README.yaml
+56 -1 (56 additions & 1 deletion)
@@ -49,9 +49,64 @@ related:
49
49
description: |-
50
50
Terraform module to provision public and private [`subnets`](http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html) in an existing [`VPC`](https://aws.amazon.com/vpc)
51
51
52
-
**IMPORTANT:** This module provisions NAT instance with public IP.
52
+
53
53
__Note:__ this module is intended for use with an existing VPC and existing Internet Gateway.
54
54
To create a new VPC, use [terraform-aws-vpc](https://github.com/cloudposse/terraform-aws-vpc) module.
55
+
56
+
The core feature of this module is dividing up a given CIDR range so that a set of subnets each gets its own
57
+
distinct CIDR range within that range, and then creating those subnets in the appropriate availability zones.
58
+
The intention is to keep this module relatively simple and easy to use for the most popular use cases.
59
+
In its default configuration, this module creates 1 public subnet and 1 private subnet in each
60
+
of the specified availability zones. The public subnets are configured for bi-directional traffic to the
61
+
public internet, while the private subnets are configured for egress-only traffic to the public internet.
62
+
Rather than provide a wealth of configuration options allowing for numerous special cases, this module
63
+
provides some common options and further provides the ability to suppress the creation of resources, allowing
64
+
you to create and configure them as you like from outside this module. For example, rather than give you the
65
+
option to customize the Network ACL, the module gives you the option to create a completely open one (and control
66
+
access via Security Groups and other means) or not create one at all, allowing you to create and configure one yourself.
67
+
68
+
### Public subnets
69
+
70
+
This module defines a public subnet as one that has direct access to an internet gateway and can accept incoming connection requests.
71
+
In the simplest configuration, the module creates a single route table with a default route targeted to the
72
+
VPC's internet gateway, and associates all the public subnets with that single route table.
73
+
74
+
Likewise it creates a single Network ACL with associated rules allowing all ingress and all egress,
75
+
and associates that ACL with all the public subnets.
76
+
77
+
### Private subnets
78
+
79
+
A private subnet may be able to initiate traffic to the public internet through a NAT gateway,
80
+
a NAT instance, or an egress-only internet gateway, or it might only have direct access to other
81
+
private subnets. In the simple configuration, for IPv4 and/or IPv6 with NAT64 enabled via `public_dns64_enabled`
82
+
or `private_dns64_enabled`, the module creates 1 NAT Gateway or NAT Instance for each
83
+
private subnet (in the public subnet in the same availability zone), creates 1 route table for each private subnet,
84
+
and adds to that route table a default route from the subnet to its NAT Gateway or Instance. For IPv6,
85
+
the module adds a route to the Egress-Only Internet Gateway configured via input.
86
+
87
+
As with the Public subnets, the module creates a single Network ACL with associated rules allowing all ingress and
88
+
all egress, and associates that ACL with all the private subnets.
89
+
90
+
### Customization for special use cases
91
+
92
+
Various features are controlled by `bool` arguments with names ending in `_enabled`. By changing the default
93
+
values, you can enable or disable creation of public subnets, private subnets, route tables,
94
+
NAT gateways, NAT instances, or Network ACLs. So for example, you could use this module to create only
95
+
private subnets and the open Network ACL, and then add your own route table associations to the subnets
96
+
and route all non-local traffic to a Transit Gateway or VPN.
97
+
98
+
### CIDR allocation
99
+
100
+
For IPv4, you provide a CIDR and the module divides the address space into the largest CIDRs possible that are still
101
+
small enough to accommodate `max_subnet_count` subnets of each enabled type (public or private). When `max_subnet_count`
102
+
is left at the default `0`, it is set to the total number of availability zones in the region. Private subnets
103
+
are allocated out of the first half of the reserved range, and public subnets are allocated out of the second half.
104
+
105
+
For IPv6, you provide a `/56` CIDR and the module assigns `/64` subnets of that CIDR in consecutive order starting
106
+
at zero. (You have the option of specifying a list of CIDRs instead.) As with IPv4, enough CIDRs are allocated to
107
+
cover `max_subnet_count` private and public subnets (when both are enabled, which is the default), with the private
108
+
subnets being allocated out of the lower half of the reservation and the public subnets allocated out of the upper half.
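Review bot: the `-` line at original line 52 drops `**IMPORTANT:** This module provisions NAT instance with public IP.` and nothing in the added text restores it; the new Private subnets paragraph (new lines 79-85) only says a NAT Instance is created "in the public subnet in the same availability zone", so a reader no longer learns that the instance gets a public IP, which is exactly the detail someone reviewing exposure and security groups needs. Suggest carrying the warning into that paragraph, for example `__Note:__ NAT instances are launched in the public subnets with a public IP.` Two smaller points in the same hunk: new lines 81-82 ("for IPv4 and/or IPv6 with NAT64 enabled via `public_dns64_enabled` or `private_dns64_enabled`") read as if NAT is only created when NAT64 is on, whereas the sentence seems to mean plain IPv4 gets NAT and IPv6 additionally needs NAT64, so splitting it into two sentences would remove the ambiguity; and new line 85 says the Egress-Only Internet Gateway is "configured via input" without naming the input variable, so readers cannot find it without reading the module source.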