terraform-aws-modules / terraform-aws-vpc

Terraform module to create AWS VPC resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws
Apache License 2.0

This module doesn't integrate with the Network Firewall Module #978

Open jseiser opened 10 months ago

jseiser commented 10 months ago

Is your request related to a problem? Please describe.

There is now a network firewall module, but it does not integrate with this module, so even when using them both, you are left in a situation where you cannot actually route traffic through the firewall in its normal manner.

I've also created this here: https://github.com/terraform-aws-modules/terraform-aws-network-firewall/issues/1

Since I'm not sure where it should live, as both modules are impacted.

Describe the solution you'd like.

  1. Should be able to create Firewall Subnets
  2. Should be able to control/override routes for the module so once the firewall is deployed, you can update the routing tables to point to it.

How we currently handle this

  1. Disable public subnets and NAT gateways
  2. Create public subnets, a NAT gateway, and an Internet Gateway
  3. Create the route table for the NAT gateways
  4. Create 2 firewall subnets and their route tables
  5. Deploy this (actually your old beta version) module, passing in the firewall subnets in the subnet mapping
  6. Create the routes for the IGW
  7. Create the routes for the firewall subnets
  8. Create all the route associations

Additional context

I think the main issue is not being flexible enough in subnet creation, and not being able to override routes from the Firewall Module, since any time the VPC module is re-run, they would be removed/corrected, I believe.
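
The routing half of the workaround above (steps 6 to 8 for the public side), as an added illustration that is not code from the issue or from either module. It assumes `module "vpc"` was applied with `public_subnets = []` and `enable_nat_gateway = false`, that `aws_internet_gateway.this`, the firewall subnets and their route table to the IGW already exist, and that the firewall is `aws_networkfirewall_firewall.this` with one endpoint per AZ; the AZ names and CIDRs are constructed.

```hcl
# Constructed example: one public route table per AZ, each pointing at the
# firewall endpoint in that AZ, plus an IGW ingress route table so return
# traffic takes the same inspected path.
locals {
  azs = {
    "us-east-1a" = "10.0.1.0/24" # public subnet CIDR per AZ (constructed)
    "us-east-1b" = "10.0.2.0/24"
  }
  # Firewall endpoint id per AZ, read from the firewall's sync state.
  fw_endpoint = {
    for s in aws_networkfirewall_firewall.this.firewall_status[0].sync_states :
    s.availability_zone => s.attachment[0].endpoint_id
  }
}

resource "aws_subnet" "public" {
  for_each          = local.azs
  vpc_id            = module.vpc.vpc_id
  cidr_block        = each.value
  availability_zone = each.key
}

# One route table per public subnet keeps egress in-AZ (no cross-AZ hop).
resource "aws_route_table" "public" {
  for_each = local.azs
  vpc_id   = module.vpc.vpc_id
}
resource "aws_route" "public_egress" {
  for_each               = local.azs
  route_table_id         = aws_route_table.public[each.key].id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = local.fw_endpoint[each.key]
}
resource "aws_route_table_association" "public" {
  for_each       = local.azs
  subnet_id      = aws_subnet.public[each.key].id
  route_table_id = aws_route_table.public[each.key].id
}

# IGW ingress route table: traffic destined for each public subnet is
# steered back through that AZ's firewall endpoint before delivery.
resource "aws_route_table" "igw" { vpc_id = module.vpc.vpc_id }
resource "aws_route" "igw_ingress" {
  for_each               = local.azs
  route_table_id         = aws_route_table.igw.id
  destination_cidr_block = each.value
  vpc_endpoint_id        = local.fw_endpoint[each.key]
}
resource "aws_route_table_association" "igw" {
  gateway_id     = aws_internet_gateway.this.id
  route_table_id = aws_route_table.igw.id
}
```

Because these subnets and route tables live outside the VPC module, a later apply of the module does not revert the firewall routes, which is the failure mode the issue describes.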

dimakievukraine commented 9 months ago

I also have an issue with the AWS Network Firewall module. According to the AWS documentation, separate subnets for Network Firewall should be created. Then traffic routes from the FW subnet to the NAT GW (public subnet) and then back from the public subnet to the FW VPC endpoint. The issue is that if I create AWS Network Firewall with 3 endpoints in 3 subnets, then I need to modify the public subnets with routes to the FW subnets. But this module creates only one RT for public subnets and does not allow modifying routes. Here is the code: https://github.com/terraform-aws-modules/terraform-aws-vpc/blob/master/main.tf#L126

Could you please create 3 RTs for the public subnets and (if it will not add too much time) allow passing routes there with variables?

There is no problem creating the whole AWS Network Firewall setup in my module, but I cannot use it with this module in that case.

alekc commented 9 months ago

If a customer doesn't want to use the AWS NAT GW (enable_nat_gateway = false) and wants to use their own solution, they cannot, because the routing table is the same (or rather, they cannot avoid cross-AZ traffic and the related cost).

Is there an advantage in keeping a single unified route table compared to one RT for every subnet?

dimakievukraine commented 9 months ago

@antonbabenko hi. Is there any chance to look at this issue? I cannot use your Network Firewall module with this VPC module due to the single and non-flexible public subnet RT. 3 public subnet route tables + adding an optional firewall VPC endpoint as a route would help a lot.

bryantbiggs commented 9 months ago

The network firewall module was designed here, which contains a different method for provisioning subnets. We are planning to continue to migrate that functionality over to the respective modules within this GitHub organization.

kclinden commented 5 months ago

Are there any branches that currently have this functionality?

blongman-snapdocs commented 1 month ago

Starting on my journey to add Network Firewall to my own VPCs that use this module. I'm hoping that whatever I do is easily convertible to use this module in the future.