inside this building you have different sections (subnets) where the company's workers do their jobs (EC2 instances, Lambda functions, RDS databases, and so on).
A VPC matters because it is the isolation boundary: it has its own private address space, and nothing outside it can reach your resources unless you explicitly build a path in (an Internet Gateway plus a route, see sections 3 and 4). A VPC on its own does not filter anything; that is the job of route tables and security groups. It also keeps all your resources organized in one place.
Example code to create a VPC using Terraform
```hcl
resource "aws_vpc" "example_vpc" {
  cidr_block = "10.0.0.0/16" # The address range for your 'company' (65,536 IPs)

  tags = {
    Name = "example-vpc" # Name of the company building,
    # add more tags if needed
  }
}
```
2. Subnets
A subnet is a specific section inside the company building. It is carved out of the VPC's address range and lives in exactly one Availability Zone. Subnets inside a VPC are either public or private.
Public Subnet: A subnet is public if its route table has a route to an Internet Gateway (IGW). Resources inside it can be reached from the internet, provided they have a public IP address and their security group allows the traffic.
Private Subnet: A subnet is private if its route table has no route to an IGW. Resources inside it cannot be reached from the internet directly, and they cannot reach the internet either unless you add a NAT Gateway (section 5).
Note that "public" and "private" are properties of the subnet's route table, not of the subnet resource itself. The map_public_ip_on_launch flag below only controls whether instances launched in the subnet get a public IPv4 address automatically; it does not create a path to the internet.
Example code to create Public and Private Subnets
```hcl
resource "aws_subnet" "public_subnet" {
  vpc_id     = aws_vpc.example_vpc.id
  cidr_block = "10.0.1.0/24" # A smaller section of the building: 256 addresses, 251 usable (AWS reserves 5 per subnet)

  # Hand out a public IPv4 address on launch. This alone does not make the
  # subnet public; the route to the IGW in section 4 does.
  map_public_ip_on_launch = true

  tags = {
    Name = "public-subnet" # Name of the public section
    # add more tags if needed
  }
}

resource "aws_subnet" "private_subnet" {
  vpc_id     = aws_vpc.example_vpc.id
  cidr_block = "10.0.2.0/24" # Another section of the building (256 addresses, 251 usable)

  # No public IPs: instances here are reachable only from inside the VPC.
  map_public_ip_on_launch = false

  tags = {
    Name = "private-subnet" # Name of the private section
    # add more tags if needed
  }
}
```
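As an added example (not code from the original post), here is the same idea generalized to one public and one private subnet per Availability Zone, with the CIDRs computed from the VPC block by cidrsubnet() instead of typed by hand. It assumes aws_vpc.example_vpc from section 1 and a region with at least two AZs; the ranges start at 10.0.10.0/24 and 10.0.100.0/24 so they do not overlap the two fixed subnets above.

```hcl
# Added example, not from the original post. Assumes aws_vpc.example_vpc
# (10.0.0.0/16) from section 1 and a region with at least two AZs.

data "aws_availability_zones" "available" {
  state = "available"
}

locals {
  # Take the first two AZs; spreading subnets across AZs is what survives an AZ outage.
  azs = slice(data.aws_availability_zones.available.names, 0, 2)
}

resource "aws_subnet" "public" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.example_vpc.id
  availability_zone = local.azs[count.index]

  # cidrsubnet(prefix, newbits, netnum): 8 new bits turns the /16 into /24s.
  # netnum 10 and 11 give 10.0.10.0/24 and 10.0.11.0/24.
  cidr_block = cidrsubnet(aws_vpc.example_vpc.cidr_block, 8, 10 + count.index)

  map_public_ip_on_launch = true

  tags = {
    Name = "public-${local.azs[count.index]}"
    Tier = "public"
  }
}

resource "aws_subnet" "private" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.example_vpc.id
  availability_zone = local.azs[count.index]

  # netnum 100 and 101 give 10.0.100.0/24 and 10.0.101.0/24; the offset
  # guarantees the private ranges can never collide with the public ones.
  cidr_block = cidrsubnet(aws_vpc.example_vpc.cidr_block, 8, 100 + count.index)

  map_public_ip_on_launch = false

  tags = {
    Name = "private-${local.azs[count.index]}"
    Tier = "private"
  }
}
```

Deriving every subnet from aws_vpc.example_vpc.cidr_block means changing the VPC range in one place re-plans all subnets consistently, and terraform plan will refuse overlapping CIDRs before anything is created.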
3. Internet Gateway (IGW)
An Internet Gateway is the main door of your company building. It is attached to the VPC as a whole (a VPC can have at most one IGW attached), and a section can use the door only if its route table points at it (section 4). Attaching an IGW by itself exposes nothing.
Example code to create an Internet Gateway
```hcl
resource "aws_internet_gateway" "gw" {
  vpc_id = aws_vpc.example_vpc.id # Attach the door to the company building

  tags = {
    Name = "main-igw" # Name of the main door
    # more tags if needed
  }
}
```
4. Route Tables
A Route Table defines where traffic leaving a subnet is sent. It is the internal map of the company building: it tells people how to get from one section to another (the implicit "local" route covering the whole VPC range) or outside the building (a route to the IGW).
Every VPC comes with a main route table that only knows the local route, and any subnet you do not explicitly associate with a table falls back to it. That is why the example below creates a dedicated table for the public subnet and associates it explicitly: putting the 0.0.0.0/0 route on the main table would silently make every subnet in the VPC public.
Example code to create Route Tables
```hcl
# Public Route Table
resource "aws_route_table" "public_rt" {
  vpc_id = aws_vpc.example_vpc.id

  route {
    cidr_block = "0.0.0.0/0"                # Everything not local goes to the outside world
    gateway_id = aws_internet_gateway.gw.id # through the main door (IGW). This one line is what makes the subnet public.
  }

  tags = {
    Name = "public-route-table" # Name of the map for the public section
  }
}

# Associating Route Table with Public Subnet
resource "aws_route_table_association" "public_assoc" {
  subnet_id      = aws_subnet.public_subnet.id
  route_table_id = aws_route_table.public_rt.id
}
```
5. NAT Gateway
A NAT Gateway lets resources in private subnets initiate connections to the internet while nothing on the internet can initiate a connection back to them. It is like a secret exit that lets people in the private section go out, but not receive visitors.
It lives in a public subnet, uses an Elastic IP as its fixed source address, and the private subnet's route table must point 0.0.0.0/0 at it (otherwise the private subnet still has no way out). Typical uses are OS updates and calls to external services. Keep in mind that a NAT Gateway is a routing device, not a filter: every outbound connection is allowed through it, so what may leave the private subnet has to be restricted with security group egress rules (section 6).
Example code to create a NAT Gateway
```hcl
# Elastic IP for NAT Gateway
resource "aws_eip" "nat_eip" {
  domain = "vpc" # VPC-scoped address (AWS provider v5+; older providers used vpc = true)
}

# NAT Gateway
resource "aws_nat_gateway" "nat" {
  subnet_id     = aws_subnet.public_subnet.id # Must sit in a public subnet so it can reach the IGW
  allocation_id = aws_eip.nat_eip.id          # The secret exit uses the Elastic IP as its source address

  # The gateway cannot work until the IGW is attached; make the ordering explicit
  depends_on = [aws_internet_gateway.gw]

  tags = {
    Name = "nat-gateway" # Name of the secret exit
  }
}
```
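The piece that sections 4 and 5 leave out is the private subnet's own route table: without it the private subnet falls back to the VPC's main table and the NAT Gateway is never used. The following is an added example, not code from the original post; it assumes aws_vpc.example_vpc, aws_subnet.private_subnet, aws_internet_gateway.gw and aws_nat_gateway.nat as defined above, and the postcondition needs Terraform 1.2 or newer.

```hcl
# Added example, not from the original post. Assumes aws_vpc.example_vpc,
# aws_subnet.private_subnet, aws_internet_gateway.gw and aws_nat_gateway.nat.

# Private Route Table: the default route goes to the NAT Gateway, never to the IGW.
resource "aws_route_table" "private_rt" {
  vpc_id = aws_vpc.example_vpc.id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id # outbound only; no inbound path exists
  }

  tags = {
    Name = "private-route-table"
  }

  # Guard rail: fail the apply if this table ever picks up a route through the
  # IGW, which would silently turn the private subnet into a public one.
  lifecycle {
    postcondition {
      condition = !anytrue([
        for r in self.route : r.gateway_id == aws_internet_gateway.gw.id
      ])
      error_message = "Private route table must not route through the Internet Gateway."
    }
  }
}

# Explicit association, so the private subnet does not fall back to the main route table.
resource "aws_route_table_association" "private_assoc" {
  subnet_id      = aws_subnet.private_subnet.id
  route_table_id = aws_route_table.private_rt.id
}
```

After terraform apply, an instance in private_subnet can run package updates (its traffic leaves via the NAT Gateway's Elastic IP), while a connection attempt from the internet to its private address has no route back and never arrives.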
6. Security Groups (SG)
Security Groups are virtual firewalls attached to network interfaces (EC2 instances, load balancers, RDS databases and so on) that control inbound and outbound traffic. They can be thought of as security guards at the entrance of each section of your building: they decide who gets in and who doesn't based on rules (protocol, ports, source or destination). Two properties matter in practice. Security groups are stateful: if an inbound request is allowed, its reply is allowed out automatically, and vice versa. And they contain allow rules only, so anything not explicitly allowed is dropped. A rule's source can be a CIDR range or another security group; the second form is what lets you say "only instances in the web tier may talk to the app tier" without caring about IP addresses.
Example code to create a Security Group
```hcl
resource "aws_security_group" "web_sg" {
  vpc_id = aws_vpc.example_vpc.id

  ingress {
    from_port   = 22 # SSH (Security guard allows SSH access)
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # SSH from anywhere: acceptable for a throwaway demo, never for production. Restrict to your admin range or a bastion SG.
  }

  ingress {
    from_port   = 80 # HTTP (Security guard allows web traffic)
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0 # Allow all outgoing traffic ("-1" means every protocol; ports are ignored)
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "web-security-group"
  }
}
```
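The group above is the weak form: SSH open to the world and unrestricted egress. Below is the hardened shape a practitioner would use for the public/private layout in this post, as an added example that is not code from the original post. It assumes aws_vpc.example_vpc from section 1; the range 203.0.113.0/24 (TEST-NET-3) stands in for your office or VPN range and port 8080 for the app's listener, both of which are assumptions.

```hcl
# Added example, not from the original post. Assumes aws_vpc.example_vpc.
# 203.0.113.0/24 and port 8080 are placeholders for your admin range and app port.

# Bastion: the only thing that accepts SSH, and only from the admin range.
resource "aws_security_group" "bastion_sg" {
  name        = "bastion-sg"
  description = "SSH from the admin range only"
  vpc_id      = aws_vpc.example_vpc.id

  ingress {
    description = "SSH from admin range (placeholder CIDR)"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"]
  }

  # Declaring any egress block replaces Terraform's default allow-all egress.
  egress {
    description = "SSH onward into the VPC only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.example_vpc.cidr_block]
  }

  tags = { Name = "bastion-sg" }
}

# Web tier (public subnet): HTTPS from the internet, SSH only via the bastion.
resource "aws_security_group" "web_sg_hardened" {
  name        = "web-sg-hardened"
  description = "Web tier"
  vpc_id      = aws_vpc.example_vpc.id

  ingress {
    description = "HTTPS from anywhere"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description     = "SSH only from instances in the bastion SG"
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion_sg.id]
  }

  egress {
    description = "App tier inside the VPC (CIDR rather than SG ref, to avoid a dependency cycle)"
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.example_vpc.cidr_block]
  }

  egress {
    description = "HTTPS out for package repos and external APIs"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = { Name = "web-sg-hardened" }
}

# App tier (private subnet): reachable only from the web tier, by SG reference,
# so the rule keeps working when web instances are replaced and change IP.
resource "aws_security_group" "app_sg" {
  name        = "app-sg"
  description = "App tier, web tier only"
  vpc_id      = aws_vpc.example_vpc.id

  ingress {
    description     = "App port from the web tier SG only"
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.web_sg_hardened.id]
  }

  egress {
    description = "HTTPS out through the NAT Gateway for updates; nothing else leaves"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = { Name = "app-sg" }
}
```

Because security groups are stateful, an admin connecting admin range -> bastion (22) -> web instance (22) needs only the ingress rules shown plus the bastion's egress; the replies flow back without extra rules. The app tier never has port 22 open at all, and its tight egress is what actually limits what the NAT Gateway will carry out of the private subnet.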