search

aws-ia / terraform-aws-network-hubandspoke

https://registry.terraform.io/modules/aws-ia/network-hubandspoke/aws
Apache License 2.0
28 stars 11 forks source link

Preventing spoke to spoke network traffic with routing domains and network definition without Inspection VPC #29

Open Eagleman7 opened 4 months ago

Eagleman7 commented 4 months ago

Hello AWS-IA,

I want to prevent traffic going from 1 spoke VPC to another spoke VPC. For this I am using the following code to add a routing domain for every new VPC attached to the TGW:

...
  network_definition = {
    type  = "PREFIX_LIST"
    value = aws_ec2_managed_prefix_list.network_prefix_list.id
  }

  spoke_vpcs = {
    routing_domains = [
      "spoke-1",
      "spoke-2",
      ...
    ]

    number_vpcs = 9

    vpc_information = {
      spoke-1 = {
        vpc_id                                        = "tgw-attach-12345678"
        transit_gateway_attachment_id = "tgw-attach-12345678"
        routing_domain                         = "spoke-1"
      }
      spoke-2 = {
        vpc_id                                        = tgw-attach-87654321
        transit_gateway_attachment_id = tgw-attach-87654321
        routing_domain                        = "spoke-2"
      }
...
resource "aws_ec2_managed_prefix_list" "network_prefix_list" {
  name           = "Network's Prefix List"
  address_family = "IPv4"
  max_entries    = 25

  entry {
    cidr        = "192.168.0.0/24"
    description = "spoke-1"
  }
  entry {
    cidr        = 192.168.1.0/24
    description = "spoke-2"
  }
}

This creates a seperate routing table with only routes to it's own spoke VPC and to egress through 0.0.0.0/0. However the egress VPC has the network_prefix_list attached which contains the subnets for the spokes VPC's. So by default all spoke VPC are able to connect to each other anyway, because network_prefix_list contains the routes to all spoke VPC's.

What is the correct way to prevent network traffic going from 1 spoke to another spoke without the network firewall? While still allowing traffic going to the internet?

Eagleman7 commented 2 months ago

@pablo19sc are you still with this project :) ?

pablo19sc commented 1 month ago

Hello @Eagleman7, sorry for the delay. Yes, still working on it (I had crazy months, but back to these modules). Give me a couple of weeks to clear all the pending items and I'll start working on this.